Date: 10 May 2023
In its judgment of 4 May 2023, the European Court of Justice (ECJ) ruled for the first time on the prerequisites of the claim for damages under Art. 82 of the General Data Protection Regulation (GDPR).
In this eagerly awaited judgment, the ECJ clarified that the mere infringement of the provisions of the GDPR is not sufficient for a claim under Art. 82 GDPR and that the claimant must always provide concrete evidence of causal damage suffered. However, it is not necessary to reach a materiality threshold for non-material damage.
The decision was based on three questions referred by the Austrian Supreme Court on 12 May 2021 on the interpretation of Art. 82 GDPR: (1) Is the infringement of any provision of the GDPR sufficient or does the claimant have to prove damage in addition? (2) How is the amount of compensation to be assessed? (3) Is non-material damage only present if the consequence of the infringement exceeds a certain materiality threshold or is the upset caused by the infringement sufficient?
In response to these questions, the ECJ first clarified that the claim under Art. 82 GDPR is subject to the following cumulative conditions: the existence of damage, the existence of an infringement of the GDPR and the causal link between the damage and the infringement.
Furthermore, the ECJ clarified that it is not necessary to reach a materiality threshold with regard to the damage suffered. However, it must always be proven that the consequences of a breach of the GDPR constitute non-material damage within the meaning of Article 82 GDPR.
Finally, the ECJ ruled that the GDPR does not contain any provision dedicated to the rules for the assessment of damages. The respective provisions of the Member States, as interpreted by the national courts, are decisive in this regard.
After a long period of confusion about the interpretation of Art. 82 GDPR and the lack of uniform case law, the ECJ has now clarified some of the issues.
In particular, the decision that there is explicitly no need for a materiality threshold with regard to damage suffered is likely to lead to an increase in legal proceedings for damages against companies for data protection violations. This also applies against the background of the Consumer Rights Enforcement Act - VDuG will most likely come into force in Germany this summer, with which consumer associations will be able to sue directly for damages.
In particular, hacker attacks on companies and the associated data leaks are increasingly being used by internet users as an opportunity to claim damages from the companies concerned.
On the other hand, the proof of the causal concrete immaterial damage is likely to be associated with difficulties for claimants. Furthermore, there are still a large number of open legal questions in connection with Art. 82 GDPR and there are good arguments to defend oneself against such claims for damages.
For such an effective defence, involving legal expertise as early as possible is often crucial. Our experienced litigation team, which already accompanies ongoing data protection proceedings, will be happy to advise you in this regard.