When I learned from Twitter that Advocate General Campos Sánchez-Bordona had been writing an Opinion dedicated to the late-90s R&B boyband Damage, I was surprised but not shocked. This, I thought, is precisely the sort of esoteric approach to middling music-based law that resulted in so many voting to leave the EU. Imagine, then, my surprise to find upon reading the Opinion in Case C-300/12 UI v Österreichische Post AG (EU:C:2022:756) that there is almost no mention of Jade Jones’ long-term relationship with Spice Girl Emma Bunton, but instead there is a detailed Lloyd v Google style analysis of in what circumstances damages can be obtained for contravention of the GDPR.
In all seriousness (I know, I know – very much not what you are here for), UI is the first opportunity the CJEU has had to squarely confront the general problems, giving rise to inconsistent approaches across national courts (and sometimes even within Member States) as to whether compensation can be awarded merely to vindicate a contravention of the GDPR, and what sort of non-material harm is recoverable. These are hugely significant questions: anyone working in this field knows that, for better or worse, many breaches of the GDPR can only really be vindicated by the affected data subject if they can make a claim for damages as a result of distress (in most, but not all, cases), or for ‘loss of control’. Without the latter, as the Supreme Court made clear in Lloyd, representative actions are very difficult to run. Readers will also recall that Lord Leggatt in Lloyd specifically excluded from his analysis the GDPR, leaving open the question as to whether compensation for loss of control (in the sense of a mere contravention) could be recovered under the GDPR when it cannot under the DPA 1998.
Where then does the Advocate General lead us in UI? The first question referred by the Austrian courts squarely raised the Lloyd point by reference to Article 82 GDPR. The Advocate General, in detailed reasoning, concluded that Article 82 did not require that compensation should be recoverable merely for a contravention of the GDPR. He considered that the language of “compensation” in Article 82(1) was inconsistent with such a proposition, but that the language might not itself exclude punitive damages (which such a head of recovery effectively is). However, he concluded that compensation on a punitive basis was not recoverable: it was inconsistent with the literal wording, there was no basis in the history of the provision, the punitive aspect is addressed separately through administrative fines (a point made long ago by Arden LJ in Halliday v Creation Consumer Finance [2013] EWCA Civ 333), and there was no purposive need to do so (including because it would encourage misplaced litigation).
For essentially the same reasons, the Advocate General also rejected the more nuanced argument that a contravention would always lead to a loss of control of data, such that there was, in effect, a presumption of damage. That, he thought, collapsed into the same point. Where EU law requires automatic compensation, it says so, and he considered that the references to loss of control in the recitals “may be taken to be linguistic licence to refer to damage subsequent to such a loss [of control], should such damage occur”: at [62]. Neither the legislative history nor the context assisted the argument. The Advocate General rejected the argument that the objective of the GDPR “is to grant data subjects control over their personal data as a right in itself, or that data subjects must have the greatest control possible over those data” (at [74]), because it is not a right of informational self-determination (whatever that is). He noted at [82] that the “aim of the GDPR is not, I stress, to limit systematically the processing of personal data but rather to legitimise it under strict conditions.”
Indeed, the Advocate General made clear his view that even in a system of national law in which, unusually, compensation was available to vindicate the right without any proof of damage, such an award could not be made under Article 82. It may, at most, have a role to play under Article 79; but nothing in the GDPR required it. Nor does the GDPR provide for damages which deprive the wrongdoer of the profit made: at [93].
The Opinion is, accordingly, a detailed and comprehensive rejection of the argument – in its various forms – that a contravention of the GDPR should entitle the data subject to recover compensation as of right. The issue was thought sufficiently arguable in SMO v TikTok [2022] EWHC 489 (QB) to permit service out, but perhaps no longer.
In discussion of the application of the principles of effectiveness and equivalence, the Advocate General indicated that it was possible that “reparation sought for non-material damage may include components other than merely financial components, such as recognition that the infringement occurred, thereby providing the applicant with a certain moral satisfaction”, by analogy with other areas of EU law: at [89].
The third question referred required the Advocate General to engage with whether Article 82 implies a threshold of seriousness. Article 82 provides no answer and nor, he thought, did any of the recitals help. The critical paragraph of the Opinion’s reasoning is [105]: “While the case-law of the Court permits the argument that, in the terms stated, a principle of compensation for non-material damage exists in EU law, I do not believe, however, that it is possible to infer from this a rule pursuant to which all non-material damage, regardless of how serious it is, is eligible for compensation.” The distinction was endorsed between non-material damage for which compensation may be awarded and other inconveniences arising as a result of abuse of the law which, owing to their insignificance, do not necessarily create the right to compensation. That, he thought, applied also to the GDPR. In particular, Article 82(1) “does not appear to me to be a suitable instrument for countering infringements in connection with the processing of personal data where all those infringements create for the data subject is annoyance or upset”: at [112]. Nor is displeasure sufficient, or vague fleeting feelings or emotions.
What, then, is the line? There, this carefully reasoned Opinion gives up somewhat. Instead, at [116], the Advocate General offers this as a conclusion:
“I am in no doubt that there is a fine line between mere upset (which is not eligible for compensation) and genuine non-material damage (which is eligible for compensation) and I am also aware of how complicated it is to delimit, in the abstract, the two categories and apply them to a particular dispute. That difficult task falls to the courts of the Member States, which will probably be unable to avoid in their rulings the perception prevailing in society at a given time regarding the permissible degree of tolerance where the subjective effects of infringement of a provision in this area do not exceed a de minimis level.”
In this respect, it is hard to see that the Opinion says anything very different from the approach adopted in English law under the DPA 1998 and the GDPR. But it is very helpful to have it confirmed.
Two significant caveats, of course. First, it is only an Opinion. The CJEU usually follows the Opinion, but not always, and rarely in precisely the same way or to the same degree of detail. Much will turn on precisely what the CJEU specifically endorses itself in UI. Secondly, even if the CJEU adopts the Opinion in full it no longer binds domestic courts, who may simply have regard to it: section 6(2) of the European Union (Withdrawal) Act 2018.
When the CJEU gives its own view, we will let you know. If Emma Bunton makes a cameo appearance, we will let you know pronto.
Christopher Knight