Panopticon has covered a number of judgments handed down in the UK over the last year or two that demonstrate judicial scepticism about compensation claims for alleged data protection infringements. In a number of cases (though not all), judges have been particularly sceptical whether, on the facts before them, the claim – even if made out – would pass the threshold of seriousness for entitlement to compensation. Some, however, argue that compensation claims under the GDPR/UK GDPR are not subject to any such threshold. So what’s the answer?

At an EU level, this week’s judgment of the CJEU in UI v Österreichische Post AG (Case C‑300/21) tackles this issue. The case concerns a claim for non-material damage by an individual in Austria, who alleged that special category data about him and others was processed by the defendant – an address broker who used algorithmic inferential profiling – in contravention of the GDPR. One of the inferential data points suggested that the claimant was likely to have affinity with a political party he in fact disliked. He was offended and said this “caused him great upset, a loss of confidence and a feeling of exposure”. He sought an injunction (which he got) and compensation of €1k (which he did not get).

On appeal concerning the compensation issue, the Austrian appellate court held that a threshold of seriousness applied to such compensation claims under Article 82(1) of the GDPR, and that the feelings expressed by the claimant did not meet that threshold. The Austrian Supreme Court sought a preliminary ruling from the CJEU. Here are the key points:

1. Is there entitlement to compensation merely for the fact of a GDPR infringement?

Answer: no, as per the analysis in Lloyd v Google. See the CJEU at [31]: “the existence of ‘damage’ which has been ‘suffered’ constitutes one of the conditions for the right to compensation laid down in that provision, as does the existence of an infringement of the GDPR and of a causal link between that damage and that infringement, those three conditions being cumulative.” So far so expected. But…

2. What about the threshold for seriousness for compensation under the GDPR?

Here it is important to note the specific question that was being asked. The question was not: is Article 82 GDPR subject to a threshold of seriousness? Rather, the question was “whether Article 82(1) of the GDPR must be interpreted as precluding a national rule or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness” (at [43], my emphasis). In other words, where member state rules or practices impose a threshold of seriousness for GDPR compensation claims, is that lawful?

Answer: no. Taking both a literal and a purposive approach to Article 82(1) GDPR, it does not accommodate a threshold requirement as regards the seriousness of the alleged damage. So, while a claimant has to show they suffered material or non-material damage as a result of the GDPR contravention, they do not have to show that this damage meets a threshold of seriousness in order to pursue a compensation claim. See [51], and this at [49]: “making compensation for non-material damage subject to a certain threshold of seriousness would risk undermining the coherence of the rules established by the GDPR”.

Notable stuff – certainly at EU level – and in particular given that the CJEU went against the AG’s opinion on this issue.

3. How to calculate compensation amounts? Is this governed by national law or the GDPR?

The CJEU also held that, when it comes to determining the amount of damages payable under Article 82(1), each court must apply its domestic principles, provided that the EU law principles of equivalence (the EU law right can’t be treated less favourably than a domestic law right) and effectiveness (the national law principles “do not make it excessively difficult or impossible in practice to exercise the rights conferred by EU law”).

What now?

Good question, and not one I’ll try to answer just now (it’s Friday evening, after all). Plenty of argument to be had as to (i) the extent to which UK courts apply conclusion 2 to the UK GDPR in a post-Brexit world, and (ii) how the CJEU’s conclusions on issues 2 and 3 can fit together, e.g. within the framework of the UK’s CPR, track/court allocation and common law principles relating to compensation. But, after a slew of UK judgments that have tended to be downers from a claimant perspective, this one is certainly more cheerful.

Robin Hopkins