A recent European Court of Justice ruling found that just because a person’s data protection rights have been breached, it doesn’t mean that they can automatically claim compensation for the breach. Damages can only be awarded where there is clear material or immaterial damage.
What Happened In Österreichische Post AG?
An Austrian individual brought the claim against Österreichische Post AG for processing his personal data without consent. The company used an algorithm to link the individual to certain political views. As a result, the individual tried to claim immaterial damages because the political associations were seriously damaging to his reputation. In this case, the court had to interpret Article 82 GDPR to establish whether compensation could be claimed.
Article 82 GDPR states that “any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered.”
It was concluded that three conditions must be satisfied before someone can claim compensation for a data breach.
- There must be an infringement of the GDPR
- The damage suffered must be material or immaterial
- There must be a link between the damage suffered and the breach
As such, not all claims against data infringement have an automatic right to compensation.
The European Court of Justice also clarified that there is no minimum level of seriousness when claiming compensation for non-material damages. The GDPR does not have specific rules about when compensation can be claimed, therefore it is down to the individual member states to establish the rules for assessing damages and deciding when an infringement has breached individual rights.
What Does This Ruling Mean for Individuals?
It was found in this case that non-material damage does not cover “mere upset” or inconvenience. An individual must experience a level of pain and suffering that has been caused by the data breach. In addition, there should be sufficient evidence to prove that the breach directly caused financial loss or suffering. For example, in cases where a data leak has led to identity theft which has caused financial loss and severe distress, this could be enough to claim non-material damages.
It is ultimately the decision of each legal system to work out the threshold of establishing when someone can claim for non-material damages. For instance, in the English case of Rolfe v Veale, it was found that a claim for compensation for distress as a result of a data breach without any evidence of financial loss and medical records showing a physical or mental impact on the individual would likely fail.