When is there a right - and when not - to receive compensation for damages due to an infringement of data protection legislation according to the CJEU?
The breach of data protection legislation can lead not just to penalties from the competent authorities, but also to the obligation to compensate the data subjects for the damages sustained. The Court of Justice of the European Union (CJEU) has recently ruled on the subject, creating case law regarding the requirements and limits of civil liability in this area. In this article we will analyze the criteria offered to date by the CJEU.
Regulation (EU) 2016/679 of the European Parliament and of the Council, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), established the right of individuals who had suffered material or non-material damage as a result of an infringement of the Regulation to receive compensation for that damage (article 82).
It also contemplated the possibility of joint protection from these types of breaches, whereby data subjects may authorize certain non-profit bodies, organizations or associations to lodge a complaint on their behalf (article 80).
In this context, doubts have arisen regarding the scenarios in which such right to compensation exists, which has led to various referrals for a preliminary ruling from the CJEU, to date with respect to individual legal actions.
The referrals made by the national courts to the CJEU have been diverse, ranging from whether the existence of a breach of personal data legislation gives rise, in all cases, to a right to compensation, to the rules on liability that are applicable in such event and including, the grounds for relief, among others.
These doubts have arisen in a wide variety of cases such as: the processing of data related to political affinities without the data subject’s consent (judgment of May 4, 2023, case C-300/21, Österreichische Post AG); a claim in the case of a cyberattack and the publication of personal data on the internet as a result of that attack (judgment of December 14, 2023, case C‑340/21, Natsionalna agentsia za prihodite); disclosure of personal data without consent on the website of a municipal council, specifically of the agenda of a meeting of the municipal council which referred to a judgment (here too the judgment was handed down on December 14, 2023, case C-456/22, Gemeinde Ummendorf); the processing by an employer of the health data of an employee (judgment of December 21, 2023, case C-667/21, Medizinischer Dienst der Krankenversicherung Nordrhein); the handing over to an unauthorized third party by mistake of documents concerning a purchase, containing personal data including the customer’s income and bank details (judgment of January 25, 2024, case C-687/21, MediaMarktSaturn); receipt of commercial communications by the data subject despite having objected (judgment of April 11, 2024, case C-741/21, juris GmbH); disclosure to third parties, by mistake, of the tax return of the data subjects (judgment of June 20, 2024, case C-590/22, PS); theft by third parties of the personal data stored on a trading application (judgment of June 20, 2024, C-182/22 and C-189/22, Scalable Capital); dissemination of video footage featuring a character that imitated the applicant, a well-known journalist, without his consent (judgment of October 4, 2024, case C-507/23, Patērētāju tiesību aizsardzības centrs); or the publication of personal data not legally required on the commercial register of a Member State (judgment also of October 4, 2024, case C-200/23, Agentsia po vpisvaniyata).
Although questions will continue to be referred for a preliminary ruling, the criteria set out below can be drawn from the judgments handed down to date by the CJEU.
Criteria of the CJEU
1. There is no “automatic right to compensation” due to the infringement of data protection legislation
The mere existence of a breach of data protection legislation does not automatically generate the right to compensation. The following three requirements must be cumulatively met: i) the existence of an infringement of the provisions of the GDPR; ii) the data subject must have sustained damage; and iii) there must be a causal link between the damage and the infringement.
This was clearly established for the first time by the judgment of May 4, 2023, case C-300/21, Österreichische Post AG (paragraphs 32-36 and 42) and has been applied consistently in subsequent rulings (judgments of December 14, 2023, case C‑340/21, Natsionalna agentsia za prihodite, paragraph 77; also of December 14, 2023, case C‑456/22, Gemeinde Ummendorf, paragraph 14; of December 21, 2023, case C-667/21, Medizinischer Dienst der Krankenversicherung Nordrhein, paragraph 82; of January 25, 2024, case C-687/21, MediaMarktSaturn, paragraph 58; of April 11, 2024, case C-741/21, juris GmbH, paragraph 34; of June 20, 2024, case C-590/22, PS, paragraphs 22 and 24-25; also of June 20, 2024, C-182/22 and C-189/22, Scalable Capital, paragraphs 41-42 and 57; of October 4, 2024, case C-507/23, Patērētāju tiesību aizsardzības centrs, paragraphs 24 and 26-27; and also of October 4, 2024, case C-200/23, Agentsia po vpisvaniyata, paragraphs 140 and 159).
2. Whereas the concept of compensation for damages is governed by EU law, the amount of the damages is decided by the legislation of each Member State
To the extent that there is no express reference to the law of the Member States, the concept of “material or non-material damage” and the right to “compensation for the damage suffered” set forth in article 82 of the GDPR must be interpreted autonomously. That is, these concepts must be interpreted in accordance with EU law, uniformly across all the EU Member States, and their meaning need not coincide with the interpretation given to them under the national law of each Member State (judgments of May 4, 2023, case C-300/21, Österreichische Post AG, paragraphs 29-30 and 44; and of October 4, 2024, case C-200/23, Agentsia po vpisvaniyata, paragraph 139).
However, to the extent that the GDPR does not contain any provisions in this regard, the determination or quantification of the compensation will be governed by the national law of each Member State, respecting, in all cases, the principles of equivalence and effectiveness (judgments of May 4, 2023, case C-300/21, Österreichische Post AG, paragraphs 54 and 59; of December 21, 2023, case C-667/21, Medizinischer Dienst der Krankenversicherung Nordrhein, paragraphs 83 and 101; of January 25, 2024, case C-687/21, MediaMarktSaturn, paragraph 53; of April 11, 2024, case C-741/21, juris GmbH, paragraphs 58 and 63; of June 20, 2024, case C-590/22, PS, paragraph 40; also of June 20, 2024, C‑182/22 and C‑189/22, Scalable Capital, paragraphs 27 and 33; of October 4, 2024, case C-507/23, Patērētāju tiesību aizsardzības centrs, paragraph 32; and also of October 4, 2024, case C-200/23, Agentsia po vpisvaniyata, paragraph 152).
Specifically, as the most authoritative academic opinion has underscored, in cross-border scenarios the conflict-of-laws rules of each Member State will determine the national legislation applicable, since Regulation (EC) No 864/2007 on the law applicable to non-contractual obligations (Rome II) excludes from its scope non-contractual obligations arising out of violations of privacy and rights relating to personality (article 1.2(g) of the Rome II Regulation). In Spain, the applicable conflict-of-laws rule will be article 10.9 of the Civil Code (which provides that “non-contractual obligations shall be governed by the law of the place where the event from which they arise occurred”).
In addition, according to article 79.2 of the GDPR, both the courts of the Member State where the controller or processor has an establishment and the courts of the Member State where the data subject has his or her habitual residence (unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers) will have jurisdiction. This dual jurisdiction (apart from the possible application of the forums envisaged in Regulation (EU) No 1215/2012 of the European Parliament and of the Council, in accordance with recital 147 of the GDPR) could lead to situations of forum shopping, that is, of choosing the courts in the most favorable jurisdiction.
3. Extent of the compensation
- Material or non-material damage
The data subject is entitled to compensation both for the material and for the non-material damage suffered (moral damages, for example), without any specific threshold of seriousness being required (judgments of May 4, 2023, case C-300/21, Österreichische Post AG, paragraphs 45-51; of December 14, 2023, case C‑340/21, Natsionalna agentsia za prihodite, paragraph 78; of January 25, 2024, case C-687/21, MediaMarktSaturn, paragraphs 59 and 60; of April 11, 2024, case C-741/21, juris GmbH, paragraphs 36 and 41; of June 20, 2024, case C-590/22, PS, paragraph 26; also of June 20, 2024, C‑182/22 and C‑189/22, Scalable Capital, paragraph 44; and of October 4, 2024, case C-200/23, Agentsia po vpisvaniyata, paragraph 149).
The GDPR itself (recital 85) underscores that “a personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
In order for the damage to confer a right to compensation, its existence and its negative consequences must be evidenced (judgments of January 25, 2024, case C-687/21, MediaMarktSaturn, paragraphs 60 and 61; of June 20, 2024, case C-590/22, PS, paragraphs 34 and 35; and of October 4, 2024, case C-200/23, Agentsia po vpisvaniyata, paragraphs 141-142).
A data subject’s fear of the potential misuse of their personal data by third parties in the future, following an infringement, may constitute non-material damage eligible for compensation, although it is necessary to evidence that such fear is well founded (judgments of December 14, 2023, case C‑340/21, Natsionalna agentsia za prihodite, paragraphs 83-85; of June 20, 2024, case C-590/22, PS, paragraph 32; and of October 4, 2024, case C-200/23, Agentsia po vpisvaniyata, paragraphs 143-144).
Similarly, a loss of control over the personal data for a brief period of time may cause the data subject “non-material damage” which gives rise to a right to compensation, provided the data subject can prove that they have actually suffered such damage, however slight (judgments of January 25, 2024, case C-687/21, MediaMarktSaturn, paragraph 66; of June 20, 2024, case C-590/22, PS, paragraph 33; or of October 4, 2024, case C-200/23, Agentsia po vpisvaniyata, paragraph 150).
As indicated previously, a mere infringement of data protection legislation does not, per se, grant data subjects the right to claim compensation from the infringer. They must evidence that they have actually suffered the damage claimed, however minimal (judgment of December 14, 2023, case C‑456/22, Gemeinde Ummendorf, paragraph 22). Conversely, a purely hypothetical risk of misuse by an unauthorized third party cannot give rise to compensation if, for example, it is demonstrated that no third party became aware of the personal data at issue (judgment of January 25, 2024, case C-687/21, MediaMarktSaturn, paragraph 68).
Finally, the CJEU has established that, where the damage suffered by the data subject is not serious, a national court may compensate for it by awarding minimal compensation to the data subject, provided that such minimal compensation compensates in full the damage suffered (judgments of June 20, 2024, C-182/22 and C-189/22, Scalable Capital, paragraphs 45-46; and of October 4, 2024, case C-507/23, Patērētāju tiesību aizsardzības centrs, paragraph 35). Even an apology may constitute a standalone or supplementary form of redress for moral damage, in accordance with the applicable national law, in particular where it is impossible to restore the situation existing before the damage was caused and provided that this form of redress compensates in full the damage suffered by the data subject (judgment of October 4, 2024, case C-507/23, Patērētāju tiesību aizsardzības centrs, paragraphs 36 and 37).
- Compensatory, not punitive function
The right to compensation under article 82 of the GDPR must fulfill a compensatory function, whereby the financial compensation must fully compensate the damage suffered as a result of the infringement. Punitive damages, however, may not be imposed pursuant to the GDPR (judgments of May 4, 2023, case C-300/21, Österreichische Post AG, paragraphs 57 and 58; of December 21, 2023, case C-667/21, Medizinischer Dienst der Krankenversicherung Nordrhein, paragraphs 84 and 102; of January 25, 2024, case C-687/21, MediaMarktSaturn, paragraph 47; of April 11, 2024, case C-741/21, juris GmbH, paragraphs 60 and 61; of June 20, 2024, case C-590/22, PS, paragraphs 41-42; of October 4, 2024, case C-507/23, Patērētāju tiesību aizsardzības centrs, paragraph 34; or also of October 4, 2024, case C-200/23, Agentsia po vpisvaniyata, paragraph 153).
To the extent that the imposition of administrative fines on the one hand and the determination of compensation on the other belong to different regulatory areas, the criteria for the former cannot be used to assess the amount of the latter (judgments of April 11, 2024, case C-741/21, juris GmbH, paragraph 57; of December 21, 2023, case C-667/21, Medizinischer Dienst der Krankenversicherung Nordrhein, paragraphs 85 and 86; of June 20, 2024, case C-590/22, PS, paragraph 43; also of June 20, 2024, C‑182/22 and C‑189/22, Scalable Capital, paragraphs 22, 39 and 44; or of October 4, 2024, case C-507/23, Patērētāju tiesību aizsardzības centrs, paragraphs 39 to 41).
Given the exclusively compensatory function of compensation, elements such as the degree of seriousness of the damage or the potentially intentional nature of the infringement by the data controller should not be taken into account when determining compensation; only the damage actually suffered by the data subject is relevant (judgments of April 11, 2024, case C-741/21, juris GmbH, paragraph 64; of June 20, 2024, C‑182/22 and C‑189/22, Scalable Capital, paragraphs 28-30; or of October 4, 2024, case C-507/23, Patērētāju tiesību aizsardzības centrs, paragraphs 42-43). Indeed, it cannot be held as a matter of principle that physical injury is, by its nature, more serious than non-material damage (judgments of June 20, 2024, C‑182/22 and C‑189/22, Scalable Capital, paragraphs 38 and 39; or of October 4, 2024, case C-200/23, Agentsia po vpisvaniyata, paragraph 151).
In turn, the controller’s attitude and motivation cannot be taken into account in order to award redress that is “smaller” than the damage suffered by the data subject (judgment of October 4, 2024, case C-507/23, Patērētāju tiesību aizsardzības centrs, paragraphs 44-45).
4. Fault-based liability with a reversal of the burden of proof
The data subject must evidence the existence of the infringement and of the damage suffered, whereas, since fault is presumed, it is the data controller that must prove, in order to be exempt from liability, either the absence of fault in the event giving rise to the damage (judgments of December 21, 2023, case C-667/21, Medizinischer Dienst der Krankenversicherung Nordrhein, paragraphs 93-94, 98-99 and 103; of April 11, 2024, case C-741/21, juris GmbH, paragraphs 46 and 47; of June 20, 2024, C-182/22 and C-189/22, Scalable Capital, paragraph 28; or of October 4, 2024, case C-200/23, Agentsia po vpisvaniyata, paragraph 154 and paragraphs 160-164) or the absence of a causal link between the potential data protection infringement and the damage suffered by the data subject (judgment of December 14, 2023, case C‑340/21, Natsionalna agentsia za prihodite, paragraphs 70 and 72).
Thus, where the personal data breach has been committed by cybercriminals, the data controller may be exempt from liability if it proves that it did not breach the data protection obligations to which it is subject (judgment of December 14, 2023, case C‑340/21, Natsionalna agentsia za prihodite, paragraphs 70-72).
However, the controller cannot avoid liability by relying on negligence or failure on the part of a person acting under its authority, since it is up to the controller to ensure that its employees apply its instructions correctly (judgment of April 11, 2024, case C-741/21, juris GmbH, paragraphs 49 and 52). Nor does the existence of a non-binding advisory opinion issued by a supervisory authority to the controller exempt the controller from liability (judgment of October 4, 2024, case C-200/23, Agentsia po vpisvaniyata, paragraphs 174-176).
Conclusion
It is not uncommon for data subjects affected by a personal data breach to seek to establish the civil liability of the party that committed the breach in question.
But it is essential to bear in mind the boundaries of liability marked out by the CJEU, because the mere existence of a personal data breach does not automatically lead to an award of compensation. Indeed, compensation is only awarded where the data subjects have actually suffered damage, however slight, and there is a causal link between the infringement and that damage, both of which must be evidenced. In addition, compensation must make good the damage suffered but may not be punitive or serve as a deterrent.