Compensation in Data Breach Claims – Recent Developments

Since the introduction of the General Data Protection Regulation (GDPR), a number of Member State Courts, including those in Austria, Germany1 and Bulgaria2 have made preliminary references to the Court of Justice of the European Union (CJEU) concerning the extent and scope of the right to compensation for non-material damage under the GDPR.

There has been some preliminary guidance from the CJEU in the form of an Advocate General’s (AG) opinion delivered in October 2022 in Case C-300/21 – UI v Österreichische Post AG (the Austrian Post Case).  The AG’s opinion, which we examine in further detail below, takes a pragmatic approach to compensation in data breach claims and is likely to be welcomed by parties faced with these claims.

While the opinion of the AG in a given case tends to be influential and is often followed by the Court, it is of course not binding on the Court. The judgment of the CJEU in the Austrian Post Case is therefore eagerly awaited and will undoubtedly have an impact on data breach claims in this jurisdiction, as evidenced by a recent stay application in a data breach claim before the Irish Circuit Court.

Recent Irish proceedings - Cunniam v Parcel Connect Limited & Ors

In recent Irish Circuit Court proceedings, Cunniam v Parcel Connect Limited & Ors3, the defendants sought a stay in data breach proceedings brought against them, claiming that the preliminary references to the CJEU regarding the interpretation of Article 82 GDPR on the right to compensation and liability would clarify the law and that a stay would prevent unnecessary costs being incurred in the interim. In making the application the defendants relied on the AG’s opinion in the Austrian Post Case arguing that, should the CJEU decide to accept the recommendation of the Advocate General in that case, it is possible that the plaintiff in this Irish case will not be entitled to any damages even if liability is established.

On 23 January 2023, Judge O’Connor of the Circuit Court delivered his judgment on this application and granted the defendants a stay pending the outcome of the preliminary references, noting that the Court had a duty of sincere cooperation with other courts under the Treaty on the Functioning of the European Union (TFEU) and that the defendants would be prejudiced if the proceedings were not stayed.

The Austrian Post case

In the Austrian Post case, the data subject claimed €1,000 compensation in the Austrian court for non-material damage arising from the processing of his personal data for the purposes of political advertising, using an algorithm. The data subject said that he was upset by the storage of his party affinity data and angered and offended by the political affinity specifically attributed to him by Austrian Post.

The Austrian Supreme Court referred a series of questions to the CJEU seeking clarification on whether the award of compensation under Article 82 requires, in addition to an infringement of the GDPR, that the claimant has suffered harm. The reference also sought clarification on whether compensation for non-material damage requires the existence of more than upset caused by the infringement.

The AG’s key findings

GDPR infringements are not of themselves sufficient to warrant compensation

The AG found that a mere breach of the GDPR is not in itself sufficient to warrant compensation and the breach must be accompanied by corresponding material or non-material damage.   He noted that “the prospect of obtaining compensation independently of any harm would, in all likelihood, encourage civil litigation, with proceedings that are perhaps not always justified, and, to that extent, could discourage data processing.”

The AG also considered, and rejected, the argument that an infringement of the GDPR gives rise to a “loss of control” over personal data which in and of itself constitutes damage, or gives rise to an irrebuttable presumption of damage.

Punitive damages do not fall within the scope of the GDPR

The AG considered whether damages under the GDPR are limited to compensatory damages or whether they should also have a punitive or deterrent effect. He analysed the GDPR under the various cannons of statutory interpretation (literal, historic, contextual and purposive) and found that the GDPR does not provide for punitive damages.  In particular, he observed that the GDPR makes no reference to the punitive nature of compensation for material and non-material damage.

Non-material damage does not cover “mere upset”

The Austrian Supreme Court asked whether the award of compensation for non-material damage under the GDPR is conditional on an “infringement of at least some weight that goes beyond the upset caused by that infringement”.

The AG noted that Article 82 GDPR does not provide a direct answer to the question and that, while the case law of the CJEU provides that non-material damage exists as a concept in EU law, it cannot be inferred from this that all non-material damage, regardless of how serious it is, is eligible for compensation. The AG expressed the view that the GDPR does not cover “mere upset” or compensation for “vague, fleeting feelings or emotions connected with the infringement of rules on processing”.

As regards where the line falls in terms of the “threshold of seriousness”, the AG acknowledged that this is not clear cut, stating: 

I am in no doubt that there is a fine line between mere upset (which is not eligible for compensation) and genuine non-material damage (which is eligible for compensation) and I am also aware of how complicated it is to delimit, in the abstract, the two categories and apply them to a particular dispute.

That difficult task falls to the courts of the Member States, which will probably be unable to avoid in their rulings the perception prevailing in society at a given time regarding the permissible degree of tolerance where the subjective effects of infringement of a provision in this area do not exceed a de minimis level.

As to the level or quantum of damages, the AG confirmed that the level of compensation is also a matter for the law of the Member State.

Conclusion

The AG’s opinion in the Austrian Post case follows the direction of travel in recent UK decisions including the dismissal by the UK Supreme Court in Lloyd v Google4 of the possibility of damages for loss of control of data (this case concerned the pre-GDPR regime) and the decision by the High Court of England and Wales in Rolfe v Veale Wasbrough Vizards LLP5 that there must be damage above a de minimis threshold for a claim in damages to succeed under the GDPR.

While not binding on the CJEU, which will deliver its judgment in due course, the opinion of the AG in the Austrian Post case will be welcomed by data controllers and processers as signalling that compensation may not be payable for mere infringements of the GDPR or for non-material damage of a minor or trivial nature arising from breaches of the GDPR.

If the CJEU follows the opinion of the AG, a question will still remain for the Irish courts as to what it considers constitutes non-material damage above a de minimis threshold. While this opinion provides welcome clarification, there is still some distance to go in terms of ascertaining exactly what damage will be eligible for compensation under the GDPR in Ireland and the level of compensation such claims are likely to attract.

Also contributed to by Louise Mitchell


  1. Cases   C-667/21;  C-687/21;  C-741/21;  C-182/22;  C-189/22
  2. Case C-340/21
  3. [2023] IECC 1
  4. [2021] 3 WLR 1268]
  5. [2021] EWHC 2809 (QB)

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.