UK & Europe
Regulation (EU) 2016/679 – also known as General Data Protection Regulation (‘GDPR‘) – provides for material and non-material damage claims in case of an infringement of said Regulation. After the GDPR became enforceable in 2018, these damage claims have been quite dormant for a while – the focus was rather on regulatory enforcement and in particular administrative fines. When affected individuals (the so-called ‚data subjects‘) went to court it was mainly to enforce data subject rights such as access to or erasure of personal data. In Germany it seems that this is about to change since courts become more and more generous when awarding non-material damages. This again has triggered the interest of a ‘claimant industry’ consisting of specialized claimant-side law firms, litigation funders and legal tech companies.
Damage claims under the GDPR
Article 82(1) GDPR – which is directly applicable in all EU member states – provides any person who has suffered a material or non-material damage because of an infringement of the GDPR with a claim for compensation from the controller (see Article 4(7) GDPR) or processor (see Article 4(8) GDPR) for the damage suffered. While there are sound systematical arguments that ‘any person’ in this context is actually limited to data subjects, it can currently not be excluded that courts will actually interpret it in a broader sense also included other natural or legal persons. This could for example include damage claims by a controller against its processor or even sub-processor with whom the controller doesn’t even have a contractual relationship. For this overview, the focus will however be on damage claims brought against controllers and processors by data subjects.
Looking at the wording of Article 82(1) GDPR the requirements for a damage claim seem to be quite simple:
But this is only the first glance: the question whether awarding compensation under Article 82 GDPR requires, in addition to a GDPR infringement, that the claimant has suffered a damage, or whether the infringement of provisions of the GDPR itself sufficient for a compensation, is already pending with the Court of Justice of the European Union (‘CJEU’) after a referral for preliminary ruling by the Supreme Court of Justice (Oberster Gerichtshof – ‘OGH’) of the Republic of Austria (OGH, decision dated 14 April 2021, case number 6 Ob 35/21x).
Where a controller is generally liable for any type of GDPR infringement, the processor’s liability is per se limited to processor damage caused by processing where it has not complied with obligations specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller (see Article 82(2) GDPR). An additional burden for the defendant is Article 82(3) GDPR. provides for an additional burden for a defendant as this provision states that a controller or processor shall be exempt from liability only if it proves that it is not in any way responsible for the event giving rise to the damage. German courts currently interpret Article 82(3) GDPR that the reversed burden of proof only applies to causality and fault, not to the questions whether there is a GDPR infringement or a damage suffered (e. g. Local Court [Amtsgericht – ‘AG’] Frankfurt/Main, decision dated 10 July 2020, case number 385 C 155/19 (70). The latter becomes important when looking at how to determine non-material damages.
Non-material damages and how to calculate them
Material damages in terms of Article 82 can be determined relatively easily and cover financial loss (e. g. because a credit hasn’t been granted or granted due to wrong credit data or an employment contract gets terminated due an inadmissible internal investigation), compensation for bodily harm (e. g. caused by a cyber attack on a hospital) and reimbursement for legal fees when data subject rights are not complied with in due time (see Regional Court [Landgericht – ‘LG’] Wuppertal, decision dated 29 March 2019, case number 17 O 178/18). The question how to determine and calculate non-material damages on the other hand, is one of the current unknowns of the GDPR. Multiple, very important questions in this regard are already pending with the CJEU.
The OGH has asked the court the following additional questions in the aforementioned referral:
The German Federal Labour Court (Bundesarbeitsgericht – ‘BAG’) wants to know, if damage claims under Article 82 GDPR have a preventive character which needs to be taken in to account when determining the amount of non-material damages to be awarded and whether the degree of fault of the defendant needs to be factored in (BAG, decision dated 26 August 2021, case number 8 AZR 253/20 (A)). Bulgarias highest administrative court Varhoven administrativen sad has referred several data breach-related questions to the CJEU (CJEU case number C-340/21 – Natsionalna agentsia za prihodite), inter alia:
“Is Article 82(1) and (2) [GDPR], read in conjunction with recitals 85 and 146 [of the GDPR], to be interpreted as meaning that, in a case such as the present one, involving a personal data breach consisting in unauthorised access to, and dissemination of, personal data by means of a ‘hacking attack’, the worries, fears and anxieties suffered by the data subject with regard to a possible misuse of personal data in the future fall per se within the concept of non-material damage, which is to be interpreted broadly, and entitle him or her to compensation for damage where such misuse has not been established and/or the data subject has not suffered any further harm?”
In addition, two other German courts have referred questions regarding the interpretation of Article 82 GDPR to the CJEU (LG Saarbrücken, decision dated 22 November 2021, case number 5 O 151/19 and AG Hagen, decision dated 11 October 2021, CJEU case number C-687/21 – Saturn Electro).
With more than 40 decisions on Article 82 GDPR as of now, the case law in Germany can only be described as fractured at the moment. Multiple courts have refused to award damages even after a data breach with the arguments that (a) the claimant wasn’t able to demonstrate a respective damage going beyond mere subjective discomfort without any objectively measurable impact and/or (b) that the GDPR does not provide for punitive damages (e. g. AG Frankfurt/Main, decision dated 10 July 2020, case number 385 C 155/19 (70) – Marriott/Starwood breach; LG Frankfurt/Main, decision dated 18 January 2021, case number 2-30 O 147/20 – Mastercard Priceless breach; LG Cologne, decision dated 7 October 2020, case number 28 O 71/20 – accidental disclosure of bank account record to third party). Other courts tend to award non-material damages for formal non-compliance with the GDPR such as delayed and incomplete response to a data subject access request (e. g. Labour Court [Arbeitsgericht – ‘ArbG’] Düsseldorf, decision dated 5 March 2020, case number 9 Ca 6557/18: € 500 per month for the first two month, € 1,000 for each further month, € 500 for each missing category of information – total of € 5,000; Regional Labour Court [Landesarbeitsgericht – ‘LAG’], decision dated 11 May 2021, case number 6 Sa 1260/20: € 1,000; ArbG Neumünster, decision dated 11. August 2020, case number 1 Ca 247 c/20: € 500 per month – total of € 1,500) or minor nuisance such as one unsolicited marketing email (AG Pfaffenhofen/Ilm, decision dated 9 September 2021, case number 2 C 133/21 - € 500). In a recent decision, the LG Munich I awarded € 2,500 in non-material damages to a claimant who was affected by a data breach (decision dated 9 December 2021, case number 31 O 16606/20). This case is even more interesting when taking into account that the claimant was back by one of the litigation funders and seems to be a test case for more litigation to come. Multiple German courts, in particular labour law courts, have awarded non-material damages in the range of a few hundred to several thousand Euros not only after inadmissible disclosure of personal data (LAG Köln, decision dated 14 September 2020, case number 2 Sa 358/20 – failure to remove professional CV from website after end of employment: € 300; AG Hildesheim, decision dated 5 October 2020, case number 43 C 145/19: € 800 for reselling unwiped PC; LG Darmstadt, decision dated 26 May 2020, case number 13 O 244/19: € 1,000 for accidentally disclosing candidate data to another applicant; LG Lüneburg, decision dated 14 July 2020, case number 9 O 145/19: € 1,000 for unauthorized report to credit reference agency; ArbG Dresden, decision dated 26 August 2020, case number 13 Ca 1046/20: € 1,500 for unauthorized disclosure of health data; AG Pforzheim, decision dated 25 March 2020, case number 13 C 160/19: € 4,000 for unauthorized disclosure of very sensitive health data; ArbG Münster, decision dated 25 March 2021, case number 3 Ca 391/20: € 5.000 for unauthorized publication of employee photo containing special categories of personal data in the form of skin colour). Whether and to what extent non-material damages will be determined and calculated in a more consistent way in the future heavily depends on the outcome of the aforementioned pending CJEU cases.
Looking at the UK, the Supreme Court decided in the case Lloyd v Google LLC where the claimant sued for £ 3 billion in damages (£ 750 per affected data subject, 4 million Apple iPhone users affected by Google’s alleged unauthorized collection of Safari browser information) that damages for data privacy infringements require a “damage” in terms of “material damage (such as financial loss) or mental distress distinct from, and caused by, unlawful processing of personal data in contravention of the [Data Protection Act 1998], and not to such unlawful processing itself” (decision dated 10 November 2021, case number UKSC 2019/0213). That said, in the UK damages cannot be awarded to individuals for the mere loss of control of their data, if the loss of control does not result in material damage or mental distress. It remains to be seen whether the CJEU will take a similar approach when deciding on Article 82 GDPR. The LG Munich I has already indicated that a mere loss of control over personal data may result in non-material damages.
A scenario for mass litigation?
Since – except for serious cases of GDPR infringements – claims for non-material damages under Article 82 GDPR are rather in the range of three- to low four-digit amounts per case in Germany, individual enforcement is not very effective. Like air passenger or tenant rights claims, a scenario where small claims meet a potentially large number of potential claimants (e. g. after a data breach, data scandals relating to misuse of a large number of employee or customer data or after large bulks of marketing emails have been sent without proper consent), naturally attracts institutional claimants trying to compile such claims to process them in a cost-efficient way using legal tech and to put pressure on the defendant to settle. Several franchises have already started exploring how to commercialize GDPR damage claims, including legal tech company RightNow.
Since German law does not provide for a proper class action mechanism comparable to those know for example under UK or US law, such commercialization of GDPR damage claims is not that simple. The so-called Model Declaratory Action (Musterfeststellungsklage) is not very suitable since (a) only non-profit organizations (e. g. consumer protection organizations) can initiate such action and (b) it is not aimed at awarding payments, but rather at deciding about the factual or legal requirements for a claim or legal relationship. Furthermore, it is currently highly disputed whether and to what extent the Model Declaratory Action is compatible with the requirements for exercising the right to receive compensation under Article 82 GDPR on behalf of a data subject as set out in Article 80(1) GDPR. Therefore, even consumer protection organizations currently refrain from using the Model Declaratory Action in connection with GDPR damages and are waiting for the outcome of CJEU case Facebook Ireland (C-319/20).
That said, institutional claimants currently try to compile GDPR damage claims for a ‘synthetic’ class action by purchasing such claims from affected data subjects who then assign the claim to the institutional claimant. This model however has one crucial flaw: it is currently highly disputed in Germany whether claims for non-material damages (which are the claims the institutional claimants ae preying on) under Article 82 GDPR can actually be assigned. In 2020, the AG Hannover (decision dated 9 March 2020, case number 531 C 10952/19) decided that claims for non-material damages under Article 82 GDPR are personal in nature and consequently cannot be assigned:
“The plaintiff is not authorized to assert any claims of his wife pursuant to Article 82(1) GDPR on the basis of assigned rights. Insofar as claims for compensation for non-material damage are asserted by way of assignment by third parties, there is - due to the lack of transferability of this highly personal claim - no active legitimation, Spittka, GRUR-Prax 2019, 475, 477.“
In a recent decision the LG Essen came to a contrary conclusion and found that claims for non-material damages can be assigned like any other claim (decision dated 23 September 2021, case number 6 O 190/21). It needs to be said that the court did not explain its reasoning very well and didn’t even reflect the AG Hannover’s position. Nevertheless, if the position of the LG Essen became the prevailing opinion, the floodgates for Article 82 GDPR mass litigation would be wide open and we would potentially see Diesel-like civil actions after every larger data breach or data scandal. As data privacy litigation has been identified as a quite lucrative market by specialized claimant-side law firms, litigation funders and legal tech companies in Germany, in particular due to the recent spike in cyber-attacks on companies and other organizations, it is very likely that the decision by the LG Essen will fuel further attempts to commercialize Article 82 GDPR. It remains to be seen what position other German courts and at the end of the day the CJEU will take. A low – or even no – threshold for awarding compensation for non-material damages combined with free assignability of such claims would be the perfect storm from a defendant’s perspective which could even put GDPR fines in the shade. Imagine € 300 for one unsolicited marketing email and a batch of 100,000 recipients or a data breach affecting 150,000 or more data subjects with individual damage claims of € 2,500…