We are mostly informed from time to time about the GDPR fines imposed by supervisory authorities on different companies for non compliance. However GDPR also provides that a data subject may claim compensation on account of GDPR data breach through an action in the Court.
In this connection it is interesting for academic students of GDPR to follow the recent cases in Germany.
Article 82 of GDPR states:
Article 82: Right to compensation and liability
1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).
One of the issues that arise in implementing this provision is whether the data subject entitled to compensation even if they have not suffered any kind of material damage?
In 2019 a case had been filed by a customer of an organization who had received a marketing mail from a data controller claiming a compensation of EUR 500, in the Gulsar Local Court. The Magistrate Court rejected the claim ruing that he failed to show suffering of any relevant damage from the unsolicited email that met the “Minimal threshold of impairment”.
The complainant later made a complaint with the Constitutional Court arguing that the Magistrate Court had wrongly applied its own interpretation of the law rather than referring to the ECJ the question of whether it is necessary to meet a de minimis threshold of impairment to be entitled to compensation of non-material damages under Article 82 GDPR.
The FCC (Federal Constitutional Court) agreed with Plaintiff, ruling that the Magistrate Court was indeed obliged to turn to the ECJ in accordance with Article 267 para. 3 TFEU. The FCC found, whenever a question of EU law arises in a proceeding to be decided by the national court unless (i) the court has determined that the question is not relevant to the decision, (ii) the provision in question has already been interpreted by the ECJ , or (iii) the correct application of the law is so obvious that there is no room for reasonable doubt .
The FCC referred the matter to the Magistrate Court, which is to hear it once again and is to decide on it, in particular on the referral to the ECJ.
On 14th January 2021, the Constitutional Court of Germany held that the question has to be referred to the European Court of Justice. (Refer here)
In case the EUCJ holds that it is not essential for the data subject to prove suffering of a quantifiable damage to make claim of compensation, it is expected that there would be a flood of litigations from the public whenever a data breach occurs. The “Data Subject Compensation Risk” would be additional to the risk of penalty to be imposed by the supervisory authorities and will be an additional burden to the industry though it could be covered by an insurance policy.
In the meantime, there was another Regional Court of Munich order related to Scalable Capital which was ordered to pay non material damages of EUR 2500 to a data subject. (Refer here) The data breach through a cyber attack had been reported to the data subject on 19.10.2020. A total of 389,000 records of 33200 affected persons had been breached in this incident. Because data subject feared for identity theft and other fraud, they brought the action before Court and claimed compensation.
In this case of appeal against the compensation granted by the lower Court, the personal information of the customers had been transferred to a data processor whose contract had been terminated at the end of 2015. The company assumed that the data had been deleted but not verified it. The credentials of the data processor was used by the hackers for the attack.
The Court held that , when assessing the amount of the non-material damages, it must be taken into account that the data in dispute has obviously not yet been misused, at least not to the detriment of the plaintiff, and therefore at most a more or less high risk can be assumed. However, the deterrent effect of the damages intended by the legislator must also be taken into account – as mentioned above. Weighing up all these aspects, the court considers (non-material) damages in the amount of 2,500 euros to be appropriate.
It appears that in this case the need for ECJ reference was not insisted for certain technical reasons. The Court said in this reference
“Insofar as the defendant believes that a preliminary ruling by the ECJ is mandatory, which was recently established by the BVerfG, decision of 14.1.2021 – 1 BvR 2853/19, it overlooks Article 267 (3) TFEU.* Whereas in the facts underlying the aforementioned decision, neither the appeal complaint had been reached nor the Local Court had allowed the appeal, this is undoubtedly given in the present case (cf. section 511 (1), (2) no. 1 of the Code of Civil Procedure), so that no decision of last instance is given.”(Decision published on 21.12.2021”
(Comments are welcome)
Naavi
- Article 267(ex Article 234 TEC)
The Court of Justice of the European Union shall have jurisdiction to give preliminary rulings concerning:
(a) the interpretation of the Treaties;
(b) the validity and interpretation of acts of the institutions, bodies, offices or agencies of the Union;
Where such a question is raised before any court or tribunal of a Member State, that court or tribunal may, if it considers that a decision on the question is necessary to enable it to give judgment, request the Court to give a ruling thereon.
Where any such question is raised in a case pending before a court or tribunal of a Member State against whose decisions there is no judicial remedy under national law, that court or tribunal shall bring the matter before the Court.
If such a question is raised in a case pending before a court or tribunal of a Member State with regard to a person in custody, the Court of Justice of the European Union shall act with the minimum of delay.
Reference:
