Key CJEU rulings on non-material damages
CJEU case law has had a noteworthy influence on the Dutch legal framework regarding non-material damages. In particular, the following five notable cases have significantly impacted the interpretation of such damages:
Case C-300/2021 Österreichische Post underlined the three cumulative criteria for compensation payable for non-material damages suffered by data subjects: (1) a breach of the GDPR, (2) a damage suffered, and (3) a causal link requiring the damage to have been caused by the breach. Importantly, the CJEU rejected the notion that damages needed to meet or exceed a threshold of seriousness. Instead, the CJEU emphasized that any non-material damage, once proven, justifies compensation. If you would like to read more about this groundbreaking judgment of the CJEU, you can consult our earlier blogpost.
In case C-340/2021 Natsionalna agentsia za prihodite, the CJEU significantly expanded the scope of "non-material damage" under the GDPR, as it considered that the fear of possible future misuse of personal data, could qualify as a compensable harm. Further elaborating on the Österreichische Post case, the CJEU noted that the GDPR's text does not explicitly exclude the fear of future misuse of personal data from the definition of "non-material damage”. Nevertheless, individuals claiming such non-material damages must substantiate their claims by demonstrating that their fear is well-founded, based on the specifics of the case and the nature of the data involved.
In case C-456/22 VX, AT v. Gemeinde Ummendorf, the CJEU noted that the concept of “non-material damage” within Article 82(1) GDPR is given a definition that is specific to EU law and independent of Member States' national legislation. This ensures a consistent application of the GDPR across the EU, and emphasizes that non-material damages do not require reaching a specific severity level to be compensable, as such a practice would be incompatible with GDPR’s objective to provide a high level of protection to individuals regarding personal data processing, as it could undermine the uniformity and effectiveness of this protection. Despite rejecting the “de minimis threshold,” the CJEU reiterated that individuals claiming non-material damages must still demonstrate that they have suffered actual harm as a consequence of a GDPR infringement.
In case C-667/21 ZQ v. Medizinischer Dienst, the CJEU clarified that Article 82(1) of the GDPR establishes a fault-based liability regime. While liability under Article 82(1) of the GDPR requires a violation of the GDPR, the occurrence of damage, and a causal link between the violation and the damage, the CJEU stated that, although the responsibility of the data controller or processor is contingent upon the existence of fault, the severity of this fault does not need to be considered when calculating compensation for moral damages. However, the CJEU stressed that the right to compensation under Article 82 of the GDPR serves a compensatory, and not a punitive, function. Damages awarded under this provision should therefore fully cover the actual harm suffered from the GDPR violation, without extending to punitive or dissuasive amounts.
In case C 741/21 GP v. juris GmbH, the CJEU reiterated several of its earlier considerations regarding the necessity of a causal link between a GDPR infringement and compensation for damages, as well as rejecting any severity threshold for damages (under both EU or national laws). What is noteworthy in this case is that the CJEU elaborated on a loss of control over personal data as a result of a data breach damage, as described in Recital 85 GDPR. According to the CJEU, that this type of damage does constitute non-material damages under Article 82(1) GDPR, provided the data subject can convincingly demonstrate that such loss of control occurred and was a result of a GDPR infringement. The CJEU noted that under Article 82 GDPR, a controller is, in principle, liable for damages caused by processing that infringes the GDPR, unless the controller can prove they were not responsible for the event causing the damage. In that respect, it stated that merely showing that an employee (or person acting under the authority of the controller) failed to follow instructions, leading to the damage, is not sufficient for the controller to be exempted from liability.
The Dutch Perspective: Adapting to European Jurisprudence
In the context of GDPR violations, Dutch courts have been proactive in integrating the notion of non-material damages into their legal framework and have been influenced by jurisprudence of the CJEU.
Establishing Groundwork Pre-CJEU Influence:
Cases before the Amsterdam and Noord-Nederland District Courts (ECLI:NL:RBAMS:2019:6490 and ECLI:NL:RBNNE:2020:247) illustrate a liberal interpretation of "damage" and the entitlement to comprehensive compensation, aligning with the GDPR's overarching goals.
In the case before the Amsterdam District Court (ECLI:NL:RBAMS:2019:6490) the dispute arose when UWV (Employee Insurance Agency) sent a notification letter about the claimant's long-term illness to her new employer without her consent. This information was deemed sensitive personal data and the sending of the letter was considered a violation of the GDPR, as it lacked the claimant's permission and potentially led to serious adverse effects for her. The court, following Article 82 GDPR and Recital 146 GDPR, considered that individuals are entitled to receive full and effective compensation for the damage suffered. Importantly, in this case, the court read Article 82 GDPR in conjunction with Article 6:106(1.b) Dutch Civil Code to interpret the notion of non-material damages. It was determined that the claimant had indeed suffered non-material damages due to the unauthorized disclosure of her health status, leading to a compensation award of €250, along with interest.
In case before the Noord-Nederland District Court (ECLI:NL:RBNNE:2020:247), the District Court ruled that wrongful disclosure of personal data warrants compensation for non-material harm. The court held that its decision aligns with Article 82 GDPR and Recital 146 GDPR, which advocate for a broad interpretation of “damage” to include psychological distress or other negative effects resulting from privacy breaches. Similarly, to the case above, the court read Article 82 GDPR in conjunction with Article 6:106(1.b) Dutch Civil Code. The court found that the individual impacted by the unauthorized data disclosure suffered a violation of their privacy rights. However, it also considered the limited scope of the breach (from one employee to a third party) and the absence of broader distribution or specific negative consequences to the claimant directly linked to this incident. In assessing the appropriate compensation for the non-material harm suffered, the court acknowledged the difficulty in precisely quantifying such damages, yet emphasized the importance of acknowledging the distress and potential reputational harm the affected party endured. Consequently, the court deemed a fixed amount of €250 as fair and reasonable compensation for the non-material damages, considering the nature of the privacy infringement and its impact on the individual’s personal and professional life.
Adapting to CJEU’s Post-rulings:
Judgments in more recent cases before two courts (ECLI:NL:RVS:2023:3130 and ECLI:NL:RBGEL:2023:5435) reflect the adoption of CJEU jurisprudence by the Dutch courts regarding non-material damages, emphasizing the necessity for full and effective compensation without setting arbitrary thresholds for damage severity.
In case ECLI:NL:RVS:2023:3130, the appellant argued that the municipal council unlawfully processed photos of his property because his consent for the use of the photos was limited to a 2012 property value assessment under the Dutch Property Valuation Act (WOZ) and did not cover or extend to subsequent uses. He claimed the right to compensation due to this alleged unauthorized use of the photos, which included the use of his property's images as a reference for assessing the value of other properties. The Administrative Jurisdiction Division of the Council of State (Raad van State) found that the decision by the municipal council to use the photos did not adequately assess whether the processing of the photos was lawful under the GDPR and the lawfulness of the further use of the photos was insufficiently investigated. This oversight led the Council of State to conclude that the municipal council’s decision on the appellant’s request for compensation for non-material damages was inadequately substantiated. Therefore, the Council of State overturned the lower court’s decision, declared the appellant’s appeal justified, and ordered the municipal council to reevaluate the appellant’s claim for non-material damages. Specifically, this re-evaluation should consider whether there was unlawful handling of the appellant’s personal data and, if so, to decide on the compensation request based on the applicable legal standards, explicitly referencing the ones set in the Österreichische Post decision of the CJEU.
With regard to case before the Gelderland District Court (ECLI:NL:RBGEL:2023:5435), the plaintiff (an alumnus of the university, who completed his education with some delay due to personal circumstances) sought compensation for the emotional impact and the breach of his privacy due to the unauthorized access and potential misuse of his sensitive data. With explicit reference to the CJEU’s definition of non-material damages in the Österreichische Post case, the District Court of Gelderland underlined the broad interpretation of “damage” under the GDPR and the necessity to prove a tangible impact on the individual’s personal integrity or privacy. The plaintiff described his emotional distress, loss of trust, and ongoing concerns about the misuse of his sensitive medical information, which had been shared with the university under assurances of confidentiality and security. The court awarded the plaintiff €300 in compensation for non-material damages, recognizing the significant emotional and privacy implications of the breach. The judgment also highlighted that while the exact use of the leaked data by the hacker was unclear, the mere access and potential dissemination of such sensitive information was sufficient to warrant compensation for non-material damages.
Conclusion & Final Remarks:
These decisions illustrate the way in which the Dutch judiciary makes use of the CJEU jurisprudence in refining the Dutch legal framework for assessing and awarding compensation for non-material damages suffered due to GDPR infringements in the Netherlands. It shows, in any event, that the outcome of the case highly depends on the circumstances of the case. This evolving jurisprudence also illustrates the ongoing complexity of quantifying non-material damages. A critical challenge highlighted in both EU and Dutch case law is the burden of proof on claimants to demonstrate the existence and extent of non-material damages. This requirement ensures that only substantiated claims lead to compensation, preventing potential abuses of the system. However, it also places a significant burden on individuals to quantify harms that are inherently difficult to measure, such as psychological distress or loss of privacy, especially where damages may still materialize in future. We expect that more litigation on GDPR infringements is yet to come. This also follows from the various GDPR/privacy related class actions on Article 82 GDPR currently pending in the Netherlands.