CJEU Determines that a Mere Infringement of the GDPR is not Sufficient to Require Compensation

On
May
4,
2023,
the
Court
of
Justice
of
the
European
Union
(“CJEU”)
issued
a

judgment
in
the
Österreichische
Post
case
(C-300/21).
In
the
decision,
the
CJEU
clarified
that
a
mere
infringement
of
the
EU
General
Data
Protection
Regulation
(“GDPR”)
is
not
sufficient
to
give
data
subjects
the
right
to
receive
compensation
under
Article
82
of
the
GDPR.
Article
82
provides
that

“any
person
who
has
suffered
material
or
non-material
damage
as
a
result
of
an
infringement
of
this
Regulation
shall
have
the
right
to
receive
compensation
from
the
controller
or
processor
for
the
damage
suffered.”

Background

The
case
dates
back
to
2017
when
the
Austrian
Post
(“Österreichische
Post”)
collected
data
relating
to
the
political
affinities
of
Austrian
residents.
In
particular,
the
Austrian
Post
used
an
algorithm
to
define
“target
group
addresses”
based
on
selected
socio-demographic
features,
and
classified
individuals
into
target
groups.
The
data
was
subsequently
sold
to
various
organizations
to
enable
them
to
send
targeted
advertising
in
relation
to
political
elections.

One
individual
filed
a
complaint
relating
to
this
practice
and
claimed
€1,000
in
non-material
damage.

The
CJEU
Decision

According
to
the
CJEU,
a
broad
interpretation
of
the
GDPR
provision
regarding
the
right
to
compensation
would
be
contrary
to
the
text
of
the
law.
The
CJEU
highlighted
that
compensation
is
required
only
when
three
conditions
are
met:
(1)
personal
data
is
processed
in
a
manner
that
infringes
the
GDPR;
(2)
the
data
subject
suffered
damage;
and
(3)
there
is
a
causal
link
between
the
unlawful
processing
and
the
damage
suffered.

The
CJEU
also
rejected
the
proposition
of
a
required
minimum
threshold
to
award
compensation
for
non-material
damage
under
the
GDPR.
Instead,
the
CJEU
found
that
the
GDPR
requires
“full
and
effective
compensation
for
the
damage”
and
that
establishing
a
minimum
threshold
would
risk
undermining
the
coherent
application
of
the
GDPR.

Finally,
the
CJEU
confirmed
that,
in
the
absence
of
rules
in
the
GDPR
on
the
assessment
of
damages,
the
matter
should
be
regulated
at
the
EU
Member
States
level,
including,
in
particular,
“the
criteria
for
determining
the
extent
of
the
compensation
payable
in
that
context,
subject
to
compliance
with
[the]
principles
of
equivalence
and
effectiveness.”

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts