Österreichische Post AG: Another nail in the coffin of class actions under the GDPR?
Browse this blog post
In 2021, the UK Supreme Court rejected the proposition that compensation for a data breach was payable for infringement without proof of damage. This was the Lloyd v Google case and, as we previously reported, it was greeted with a sigh of relief by data controllers and seen as a big blow to data breach class actions in England. However, the Lloyd case was decided by English courts, in relative post-Brexit isolation and based upon the old 1995 Directive 95/46/EC. Fast-forward one year on and the Court of Justice of the European Union is now considering a similar issue, but this time under the GDPR.
From 2017, the Austrian postal service (Österreichische Post) used an algorithm to determine whether individuals had an affinity to a particular political party, based on certain socio-demographic features of their address information. One individual claimed compensation under the GDPR on the basis that the conduct of the postal service caused him great upset, and that the political affinity attributed to him was insulting and shameful as well as extremely damaging to his reputation.
The claim was dismissed by the Austrian courts at first instance and on appeal, prompting the Austrian Supreme Court to refer a number of questions on the matter to the Court of Justice for clarification including:
- Is mere infringement of the GDPR itself sufficient for an award of compensation, or must the individual have suffered harm?
- Is it compatible with EU law to take the view that, to award compensation for “non-material damage” under the GDPR, the damage must go beyond the upset caused to the individual caused by an infringement?
The Advocate General has now issued his opinion which will be taken into account by the Court of Justice when its responds to the Austrian Supreme Court. Whilst not yet a binding view, there are a number of key findings coming out of the opinion that will be welcomed by organisations across the EU dealing with compensation claims under the GDPR.
No compensation without damage
The Advocate General found that infringement of the GDPR alone does not give rise to the payment of compensation. In particular, he concluded that:
- The individual must have suffered damage as a result of the infringement to trigger compensation.
- There is no presumption of damage having occurred as a result of a breach of the GDPR. The GDPR’s objective is not to grant data subjects control over their personal data as a right in itself, nor is its aim to limit the processing of personal data or to increase an individual’s control over their personal data. Rather, the aim of the GDPR is to legitimise processing under strict conditions and a loss of control of personal data by the controller will not itself amount to damage that is eligible for compensation.
- Whilst member states may separately legislate for the award of punitive damages, these are not contemplated under the GDPR compensation mechanism. The Advocate General noted that the primary aim of civil liability established by the GDPR is to give the data subject “full and effective” compensation for damage suffered. By comparison, the punitive functions of the GDPR enable supervisory authorities and member states to levy fines and other penalties on organisations who are in breach. Whilst there is no reference in the GDPR to compensation levels acting as a deterrent, deterrence is considered an important feature of criminal penalties and administrative fines under the GDPR.
- Reparation for non-material damage may include components other than merely financial compensation, such as the controller recognising that the infringement occurred, giving some moral satisfaction to the applicant.
When is distress damaging?
One key question not referred to in the Lloyd case is how do you determine what amounts to non-material damage under the GDPR. Helpfully, the Advocate General is of the view that non-material damage requires a claimant to demonstrate more than mere "upset". The presence of vague, fleeting feelings or emotions are not intended to be protected by the compensation scheme, but rather data subjects have other rights and remedies under the GDPR that may provide some redress.
Unhelpfully (but predictably), the Advocate General stopped short of giving a view as to whether the individual in the Austrian case was more than merely upset, instead suggesting that the task of determining whether subjective feelings of displeasure are sufficient to amount to non-material damage falls to the national courts of Member States.
There is of course a fine line between "mere upset" (which is not eligible for compensation) and "genuine non-material damage" (which is eligible for compensation), and this will remain a key focus of disputes in the future.
A harm-onised approach?
The (three-five judge) jury is still out on the Österreichische Post case as we now await the formal decision of the Court of Justice.
However, the Advocate General’s opinion, if followed by the court, provides further certainty and comfort for organisations dealing with compensation claims under the GDPR. Whilst routed in legal analysis, the opinion demonstrates a harm-based approach to GDPR interpretation, and a welcome development for organisations assessing the risk associated with their GDPR compliance programmes.
A harm-based analysis is consistent with the approach been taken by certain supervisory authorities such as the ICO, who, as part of its ICO 25 plan, is taking a more focussed approach to its work, prioritising areas of greatest harm and risk to individuals ‘to ensure enforcement action makes a real difference to people’s lives’.
By contrast, rights organisations and campaigners, including Max Schrems, have expressed concern about the impact of the Advocate General’s opinion. The European consumer rights organisation, the BEUC, has called the opinion “troubling” and suggested that, if followed, “it would hamper the possibilities to seek compensation when an individual has suffered non-material damages, such as reputational damage and emotional distress.”
Nonetheless, whilst we must be careful not to get too ahead of ourselves, this opinion does provide some optimism, for potential defendants, that frivolous claims, as well as opt-out class actions, are much more likely to fail in the absence of damage that goes beyond mere upset.
Watch this space!