Privacy litigation in practice
Current developments on fines and compensation.
Recent judgments from the Court of Justice of the European Union (CJEU) have profoundly impacted the interpretation and enforcement of GDPR provisions, particularly regarding compensation for data protection infringements.
These rulings clarify some key aspects of liability, the burden of proof, and the conditions under which non-material damages can be claimed.
Understanding these developments is essential for managing privacy litigation risks effectively. For businesses, these decisions present both opportunities and risks: the opportunity to strengthen compliance and enhance trust with stakeholders, and the risk of significant financial penalties and reputational damage if GDPR obligations are not adequately met.
1. Current Case Law of the CJEU on Compensation
The landscape of privacy litigation has been significantly shaped by recent judgments from the CJEU.
These rulings provide critical insights into the interpretation of the GDPR, particularly concerning compensation for damages resulting from data protection infringements.
Case: Österreichische Post AG
The CJEU’s judgment on May 4, 2023, in the case of Österreichische Post AG, addresses the conditions under which compensation can be claimed for non-material damage under Article 82 GDPR. The case involved a legal dispute over the processing of political affinity data without consent, leading to targeted advertising. The court clarified that compensation requires three cumulative conditions:
- Infringement of the GDPR
- Damage (material or non-material)
- A causal link between the infringement and the damage
Notably, the CJEU emphasized that non-material damage need not reach a specific degree of seriousness to be compensable. However, claimants must still prove that the consequences of the GDPR infringement constitute non-material damage. This ruling highlights the principle that a mere infringement of GDPR provisions is insufficient for a compensation claim; a concrete demonstration of damage is required.
Case: NAP
In another significant judgment dated December 14, 2023, the CJEU ruled on a case involving the Bulgarian National Revenue Agency (NAP), following a cyberattack that exposed the personal data of over six million individuals. The court underscored that the GDPR's reference to "appropriate security" does not require the elimination of all risks but rather the implementation of a risk management system. The appropriateness of technical and organizational measures must be assessed on the basis of the likelihood and severity of the potential risks, taking into account the state of the art and the costs of implementation as well as the circumstances of the relevant processing; the mere fact that a third party gained unauthorized access does not by itself show that the measures were inappropriate. The CJEU also clarified that in compensation proceedings the burden of proof lies with the controller, which must demonstrate that its security measures were appropriate. At the same time, the decision underscores the importance of concrete, case-by-case assessments by the national courts, which makes it difficult to establish collective compensation claims without an individual examination of each claimant's situation.
Case: Gemeinde Ummendorf
On December 14, 2023, the CJEU addressed the issue of non-material damage thresholds in the Gemeinde Ummendorf case. Consistent with Österreichische Post, the court confirmed that non-material damage need not reach a certain degree of seriousness to be compensable, but it did not further elucidate the distinction between non-compensable negative consequences and compensable damage, emphasizing instead that claimants must still prove both the damage and a causal link between the infringement and that damage.
Case: MDK Nordrhein
The CJEU's ruling on December 21, 2023, in the MDK Nordrhein case involved compensation claims for the unlawful processing of health data. The court reiterated that compensation under Article 82 GDPR serves a purely compensatory function, not a punitive one. Liability is fault-based, but the burden of proof lies with the controller to demonstrate the absence of fault. Consequently, the severity of the infringement does not affect the amount of compensation; the decisive question remains whether the data subject can demonstrate and prove the prerequisites for the compensation claim, namely the infringement, the damage and the causal link between them.
Case: Media Markt
In the Media Markt case, ruled on January 25, 2024, the CJEU dealt with an accidental disclosure of personal data to an unauthorized third party. The court highlighted that such an incident does not automatically imply that the technical and organizational measures were inappropriate. It also held that a purely hypothetical risk of future misuse, where the third party has not actually taken note of the data, does not constitute compensable non-material damage.
Case: juris GmbH
On April 11, 2024, the CJEU addressed the liability of a controller for sending advertising emails despite the withdrawal of consent in the juris GmbH case. The court ruled that a controller seeking exemption from liability under Article 82(3) GDPR must demonstrate that it is in no way responsible for the event giving rise to the damage. It is not sufficient for the controller to merely prove that it issued instructions to a person acting under its authority pursuant to Article 29 GDPR and that those instructions were not followed, resulting in the damage.
2. Current Case Law of the CJEU on Fines
Case: Lithuanian National Centre for Public Health
The CJEU's judgment on December 5, 2023, in the case against the Lithuanian National Centre for Public Health highlights the conditions for imposing fines under the GDPR. The court held that a fine may be imposed only for an intentional or negligent infringement, and that a controller may be liable for processing activities carried out by a processor on its behalf as long as that processing remains within the scope set by the controller.
Case: Deutsche Wohnen SE
In another judgment on December 5, 2023, involving Deutsche Wohnen SE, the CJEU addressed fines for failure to comply with deletion obligations. The court ruled that a fine may be imposed directly on a legal person without attributing the infringement to a specific natural person, while confirming that the infringement must have been committed intentionally or negligently; in calculating the fine, the concept of an "undertaking" is to be understood as in antitrust case law.
3. Practical Implications and Outlook
These CJEU rulings have significant implications for privacy litigation and enforcement practice. Controllers and processors must be vigilant in implementing and documenting appropriate technical and organizational measures to mitigate risks and ensure compliance with the GDPR. The allocation of the burden of proof in compensation claims and the stringent requirements for demonstrating an exemption from liability highlight the critical importance of proactive data protection strategies.
The rulings also underscore the non-punitive nature of compensation under the GDPR, which focuses on fully compensating the damage actually suffered. This principle requires a careful evaluation of each claim to establish the damage and the causal link between the GDPR infringement and that damage. In the context of fines, the CJEU's alignment with antitrust case law, in particular the turnover-based concept of an undertaking, points towards stringent enforcement and potentially higher fines for GDPR violations. Controllers must therefore ensure robust data protection practices and maintain comprehensive records in order to demonstrate compliance and mitigate legal risk. These developments underscore the evolving nature of data protection law and the increasing importance of adhering to GDPR principles. Legal practitioners must stay abreast of these changes to navigate the complexities of privacy litigation effectively and to advise on best practices for compliance and risk management.
Status of the text is May 2024.