Mass EU Privacy Litigation May Be Imminent After GDPR Case

The European Court of Justice's decision on May 4 in UI v. Österreichische Post AG was highly anticipated since it is the first time that the European Union's highest court has revealed its view on the interpretation of Article 82 of the General Data Protection Regulation.

This article was originally published in Law 360 on Wednesday 28 June, and is available here.

The question of under what circumstances an infringement of the rules set out for the handling of personal data under the GDPR gives rise to damage claims for the affected individual is among the most debated issues in EU data privacy law.

Article 82 of the GDPR, which is directly applicable law in all member states, provides that "any person who has suffered material or non-material damage as a result of an infringement of [the GDPR] shall have the right to receive compensation from the controller or processor for the damage suffered."

During the first years of the application of the GDPR, the interpretation of this rule by the courts quickly became quite fractured.

Where some courts even declined damage claims after serious data breaches, e.g., the Frankfurt/Main Regional Court's decision on Jan. 18, 2021,[1] denying claims after the MasterCard Inc. "priceless specials" breach, other courts awarded nonmaterial damages even for formal infringements of the GDPR, such as a delayed response to a data subject access request, e.g,. the Oldenburg Labor Court's decision on Feb. 9,[2] awarding €10,000 ($10,959) for a 20-month delay.

The judges who decided against claims under Article 82 of the GDPR often argued that the claimants failed to demonstrate that they actually suffered at least a nonmaterial damage as a result of the breach or found that the damages were not serious enough and therefore below the article's supposedly required de minimis threshold.

The judges who awarded damages mainly took the position that damage claims also need to have a dissuasive effect on the defendant and often also referenced the criteria for determining the amount of GDPR fines.

The latter argumentation naturally attracted the interest of claimant-side law firms, litigation funders and legal tech companies that saw the opportunity in data breach or privacy scandal scenarios to compile GDPR damage claims to process and enforce them in a cost-efficient way.

Several franchises have already started exploring how to commercialize GDPR damage claims.

In addition, the EU directive on representative actions for the protection of the collective interests of consumers, the Collective Redress Directive, which needed to be transposed into local law by the EU member states by June 25, provides consumer protection organizations and certain data privacy nongovernmental organizations with a mechanism for collective redress of GDPR damage claims.

The Austrian Post Decision and Its Consequences

In the present case, a private individual, or UI, sued the Austrian post operator for nonmaterial damages in amount of €1,000 for processing of personal data using an algorithm to determine political preferences. Such processing caused the claimant "great upset," a "loss of confidence" and a "feeling of exposure."

After the courts of first and second instance dismissed the claim, the Austrian Supreme Court referred the matter to the ECJ for a preliminary ruling.

The questions referred included whether a breach of the GDPR automatically gives rise to claims for damages, whether the assertion of nonmaterial damages requires a de minimis threshold to be reached, and whether there are specific requirements under EU law for assessing the amount of damages.

The ECJ concluded that a mere infringement of the GDPR is not sufficient to give rise to damage claims. Rather, the breach must also cause a respective damage.

On the other hand, the ECJ also stated that reaching a de minimis threshold is not a prerequisite for a claim for damages under Article 82 of the GDPR. Such a limitation would contradict the broad understanding of the term "damage" under the GDPR, which could potentially further fracture the case law among member states.

However, the court also emphasized that the lack of a de minimis threshold cannot be understood as meaning that a person alleging an infringement of the GDPR, which has had negative consequences for him or her, would be relieved of the need to demonstrate that those consequences constitute nonmaterial damage under Article 82 of the GDPR.

Finally, the ECJ ruled that it is up to the member state courts to determine the criteria for determining the amount of damage, provided that the national rules respect union law principles of equivalence and effectiveness.

The decisive factor is that the specific damage suffered is fully compensated. However, such compensation does not require awarding punitive damages.

The decision will have significant practical relevance and impact on future data privacy litigation, as this is the first time that the ECJ has dealt with the prerequisites and scope of the GDPR claim for damages.

The judges' findings provide a lot to pick from on both the claimant and the defendant side.

From a defendant's perspective, it is definitely positive that the ECJ didn't follow a "damage claim without actual damage" approach and made a clear statement against any consideration of punitive damages.

Looking at the judgment through the eyes of a claimant, the key takeaways are that awarding nonmaterial damages does not require a certain degree of seriousness and that member state courts need to ensure full and effective compensation for the damage suffered by the claimants.

Nevertheless, the defendant still has the chance to defend itself with the argument that the claimant failed to demonstrate that (1) there is an infringement of the GDPR as, for example, not every cyber incident qualifies as a breach of the GDPR, (2) the GDPR infringement does not have negative consequences of the claimants and (3) the negative consequences do not qualify as nonmaterial damage.

This also reveals the biggest weakness of the Austrian post decision: The ECJ missed the opportunity to flesh out what actually qualifies as nonmaterial damage in terms of Article 82 of the GDPR.

Apart from the reference to the required autonomous interpretation of the term under union law, the decision does not provide any further assistance.

In this respect, the question of what is only to be understood as a mere negatively perceived emotion and what qualifies as nonmaterial damage remains relevant in data breach litigation.

The existence of damage is, for example, difficult to imagine with regard to violations of formal obligations under the GDPR, including information or access obligations.

Impact on Future Data Breach Litigation

When it comes to data breach litigation in the form of damage claims after cyber incidents involving data exfiltration or scandals around misuse of personal data, the focus will need to shift to the questions around burden of proof and whether, and to what extent, the mere loss of control over personal data may constitute a nonmaterial damage for the affected individuals.

The Austrian post case is therefore only the starting point for understanding GDPR damage claims as it sets out the basic dogmatic rules. 

The next important ECJ decision to watch out for this year is VB v. Natsionalna agentsia za prihodite,[3] lodged on June 2, 2021, dealing with GDPR damage claims following a large-scale hacking attack against the Bulgarian national revenue agency.

The court will need to decide if unauthorized disclosure of, or access to, personal data by external threat actors is sufficient for the presumption that the technical and organizational security measures implemented by the breached organization were not appropriate.

The court will also need to decide on the scope of judicial review of security measures, the burden of proving that the technical and organizational measures implemented are appropriate, and questions around exemption from liability in the scenario of an external cyberattack.

Finally, the judges will get the chance to specify if the worries, fears and anxieties suffered by the affected individuals with regard to a potential misuse of personal data in the future fall per se within the concept of nonmaterial damage and entitle the claimants to compensation for damage where such misuse has not been established and/or the data subject has not suffered any further harm.

Meanwhile, data breach mass litigation is gaining traction.

In a series of test cases for nonmaterial compensation, robot adviser and fintech company Scalable Capital is currently dragged before the German civil courts following a 2020 cyber incident involving the loss of quite sensitive data such as customer financial information and ID and passport copies.

In two cases that cannot be appealed anymore, courts already have awarded the claimants with compensation for nonmaterial damages — €2,500 by the Regional Court of Munich I in a decision dated Dec. 9, 2021,[4] and €1,200 by the Regional Court of Cologne in a decision dated May 18, 2022.[5]

Taking into account that the Scalable Capital breach affected up to 33,200 customers, the risk exposure sums up mid to high two-digit million euro amounts.

In January, it became known that Mastercard decided to settle the "priceless" breach with a 2,000 claimants strong ground agreeing on the payment of €400 per claimant.

At the end of May, in a decision dated May 25, the Regional Court of Lübeck rendered the first member state court decision referencing the Austrian post decision.[6]

The court ordered Meta Platforms Inc., which operates Facebook, to pay compensation for nonmaterial damages in the amount of €500 per claimant for failure to implement technical security measured to prevent data scraping.

The court found that the loss of authority of the individual to decide in principle when and within what limits personal data are disclosed when data is scraped and traded by cybercriminals is sufficient to qualify as nonmaterial damage.

The decision is not final. Taking into account that Facebook has more than 30 million users in Germany alone, the potential risk exposure is way higher that in the Scalable Capital or MasterCard cases.

Even though the ECJ's decision in the Austrian post case has not yet opened the floodgates for data breach litigation across Europe, the court's position definitely has encouraged individuals to pursue private enforcement of alleged GDPR infringements.

At the moment, every data breach that becomes publicly known is followed by more or less substantiated claims for nonmaterial damages.

Against this background, claimant-side law firms, litigation funders and legal tech companies are currently lining up with varying business models to commercialize GDPR damage claims in scenarios with large numbers of affected individuals.

Where claimant-side law firms begin to aggressively market their breach litigation offerings, we also see legal tech companies setting up online platforms to broker potential claimants to these firms.

Other stakeholders are trying to compile GDPR damage claims for "synthetic" class actions by purchasing such claims from affected individuals who then assign the claim to the institutional claimant.

This model however has one crucial flaw: It is currently highly disputed in Germany whether claims for nonmaterial under Article 82 of the GDPR can actually be assigned or whether they can only be asserted by the affected individuals themselves due to the highly personal nature of such claims.

Once the Collective Redress Directive is transposed into local law by the EU member states, consumer protection organizations and data privacy nongovernmental organizations may also join the private enforcement of the GDPR — depending on the respective member stated — based on opt-in or opt-out class actions models.

GDPR damage claims are generally covered by the Collective Redress Directive as far as consumer personal data is affected.

Whether claims for nonmaterial damages may be suitable for collective redress remains to be seen since such claims may be too individual for a class action.

Regardless, the stage for data privacy mass litigation across the EU is set. The success of such attempts will depend on how the member state courts will interpret the ECJ's Austrian post decision and the soon-to-be rendered decision in the Natsionalna agentsia za prihodite case.