Not every infringement of the EU GDPR automatically grants data subjects the right to compensation under Article 82. That is the key takeaway of a decision dated 4 May 2023 of the Court of Justice of the European Union (CJEU) (Österreichische Post case, C-300/21).
The CJEU concluded that in order to obtain compensation, the following is required: (i) there must be a violation of the GDPR, (ii) it must be proven that the infringement of the EU GDPR has resulted in harm to the data subject and (iii) there must be a causal relationship between the infringement and the harm endured. While the data subject must prove that harm has occurred, the EU GDPR does not require the data subject to demonstrate that the harm exceeded a particular level of seriousness before compensation can be claimed.
Background
Starting in 2017, the Österreichische Post collected data on the political affinities of the Austrian population by using an algorithm to define “target group addresses”. These addresses were then sold to different political organizations to enable them to send targeted advertisements. The data subject, who did not consent to the processing of his personal data, was offended by the idea that was associated with one particular party and claimed that the retention of data pertaining to his supposed political views caused him to experience significant emotional distress, loss of trust, and a sense of vulnerability.
The data subject’s initial claim of EUR 1,000 was refused by the Regional Court for Civil Matters in Vienna, Austria on 14 July 2020. On 9 December 2020, the Higher Regional Court in Vienna confirmed this decision and stated that a violation of data protection law only gives rise to a right to compensation where such damage reaches a certain “threshold of seriousness”, which had not been the case at hand. Both parties appealed this decision. The Austrian Supreme Court then opted to suspend the proceedings and referred a set of questions to the CJEU for a preliminary ruling.
CJEU’s Reasoning
The takeaway of this decision is that not every infringement of the EU GDPR automatically leads to a right to compensation. Potential practical implications After this decision, it will be harder for data subjects to obtain compensation following GDPR violations – including following a cybersecurity incident. Plaintiffs will need to prove the harm suffered and that it was caused by those violations.
