Starting in 2017, Austrian Post sold sensitive customer data, including party affiliation, of 2.2 million citizens to an address trader. The data was used to send targeted election advertising. This was done without informing the data subjects and without their consent.
After the data trade became public in 2019, 2,000 data subjects registered with the legal protection platform Cobin Claims. Swiss Post had subsequently reached an out-of-court settlement with the portal for compensation of up to EUR 2.7 million. This roughly corresponds to a payment of EUR 1,350 for each of the affected persons registered on the platform.
In connection with this, today, May 4, 2023, the European Court of Justice issued a judgment on the right to non-material damages under Article 82 of the GDPR.
Breach of the GDPR does not automatically lead to a claim for damages:
The ECJ ruled that a breach of the GDPR alone does not give rise to a claim for damages by data subjects. Rather, proof of concrete damage is required.
Accordingly, for a claim for damages
- a breach of the GDPR
- AND proof of damage causally caused by the breach is required.
No de minimis limit for damages:
The ECJ ruled that no de minimis limit applies to a claim for damages. Some national courts had ruled that the damage had to exceed a certain materiality threshold to give rise to a claim for damages. The ECJ has hereby countered this.
Relevance and evaluation:
The ECJ's case law provides a clearer definition of the right to damages under data protection law. However, many legal questions have not yet been clarified.
For companies, there is a non-negligible risk of being exposed to mass lawsuits by consumers and consumer protection associations in the event of data privacy violations.
Data protection supervision, which has been dysfunctional to a large extent to date, could also be overtaken by the fact that those affected now pursue data protection violations independently or via legal tech platforms because of financial incentives.
The developments about immaterial damages are therefore not a legal glass bead game but will have very concrete economic effects on companies.
Companies in the consumer sector should address these risks, which can result from data privacy violations, at an early stage.