OPINION OF ADVOCATE GENERAL
CAMPOS SÁNCHEZ-BORDONA
delivered on 6 October 2022 (1)
Case C‑300/21
UI
v
Österreichische Post AG
(Request for a preliminary ruling from the Oberster Gerichtshof (Supreme Court, Austria))
(Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Non-material damage resulting from unlawful processing of data – Conditions for the right to compensation – Damage above a certain threshold of seriousness)
1. Regulation (EU) 2016/679 (2) grants any person who has suffered material or non-material damage as a result of an infringement of its provisions the right to receive compensation from the data controller or processor.
2. The possibility of relying on that right before the courts already existed under the previous legislation (Article 23 of Directive 95/46/EC (3)), although it was rarely exercised. (4) Unless I am mistaken, the Court never interpreted that article specifically.
3. Under the GDPR, actions for damages have gained in importance. (5) Their increase is noticeable in the courts of the Member States and is reflected in associated references for a preliminary ruling. (6) In this reference, the Oberster Gerichtshof (Supreme Court, Austria) asks the Court of Justice to define a number of common points of the rules on civil liability laid down by the GDPR.
I. Legal framework. GDPR
4. Recitals 75, 85 and 146 of the GDPR are of particular relevance to this dispute.
5. Article 6 (‘Lawfulness of processing’) reads:
‘1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
…’
6. Paragraph 1 of Article 79 (‘Right to an effective judicial remedy against a controller or processor’) provides:
‘Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.’
7. Paragraph 1 of Article 82 (‘Right to compensation and liability’) states:
‘Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.’
II. Facts, dispute and questions referred for a preliminary ruling
8. From 2017 onwards, Österreichische Post AG, an undertaking which publishes address directories, collected information on the political party affinities of the Austrian population. With the assistance of an algorithm, it defined ‘target group addresses’ according to certain socio-demographic features.
9. UI is a natural person in respect of whom Österreichische Post carried out an extrapolation, by means of statistical calculation, in order to determine his classification within the possible target groups for election advertising from various political parties. From that extrapolation it emerged that UI had a high affinity with one of those political parties. Those data were not transferred to third parties.
10. UI, who had not consented to the processing of his personal data, was upset by the storage of his party affinity data and angered and offended by the affinity specifically attributed to him by Österreichische Post.
11. UI has claimed compensation of EUR 1 000 in respect of non-material damage (inner discomfort). UI claims that the political affinity attributed to him is insulting and shameful, as well as extremely damaging to his reputation. In addition, Österreichische Post’s conduct caused him great upset and a loss of confidence, and also a feeling of public exposure.
12. The first-instance court dismissed UI’s claim for compensation. (7)
13. The appellate court confirmed the first-instance judgment. It ruled that compensation for non-material damage does not automatically accompany every breach of the GDPR and that:
– since Austrian law is applicable as a supplement to the GDPR, only damage that goes beyond the upset or the feelings (‘Gefühlsschaden’) caused by the breach of the applicant’s rights is eligible for compensation;
– the principle underlying Austrian law must be adhered to, namely that mere discomfort and feelings of unpleasantness must be borne by everyone without any consequence in terms of compensation. To put it another way, the right to compensation requires that the damage claimed must be of a certain significance.
14. An appeal against the judgment of the appellate court was lodged with the Oberster Gerichtshof (Supreme Court, Austria), which has referred the following questions to the Court of Justice for a preliminary ruling:
‘(1) Does the award of compensation under Article 82 of [the GDPR] also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
(2) Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
(3) Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?’
III. Procedure
15. The request for a preliminary ruling was received at the Registry of the Court on 12 May 2021.
16. Written observations were lodged by UI, Österreichische Post, the Austrian and Czech Governments, Ireland and the European Commission. It was not considered necessary to hold a hearing.
IV. Analysis
A. Preliminary matters
1. Admissibility
17. UI contends that the first question referred for a preliminary ruling is not relevant to the proceedings, since his action was not based on the ‘mere’ infringement of a provision of the GDPR but rather on the consequences or effects of that infringement.
18. The plea of inadmissibility must be dismissed. Even if it were accepted that the data processing breached the GDPR without causing any harm to him, UI may be entitled to compensation under Article 82 of the GDPR if, as the referring court asks, it is confirmed that the mere infringement of a rule relating to processing creates such entitlement.
19. In UI’s submission, the Court may also consider the second question to be inadmissible on the grounds that it is very open as regards its content and excessively limited in relation to the requirements of EU law, without referring to any specific requirement.
20. That plea, although it has more merits than the previous plea, cannot succeed either. It is legitimate for a court to seek to ascertain whether, in addition to compliance with the principles of equivalence and effectiveness, it is necessary to examine other conditions laid down by EU law for the purposes of assessing the damage.
2. Delimitation of the subject matter of this Opinion
21. Article 82 of the GDPR contains six paragraphs. The referring court does not mention any of these in particular but implicitly refers to paragraph 1. Nor does the referring court specify the provision a breach of which would give rise to compensation.
22. My Opinion will be based on the following assumptions:
– UI’s personal data were processed without obtaining his consent for the purposes of Article 6(1)(a) of the GDPR.
– The right to compensation is available to anyone who has suffered damage. In this case, UI, as an identified natural person who is affected by the processing, is a ‘data subject’. (8)
– The GDPR provides for compensation for material and non-material damage. UI’s claim is confined to non-material damage and has a financial element.
B. Question 1
23. By its first question, the referring court asks, in short, whether infringement alone of the GDPR gives rise to a right to compensation, regardless of whether or not harm occurred.
24. It can be inferred from the referring court’s findings and from the observations lodged with the Court of Justice that another, rather more complex, reading of the question is also possible: it is necessary to determine whether infringement of the provisions of the GDPR automatically produces harm which gives rise to a right to compensation without the defendant having the possibility to demonstrate otherwise.
25. There is a certain (theoretical) difference between those two approaches: in the first, damage is not a prerequisite for compensation; it is, however, in the second. In practice, the requirement that the applicant prove the damage is removed in both cases; nor is the applicant required to prove the causal link between the infringement and that damage. (9)
26. In any event, I shall say now that, in my view, neither of those two readings of the first question warrants an affirmative answer. I shall deal with each separately.
1. Compensation without damage?
27. The argument that there is a right to compensation even though the data subject did not suffer damage as a result of the breach of the GDPR creates obvious difficulties, starting with that relating to the wording of Article 82(1) of the GDPR.
28. In accordance with that provision, compensation (10) is awarded specifically because prior damage has occurred. Therefore, there is an unequivocal requirement that the natural person concerned must have suffered damage as a result of an infringement of the GDPR.
29. Therefore, an interpretation which automatically associates the notion of ‘infringement’ with that of ‘compensation’, without the existence of any damage, is not compatible with the wording of Article 82 of the GDPR. Nor is it compatible with the primary aim of the civil liability established by the GDPR, which is to give the data subject satisfaction through ‘full and effective’ compensation for the damage he or she has suffered. (11)
30. In the absence of damage, the compensation would no longer perform the function of redressing the adverse consequences caused by the breach but rather another function of a different nature, closer to that of punishment.
31. It is, however, the case that a Member State’s legal system may provide for the payment of punitive damages. (12) That means an order to pay a substantial sum which goes further than strict compensation for the damage.
32. As a general rule, punitive damages do take into account the prior existence of harm. However, taking that as the starting point, they separate the financial consequences of that harm from the amount of compensation consistent with that harm.
33. Nevertheless, it is not unthinkable for punitive damages to disregard the damage or to treat it as irrelevant for the purposes of giving satisfaction to the person who has claimed such damages.
34. The answer to the first question requires me to examine whether punitive damages fall within the scope of the GDPR, especially since they are referred to in the order for reference and the observations lodged by the parties and those intervening in the reference for a preliminary ruling.
2. Does the GDPR cover punitive damages?
(a) Literal interpretation
35. In addition to the traditional function of civil liability, there may be another ‘punitive’ or ‘exemplary’ function, by virtue of which, as I have already described, the amount of compensation does not equate to the damage suffered and instead increases or even multiplies it.
36. In principle, EU law does not preclude punitive damages for infringement of its provisions if it is possible to award such damages in similar actions based on national law. (13)
37. Punitive damages have a deterrent aim. That same aim may be present where, in light of the infringement of a directive, Member States have to adopt measures intended to have ‘a real deterrent effect’. (14) Some directives explicitly stipulate that damages conceived as penalties must act as a deterrent. (15)
38. By contrast, in other instruments, the legislature states that the aim of a directive ‘is not to introduce an obligation to provide for punitive damages’, (16) or that Member States are to avoid punitive damages when transposing the directive. (17) In EU law, direct awards of so-called ‘punitive damages’ are an exception. (18)
39. The GDPR makes no reference to the punitive nature of compensation for material or non-material damage; nor does it state that calculation of the amount of damages must reflect that punitive nature or that such damages must act as a deterrent (a feature which it does, however, attribute to criminal penalties and administrative fines). (19) From a literal point of view, therefore, it does not allow punitive damages to be awarded.
(b) Interpretation in the light of the history of the provision
40. The precedent for Article 82(1) of the GDPR is Article 23(1) of Directive 95/46. That provision was part of a system that entrusted its effectiveness to public and private enforcement, (20) but in which (private) compensation and (public) penalties were completely separate. (21) Supervision of compliance with the rules was primarily the responsibility of independent supervisory authorities. (22)
41. The GDPR repeats that model but strengthens the tools for ensuring the effectiveness of its provisions – which are now more detailed – and of the responses provided for – which are now more robust – in the event of an infringement or threat of infringement of those provisions:
– First, the GDPR broadens the role of supervisory authorities which, among other tasks, are responsible for imposing the harmonised penalties provided for therein. (23) It thus emphasises the public enforcement component of the provisions.
– Second, it provides that individuals may take up the defence of the rights granted to them under the GDPR, (24) either by triggering the procedure conducted by supervisory authorities (Article 77) or by bringing proceedings before the courts (Articles 79 and 82). In addition, Article 80 empowers certain bodies to bring representative actions, (25) which makes the protection of general interests available to individuals easier. (26)
42. The development of a uniform system of civil liability for damage in the GDPR was limited. Areas which may have been uncertain under Directive 95/46, such as that relating to the inclusion of non-material damage as damage eligible for compensation, (27) were soon clarified. Negotiations focused on other aspects of that system. (28)
43. I have not found in the legislative documents any discussion of a possible punitive function of the civil liability provided for in the GDPR. Therefore, in the absence of any discussion of the subject, it is not possible to conclude that this is covered by Article 82, especially since there was discussion concerning its inclusion in other EU legislation. (29)
44. In those circumstances, I believe that the action under Article 82(1) was designed and laid down to support the typical functions of civil liability: damages (for the injured party) and, on a secondary basis, the prevention of future harm (by the infringer).
(c) Contextual interpretation
45. As I have already pointed out, Article 82 of the GDPR forms part of a system of guarantees of the effectiveness of the rules in which private initiative supplements public enforcement of those rules. Compensation payable by data controllers or processors contributes to that effectiveness.
46. The duty to compensate operates (ideally) as an incentive to act more carefully in the future, through observance of the rules and the avoidance of further damage. In that way, by claiming compensation for himself or herself, each individual contributes to the general effectiveness of the rules.
47. In that context, the compensatory and punitive functions are separate:
– The latter is served by the fines which supervisory authorities and courts may impose (Article 83(1) and (9) of the GDPR) and other penalties which Member States may adopt under Article 84 of the GDPR. (30)
– The former is served by complaints from individuals (Article 77) and court proceedings (Article 79). However, supervisory authorities are not responsible for adjudicating on the right to compensation.
48. Also in connection with the separation of the functions of compensation and penalties:
– When imposing a fine and setting its amount, the authority must take into account the factors set out in Article 83 of the GDPR, which are not provided for in the area of civil liability and which, in principle, may not be transferred to the calculation of damages. (31)
– While the level of damage suffered by injured parties is a factor for adjustment of the fine, (32) there is no reason why calculation of the amount of the fine should take account of any compensation the injured parties may have received. (33)
49. From a theoretical perspective, an interpretation which, in the absence of any damage, entrusts the punitive function to civil liability creates the risk of making the compensatory mechanisms redundant with the punitive mechanisms.
50. In practice, the opportunity to obtain a ‘punitive’ profit by way of compensation could lead data subjects to prefer that remedy to the one provided for in Article 77 of the GDPR. If that became widespread, it would deprive supervisory authorities of a tool (the data subject’s complaint) to learn about and, therefore, investigate and sanction possible infringements of the GDPR, to the detriment of more suitable instruments for protection of the public interest.
(d) Purposive interpretation
51. The GDPR essentially has two objectives which are stated in its title: (a) first, ‘the protection of natural persons with regard to the processing of personal data’; (b) second, ensuring that that protection is structured in such a way that ‘the free movement of personal data’ within the European Union is neither restricted nor prohibited. (34)
52. I believe that, for the purposes of the attainment of those objectives, the GDPR does not require compensation to be linked to the mere infringement of the provision governing processing, thereby attributing punitive functions to civil liability.
53. For the purposes of attainment of the first objective, there is no need to broaden by interpretation the scope of Article 82 of the GDPR to cover situations where there has been infringement of a provision but no damage. Broadening its scope in that way could, however, adversely affect the second objective.
54. As I pointed out above, the GDPR lays down a number of mechanisms to guarantee compliance with its provisions, which co-exist and complement one another. The Member States do not have to choose (nor, in reality, are they able to) between the mechanisms for guaranteeing data protection laid down in Chapter VIII. In the event of a breach which does not create harm, the data subject is still afforded (as a minimum) the right to make a complaint to a supervisory authority under Article 77(1) of the GDPR.
55. Moreover, the prospect of obtaining compensation independently of any harm would, in all likelihood, encourage civil litigation, with proceedings that are perhaps not always justified, (35) and, to that extent, could discourage data processing. (36)
3. Is there a presumption of damage?
56. Some of the parties’ observations propose a different reading of the first question from that which I have examined so far. If I understand their position properly, (37) they appear to argue that there is an irrebuttable presumption of damage once an infringement of the provision has occurred.
57. The parties further suggest that that infringement would automatically lead to loss of control over the data, which in itself constitutes damage for which compensation can be awarded under Article 82(1) of the GDPR.
58. In theory, that presumption means that damage cannot be dispensed with, thereby reflecting the typical structure of civil liability and the wording of the provision of the GDPR. In practice, however, the effects for the applicant and the defendant of accepting that presumption would be similar to those arising as a result of linking compensation under Article 82(1) of the GDPR to the mere infringement of the provision.
59. Again, I shall employ the usual criteria for interpretation to explain why, in my view, that interpretation is incorrect.
(a) Literal interpretation
60. Where the legislature has taken the view in other fields of EU law that the infringement of a provision creates an automatic right to compensation, it has readily provided for this. (38) That does not occur in the GDPR, which includes rules relating to evidence, or to the direct effects on it, (39) but no automatic link, whether direct or by means of an irrebuttable presumption.
61. The references to control over personal data (or the loss of that control) in recitals 75 (40) and 85 (41) of the GDPR do not appear to me to counter that absence. In addition to the fact that recitals do not, as such, have legislative force, neither of those recitals supports the view that the infringement of a provision results per se in damage which is eligible for compensation:
– Recital 75 refers to being prevented from exercising control over personal data as one of the possible risks of processing.
– Recital 85 refers to loss of control as one of the consequences which could occur as a result of a personal data breach. (42)
62. There is no reason why loss of control over data should necessarily create damage. The expression may be taken to be linguistic licence to refer to damage subsequent to such a loss, should such damage occur. (43)
(b) Interpretation in the light of the legislative history
63. An analysis of the legislative history does not support the existence of that presumption, which did not appear in Directive 95/46, (44) either, while the preparatory documents for the GDPR of the Commission, the European Parliament and the Council, which I have examined, did not refer to it.
(c) Contextual interpretation
64. The scheme of the GDPR offers evidence to rule out that it includes the presumption at issue, taking the data subject’s consent as the reference point. (45) As a vehicle for the data subject’s control over his or her data, that consent legitimises the processing of such data at the same level as other legal bases (Article 6 of the GDPR). (46)
65. The unlawful processing of personal data is conceivable notwithstanding the data subject’s consent and, therefore, notwithstanding the control which granting or refusing that consent represents. In short, its importance within the system is not absolute.
66. Moreover, the GDPR provides for other possibilities for the exercise of that control, including the right to erasure which requires the controller to erase the data concerned ‘without undue delay’. (47)
67. For the data subject, that right operates as a safety valve in the system of protection: it persists (as a rule of principle) where the controller did not obtain the data subject’s consent and also where no other basis legitimising the data processing exists, and it is not dependent on the processing causing any damage. (48)
(d) Teleological interpretation
(1) Is the data subject’s control over his or her data an objective of the GDPR?
68. The automatic equivalence between the processing of personal data for which the data subject’s consent has not been obtained and damage for which compensation may be awarded presupposes that such control, of which consent is the vehicle, constitutes a right in itself.
69. I agree that, at first sight, there is plenty of support for that view. That individuals should have control over their data is set out in the Commission’s proposal as one of the main reasons for the reform. (49) Recital 7 of the GDPR states that ‘natural persons should have control of their own personal data’.
70. The fact is that caution is required when interpreting that term, beyond the debates it has created in academic legal circles. The GDPR does not include a precise definition of ‘control’ (and I have not found one anywhere else either). (50) The term has at least two possible meanings, which are not mutually exclusive: ‘power’ and ‘supervision’.
71. The wording of recital 7 of the GDPR generates some uncertainty, because it differs depending on the language version. (51) Having regard to its subject matter, I believe that the GDPR confers on data subjects rights of supervision and intervention in operations carried out by others on their data, as one tool (in addition to others) for the protection of those data.
72. Data subjects themselves contribute to and are responsible for the protection of the information represented by the data, to the extent – degree and detailed rules – that this is provided for in the GDPR. The scope for individual action is limited: as regards the rights listed in the GDPR, it is confined to the exercise of those rights in specified circumstances.
73. The data subject’s consent, as the ultimate expression of control, (52) is just one of the legal bases for lawful processing but it does not have the ability to validate a failure to comply with the other obligations and conditions incumbent on the controller and the processor.
74. In my view, it is not straightforward to conclude from the GDPR that its objective is to grant data subjects control over their personal data as a right in itself, or that data subjects must have the greatest control possible over those data.
75. That finding is unsurprising. First, it is not clear that control, in the sense of power, over data, forms part of the essential subject matter of the fundamental right to the protection of personal data. (53) Second, the interpretation of that right as a right to informational self-determination is far from being unanimous: Article 8 of the Charter does not use those terms. (54)
76. On the same lines, nor was a recital with the wording ‘the right to the protection of personal data is based on the right of data subjects to exercise control over personal data which is being processed’ included in the final text of the GDPR. (55)
77. The foregoing considerations, which are perhaps excessively abstract, lead me to assert that, where a data subject does not consent to processing and processing is carried out without another legitimate legal basis, that is not a ground for the data subject to receive financial compensation on account of the loss of control over his or her data, as though that loss of control itself amounted to damage that is eligible for compensation. (56) It remains to be seen (and must be proved) whether or not the data subject has also suffered damage. (57)
(2) Control by the data subject within the context
78. Finally, I believe it is helpful to point out that the protection of personal data is expressed as an objective of the GDPR, in addition to the aim of promoting the free movement of data. (58)
79. Strengthening individuals’ control over their personal information in the digital environment is one of the recognised aims of the modernisation of the rules on the protection of personal data, albeit not an independent or isolated aim.
80. The Commission, in the Communication accompanying its proposal for the GDPR, associated a high level of protection of data with trust in online services, which enables the potential of the digital economy to be fulfilled and encourages ‘economic growth and the competitiveness of EU industries’. The modernisation (and increased harmonisation) of the EU legislation enhances ‘the Single Market dimension of data protection’. (59)
81. In light of the clear value of (personal and non-personal) data to economic and social progress in Europe, the GDPR does not seek to increase the control of individuals over information concerning them, by merely giving way to their preferences, but rather to reconcile each person’s right to protection of personal data with the interests of third parties and society. (60)
82. The aim of the GDPR is not, I stress, to limit systematically the processing of personal data but rather to legitimise it under strict conditions. That aim is served especially by promoting confidence on the part of data subjects that processing will be carried out in a safe environment, (61) to which the data subjects themselves contribute. This encourages the willingness of data subjects to permit access to and use of their data in, among other spheres, the sphere of online commercial transactions.
C. Question 2
83. The referring court wishes to know whether ‘the assessment of the compensation [depends] on further EU-law requirements in addition to the principles of effectiveness and equivalence’.
84. In fact, it does not appear that the principle of equivalence plays an important role here: the harmonised provisions of the GDPR apply directly in this area and Article 82 of the GDPR applies in respect of all non-material damage occurring as a result of an infringement, regardless of its source.
85. The same assessment applies to the principle of effectiveness. The fact that compensation, in keeping with recital 146 of the GDPR (data subjects should receive full and effective compensation for the damage they have suffered), must have one content or another is another matter.
86. Article 82 of the GDPR does not lay down any condition other than the infringement of its provisions where this leads to any person suffering material or non-material damage. On the specific calculation of the amount of compensation for that damage, the GDPR does not provide any guidance for national courts.
87. In the light of the two adjectives transcribed above (full and effective), compensation will depend, first of all, on the claim put forward by each applicant.
88. If that claim is for the award of punitive damages, (62) the answer to the first question is sufficient: such damages do not appear in the GDPR. In the GDPR, civil liability performs a ‘private’ compensatory function, whereas fines and criminal penalties have a public deterrent and, as the case may be, punitive function.
89. It cannot be ruled out that reparation sought for non-material damage may include components other than merely financial components, such as recognition that the infringement occurred, thereby providing the applicant with a certain moral satisfaction. The judgment of the Court of Justice of 15 April 2021, (63) although it concerned an area outside the sphere of data protection, makes an assessment of that claim possible by analogy.
90. In legal systems which stipulate as much, it is possible that the rules on civil liability may provide for awards to be made by way of vindication of a right (payment of symbolic compensation) or neutralisation of an unfair advantage (transfer of the unfairly obtained profit).
91. Underlying the former is the notion of providing continuity and realising the right (‘Rechtsfortsetzungsfunktion’) by means of purely symbolic compensation, in addition to a declaration that the defendant has committed an unlawful act and breached the applicant’s rights. Article 82 of the GDPR does not provide for this and nor is there any sign of it in the preparatory documents, which should be no surprise as it is not common in the Member States’ legal systems (64) and is controversial in the systems where it does exist. (65)
92. However, the scheme and objectives of the GDPR do not preclude Member States which recognise that remedy from offering it to those who are affected by the infringement of a provision, within the remedies provided for in Article 79 of the GDPR, where there is no damage at all. By contrast, if the applicant claims that he or she has suffered financial damage, the situation is governed by Article 82 of the GDPR and the difficulty in proving the damage must not result in nominal damages. (66)
93. As regards awards of damages consisting of the payment of a sum following the infringement of a right, these may have the purpose of depriving the infringer of the profit obtained. Outwith the sphere of intellectual property, (67) that is not a common purpose in the law of damages which looks, rather, at the injured party’s loss and not the infringer’s gain. (68) The GDPR does not include this in its provisions.
94. I have set out these considerations to make the referring court’s task easier, in the light of the broad nature of the second question. I am aware, however, that they may be of little help when it comes to upholding or dismissing an action in which the data subject seeks strictly financial compensation for non-material damage.
D. Question 3
95. The referring court asks whether, under the GDPR, the award of compensation for non-material damage is conditional on an ‘infringement of at least some weight that goes beyond the upset caused by that infringement’.
96. As a criterion for eligibility for compensation, the request for a preliminary ruling refers to the intensity of the data subject’s experience. It does not ask, however (at least not directly), whether certain emotions or feelings of the data subject are relevant or irrelevant for the purposes of Article 82(1) of the GDPR by virtue of their nature. (69)
97. The question thus arises as to whether the Member States may make compensation for non-material damage conditional on the significance of the consequences derived from infringement of the provision, by including only those consequences which exceed a certain threshold of seriousness. The question does not concern elements in respect of which compensation may be awarded (70) or the amount of compensation but rather the existence of a lower limit for the reaction of the injured party, below which that person will not be awarded compensation.
98. Article 82 of the GDPR does not provide a direct answer to the question. Nor, in my opinion, do recitals 75 and 85. Both contain a list of examples of damage, culminating in an open-ended clause which appears to limit eligibility for compensation to damage that is ‘significant’.
99. However, I do not believe that those recitals are helpful when it comes to answering the referring court’s question:
– Recital 75 concerns the identification and evaluation of the risks of data processing and the adoption of measures to prevent or mitigate these. It explains the undesirable consequences of any processing and draws attention, ‘in particular’, to a number of these, undoubtedly because of their more serious nature.
– Recital 85 refers to personal data breaches, warning that their effects may become significant.
100. It is not possible either to infer from the wording of recital 146 of the GDPR (controllers should compensate ‘any damage’) (71) criteria which make it possible to answer that question.
101. The inclusion of that recital in the text of the GDPR meant that the GDPR implicitly includes non-material damage, replacing the silence on that point of Directive 95/46. (72) However, the question now referred to the Court of Justice was, in particular, not addressed.
102. Recital 146 of the GDPR states that ‘the concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation’.
103. I am not sure that that instruction will have been particularly helpful in the context of data protection, for the Court had yet to rule on the subject when the GDPR was adopted. (73) If the intention was to refer to judgments on civil liability governed by other directives or regulations, a reference to analogy would have been welcome.
104. In fact, the Court has not drawn up a general definition of ‘damage’ which is applicable without distinction in any sphere. (74) For the present purposes (non-material damage), it can be inferred from the Court’s case-law that:
– where the objective (or one of the objectives) of the provision being interpreted is the protection of individuals or a certain category of individuals, (75) the definition of damage must be broad;
– in keeping with that rule, compensation covers non-material damage, even where it is not mentioned in the provision interpreted. (76)
105. While the case-law of the Court permits the argument that, in the terms stated, a principle of compensation for non-material damage exists in EU law, I do not believe, however, that it is possible to infer from this a rule pursuant to which all non-material damage, regardless of how serious it is, is eligible for compensation.
106. The Court has accepted the compatibility with EU legislation of national law which, for the purpose of calculating compensation, differentiates between non-material damage linked to physical injury caused by an accident depending on the origin of that accident. (77)
107. The Court has also assessed which circumstances are liable to give rise to non-material damage, in accordance with the provision applicable in each case, (78) but has not ruled explicitly (unless I am mistaken) on the requirement of seriousness of that damage. (79)
108. At this juncture, I believe that question 3 should be answered in the affirmative.
109. In support of my position, I note that the GDPR does not have as its sole aim the safeguarding of the fundamental right to the protection of personal data (80) and that the system of guarantees laid down therein includes mechanisms of different types. (81)
110. Relevant in that connection is the distinction, suggested to the Court, between non-material damage for which compensation may be awarded and other inconveniences arising as a result of abuse of the law which, owing to their insignificance, do not necessarily create the right to compensation.
111. Such a distinction is visible in national legal systems as an inevitable corollary of life in society. (82) The Court is not unaware of that difference, which it accepts when referring to trouble and inconvenience as a separate category from damage in areas where it finds that those items should be compensated. (83) There is nothing to preclude that distinction from being transferred to the GDPR.
112. In addition, the right to compensation under Article 82(1) of the GDPR does not appear to me to be a suitable instrument for countering infringements in connection with the processing of personal data where all those infringements create for the data subject is annoyance or upset.
113. As a rule, any breach of a provision governing data protection leads to some negative reaction on the part of the data subject. Compensation arising as a result of a mere feeling of displeasure due to another person’s failure to comply with the law is easily confused with compensation without damage, which has already been ruled out.
114. From a practical point of view, the inclusion of mere upset in the category of non-material damage eligible for compensation is not efficient in the light of the typical inconveniences and difficulties for the applicant of bringing legal proceedings, (84) and for the defendant of mounting a defence. (85)
115. Refusal of the right to compensation for vague, fleeting feelings or emotions (86) connected with the infringement of rules on processing does not leave the data subject without any protection at all. As I stated in response to the first question, the system laid down in the GDPR provides data subjects with other remedies.
116. I am in no doubt that there is a fine line between mere upset (which is not eligible for compensation) and genuine non-material damage (which is eligible for compensation) and I am also aware of how complicated it is to delimit, in the abstract, the two categories and apply them to a particular dispute. That difficult task falls to the courts of the Member States, which will probably be unable to avoid in their rulings the perception prevailing in society at a given time regarding the permissible degree of tolerance where the subjective effects of infringement of a provision in this area do not exceed a de minimis level. (87)
V. Conclusion
117. In the light of the foregoing considerations, I propose that the following replies should be given to the Oberster Gerichtshof (Supreme Court, Austria):
Article 82 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
is to be interpreted as meaning that for the purposes of the award of compensation for damage suffered by a person as a result of an infringement of that regulation, a mere infringement of the provision is not in itself sufficient if that infringement is not accompanied by the relevant material or non-material damage.
The compensation for non-material damage provided for in the regulation does not cover mere upset which the person concerned may feel as a result of the infringement of provisions of Regulation 2016/679. It is for the national courts to determine when, owing to its characteristics, a subjective feeling of displeasure may be deemed, in each case, to be non-material damage.