ECLI:EU:C:2022:756

Provisional text

OPINION OF ADVOCATE GENERAL

CAMPOS SÁNCHEZ-BORDONA

delivered on 6 October 2022 (1)

Case C-300/21

UI

v

Österreichische Post AG

(Request for a preliminary ruling from the Oberster Gerichtshof (Supreme Court, Austria))

(Reference for a preliminary ruling – Protection of personal data – Regulation (EU) 2016/679 – Non-material damage resulting from unlawful processing of data – Conditions for the right to compensation – Damage above a certain threshold of seriousness)






1.        Regulation (EU) 2016/679 (2) grants any person who has suffered material or non-material damage as a result of an infringement of its provisions the right to receive compensation from the data controller or processor.

2.        The possibility of relying on that right before the courts already existed under the previous legislation (Article 23 of Directive 95/46/EC (3)), although it was rarely exercised. (4) Unless I am mistaken, the Court never interpreted that article specifically.

3.        Under the GDPR, actions for damages have gained in importance. (5) Their increase is noticeable in the courts of the Member States and is reflected in associated references for a preliminary ruling. (6) In this reference, the Oberster Gerichtshof (Supreme Court, Austria) asks the Court of Justice to define a number of common points of the rules on civil liability laid down by the GDPR.

I.      Legal framework. GDPR

4.        Recitals 75, 85 and 146 of the GDPR are of particular relevance to this dispute.

5.        Article 6 (‘Lawfulness of processing’) reads:

‘1.      Processing shall be lawful only if and to the extent that at least one of the following applies:

(a)      the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

…’

6.        Paragraph 1 of Article 79 (‘Right to an effective judicial remedy against a controller or processor’) provides:

‘Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.’

7.        Paragraph 1 of Article 82 (‘Right to compensation and liability’) states:

‘Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.’

II.    Facts, dispute and questions referred for a preliminary ruling

8.        From 2017 onwards, Österreichische Post AG, an undertaking which publishes address directories, collected information on the political party affinities of the Austrian population. With the assistance of an algorithm, it defined ‘target group addresses’ according to certain socio-demographic features.

9.        UI is a natural person in respect of whom Österreichische Post carried out an extrapolation, by means of statistical calculation, in order to determine his classification within the possible target groups for election advertising from various political parties. From that extrapolation it emerged that UI had a high affinity with one of those political parties. Those data were not transferred to third parties.

10.      UI, who had not consented to the processing of his personal data, was upset by the storage of his party affinity data and angered and offended by the affinity specifically attributed to him by Österreichische Post.

11.      UI has claimed compensation of EUR 1 000 in respect of non-material damage (inner discomfort). UI claims that the political affinity attributed to him is insulting and shameful, as well as extremely damaging to his reputation. In addition, Österreichische Post’s conduct caused him great upset and a loss of confidence, and also a feeling of public exposure.

12.      The first-instance court dismissed UI’s claim for compensation. (7)

13.      The appellate court confirmed the first-instance judgment. It ruled that compensation for non-material damage does not automatically accompany every breach of the GDPR and that:

—      since Austrian law is applicable as a supplement to the GDPR, only damage that goes beyond the upset or the feelings (‘Gefühlsschaden’) caused by the breach of the applicant’s rights is eligible for compensation;

—      the principle underlying Austrian law must be adhered to, namely that mere discomfort and feelings of unpleasantness must be borne by everyone without any consequence in terms of compensation. To put it another way, the right to compensation requires that the damage claimed must be of a certain significance.

14.      An appeal against the judgment of the appellate court was lodged with the Oberster Gerichtshof (Supreme Court, Austria), which has referred the following questions to the Court of Justice for a preliminary ruling:

‘(1)      Does the award of compensation under Article 82 of [the GDPR] also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?

(2)      Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?

(3)      Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?’

III. Procedure

15.      The request for a preliminary ruling was received at the Registry of the Court on 12 May 2021.

16.      Written observations were lodged by UI, Österreichische Post, the Austrian and Czech Governments, Ireland and the European Commission. It was not considered necessary to hold a hearing.

IV.    Analysis

A.      Preliminary matters

1.      Admissibility

17.      UI contends that the first question referred for a preliminary ruling is not relevant to the proceedings, since his action was not based on the ‘mere’ infringement of a provision of the GDPR but rather on the consequences or effects of that infringement.

18.      The plea of inadmissibility must be dismissed. Even if it were accepted that the data processing breached the GDPR without causing any harm to him, UI may be entitled to compensation under Article 82 of the GDPR if, as the referring court asks, it is confirmed that the mere infringement of a rule relating to processing creates such entitlement.

19.      In UI’s submission, the Court may also consider the second question to be inadmissible on the grounds that it is very open as regards its content and excessively limited in relation to the requirements of EU law, without referring to any specific requirement.

20.      That plea, although it has more merits than the previous plea, cannot succeed either. It is legitimate for a court to seek to ascertain whether, in addition to compliance with the principles of equivalence and effectiveness, it is necessary to examine other conditions laid down by EU law for the purposes of assessing the damage.

2.      Delimitation of the subject matter of this Opinion

21.      Article 82 of the GDPR contains six paragraphs. The referring court does not mention any of these in particular but implicitly refers to paragraph 1. Nor does the referring court specify the provision a breach of which would give rise to compensation.

22.      My Opinion will be based on the following assumptions:

—      UI’s personal data were processed without obtaining his consent for the purposes of Article 6(1)(a) of the GDPR.

—      The right to compensation is available to anyone who has suffered damage. In this case, UI, as an identified natural person who is affected by the processing, is a ‘data subject’. (8)

—      The GDPR provides for compensation for material and non-material damage. UI’s claim is confined to non-material damage and has a financial element.

B.      Question 1

23.      By its first question, the referring court asks, in short, whether infringement alone of the GDPR gives rise to a right to compensation, regardless of whether or not harm occurred.

24.      It can be inferred from the referring court’s findings and from the observations lodged with the Court of Justice that another, rather more complex, reading of the question is also possible: it is necessary to determine whether infringement of the provisions of the GDPR automatically produces harm which gives rise to a right to compensation without the defendant having the possibility to demonstrate otherwise.

25.      There is a certain (theoretical) difference between those two approaches: in the first, damage is not a prerequisite for compensation; it is, however, in the second. In practice, the requirement that the applicant prove the damage is removed in both cases; nor is the applicant required to prove the causal link between the infringement and that damage. (9)

26.      In any event, I shall say now that, in my view, neither of those two readings of the first question warrants an affirmative answer. I shall deal with each separately.

1.      Compensation without damage?

27.      The argument that there is a right to compensation even though the data subject did not suffer damage as a result of the breach of the GDPR creates obvious difficulties, starting with that relating to the wording of Article 82(1) of the GDPR.

28.      In accordance with that provision, compensation (10) is awarded specifically because prior damage has occurred. Therefore, there is an unequivocal requirement that the natural person concerned must have suffered damage as a result of an infringement of the GDPR.

29.      Therefore, an interpretation which automatically associates the notion of ‘infringement’ with that of ‘compensation’, without the existence of any damage, is not compatible with the wording of Article 82 of the GDPR. Nor is it compatible with the primary aim of the civil liability established by the GDPR, which is to give the data subject satisfaction through ‘full and effective’ compensation for the damage he or she has suffered. (11)

30.      In the absence of damage, the compensation would no longer perform the function of redressing the adverse consequences caused by the breach but rather another function of a different nature, closer to that of punishment.

31.      It is, however, the case that a Member State’s legal system may provide for the payment of punitive damages. (12) That means an order to pay a substantial sum which goes further than strict compensation for the damage.

32.      As a general rule, punitive damages do take into account the prior existence of harm. However, taking that as the starting point, they separate the financial consequences of that harm from the amount of compensation consistent with that harm.

33.      Nevertheless, it is not unthinkable for punitive damages to disregard the damage or to treat it as irrelevant for the purposes of giving satisfaction to the person who has claimed such damages.

34.      The answer to the first question requires me to examine whether punitive damages fall within the scope of the GDPR, especially since they are referred to in the order for reference and the observations lodged by the parties and those intervening in the reference for a preliminary ruling.

2.      Does the GDPR cover punitive damages?

(a)    Literal interpretation

35.      In addition to the traditional function of civil liability, there may be another ‘punitive’ or ‘exemplary’ function, by virtue of which, as I have already described, the amount of compensation does not equate to the damage suffered and instead increases or even multiplies it.

36.      In principle, EU law does not preclude punitive damages for infringement of its provisions if it is possible to award such damages in similar actions based on national law. (13)

37.      Punitive damages have a deterrent aim. That same aim may be present where, in light of the infringement of a directive, Member States have to adopt measures intended to have ‘a real deterrent effect’. (14) Some directives explicitly stipulate that damages conceived as penalties must act as a deterrent. (15)

38.      By contrast, in other instruments, the legislature states that the aim of a directive ‘is not to introduce an obligation to provide for punitive damages’, (16) or that Member States are to avoid punitive damages when transposing the directive. (17) In EU law, direct awards of so-called ‘punitive damages’ are an exception. (18)

39.      The GDPR makes no reference to the punitive nature of compensation for material or non-material damage; nor does it state that calculation of the amount of damages must reflect that punitive nature or that such damages must act as a deterrent (a feature which it does, however, attribute to criminal penalties and administrative fines). (19) From a literal point of view, therefore, it does not allow punitive damages to be awarded.

(b)    Interpretation in the light of the history of the provision

40.      The precedent for Article 82(1) of the GDPR is Article 23(1) of Directive 95/46. That provision was part of a system that entrusted its effectiveness to public and private enforcement, (20) but in which (private) compensation and (public) penalties were completely separate. (21) Supervision of compliance with the rules was primarily the responsibility of independent supervisory authorities. (22)

41.      The GDPR repeats that model but strengthens the tools for ensuring the effectiveness of its provisions – which are now more detailed – and of the responses provided for – which are now more robust – in the event of an infringement or threat of infringement of those provisions:

—      First, the GDPR broadens the role of supervisory authorities which, among other tasks, are responsible for imposing the harmonised penalties provided for therein. (23) It thus emphasises the public enforcement component of the provisions.

—      Second, it provides that individuals may take up the defence of the rights granted to them under the GDPR, (24) either by triggering the procedure conducted by supervisory authorities (Article 77) or by bringing proceedings before the courts (Articles 79 and 82). In addition, Article 80 empowers certain bodies to bring representative actions, (25) which makes the protection of general interests available to individuals easier. (26)

42.      The development of a uniform system of civil liability for damage in the GDPR was limited. Areas which may have been uncertain under Directive 95/46, such as that relating to the inclusion of non-material damage as damage eligible for compensation, (27) were soon clarified. Negotiations focused on other aspects of that system. (28)

43.      I have not found in the legislative documents any discussion of a possible punitive function of the civil liability provided for in the GDPR. Therefore, in the absence of any discussion of the subject, it is not possible to conclude that this is covered by Article 82, especially since there was discussion concerning its inclusion in other EU legislation. (29)

44.      In those circumstances, I believe that the action under Article 82(1) was designed and laid down to support the typical functions of civil liability: damages (for the injured party) and, on a secondary basis, the prevention of future harm (by the infringer).

(c)    Contextual interpretation

45.      As I have already pointed out, Article 82 of the GDPR forms part of a system of guarantees of the effectiveness of the rules in which private initiative supplements public enforcement of those rules. Compensation payable by data controllers or processors contributes to that effectiveness.

46.      The duty to compensate operates (ideally) as an incentive to act more carefully in the future, through observance of the rules and the avoidance of further damage. In that way, by claiming compensation for himself or herself, each individual contributes to the general effectiveness of the rules.

47.      In that context, the compensatory and punitive functions are separate:

—      The latter is served by the fines which supervisory authorities and courts may impose (Article 83(1) and (9) of the GDPR) and other penalties which Member States may adopt under Article 84 of the GDPR. (30)

—      The former is served by complaints from individuals (Article 77) and court proceedings (Article 79). However, supervisory authorities are not responsible for adjudicating on the right to compensation.

48.      Also in connection with the separation of the functions of compensation and penalties:

—      When imposing a fine and setting its amount, the authority must take into account the factors set out in Article 83 of the GDPR, which are not provided for in the area of civil liability and which, in principle, may not be transferred to the calculation of damages. (31)

—      While the level of damage suffered by injured parties is a factor for adjustment of the fine, (32) there is no reason why calculation of the amount of the fine should take account of any compensation the injured parties may have received. (33)

49.      From a theoretical perspective, an interpretation which, in the absence of any damage, entrusts the punitive function to civil liability creates the risk of making the compensatory mechanisms redundant with the punitive mechanisms.

50.      In practice, the opportunity to obtain a ‘punitive’ profit by way of compensation could lead data subjects to prefer that remedy to the one provided for in Article 77 of the GDPR. If that became widespread, it would deprive supervisory authorities of a tool (the data subject’s complaint) to learn about and, therefore, investigate and sanction possible infringements of the GDPR, to the detriment of more suitable instruments for protection of the public interest.

(d)    Purposive interpretation

51.      The GDPR essentially has two objectives which are stated in its title: (a) first, ‘the protection of natural persons with regard to the processing of personal data’; (b) second, ensuring that that protection is structured in such a way that ‘the free movement of personal data’ within the European Union is neither restricted nor prohibited. (34)

52.      I believe that, for the purposes of the attainment of those objectives, the GDPR does not require compensation to be linked to the mere infringement of the provision governing processing, thereby attributing punitive functions to civil liability.

53.      For the purposes of attainment of the first objective, there is no need to broaden by interpretation the scope of Article 82 of the GDPR to cover situations where there has been infringement of a provision but no damage. Broadening its scope in that way could, however, adversely affect the second objective.

54.      As I pointed out above, the GDPR lays down a number of mechanisms to guarantee compliance with its provisions, which co-exist and complement one another. The Member States do not have to choose (nor, in reality, are they able to) between the mechanisms for guaranteeing data protection laid down in Chapter VIII. In the event of a breach which does not create harm, the data subject is still afforded (as a minimum) the right to make a complaint to a supervisory authority under Article 77(1) of the GDPR.

55.      Moreover, the prospect of obtaining compensation independently of any harm would, in all likelihood, encourage civil litigation, with proceedings that are perhaps not always justified, (35) and, to that extent, could discourage data processing. (36)

3.      Is there a presumption of damage?

56.      Some of the parties’ observations propose a different reading of the first question from that which I have examined so far. If I understand their position properly, (37) they appear to argue that there is an irrebuttable presumption of damage once an infringement of the provision has occurred.

57.      The parties further suggest that that infringement would automatically lead to loss of control over the data, which in itself constitutes damage for which compensation can be awarded under Article 82(1) of the GDPR.

58.      In theory, that presumption means that damage cannot be dispensed with, thereby reflecting the typical structure of civil liability and the wording of the provision of the GDPR. In practice, however, the effects for the applicant and the defendant of accepting that presumption would be similar to those arising as a result of linking compensation under Article 82(1) of the GDPR to the mere infringement of the provision.

59.      Again, I shall employ the usual criteria for interpretation to explain why, in my view, that interpretation is incorrect.

(a)    Literal interpretation

60.      Where the legislature has taken the view in other fields of EU law that the infringement of a provision creates an automatic right to compensation, it has readily provided for this. (38) That does not occur in the GDPR, which includes rules relating to evidence, or to the direct effects on it, (39) but no automatic link, whether direct or by means of an irrebuttable presumption.

61.      The references to control over personal data (or the loss of that control) in recitals 75 (40) and 85 (41) of the GDPR do not appear to me to counter that absence. In addition to the fact that recitals do not, as such, have legislative force, neither of those recitals supports the view that the infringement of a provision results per se in damage which is eligible for compensation:

—      Recital 75 refers to being prevented from exercising control over personal data as one of the possible risks of processing.

—      Recital 85 refers to loss of control as one of the consequences which could occur as a result of a personal data breach. (42)

62.      There is no reason why loss of control over data should necessarily create damage. The expression may be taken to be linguistic licence to refer to damage subsequent to such a loss, should such damage occur. (43)

(b)    Interpretation in the light of the legislative history

63.      An analysis of the legislative history does not support the existence of that presumption, which did not appear in Directive 95/46, (44) either, while the preparatory documents for the GDPR of the Commission, the European Parliament and the Council, which I have examined, did not refer to it.

(c)    Contextual interpretation

64.      The scheme of the GDPR offers evidence to rule out that it includes the presumption at issue, taking the data subject’s consent as the reference point. (45) As a vehicle for the data subject’s control over his or her data, that consent legitimises the processing of such data at the same level as other legal bases (Article 6 of the GDPR). (46)

65.      The unlawful processing of personal data is conceivable notwithstanding the data subject’s consent and, therefore, notwithstanding the control which granting or refusing that consent represents. In short, its importance within the system is not absolute.

66.      Moreover, the GDPR provides for other possibilities for the exercise of that control, including the right to erasure which requires the controller to erase the data concerned ‘without undue delay’. (47)

67.      For the data subject, that right operates as a safety valve in the system of protection: it persists (as a rule of principle) where the controller did not obtain the data subject’s consent and also where no other basis legitimising the data processing exists, and it is not dependent on the processing causing any damage. (48)

(d)    Teleological interpretation

(1)    Is the data subject’s control over his or her data an objective of the GDPR?

68.      The automatic equivalence between the processing of personal data for which the data subject’s consent has not been obtained and damage for which compensation may be awarded presupposes that such control, of which consent is the vehicle, constitutes a right in itself.

69.      I agree that, at first sight, there is plenty of support for that view. That individuals should have control over their data is set out in the Commission’s proposal as one of the main reasons for the reform. (49) Recital 7 of the GDPR states that ‘natural persons should have control of their own personal data’.

70.      The fact is that caution is required when interpreting that term, beyond the debates it has created in academic legal circles. The GDPR does not include a precise definition of ‘control’ (and I have not found one anywhere else either). (50) The term has at least two possible meanings, which are not mutually exclusive: ‘power’ and ‘supervision’.

71.      The wording of recital 7 of the GDPR generates some uncertainty, because it differs depending on the language version. (51) Having regard to its subject matter, I believe that the GDPR confers on data subjects rights of supervision and intervention in operations carried out by others on their data, as one tool (in addition to others) for the protection of those data.

72.      Data subjects themselves contribute to and are responsible for the protection of the information represented by the data, to the extent – degree and detailed rules – that this is provided for in the GDPR. The scope for individual action is limited: as regards the rights listed in the GDPR, it is confined to the exercise of those rights in specified circumstances.

73.      The data subject’s consent, as the ultimate expression of control, (52) is just one of the legal bases for lawful processing but it does not have the ability to validate a failure to comply with the other obligations and conditions incumbent on the controller and the processor.

74.      In my view, it is not straightforward to conclude from the GDPR that its objective is to grant data subjects control over their personal data as a right in itself, or that data subjects must have the greatest control possible over those data.

75.      That finding is unsurprising. First, it is not clear that control, in the sense of power, over data, forms part of the essential subject matter of the fundamental right to the protection of personal data. (53) Second, the interpretation of that right as a right to informational self-determination is far from being unanimous: Article 8 of the Charter does not use those terms. (54)

76.      On the same lines, nor was a recital with the wording ‘the right to the protection of personal data is based on the right of data subjects to exercise control over personal data which is being processed’ included in the final text of the GDPR. (55)

77.      The foregoing considerations, which are perhaps excessively abstract, lead me to assert that, where a data subject does not consent to processing and processing is carried out without another legitimate legal basis, that is not a ground for the data subject to receive financial compensation on account of the loss of control over his or her data, as though that loss of control itself amounted to damage that is eligible for compensation. (56) It remains to be seen (and must be proved) whether or not the data subject has also suffered damage. (57)

(2)    Control by the data subject within the context

78.      Finally, I believe it is helpful to point out that the protection of personal data is expressed as an objective of the GDPR, in addition to the aim of promoting the free movement of data. (58)

79.      Strengthening individuals’ control over their personal information in the digital environment is one of the recognised aims of the modernisation of the rules on the protection of personal data, albeit not an independent or isolated aim.

80.      The Commission, in the Communication accompanying its proposal for the GDPR, associated a high level of protection of data with trust in online services, which enables the potential of the digital economy to be fulfilled and encourages ‘economic growth and the competitiveness of EU industries’. The modernisation (and increased harmonisation) of the EU legislation enhances ‘the Single Market dimension of data protection’. (59)

81.      In light of the clear value of (personal and non-personal) data to economic and social progress in Europe, the GDPR does not seek to increase the control of individuals over information concerning them, by merely giving way to their preferences, but rather to reconcile each person’s right to protection of personal data with the interests of third parties and society. (60)

82.      The aim of the GDPR is not, I stress, to limit systematically the processing of personal data but rather to legitimise it under strict conditions. That aim is served especially by promoting confidence on the part of data subjects that processing will be carried out in a safe environment, (61) to which the data subjects themselves contribute. This encourages the willingness of data subjects to permit access to and use of their data in, among other spheres, the sphere of online commercial transactions.

C.      Question 2

83.      The referring court wishes to know whether ‘the assessment of the compensation [depends] on further EU-law requirements in addition to the principles of effectiveness and equivalence’.

84.      In fact, it does not appear that the principle of equivalence plays an important role here: the harmonised provisions of the GDPR apply directly in this area and Article 82 of the GDPR applies in respect of all non-material damage occurring as a result of an infringement, regardless of its source.

85.      The same assessment applies to the principle of effectiveness. The fact that compensation, in keeping with recital 146 of the GDPR (data subjects should receive full and effective compensation for the damage they have suffered), must have one content or another is another matter.

86.      Article 82 of the GDPR does not lay down any condition other than the infringement of its provisions where this leads to any person suffering material or non-material damage. On the specific calculation of the amount of compensation for that damage, the GDPR does not provide any guidance for national courts.

87.      In the light of the two adjectives transcribed above (full and effective), compensation will depend, first of all, on the claim put forward by each applicant.

88.      If that claim is for the award of punitive damages, (62) the answer to the first question is sufficient: such damages do not appear in the GDPR. In the GDPR, civil liability performs a ‘private’ compensatory function, whereas fines and criminal penalties have a public deterrent and, as the case may be, punitive function.

89.      It cannot be ruled out that reparation sought for non-material damage may include components other than merely financial components, such as recognition that the infringement occurred, thereby providing the applicant with a certain moral satisfaction. The judgment of the Court of Justice of 15 April 2021, (63) although it concerned an area outside the sphere of data protection, makes an assessment of that claim possible by analogy.

90.      In legal systems which stipulate as much, it is possible that the rules on civil liability may provide for awards to be made by way of vindication of a right (payment of symbolic compensation) or neutralisation of an unfair advantage (transfer of the unfairly obtained profit).

91.      Underlying the former is the notion of providing continuity and realising the right (‘Rechtsfortsetzungsfunktion’) by means of purely symbolic compensation, in addition to a declaration that the defendant has committed an unlawful act and breached the applicant’s rights. Article 82 of the GDPR does not provide for this and nor is there any sign of it in the preparatory documents, which should be no surprise as it is not common in the Member States’ legal systems (64) and is controversial in the systems where it does exist. (65)

92.      However, the scheme and objectives of the GDPR do not preclude Member States which recognise that remedy from offering it to those who are affected by the infringement of a provision, within the remedies provided for in Article 79 of the GDPR, where there is no damage at all. By contrast, if the applicant claims that he or she has suffered financial damage, the situation is governed by Article 82 of the GDPR and the difficulty in proving the damage must not result in nominal damages. (66)

93.      As regards awards of damages consisting of the payment of a sum following the infringement of a right, these may have the purpose of depriving the infringer of the profit obtained. Outwith the sphere of intellectual property, (67) that is not a common purpose in the law of damages which looks, rather, at the injured party’s loss and not the infringer’s gain. (68) The GDPR does not include this in its provisions.

94.      I have set out these considerations to make the referring court’s task easier, in the light of the broad nature of the second question. I am aware, however, that they may be of little help when it comes to upholding or dismissing an action in which the data subject seeks strictly financial compensation for non-material damage.

D.      Question 3

95.      The referring court asks whether, under the GDPR, the award of compensation for non-material damage is conditional on an ‘infringement of at least some weight that goes beyond the upset caused by that infringement’.

96.      As a criterion for eligibility for compensation, the request for a preliminary ruling refers to the intensity of the data subject’s experience. It does not ask, however (at least not directly), whether certain emotions or feelings of the data subject are relevant or irrelevant for the purposes of Article 82(1) of the GDPR by virtue of their nature. (69)

97.      The question thus arises as to whether the Member States may make compensation for non-material damage conditional on the significance of the consequences derived from infringement of the provision, by including only those consequences which exceed a certain threshold of seriousness. The question does not concern elements in respect of which compensation may be awarded (70) or the amount of compensation but rather the existence of a lower limit for the reaction of the injured party, below which that person will not be awarded compensation.

98.      Article 82 of the GDPR does not provide a direct answer to the question. Nor, in my opinion, do recitals 75 and 85. Both contain a list of examples of damage, culminating in an open-ended clause which appears to limit eligibility for compensation to damage that is ‘significant’.

99.      However, I do not believe that those recitals are helpful when it comes to answering the referring court’s question:

—      Recital 75 concerns the identification and evaluation of the risks of data processing and the adoption of measures to prevent or mitigate these. It explains the undesirable consequences of any processing and draws attention, ‘in particular’, to a number of these, undoubtedly because of their more serious nature.

—      Recital 85 refers to personal data breaches, warning that their effects may become significant.

100. It is not possible either to infer from the wording of recital 146 of the GDPR (controllers should compensate ‘any damage’) (71) criteria which make it possible to answer that question.

101. The inclusion of that recital in the text of the GDPR meant that the GDPR implicitly includes non-material damage, replacing the silence on that point of Directive 95/46. (72) However, the question now referred to the Court of Justice was, in particular, not addressed.

102. Recital 146 of the GDPR states that ‘the concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation’.

103. I am not sure that that instruction will have been particularly helpful in the context of data protection, for the Court had yet to rule on the subject when the GDPR was adopted. (73) If the intention was to refer to judgments on civil liability governed by other directives or regulations, a reference to analogy would have been welcome.

104. In fact, the Court has not drawn up a general definition of ‘damage’ which is applicable without distinction in any sphere. (74) For the present purposes (non-material damage), it can be inferred from the Court’s case-law that:

—      where the objective (or one of the objectives) of the provision being interpreted is the protection of individuals or a certain category of individuals, (75) the definition of damage must be broad;

—      in keeping with that rule, compensation covers non-material damage, even where it is not mentioned in the provision interpreted. (76)

105. While the case-law of the Court permits the argument that, in the terms stated, a principle of compensation for non-material damage exists in EU law, I do not believe, however, that it is possible to infer from this a rule pursuant to which all non-material damage, regardless of how serious it is, is eligible for compensation.

106. The Court has accepted the compatibility with EU legislation of national law which, for the purpose of calculating compensation, differentiates between non-material damage linked to physical injury caused by an accident depending on the origin of that accident. (77)

107. The Court has also assessed which circumstances are liable to give rise to non-material damage, in accordance with the provision applicable in each case, (78) but has not ruled explicitly (unless I am mistaken) on the requirement of seriousness of that damage. (79)

108. At this juncture, I believe that question 3 should be answered in the affirmative.

109. In support of my position, I note that the GDPR does not have as its sole aim the safeguarding of the fundamental right to the protection of personal data (80) and that the system of guarantees laid down therein includes mechanisms of different types. (81)

110. Relevant in that connection is the distinction, suggested to the Court, between non-material damage for which compensation may be awarded and other inconveniences arising as a result of abuse of the law which, owing to their insignificance, do not necessarily create the right to compensation.

111. Such a distinction is visible in national legal systems as an inevitable corollary of life in society. (82) The Court is not unaware of that difference, which it accepts when referring to trouble and inconvenience as a separate category from damage in areas where it finds that those items should be compensated. (83) There is nothing to preclude that distinction from being transferred to the GDPR.

112. In addition, the right to compensation under Article 82(1) of the GDPR does not appear to me to be a suitable instrument for countering infringements in connection with the processing of personal data where all those infringements create for the data subject is annoyance or upset.

113. As a rule, any breach of a provision governing data protection leads to some negative reaction on the part of the data subject. Compensation arising as a result of a mere feeling of displeasure due to another person’s failure to comply with the law is easily confused with compensation without damage, which has already been ruled out.

114. From a practical point of view, the inclusion of mere upset in the category of non-material damage eligible for compensation is not efficient in the light of the typical inconveniences and difficulties for the applicant of bringing legal proceedings, (84) and for the defendant of mounting a defence. (85)

115. Refusal of the right to compensation for vague, fleeting feelings or emotions (86) connected with the infringement of rules on processing does not leave the data subject without any protection at all. As I stated in response to the first question, the system laid down in the GDPR provides data subjects with other remedies.

116. I am in no doubt that there is a fine line between mere upset (which is not eligible for compensation) and genuine non-material damage (which is eligible for compensation) and I am also aware of how complicated it is to delimit, in the abstract, the two categories and apply them to a particular dispute. That difficult task falls to the courts of the Member States, which will probably be unable to avoid in their rulings the perception prevailing in society at a given time regarding the permissible degree of tolerance where the subjective effects of infringement of a provision in this area do not exceed a de minimis level. (87)

V.      Conclusion

117. In the light of the foregoing considerations, I propose that the following replies should be given to the Oberster Gerichtshof (Supreme Court, Austria):

Article 82 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

is to be interpreted as meaning that for the purposes of the award of compensation for damage suffered by a person as a result of an infringement of that regulation, a mere infringement of the provision is not in itself sufficient if that infringement is not accompanied by the relevant material or non-material damage.

The compensation for non-material damage provided for in the regulation does not cover mere upset which the person concerned may feel as a result of the infringement of provisions of Regulation 2016/679. It is for the national courts to determine when, owing to its characteristics, a subjective feeling of displeasure may be deemed, in each case, to be non-material damage.


1      Original language: Spanish.


2      Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’).


3      Directive of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).


4      According to the report of the European Union Agency for Fundamental Rights (FRA), Access to data protection remedies in the EU Member States, Publications Office of the European Union, 2013, points 3 and 4.


5      Legislative recognition of that right is, to a large extent, a special feature of the EU system of protection. An examination of the validity of legal instruments on the transmission of personal data to third countries takes specific account of whether or not a provision with the same purpose exists. See paragraphs 226 and 227 of Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017 (EU:C:2017:592); and judgments of 16 July 2020, Facebook Ireland and Schrems (C‑311/18, EU:C:2020:559), and of 21 June 2022, Ligue des droits humains (C‑817/19, EU:C:2022:491).


6      At the time of drafting this Opinion, there are another seven requests for a preliminary ruling pending on this subject (Cases C‑340/21, C‑667/21, C‑687/21, C‑741/21, C‑182/22, C‑189/22 and C‑456/22). At the same time, the European Parliament Committee on Petitions has been asked to ‘clarify the recitals of the GDPR, in particular with regard to non-material damages, in order to avoid further misjudgements by German courts’ (petition No 0386/2021).


7      It did, however, grant the request for an injunction which was confirmed on appeal. The appeal for review (cassation) brought by Österreichische Post against the injunction was dismissed.


8      I use that term within the meaning of Article 4(1) of the GDPR.


9      Sometimes, the data subject does not even have to show that he or she did not consent, since, pursuant to Article 7(1) of the GDPR, ‘where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data’. It is appropriate to require the applicant to adduce evidence which makes it possible to quantify the damage.


10      The term ‘indemnización’ is used in the Spanish and Portuguese (‘indemnização’) versions. ‘Schadenersatz’, in the German version, is also very expressive. The French version uses ‘réparation’ rather than ‘indemnisation’, while the English uses ‘compensation’. I believe that the outcome is identical in any of those, and other similar, versions: damage continues to be an essential element of civil liability.


11      Recital 146 of the GDPR. The compensation is intended to restore the balance of the legal situation which has been negatively affected (damaged) by infringement of the right.


12      Punitive damages are a feature of common law systems. Other legal systems use punitive damages as a response to particularly intentional or seriously negligent conduct. On occasions, punitive damages are associated with the assessment of non-material damage as a consequence of physical injury or an infringement of personal privacy.


13      Judgment of 13 July 2006, Manfredi and Others (C‑295/04 to C‑298/04, EU:C:2006:461, paragraph 92): ‘As to the award of damages and the possibility of an award of punitive damages, in the absence of Community rules governing the matter, it is for the domestic legal system of each Member State to set the criteria for determining the extent of the damages, provided that the principles of equivalence and effectiveness are observed.’ No italics in the original.


14      Judgment of 11 October 2007, Paquay (C‑460/06, EU:C:2007:601, paragraph 44 et seq.), in relation to Article 6 of Council Directive 76/207/EEC of 9 February 1976 on the implementation of the principle of equal treatment for men and women as regards access to employment, vocational training and promotion, and working conditions (OJ 1976 L 39, p. 40).


15      Article 28 of Directive 2004/109/EC of the European Parliament and of the Council of 15 December 2004 on the harmonisation of transparency requirements in relation to information about issuers whose securities are admitted to trading on a regulated market and amending Directive 2001/34/EC (OJ 2004 L 390, p. 38), and Article 25 of Directive 2006/54/EC of the European Parliament and of the Council of 5 July 2006 on the implementation of the principle of equal opportunities and equal treatment of men and women in matters of employment and occupation (OJ 2006 L 204, p. 23).


16      In that connection, see recital 26 of Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights (OJ 2004 L 157, p. 45). In that situation, the adoption of a punitive measure is not prohibited but nor is it obligatory: judgment of 25 January 2017, Stowarzyszenie Oławska Telewizja Kablowa (C‑367/15, EU:C:2017:36, paragraph 28).


17      Article 3(3) of Directive 2014/104/EU of the European Parliament and of the Council of 26 November 2014 on certain rules governing actions for damages under national law for infringements of the competition law provisions of the Member States and of the European Union (OJ 2014 L 349, p. 1), and recitals 10 and 42 of Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (OJ 2020 L 409, p. 1), which covers the area of data protection.


18      Article 18(2) of Commission Regulation (EC) No 1768/95 of 24 July 1995 implementing rules on the agricultural exemption provided for in Article 14(3) of Council Regulation (EC) No 2100/94 on Community plant variety rights (OJ 1995 L 173, p. 14) is usually cited as an example: ‘the liability to compensate the holder for any further damage … shall cover at least a lump sum calculated on the basis of the quadruple average amount charged …’


19      Point 47 below.


20      I use the terms ‘public enforcement’ and ‘private enforcement’ here in the same sense as Directive 2014/104.


21      Recital 55 announced the subject matter of Chapter III (‘Judicial remedies, liability and sanctions’) of Directive 95/46. Articles 22, 23 and 24 of the directive corresponded, respectively, to each term. Chapter VI dealt with supervisory authorities.


22      The Court has confirmed the central role of those authorities in the system: for example, in its judgment of 9 March 2010, Commission v Germany (C‑518/07, EU:C:2010:125, paragraph 23). Supervisory authorities are referred to in Article 8(3) of the Charter of Fundamental Rights of the European Union (‘the Charter’) and Article 16(2) TFEU, in fine.


23      Estonia and Denmark have special rules, to which recital 151 of the GDPR refers.


24      Although the GDPR does not include a direct reference to the importance of private enforcement of the rules, similar to that in recital 3 of Directive 2014/104.


25      Collective actions were already possible before the GDPR: judgment of 29 July 2019, Fashion ID (C‑40/17, EU:C:2019:629). Pursuant to Article 80(1) of the GDPR, bodies defending the rights of data subjects are not permitted to act in matters relating to compensation unless the Member States provide for this and the data subject grants the required mandate. The situation may change as a result of Directive 2020/1828.


26      As Advocate General Richard de la Tour states in his Opinion in Meta Platforms Ireland (C‑319/20, EU:C:2021:979), the action provided for under Article 80 of the GDPR is suited to assisting with the protection of private and general interests. That case concerned an action for an injunction.


27      Particularly in Member States reluctant to allow the award of non-material damages without a statutory provision in that regard.


28      Such as the capacity to be sued, grounds for exclusion of liability, and the rules on liability of joint controllers and joint processors. The following question from the Belgian delegation is reflected in a Council document: ‘whether a violation of the principles of the Regulation was enough to constitute a damage or whether the data subject had to prove a specific damage’. The Commission’s response was that proof of damage was necessary: see, for the first time, in Note from the Presidency No 17831/13 of 16 December 2013, footnote 541. It does not appear that further discussion of that question took place.


29      I refer to the preparatory work for Directives 2004/48 and 2014/104. An interpretation which extended the scope of Article 82 of the GDPR to include punitive damages would have important consequences for Member States: they would have to address, for example, who was to receive punitive damages, how to calculate those damages so that they met their objective and how to coordinate them with administrative fines and criminal penalties in order to avoid excessive punishment.


30      Those ‘other penalties’, which may be criminal or administrative in nature, are not harmonised. Like fines, they must be ‘effective, proportionate and dissuasive’ (Article 84(1), in fine).


31      I am not ruling out that, in the abstract, it is possible that some factors may be transferred in the context of civil liability (I am thinking, for example, of the ‘intentional or negligent character’ of the infringement, under Article 83(2)(b) of the GDPR) or be reflected in the compensation (for example, the ‘categories of personal data affected by the infringement’, under Article 83(2)(g)). Even in those cases, the transfer of each factor from one sphere to another does not happen automatically.


32      Article 83(2)(a) of the GDPR.


33      Either as a parameter for calculation or in order to deduct it from the amount.


34      Article 1 and recitals 6, 9 and 170 of the GDPR. Recital 9 recalls that those were the objectives of Directive 95/46 and stresses that they remain sound. The point is usually made that, in Directive 95/46, the objective of free movement of personal data took precedence over the objective of protection, whereas, in the GDPR, the opposite occurs, which is explained by the formal recognition of the right in Article 8 of the Charter, which must transcend the new legislation. However, Article 1 of the GDPR is clear with regard to the aim of reconciling the protection of personal data with the free movement of such data. That means, of course, ensuring that the level of protection is equivalent in all the Member States, thereby preventing obstacles derived from legislative fragmentation, but also neutralising individuals’ reluctance to share or provide personal data for processing by creating confidence that those data are protected.


35      In paragraph 53 of its observations, Ireland states: ‘… very many claims for compensation under Article 82 GDPR arise in the context of very minor, marginal or speculative non-material damage’ (italics added). In Germany, some legal commentators warn of the risk of abuse of legal proceedings and the need to prevent the emergence of a ‘datenschutzrechtliche Klageindustrie’: Wybitul, T., Neu, L., Strauch, M., ‘Schadensersatzrisiken für Unternehmen bei Datenschutzverstößen’, Zeitschrift für Datenschutz, 2018, p. 202 et seq., in particular p. 206; Paal, B.P., Kritzer, I., ‘Geltendmachung von DS-GVO-Ansprüchen als Geschäftsmodell’, Neue Juristische Wochenschrift, 2022, p. 2433 et seq.


36      A ‘pull’ or multiplying effect resulting from the success of a civil liability claim without damage cannot be ruled out. That would increase the likelihood that economic operators would be faced with collective claims or multiple individual claims (as the case may be, abusive to varying degrees) in addition to a possible administrative or criminal penalty.


37      The parties’ observations merely suggest this position but do not develop it. For example, it is not explained whether this presumption would be irrebuttable or rebuttable. The first possibility is the most consistent with the referring court’s question and I shall therefore confine my remarks to it.


38      See Article 7 of Regulation (EC) No 261/2004 of the European Parliament and of the Council of 11 February 2004 establishing common rules on compensation and assistance to passengers in the event of denied boarding and of cancellation or long delay of flights, and repealing Regulation (EEC) No 295/91 (OJ 2004 L 46, p. 1), and Article 19 of Regulation (EU) No 1177/2010 of the European Parliament and of the Council of 24 November 2010 concerning the rights of passengers when travelling by sea and inland waterway and amending Regulation (EC) No 2006/2004 (OJ 2010 L 334, p. 1).


39      Without going further, in Article 82(3) and (4) of the GDPR.


40      ‘Where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data’.


41      ‘A personal data breach may … result in … loss of control [for natural persons] over their personal data …’.


42      The consequences listed in that recital are not automatic. Under Article 34 of the GDPR, the controller must assess in each case whether it is necessary to notify the data subject of the breach.


43      The emotional consequences linked to loss of control over data, such as fear or anxiety regarding what may happen with such data, are derived from, but not identical to, the loss.


44      A number of Member States have established a presumption of damage in sectors close to the data protection sector. In that connection, in Spain, Article 9(3) of Basic Law 1/1982 on the protection in civil law of the right to honour, personal and family privacy and personal image (Ley Orgánica 1/1982 de protección civil del derecho al honor, a la intimidad personal y familiar y a la propia imagen) of 5 May 1982 (BOE No 115 of 14 May 1982, pp. 12546-12548) provided that ‘the existence of damage shall be presumed, provided that unlawful interference [in the rights guaranteed by this Law] is established’.


45      It should be recalled that, in these proceedings, the unlawfulness of the conduct is linked specifically to the data subject’s lack of consent. The arguments concerning the place of the right to compensation among the guarantees for compliance with the provisions of the GDPR are equally valid here.


46      It is, however, only one basis for lawful processing, and all the bases listed in the GDPR are equally valid. See Opinion 06/2014 of the Article 29 Data Protection Working Party on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, adopted on 9 April 2014, p. 10. The controller may not change the basis for processing once processing has been started: European Data Protection Board, Guidelines 5/2020 on consent under Regulation 2016/679, paragraphs 121 to 123.


47      Article 17(1) of the GDPR. It does not mean that there is no right to compensation for damage which may have been caused by processing carried out until erasure of the data.


48      Judgment of 13 May 2014, Google Spain and Google (C‑131/12, EU:C:2014:317, point 4 of the operative part).


49      Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM(2012) 011 final), p. 2, and recital 6 of the proposed text. See also point 2 of the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions ‘Safeguarding Privacy in a Connected World. A European Data Protection Framework for the 21st Century’ (COM(2012) 9 final).


50      I do not believe that that silence is accidental. Aside from conceptual considerations regarding ownership of personal data, the question is whether to accept that control over personal data equates to natural persons having property rights over information which concerns them (which, in all likelihood, would not be compatible with the interests of third parties and society as a whole). The recommendation that property rights should be granted over personal data appears in the Opinion of the European Economic and Social Committee on ‘Proposal for a Regulation of the European Parliament and of the Council on European data governance (Data Governance Act)’, COM(2020) 767 final (OJ 2021 C 286, p. 38), at point 4.18: ‘The EESC therefore recommends recognising European property rights on digital data in order to enable people (workers, consumers, entrepreneurs) to control and manage the use of their data or prohibit their use’ (italics added). On the other hand, rejecting the proposition that data are a commodity, see footnote 53 in fine.


51      The Spanish version states that ‘las personas físicas deben tener el control de sus propios datos personales’ (italics added) while the English version states that ‘natural persons should have control of their own personal data’ (and not the control). Other versions, such as the Portuguese, provide that ‘as pessoas singulares deverão poder controlar a utilização que é feita dos seus dados pessoais’. Under Article 4 of the GDPR, control over personal data concerns the information represented by those data. Control over the use of data is concerned, rather, with the processing of data.


52      In practice, consent is limited to acceptance or rejection of the proposal of the persons seeking to process the data.


53      I am not ruling out that the body of legal rules is evolving in the direction of granting property rights to the data subject. However, I doubt that this would lead to the maximisation of individual control: a position where data subjects had powers of ownership over personal data may not fit well with the development of the economy and innovation; its compatibility with the fundamental right aspect is questionable. See recital 24 of Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services (OJ 2019 L 136, p. 1): ‘While fully recognising that the protection of personal data is a fundamental right and that therefore personal data cannot be considered as a commodity …’ Italics added.


54      Wording such as that proposed for Article 19 in the Note from the Presidium – Projet de Charte des Droits Fondamentaux de l’Union Européenne, Charte 4284/1/00 REV 1, of 11 May 2000 was not successful: ‘Toute personne a le droit de décider elle-même de la divulgation et de l’utilisation de ses données personnelles’. Nor was the wording suggested for the same provision in the Note from the Presidium – Projet de Charte des Droits Fondamentaux de l’Union Européenne, Charte 4333/00, of 4 June 2000: ‘Toute personne a le droit de décider elle-même de la collecte, de l’utilisation et de la divulgation des données à caractère personnel la concernant’. At national level, the idea of informational self-determination has caught on in a number of Member States, like Germany, following the judgment of the Bundesverfassungsgericht (Constitutional Court, Germany) of 15 December 1983, 1 BvR 209/83. In Spain, see, for example, judgment of the Tribunal Constitucional (Constitutional Court) 292/2000 of 30 November 2000 (BOE of 4 January 2001). I am not sure that that is the case in the EU, although that is the general thrust of the Opinion of Advocate General Szpunar in Orange Romania (C‑61/19, EU:C:2020:158, point 37): ‘The guiding principle at the basis of EU data protection law is that of a self-determined decision of an individual who is capable of making choices about the use and processing of his or her data’, referring, specifically, to German legal literature.


55      Draft report on the Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM(2012) 0011 – C7-0025/2012 – 2012/0011(COD)), PE501.927v04-00, of 16 January 2013, amendment 29.


56      I am not suggesting that the infringement of the provision should go unpunished: what I am saying is that compensation is not the appropriate tool if there was no damage.


57      Having excluded that allowing an individual control over his or her data is itself an aim of the GDPR, I do not rule out having regard to loss of control as a guide for recognising non-material damage, in the sense of taking into account the responses which follow that loss of control.


58      See point 51 of this Opinion. The free flow of data is the sole objective in relation to non-personal data: Article 1 of Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union (OJ 2018 L 303, p. 59).


59      Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions ‘Safeguarding Privacy in a Connected World. A European Data Protection Framework for the 21st Century’ (COM(2012) 9 final), point 1. Later, at p. 5: ‘concerns about privacy are among the most frequent reasons for people not buying goods and services online’.


60      Recital 2 of the GDPR: ‘… contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.’ Recital 4: ‘… The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society …’ On the same lines, see judgment of 24 September 2019, Google (Territorial scope of the right to de-referencing) (C‑507/17, EU:C:2019:772, paragraph 60), and other references.


61      That is a common aim of the regulatory framework designed to strengthen the single market for data. In that connection, the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, ‘A European strategy for data’, COM(2020) 66 final, paragraph 1, explains: ‘In a society where individuals will generate ever-increasing amounts of data, the way in which the data are collected and used must place the interests of the individual first, in accordance with European values, fundamental rights and rules. Citizens will trust and embrace data-driven innovations only if they are confident that any personal data sharing in the EU will be subject to full compliance with the EU’s strict data protection rules.’


62      It appears to concern the referring court (order for reference, paragraph 5 of the grounds for the questions) that the compensation may become punitive in nature since the GDPR provides for high fines, and therefore a high level of compensation for non-material damage would not also be required for the GDPR to be effective.


63      Braathens Regional Aviation (C‑30/19, EU:C:2021:269, paragraph 49): ‘the payment of a sum of money is insufficient to meet the claims of a person who seeks primarily to obtain recognition, by way of compensation for the non-material damage suffered, of the fact that he or she has been the victim of discrimination, meaning that the payment cannot, for that purpose, be regarded as having a satisfactory compensatory function.’ That case concerned Council Directive 2000/43/EC of 29 June 2000 implementing the principle of equal treatment between persons irrespective of racial or ethnic origin (OJ 2000 L 180, p. 22).


64      See Magnus, U., ‘Comparative Report on the Law of Damages’, Unification of Tort Law: Damages, Kluwer Law International, 2001, p. 187, paragraphs 14 and 15.


65      Typically, in common law systems, in particular in the United States, where claims for nominal damages are the last resort for the defence of constitutional rights. For a summary of the discussions on their usefulness in that country, see Grealish, M.‑B., ‘A Dollar for Your Thoughts: Determining Whether Nominal Damages Prevent an Otherwise Moot Case from Being an Advisory Opinion’, Fordham L. Rev., vol. 87, p. 733; and, recently, the decision of the United States Supreme Court of 8 March 2021 in Uzuegbunam v Preczewski. Nominal damages are not accepted without debate in the United Kingdom either: it is assumed that, in practice, the importance of an award of nominal damages depends on the recipient being deemed successful for the purpose of the award of legal costs, something which is not automatic following the judgment in Anglo-Cyprian Trade Agencies Ltd v Paphos Wine Industries Ltd [1951] 1 All ER 873.


66      In the context of (the then) Article 215 of the EEC Treaty, the Court required proof of damage, including where, in view of the difficulty of proving damage, the applicant applied for nominal damages; judgment of 21 May 1976, Roquette Frères v Commission (26/74, EU:C:1976:69, paragraphs 23 and 24).


67      In the context of intellectual property, compensation as a response to the breach of a provision serves to achieve the aim itself, which is essential in that area, of protecting the economic integrity of the right. Article 13(1)(a) of Directive 2004/48 refers to the ‘unfair profits made by the infringer’ as one of the factors which judicial authorities are to take into account when setting damages.


68      There is a similar provision in Article 94(2) of Council Regulation (EC) No 2100/94 of 27 July 1994 on Community plant variety rights (OJ 1994 L 227, p. 1): ‘In cases of slight negligence, such claims may be reduced according to the degree of such slight negligence, but not however to the extent that they are less than the advantage derived therefrom by the person who committed the infringement.’


69      The ineffability of emotions or feelings, particularly if they are related to risks concerning what may happen to data in the future, has resulted in these not being regarded as damage because they lack sufficient clarity or are hypothetical in nature.


70      In other words, the chefs de préjudice or heads of damage.


71      In accordance with that recital, data subjects should receive ‘full and effective compensation’. I do not believe that that wording is relevant for the purposes of the third question because it does not refer to the categories of data for which compensation may be awarded but rather to the calculation of compensation (a step which logically comes later than and cannot be confused with the identification of damage which may be compensated). Taking into account the preparatory documents for the GDPR, the emphasis on ‘full and effective’ compensation ensures that the involvement of more than one controller or processor does not mean that the data subject will receive only partial compensation. Therefore, Article 82(4) of the GDPR states that ‘… each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject’.


72      Article 23 of Directive 95/46 did not specify the damage that was eligible for compensation, which gave rise to discussions about which damage was covered. The negotiations prior to the adoption of the GDPR centred on dispelling the doubts surrounding the inclusion of non-material damage. Recital 118 of the Commission’s proposal, cited in footnote 49, referred to the compensation of any damage. Subsequent stages of the co-legislative procedure referred to ‘any damage, whether pecuniary or not’, which led to the wording ‘non-pecuniary damage’ and resulted finally in the current wording ‘non-material damage’.


73      It had not done so in connection with Article 23 of Directive 95/46 and nor has it done so, to date, in connection with Article 82 of the GDPR. Nor, unless I am mistaken, has the Court given a ruling on Article 56 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ 2016 L 119, p. 89), or Article 19 of the repealed framework decision.


74      Nor has it stated a preferred method of interpretation – whether autonomous or by reference to national legal systems: it depends on the matter under examination. Compare the judgments of 10 May 2001, Veedfald (C‑203/99, EU:C:2001:258, paragraph 27), on the subject of defective products; of 6 May 2010, Walz (C‑63/09, EU:C:2010:251, paragraph 21), on the liability of air carriers; and of 10 June 2021, Van Ameyde España (C‑923/19, EU:C:2021:475, paragraph 37 et seq.), in relation to civil liability applicable to accidents resulting from the use of motor vehicles. Documents relating to the negotiations for the GDPR reflect the uncertainties of Member States as to whether or not the notions of damage and compensation in (the then) Article 77 should be autonomous and show the different positions on the subject. The Commission was in favour of leaving the matter to the Court. See Council of the European Union, Note from the Presidency No 17831/13 of 16 December 2013, footnote 539.


75      For example, consumers of products or victims of traffic accidents.


76      On the subject of package trips, judgment of 12 March 2002, Leitner (C‑168/00, EU:C:2002:163); in connection with civil liability derived from the use of motor vehicles, judgments of 24 October 2013, Haasová (C‑22/12, EU:C:2013:692, paragraphs 47 to 50); of 24 October 2013, Drozdovs (C‑277/12, EU:C:2013:685, paragraph 40); and of 23 January 2014, Petillo (C‑371/12, EU:C:2014:26, paragraph 35).


77      Judgment of 23 January 2014, Petillo (C‑371/12, EU:C:2014:26, operative part): EU law does not preclude ‘national legislation … which lays down a specific compensation scheme for non-material damage resulting from minor physical injuries caused by road traffic accidents, limiting the compensation payable for such damage in comparison with the compensation allowed for identical damage arising from causes other than those accidents’.


78      For example, judgments of 12 March 2002, Leitner (C‑168/00, EU:C:2002:163), on the loss of enjoyment of holidays, and of 6 May 2010, Walz (C‑63/09, EU:C:2010:251), on loss of baggage in the context of package travel.


79      The judgment of 17 March 2016, Liffers (C‑99/15, EU:C:2016:173, paragraph 17), on the interpretation of Directive 2004/48, observed that moral prejudice constitutes a component of the prejudice actually suffered, ‘provided that it is proven’. Logically, proof presupposes the reality of the damage; that, in turn, is close to the notion of seriousness of the damage, although it is not the same.


80      Point 51 above.


81      Point 45 et seq. above.


82      Recently, in relation to data protection in Italy, Tribunale di Palermo, sez. I civile, sentenza 05/10/2017 No 5261, and Cass Civ. Ord. Sez 6, No 17383/2020. In Germany, inter alia, AG Diez, 07.11.2018 – 8 C 130/18; LG Karlsruhe, 02.08.2019 – 8 O 26/19; and AG Frankfurt am Main, 10.07.2020 – 385 C 155/19 (70). In Austria, OGH 6 Ob 56/21k.


83      See judgment of 23 October 2012, Nelson and Others (C‑581/10 and C‑629/10, EU:C:2012:657, paragraph 51), on the distinction between ‘damage’ within the meaning of Article 19 of the Convention for the Unification of Certain Rules for International Carriage by Air, concluded in Montreal on 28 May 1999, and ‘inconveniences’ within the meaning of Regulation No 261/2004, for which compensation is payable under Article 7 thereof, pursuant to the judgment of 19 November 2009, Sturgeon and Others (C‑402/07 and C‑432/07, EU:C:2009:716). In that sector, as in the sector for the transport of passengers by sea and inland waterway, to which Regulation No 1177/2010 relates, the legislature was able to recognise an abstract category as a result of the fact that the factor which creates the trouble and the essence of that trouble are identical for all those affected. I do not believe that that inference is possible in relation to data protection.


84      The typical mechanism for exercising the right under Article 82 of the GDPR is proceedings before the ordinary courts. The principle of effectiveness may, naturally, place conditions on the application of national rules on aspects such as procedural costs or evidence. However, the difficulty in accepting that damages may be awarded for mere inconvenience is not only due to the disproportion between its monetary value and the cost of bringing proceedings (apart from the fact that the costs of the administration of justice are not borne only by the parties). I do not believe that it is justified, in view of the silence of the GDPR, to require the Member States to create an ad hoc procedure.


85      It should be recalled that, under Article 82(3) of the GDPR, the controller or processor is exempt from liability only if it proves that it is not in any way responsible for the event giving rise to the damage.


86      By setting out these considerations, I am not prejudging whether, in this case, UI’s situation came under one category or the other, a matter on which the referring court will adjudicate.


87      The same occurs with the amount of compensation.