Background and Main Case
Besides delivering mail to Austrian citizens, Österreichische Post has been involved in selling addresses since 2017. They sell so-called “target group addresses” to organizations enabling them to send targeted advertising. The postal company generates these target groups using an algorithm, which combines several social and demographic criteria. Österreichische Post did this without obtaining prior consent from the individuals concerned.
An Austrian citizen (hereinafter: the applicant) was categorized by Österreichische Post’s algorithm as having a strong affinity for a specific Austrian political party. Österreichische Post did not sell this data to a third party. Nonetheless, the applicant felt angered and embarrassed by this labeling, claiming to have suffered emotional harm. As a result, the applicant sought compensation of 1,000 euros from the Austrian civil court. The applicant also demanded an immediate halt to the processing.
Appeal and Preliminary Questions
The Austrian court granted the request to cease the processing but rejected the request for compensation. The applicant appealed this decision. The appellate court also rejected the compensation claim, stating that a right to compensation only exists if the damage reaches a certain ‘threshold of seriousness.’ According to the court, this threshold had not been reached in the case of the applicant. The applicant did not accept this and appealed to the highest federal court in Austria, the Oberste Gerichtshof.
The Oberste Gerichtshof had doubts about the extent of the right to compensation under the GDPR and requested the Court of Justice to make a preliminary ruling. It posed three questions to the Court: 1) Does a single breach of a provision under the GDPR suffice for granting compensation under Article 82 of the GDPR, 2) must a certain level of severity be reached for compensation for non-material damage, and 3) are there EU provisions for determining the amount of compensation? All three questions were found to be admissible.
Answers to the Preliminary Questions
The Court answered the first preliminary question as follows. From the wording of Article 82(1), it’s evident that the existence of suffered damage is only one of the three conditions for a successful right to compensation. Apart from the existence of suffered damage, a provision under the GDPR must have been breached, and there must be a causal link between the specific damage and the breach. These conditions must be cumulatively fulfilled for a right to compensation to arise.
Hence, it can be concluded that a single violation of a GDPR provision on its own doesn’t automatically lead to a right to compensation.
Addressing the second preliminary question, the Court delves into the meaning of ‘damage’ in Article 82 of the GDPR. Firstly, it can be inferred from Article 82 that, alongside material damage, non-material damage can also justify compensation. So, is there a need for a certain ‘threshold of seriousness’ to speak of non-material damage? According to the Court, this is not the case. The context of Article 82 of the GDPR stipulates that both material and non-material damage can give rise to a right to compensation. The article does not mention any threshold of seriousness. Additionally, the Court highlights that the term ‘damage’ in the GDPR should be interpreted broadly. Demanding a threshold of seriousness would not align with this comprehensive understanding of harm.
Conclusively, there is no requirement for a specific degree of severity for the existence of a right to compensation for non-material damage.
The third preliminary question concerns whether there are EU provisions to determine the amount of compensation. The Court answers this question negatively. The GDPR doesn’t contain provisions that establish rules for determining and assessing damages. Because these rules are absent, it’s up to each member state to establish further rules on a national level. The Court also mentions that the principles of equivalence and effectiveness should be taken into account. Lastly, the Court refers to Recital 146 of the GDPR, which states that data subjects should receive ‘full’ and ‘actual’ compensation for their suffered harm. The right to compensation under the GDPR serves a compensatory purpose: suffered harm should be redressed.
Source: CJEU May 4, 2023, C-300/21, ECLI:EU:C:2023:370
This article was published on May 23, 2023, as a news report for Sdu OpMaat Privacyrecht.
