A couple of developments on data protection damages: one from the EU which indicates that the likely direction of travel for the block’s highest court is that there’s no entitlement to compensation under the GDPR without showing harm which is more than “mere upset”; and the other from the UK which assessed damages for a personal data breach with no privacy implications at £250. Defendant organisations are likely to find these developments helpful when it comes to answering the fraught questions of how much a data claim is worth, or whether it should even be brought.  

Austrian Post case

The AG’s opinion in Case C-300/12 UI v Österreichische Post AG (a.k.a. the ‘Austrian Post’ case) has given us a clue as to the CJEU’s likely reasoning on two questions which have, for some time, been of interest to UK defendants given both the spectre of ‘opt-out’ class actions, and plague of ‘(no-to-)low-value’ identikit claims brought by personal injury firms.

Austrian Post publishes directories and, through profiling using socio-demographic data, had classified the claimant as having a high affinity with a particular political party. The claimant was described as being various shades of “upset”. Descriptors included: “great upset”; “angered and offended”; “insulting and shameful”; “extremely damaging to his reputation”; “loss of confidence”, and “a feeling of public exposure”. Compensation of €1k was sought for non-material damage.

The domestic courts weren’t impressed. They held that compensation doesn’t automatically follow a breach of the GDPR; and that the principle underlying Austrian law is that damage claimed must be of a certain significance, so mere discomfort and feelings of unpleasantness must be borne by everyone without a right to compensation.

The AG’s opinion on each of these issues was as follows:

(1) Can compensation be awarded merely to vindicate a contravention of the GDPR?no. The AG: 

Short answer:

  • examined the wording of Article 82(1) to determine whether there can be compensation without damage. He found that the wording doesn’t allow for ‘infringement’ to be automatically associated with ‘compensation’ without any damage;
  • discussed whether the GDPR allows for recovery of punitive damages. He found that it didn’t, having considered the legislation's wording, history and purpose, as well as the possibility that supervisory authorities could become redundant if data subjects were instead to prefer litigating for a 'punitive' profit; and
  • analysed whether there’s a presumption of damage because an infringement always leads to loss of control over data. He found that there wasn’t, observing that recitals 75 and 85 only recognise that loss of control is a possible risk and could occur; and that control through consent isn’t absolute in the GDPR, and wasn’t the aim of the legislation in any event (there being no "right of informational self-determination"). He observed that: "The aim of the GDPR is not ... to limit systematically the processing of personal data but rather to legitimise it under strict conditions."

(2) Is there a minimum threshold of seriousness, beyond “mere upset”, which must be met in order to be awarded compensation for non-material harm?yes, but it’s up to the national courts to decide on that threshold. The AG:

Short answer:

  • didn’t find a direct answer in the recitals but noted, in the context of Recital 146 which requires the concept of damage to be broadly interpreted in the light of CJEU caselaw, that whilst "a principle of compensation for non-material damage exists in EU law, I do not believe, however, that it is possible to infer from this a rule pursuant to which all non-material damage, regardless of how serious it is, is eligible for compensation"; 
  • found relevant the distinction in national laws between non-material damage for which compensation could be awarded, and other inconveniences arising out of an abuse of the law which, due to their insignificance, didn’t necessarily create a right to compensation. He observed that this distinction was an “inevitable corollary of life in society” (echoing, perhaps, Lord Neuberger’ s words back in 2011: “While respect for family and private life is of fundamental importance, it seems to me that the courts should, in the absence of special facts, generally expect people to adopt a reasonably robust and realistic approach to living in the 21st century”);
  • referenced practical matters such as the typical inconveniences and difficulties in bringing and defending legal proceedings, making it “inefficient” to enable claims for “mere upset” to be brought; and
  • observed that an inability to bring compensation claims for “vague, fleeting feelings or emotions” wouldn’t leave data subjects without recourse either, given that the underlying contravention could be referred to the supervisory authority.

The AG's opinion certainly reads like he closely studied, and perhaps sought inspiration from, Lord Leggatt's leading judgment in Lloyd v Google (see our analysis of that decision here). If, as is usually the case, the AG’s opinion is in due course followed by the CJEU, then both Europe and the UK’s highest courts will have effectively poured water on claimants’ ability to pursue representative actions in the form contemplated in Lloyd. It also suggests that the Supreme Court’s reasoning in that case, which was under the ‘old’ 1998 Act, is likely to be applicable to the GDPR. 

Post-Brexit, whilst a CJEU decision following this opinion would nonetheless be useful (if not binding) in developing the minimum threshold of seriousness in domestic law, there’s likely to be plenty of further squabbling, both on the Continent and here, about where to draw the line between a “mere feeling of displeasure” and compensatable harm.

Driver v CPS

The second development is Knowles J's decision in Driver v CPS [2022] EWHC 2500 (KB) which involved an email sent to a member of the public by a CPS lawyer about a criminal investigation in which the claimant politician was a suspect. The email did no more than to repeat what was in the public domain. It was forwarded, with some added commentary, to various recipients – including to electoral candidates who were political opponents of the politician in question. The claimant alleged breaches of data protection law and misuse of private information, and claimed £2k in damages.

The case brings up various issues. On the particular issue of damages, however, the court held that the CPS had failed to have appropriate security in place (given an absence of policies dealing with how it should react to enquiries by random members of the public about ongoing investigations), and that the disclosure constituted a personal data breach.

The judge was prepared to accept at [168] that the claimant “would have experienced a very modest degree of distress upon discovering that the CPS's email had been sent to political opponents and the media by someone who had a grievance against him in an effort (as I find) to embarrass him”. However, he rejected the claimant’s evidence that “it could reasonably or properly have caused him anything like the level of anguish which he claimed”. Whilst the judge accepted that the claimant consulted his GP, he was unable to conclude this was as a result of the emails rather than, for example, of the stress of having been under police investigation for some six years. 

The judge therefore characterised the data breach as being “at the lowest end of the spectrum” and awarded the claimant £250. 

Given the limited authorities on data breach damages in particular, this case provides a helpful steer about what a data breach claim is worth where a claimant has no reasonable expectation of privacy in the information disclosed.