Skip to main content

Predicted surge in data privacy litigation claims

30 May 2023

The European Court of Justice (ECJ) ruled in May that individuals can seek compensation for non-material damages resulting from General Data Protection Regulations (GDPR) violations. In this article we consider the potential implications for insurers.

The case

The case considered an Austrian citizen who sued the country’s postal service for processing their data without their consent. The Claimant sought reparations for ‘non-material damage’ under GDPR’s liability regime, alleging that they had been caused substantial distress. In its defence the postal service asserted that the Claimant data subject had not suffered sufficient damage.

The national court was unsure as to the extent to which compensation rights for non-material damages apply under GDPR’s Article 82, so it referred the case to the ECJ.

ECJ decision

The ECJ ruled that:

Not every infringement of the GDPR gives rise, in itself, to a right of compensation’.

However, there is no requirement for non-material damage to reach a certain threshold of seriousness to confer a right to compensation. As such, data subjects seeking compensation for GDPR breaches can do so without proving that a specific threshold for the seriousness of the harm is met. It is then for national courts to decide on the appropriate level of damages.

Considerations for insurers

Despite the claimant still having to prove a GDPR violation and a causal link between the violation and the harm, this decision could result in an increase in data privacy claims against businesses.

However, this case must be balanced against the case of Lloyd v Google, in which the Supreme Court held that a mere loss of control over data does not automatically result in compensation. Indeed, the ruling of the ECJ is not binding on English courts following Brexit. Nevertheless, the decision could still be persuasive and influential in judges’ decision making in the UK. As such, insurers and underwriters should consider the scope of coverage they offer to policy holders, particularly under management liability, professional indemnity and cyber wordings, where cover for data privacy claims is often provided.

Additionally, insurers may also wish to consider incorporating tighter conditions into their wordings in relation to GDPR compliance.

Key contact

Key contact

Tim Johnson


+44 (0)115 976 6557

View profile Connect on LinkedIn
Can we help you? Contact Tim

You may be interested in...