Update on data protection claims - Austrian Post Case
The CJEU has handed down its decision in the much-awaited Austrian Post Case. This case sets out important principles of EU data protection law surrounding the interpretation of Article 82 of the GDPR, most notably, that there is no sufficiency of damage requirement under that Article. The Austrian Post Case is being monitored heavily from an Irish (and broader EU) perspective.
A relevant Irish case, Cunniam v Parcel Connect Limited trading as Fastway Couriers Ireland and Others [2023] IECC 1 (“Fastway Couriers Case”) has been stayed pending the result of the Austrian Post Case. This article looks firstly at the Irish backdrop of the Fastway Couriers Case which is informed by the later discussion on the Austrian Post Case.
The Irish background: the Fastway Couriers Case
The Fastway Couriers Case relates to a data breach in which the personal data of a significant number of Irish data subjects were compromised. A claim for damages arising from that data breach was made by the plaintiff under Article 82 of the GDPR. Any claim under Article 82(1), may be a claim for material, or non-material damage, with an accompanying right to compensation for the damage suffered.
The Fastway Couriers Case was a claim for non-material damage, and the plaintiff claimed relief for interference with his peace, privacy and apprehension about the use of his data together with the associated loss of his ability to effectively exercise his GDPR rights in respect of that data.
Against the backdrop of several ongoing referrals to the CJEU (one of which being the Austrian Post Case) on similar areas of law, Judge O’Connor stayed the Fastway Couriers Case pending the outcomes of the referrals to the CJEU. The stay was in large part arising out of the importance of the CJEU decision in the Austrian Post Case which would give greater guidance on the proper interpretation of Article 82 GDPR, and in particular, compensation for non-material damage.
The present decision: the Austrian Post Case
The Austrian Post Case arose out of a claim seeking compensation for non-material damage suffered as a result of non-consensual processing of personal data. This processing related to the claimant’s political affiliation.
The three main questions for the CJEU in the Austrian Post Case were as follows:
- Does the award of compensation under Article 82 [of the GDPR] also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
- Does the assessment of the compensation depend on further EU law requirements in addition to the principles of effectiveness and equivalence?
- Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence [or effect] of the infringement of at least some weight that goes beyond the upset caused by that infringement?
Q 1 – What is necessary to sustain a claim for damages under Article 82?
The Court clarified that there is no reference in Article 82, or the recitals, to member state law regarding the concepts of “material or non-material damage”. These concepts must then be EU concepts, which must be interpreted on a harmonised basis. The Court then provided the necessary cumulative test for how material or non-material damage should be interpreted to ensure consistency and harmonisation:
- Damage must have been suffered, and
- An infringement of the GDPR, and
- A causal link between the damage and the breach of the GDPR (i.e., a causal link between (a) and (b) above).
The Court clarified that an infringement of the GDPR on its own is not sufficient to ground a claim; there must be associated causal damage linked to that infringement.
Q 2 – Is the Court mandating any particular requirements on member state courts in calculating damages?
The Court took a relaxed view and noted that there is nothing in the GDPR to require prescriptive court rules on compensation. National courts must now apply the domestic rules of each member state relating to financial compensation. In doing this, they must have regard to the familiar principles of equivalence and effectiveness of EU law which are broad EU guidelines which apply to assessment of damages in a general sense. The Court noted that there is no express reference in the GDPR requiring any particular adherence to these principles.
Q 3 – Is there a de minimis threshold of harm necessary to sustain a claim under Article 82?
The Court’s decision is clear that there should be no member state rules which would have the effect of setting a de minimis threshold of damage before a claim under Article 82 can be made. As noted above, the Court views “damage” and “non-material damage” as EU law concepts in the absence of a reference to member state law being used to interpret these concepts.
The Court recites Recital 146 of the GDPR which provides that “the concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation”. The Court makes clear that having a de minimis threshold would lead to fluctuations in the assessment of member state courts and therefore making compensation subject to a de minimis threshold would risk undermining the coherence of the rules established by the GDPR.
Commentary
There is a general sentiment at EU Commission level that the GDPR's effectiveness is constrained by the ability of appeal to the courts of member states. Recent EU legislation such as the Digital Markets Act has been drafted to restrict fines from being as amenable to court challenges by giving regulators a more central role in the enforcement and appeal of fines. The CJEU has taken a broad interpretation of “damage” under the GDPR, which is not subject to de minimis thresholds. This open interpretation ties in with the EU Commission sentiment which is seeking more effective enforcement of EU regulations. The CJEU has subtly noted that while they cannot prescribe the method of implementing a fine for breach of Article 82, they may insist on the fine being "effective and equivalent” which means that the fine must not be arbitrarily low, having regard to national laws which would prejudice the effectiveness of the GDPR. We do not expect this to materially affect member states’ power to decide on quantum of damages.
Conclusion
The court in the Fastway Couriers Case must now take instruction from the Austrian Post Case. The new test and associated guidelines in the Austrian Post Case have direct applicability and will inevitably inform the decision of court judgments in Ireland to ensure a harmonised and consistent approach to Article 82 claims. The decision is significant, and it will be interesting to see how the Irish courts apply this new case.
Related expertise
You may be interested in...
Online Event
Shared Insights: Data and Information Governance Issues
Legal Update
Update on data protection claims - Austrian Post Case
Press Release
Browne Jacobson launches specialist Ascensus programme for in house lawyers and business leaders
Opinion
Mopping up after a leak – how businesses can take steps to protect their confidential information
Legal Update
Cyber security and data breaches
Legal Update
Update on the Digital Services Act (“DSA”) – Important Dates and Deadlines Looming
Legal Update
Government publishes its proposals for expanding the Scope of the Network and Information Systems Regulations 2018
Legal Update
Protecting children and their data in the online environment
Published Article
Bruce Willis AI and the problem with deepfakes
A deepfake of Bruce Willis is advertising Russian mobile phones. Many great artistic and metaphysical questions are raised by this performance. However, this article is going to look at the intellectual property law implications, from a UK perspective.
Legal Update
DSA approved: Targeted Advertising Rules explained
The Digital Services Act (the “DSA”) has today (27 October) been given the go-ahead by the EU Council and will enter into force by early 2024.
Legal Update
Economic crime and cybercrime
It is clear that the digital landscape, often termed cyberspace, is a man-made environment, in which human behaviour dominates and where technology both influences and aids our role in it — through the internet, telecoms and networked computer systems, which are often interdependent. The extent to which any organisation is potentially vulnerable to cyber-attack depends on how well these elements are aligned.
Legal Update
Data reform in the UK
Since the UK left the EU and are now able to move away from the EU data protection regime, the UK government have implemented a national data strategy with the aim of reducing the burden on organisations but maintaining a high data protection standard.
Legal Update
Are local authority companies subject to the Freedom of Information Act 2000?
In this article we look at local authority companies and whether they are subject to the Freedom of Information Act 2000. And for those that are, what information are they legally obliged to submit.
Legal Update
Digital Markets Act and Data Platforms - FRANDs for life?
The Digital Markets Act (the “DMA”) joins the dots between competition law and data protection law and actively targets data-driven platforms. It is also a comprehensive regulation to take note of, with familiar GDPR-style fines tied to turnover.
Legal Update
Avoiding the pitfalls of WhatsApp
The use of social media platforms and applications can have overwhelmingly positive benefits for public bodies. However, regulatory action recently taken by the Information Commissioner, has highlighted various pitfalls that public bodies should seek to avoid if allowing staff to use social media as a communication tool.
Legal Update
ICO consultation on research provisions guidance
The data protection legislation (namely, the UK GDPR and Data Protection Act 2018) contain various provisions that deal with the processing of personal data for research purposes.
Legal Update
More good news for data controllers: High Court finds local authority not vicariously liable for the actions of social worker who went off on a "frolic of her own"
Public bodies will be pleased to hear that another significant court decision (Ali v Luton Borough Council [2022] EWHC 132 (QB)) has been made that is favourable to data controllers.
Published Article
Five top tips for strong data compliance in 2022
This article has five excellent top tips for strong data compliance in 2022, including; embracing near misses, leading from the top, outcomes-focused training, learning walks, consequences.
Legal Update
Stemming the tide of data breach claims: good news for data controllers
The cases summarised give considerable comfort to data controllers seeking to defend themselves against claims that relate to breaches arising as a result of a failure rather than a direct act and/or are based on assertions of damage or distress that are exaggerated, unsubstantiated or bear little relation to the breach itself.
Press Release
Reaction: Supreme Court rules in favour of Google
The Supreme Court has unanimously overturned the Court of Appeal’s 2019 decision in the case Lloyd (Respondent) v Google LLC (Appellant) which allowed the claimant, Mr Lloyd, to serve a representative action on Google on behalf of over four million iPhone users who were seeking damages for ‘loss of control’ of personal data.
Legal Update
What are the requirements of cookie law
Cookies and similar technologies are a useful and often necessary tool for online businesses, but their use is governed by both the Privacy and Electronic Communications Regulations (PECR) and the GDPR.
Legal Update
Steps to take following a data breach: reporting, criminal charges and injunctions
Student and staff files will be full of personal data, much of which may be particularly sensitive such as health information (known under the data protection legislation as “special category” data).
Published Article
Confidential information and subject access disclosure
In February 2021, the High Court handed down judgment London Borough of Lambeth v AM (No. 2) [2021] EWHC 186 (QB), in which Browne Jacobson LLP acted for the Claimant Council. The judgment is critical reading for public bodies who are required to take action to restrict the use of confidential information in circumstances where that information has been inadvertently disclosed to a third-party.
Legal Update
Lloyd v Google – what next?
The Supreme Court’s pending decision could potentially open the floodgates for data privacy litigation going forward.
Training
Claims club - 16 June 2021
Watch our on-demand video for our popular Claims Club where we discussed the risk of data sharing, risks in a changing climate, highway claims and what we can see on the horizon.
Legal Update
High Court grants local authority injunction to prevent breach of confidence
This judgment is critical reading for public bodies who need to take action to restrain the use of confidential information in circumstances where that information has been inadvertently disclosed to a third party.
Legal Update
Brexit - now what for data protection law?
UK organisations need to comply with the UK GDPR and continue to be subject to the EU GDPR where EU data is being processed, so there may be two versions of the GDPR to comply with for some personal data processing.
Legal Update
Health care apps – Part 1 of 2: Exploring the ins and outs of intellectual property (IP)
The adoption of smart technology solutions by the health and care sector has exploded in 2020. The pandemic has driven the sector to increase its use of smart phone technology solutions (“Apps”), an example of which is conducting video consultations and assessments.
Guide
Brexit overview: your use of data and Brexit
Despite the lack of clarity around Brexit, there are key data issues that can be addressed now. We can help you with the steps you need to take to mitigate the risks.
Legal Update
Corporate transparency and register reform: Government response now published
In May 2019 the Government consulted on a range of options to enhance the role of Companies House and increase the transparency of companies and other legal entities. On 18 September 2020 BEIS published the Government's response following a huge response to the consultation.
Training
In-House Lawyers - 12 June 2020
On demand webinar, focusing on practical solutions to utilise from home in agreements and dealings with business, data and digital law and how covid-19 has changed legal privilege.
Published Article
Top tips for implementing ‘Data Protection by Design & Default’
The GDPR requires all businesses to implement ‘Data Protection by Design & Default’ but what does that mean in practice and how can businesses practically comply?
Legal Update
Staff working from home? How do you keep data secure?
Data protection law requires every business that deals with personal data to ensure that they have “Technical and Organisational Measures ” in place to keep that data secure. Losing that data could seriously damage the company’s reputation and potentially land it with a fine from the ICO and with claims for compensation.
Legal Update
Data protection and Coronavirus
The ICO has recently released updated guidance for businesses who are grappling with concerns around data protection compliance during the ongoing Covid-19 (Coronavirus) pandemic
Training
Common contractual pitfalls and what you can do to avoid them
During this short webinar our experts will deconstruct the most typically occurring contractual disputes.
Published Article
Protecting your business from cyber threats
Did you know that cyber attackers can use publicly available information about your business and employees to make their attacks more successful? Information is often gleaned from websites and public social media accounts.
Opinion
Do you collect personal data from children, whether deliberately or by accident? If so you’d better read this…
If you provide goods or services online that might be of interest to children then you’re going to want to go through the ICO’s “Age Appropriate Design Code of Practice” - a code requiring minimum standards of any online service aimed (or which is likely to interest) children.
Legal Update
FOIA and data protection: the difficult balancing exercise for public authorities when a request is made for third party personal data
The Freedom of Information Act 2000 (‘FOIA’) allows members of the public to request information from public bodies. As guidance issued by the Information Commissioner explains, the main principle behind FOIA is that people have a right to know about the activities of public authorities, unless there is a good reason for them not to.
Training
Richard Nicholas provides a data protection update
As part of our regular updates for in-house lawyers, Richard takes a look at what has changed in data protection law over the last six months
Legal Update
Data protection: preparing for Brexit
Although there is uncertainty about what arrangements will apply when the UK leaves the EU, there are a number of practical steps that can be taken now to prepare from a data protection perspective and to ensure that any data flows to and from the EU can continue post Brexit.