Privacy activists warn against removing compensation for data protection breaches

The Advocate General of the Court of Justice of the European Union (CJEU) issued a non-binding opinion, which privacy advocates fear could further limit users’ possibilities to enforce their privacy rights under the GDPR. According to the opinion delivered last week, Europeans would hardly get compensated if their rights are violated under the General Data Protection Regulation, even though the EU’s data protection rulebook foresees a claim for non-material damages. “We have a massive enforcement gap in the GDPR. At the same time, it seems like the opinion entertains any argument to shield the industry from enforcement. This is a very problematic approach coming from the Court of Justice,” lawyer and privacy activist Max Schrems said in a statement on Thursday (13 October).  The opinion came in reaction to an Austrian case where the national postal service illegally calculated the political affiliation of millions of Austrians in violation of the GDPR. Names, addresses and birth dates were used as their algorithm’s underlying data. In October 2019, the Austrian Data Protection Authority issued an €18 million fine to the Austrian national postal service for violating the GDPR after it had used these personal datasets to offer marketing services to various political parties for advertising.A Viennese plaintiff, associated with the right-wing Freedom Party through the algorithm, also sued the postal service for non-material damages, claiming €1,000 for anger, loss of trust and a feeling of exposure. He stated that being associated with the right-wing party was insulting, shameful, and highly damaging to his reputation. His claims were dismissed by the first and second-instance courts, which argued that the discomfort and feelings of unpleasantness were below the threshold that would entitle him to compensation.

The Austrian Supreme Court then referred the matter to the Court of Justice of the European Union, asking whether the award of non-material damages could be limited if the anger of a plaintiff does not go beyond the anger relating to the violation of GDPR rights.

This definition would include all types of anger originating from a GDPR violation, the Austrian-based non-profit organisation noyb, founded by Max Schrems, argues. Therefore, non-material damages for GDPR violations would hardly be granted.

“This case is deeply troubling. If the view of the Austrian Supreme Court and the Advocate General prevails, most users will never see compensation for GDPR violations anymore,” Max Schrems said. While the opinion points to other options than damages, such as declarations, nominal damages or injunctions, according to noyb, this would mean plaintiffs have to invest just to receive a written confirmation that they were right, discouraging them from bringing claims.
The opinion seems to allow EU countries to create their own thresholds that may limit the compensation for non-material damages under the GDPR, leading to fragmentation across the bloc. However, even in this particular case, it is not clear from the opinion whether the plaintiff should be compensated or not. [Edited by Luca Bertuzzi/Nathalie Weatherald]