Privacy & Information Security Law Blog

On May 4, 2023, the Court of Justice of the European Union (“CJEU”) issued a judgment in the Österreichische Post case (C-300/21). In the decision, the CJEU clarified that a mere infringement of the EU General Data Protection Regulation (“GDPR”) is not sufficient to give data subjects the right to receive compensation under Article 82 of the GDPR. Article 82 provides that “any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

Background

The case dates back to 2017 when the Austrian Post (“Österreichische Post”) collected data relating to the political affinities of Austrian residents. In particular, the Austrian Post used an algorithm to define “target group addresses” based on selected socio-demographic features, and classified individuals into target groups. The data was subsequently sold to various organizations to enable them to send targeted advertising in relation to political elections.

One individual filed a complaint relating to this practice and claimed €1,000 in non-material damage.

The CJEU Decision

According to the CJEU, a broad interpretation of the GDPR provision regarding the right to compensation would be contrary to the text of the law. The CJEU highlighted that compensation is required only when three conditions are met: (1) personal data is processed in a manner that infringes the GDPR; (2) the data subject suffered damage; and (3) there is a causal link between the unlawful processing and the damage suffered.

The CJEU also rejected the proposition of a required minimum threshold to award compensation for non-material damage under the GDPR. Instead, the CJEU found that the GDPR requires “full and effective compensation for the damage” and that establishing a minimum threshold would risk undermining the coherent application of the GDPR.

Finally, the CJEU confirmed that, in the absence of rules in the GDPR on the assessment of damages, the matter should be regulated at the EU Member States level, including, in particular, “the criteria for determining the extent of the compensation payable in that context, subject to compliance with [the] principles of equivalence and effectiveness.”