Does this judgment mean you should be preparing for distress-based GDPR claims?

The data protection discourse in recent weeks has been dominated by the EU-U.S. Data Privacy Framework coming into force.  Organisations on both sides of the pond have been living with the uncertainty around transatlantic data flows for nearly three years, so clearly this is a welcome development — even if it may prove to be temporary.

But amid all of the DPF chatter there was another development that, although less flashy than securing the future of trillion dollar data flows, should be of interest to all European businesses.  That development concerns litigation in which damages are sought for non-material harm resulting from GDPR non-compliance and, importantly, it is the first judgment of which I’m aware that has implemented the Court of Justice of the European Union’s recent decision in UI v Österreichische Post AG.

The background

As I’ve written previously, the English courts have mostly refused to award damages for claims alleging non-material harm (e.g., distress, upset).  That has been the case at the group and individual level alike.  The position across the EU has been a little more mixed, albeit still largely in line with the English approach.

Ultimately, it has been difficult for individuals to quantify and/or evidence the harm suffered — and the judiciary has (whether explicitly or impliedly) required that damages must meet a certain minimum threshold.

That all changed in May, when the CJEU issued its long-awaited judgment in Österreichische Post.  Crucially, the CJEU found that there is no requirement for non-material damage to meet a certain threshold, i.e., an individual may be entitled to compensation by proving they have suffered damage, including, potentially, low(ish) level distress, anger or upset.  Following that decision, it is for national courts to determine the threshold for and the amount of damages to be paid (if any) to individuals.

The Irish decision

On 11 July, the Dublin Circuit Court awarded an employee €2,000 in relation to the anxiety and embarrassment he felt after his employer used CCTV footage of him in internal training sessions as an example of poor working practices.  The employee’s evidence stated that he felt anxiety and embarrassment, was more stressed at work and had problems sleeping as a result of the incident.

Given the limited case law in this area, it was helpful to see the court set out the factors that it considered when assessing damages for non-material loss.  Space doesn’t allow me to list them all here (they are at pages 25 and 26 of the judgment, which is linked below), but they include:

• A mere violation of the GDPR is not sufficient to warrant an award of compensation.
• Compensation for non-material damage does not cover “mere upset”.
• Damages must be proved and supporting evidence is strongly desirable (e.g., a psychologist’s report or medical evidence).
• An apology, when appropriate, may be considered in mitigation of damages.
• Even where non-material damage can be proved and is not trivial, damages will often be modest (e.g., below €500 for minor psychiatric damages).

In making its award of €2,000, the court also cited a lack of clarity and transparency in the employer’s internal policies and procedures, as well as its failure to conduct a legitimate interest analysis in relation to the processing. 

These deficiencies perhaps did not aggravate the harm suffered by the employee, who also did not provide medical evidence of his distress (although he was considered by the judge to be a reliable witness).  However, organisations should bear in mind that determining low-level damages may involve a more detailed assessment of their compliance programmes than might otherwise be expected in cases where the value of the claim may look more like a rounding error.

The wider context

Earlier this month, I had the pleasure of speaking on a panel at the Privacy Law & Business conference in Cambridge (England, not Massachusetts), where David Erdos from the University of Cambridge, Alex Lawrence-Archer of AWO Agency and I discussed the topic of de minimis GDPR claims and non-material damages.  The conference took place before the Irish court’s decision, but it was pleasing to see that two of the topics that we addressed at length were also covered in its judgment.

1. Is payment what claimants really want? 

Leaving aside the individuals that file template-based claims against multiple business (and for whom the Österreichische Post decision is unlikely to be well-received), what motivates someone to bring a lawsuit when the outcome is far from certain, the damages will be low and may be spent on legal fees in any event?  I would hazard a guess that most individuals are actually looking for reassurance that their personal data are safe and that the processing in question has not caused them harm.  

Would an apology and confirmation that the unintended recipient of the individual’s personal data has deleted the information suffice in lieu of legal proceedings?  The Irish court seems to suggest so — and my experience is that the businesses which think creatively about defusing these types of complaints tend to be most successful in doing so.

2. What is the role of the regulator?

In this case the employee complained to the Irish Data Protection Commission, but their complaint was not assigned to a complaint handler “due to a backlog of complaints”.  That is unfortunate but not surprising: most data protection regulators are simply unable to spend a significant of time on the majority of the complaints they receive.  

For example, in previous posts I’ve noted that the UK Information Commissioner spends less than five hours in order to close an average complaint.  This is unlikely to change in the near future, meaning that organisations should be alert to the potential for what might seem like minor non-compliance issues to result in damages awards.

The fact the Irish decision was issued a mere two months after Österreichische Post suggests that courts in the EU will now also have to think twice before dismissing claims for non-material damages under the GDPR.  That is not to say that the floodgates are now open — but although the judgment is specific to Ireland (for now…), it should be taken on board by businesses across continental Europe.