On 4 May, the CJEU passed down judgment in the case of UI v Österreichische Post AG, a matter originally brought before the Austrian courts. The claim was for damages, brought against Österreichische Post in relation to the use of an algorithm to determine (based on various social and demographic criteria) that the claimant had a high degree of affinity with a particular Austrian political party. There was no communication of this information to any third party, but the claimant felt offended by the fact that such an affinity had been attributed to him.
The claimant claimed (amongst other things) a sum of EUR 1000 (£870) in compensation for non-material damage under GDPR. The court which heard the claim rejected it and the case proceeded all the way to the Supreme Court, which then made a referral to the CJEU.
There were several interesting points made in the decision:
- an infringement of GDPR does not, in of itself, give rise to a right to compensation. There must be material or non-material damage and a causal link between the damage and the breach.
- the concept of ‘damage’ within Article 82 GDPR (which provides for the right of compensation in respect of damage as the result of an infringement of GDPR) and, specifically in the present case, the concept of ‘non-material damage’, must have a definition under EU, not national law.
- there is no threshold of seriousness which damage must meet in order to be compensated.
- national courts must apply the domestic rules relating to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law (which ensure that remedies for actions based on EU law are not less favourable than those for actions under similar national laws) are complied with.
So, it seems the CJEU has not sought to discourage minor or low value damages claims from being brought by data subjects who suffer harm as a result of a breach of the GDPR, although it has called for such harm to be evidenced.
The case report can be found here.