Suffering, damage, the GDPR – and all that
One of the paradoxes of the data protection regime is that while the regulator may (and does) impose civil penalties for tens of millions of pounds for infringements of the regulations – helping government finances in the process – those whose personal data has been misused, abused or over-used by the infringement have fared rather less well. Often those individuals will not have suffered any pecuniary loss. A few might suffer “distress.” But in the case of most large-scale infringements, the consequences for the great majority of data subjects are more diffuse. This has led some to place their hope in concepts such as “loss of data integrity,” “loss of control” and the like. Recitals (85) and (146) UK GDPR tend to support the concept. If correct, the absence of pecuniary loss, physical or mental harm, or distress would not preclude an award of damages. The courts have allowed for it in relation to the tort of misuse of private information: see Gulati v MGN [2015] EWCA Civ 1291 at [45]-[46].
Despite this, when it comes to data protection the notion has found little support from courts in this country: see for example Lloyd v Google LLC [2021] UKSC 50 at [6], [108]-[110] and [138] (dealing with the DPA 1998); Driver v CPS [2022] EWHC 2500.
The CJEU has now come out and taken a similar, but not identical, line. In Case C-300/21 (judgment 4 May 2023), it held that the mere infringement of the GDPR does not give rise to a right to compensation. Damage, it said, whether pecuniary or otherwise, must be “suffered.” No gain without pain, it would seem.
In its judgment, the CJEU held that the right to compensation is subject to three specific requirements:
- an infringement of the GDPR;
- material or non-material damage “suffered” by the data subject; and
- a causal link between the damage suffered and the infringement [32], [37].
It follows from this that not every infringement of the GDPR will give rise to a right to compensation.
On the other hand, the CJEU also held that the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness. The Court thus did not adopt the distinction proffered by its Advocate General between “mere upset” and “non-material damage.” The Advocate General’s position was closer than the CJEU’s to that taken by the courts in this country: see Johnson v Eastlight Community Homes Ltd [2021] EWHC 3069 (QB) at [22(e)]; Stadler v Currys Group Ltd [2022] EWHC 160 (QB) at [36]; Rolfe & ors v Veale Wasbrough Vizard LLP [2021] EWHC 2809 (QB) at [12]-[13]. Thick skins, rather than eggshell skulls, apply to this wrong.
Finally, the CJEU observed that the GDPR does not contain any rules governing the assessment of damages. As a result, each Member State must prescribe, within its own legal system, the criteria for determining the extent of compensation payable, provided that the principles of equivalence and effectiveness are complied with.
While the UK has left the EU, the UK GDPR contains the same provisions in respect of compensation as in the GDPR, namely Art 82. Decisions of the CJEU should continue to provide guidance for domestic courts and tribunals. Whether leaving the EU means that its jurisprudence in this regard is to be treated as dearly departed remains to be seen.