Skip to main content

Austrian Court Ruling on Immaterial Damages for GDPR violation – A Mere Violation Of Data Protection Regulations Is Not Enough

|

In February, the first decision of an Austrian Appellate Court regarding a claim for immaterial damages under Art 82 GDPR has been issued. In its final decision (13th February 2020, 1 R 182/19b), the Higher Regional Court of Innsbruck, as the court of appeal, overturned a much-noticed decision of the Regional Court of Feldkirch:

Instead of EUR 800 granted to the plaintiff in the first instance, the Court of Appeal entirely dismissed the action on the ground that the plaintiff had neither sufficiently claimed nor proved the immaterial damage caused by the defendant's infringement. A mere violation of data protection regulations, even if it has led to short-term negative thoughts, does not reach the "materiality threshold" for immaterial damages. 

 

1.    Case fact

Just over a year ago, a data protection scandal drew considerable media attention in Austria: The Austrian Post had unlawfully collected and sold personal data of millions of individuals. It had calculated the "political affinity" of millions of Austrians based on sociodemographic factors and sold this data to business partners. The subsequent proceedings before the data protection authority led to the highest (not yet final) fine imposed in Austria under the GDPR, to date – EUR 18 million. In the course of this major data protection dispute, an Austrian lawyer filed suit against the Austrian Post on the basis of Art 82 GDPR for infringing his rights under the GDPR and demanded EUR 2,500 in damages.

The Austrian Post had assigned certain characteristics to the plaintiff, including the plaintiff’s “political affinity”. The plaintiff considered his alleged political opinion a special category of personal data, the storage of which requires the legal basis of his consent according to Art 9 GDPR. In addition, the Austrian Post had not informed the plaintiff about this processing of his data. The plaintiff claimed that, as a result of that unlawful and negligent processing, he irretrievably lost control of his data and suffered immaterial damage.

The Court of first instance held that the “political affinity” of a person must be considered as a special category of personal data, since it reflects the political opinion of that person. The Austrian Post has neither been able to provide a legal basis for the processing of these special categories of personal data (in particular not the consent of the plaintiff), nor has it informed the plaintiff about such processing. As a result, the Austrian Post was held liable for a material breach of Art 9 GDPR as well as Art 14 GDPR. Both violations were considered to constitute a material impairment of the basic rights and freedoms of the plaintiff and the court awarded the plaintiff the amount of EUR 800 as immaterial damages.  

2.    Appellate Decision

The Court of Appeal held as follows:

According to the general principles of Austrian tort law, a plaintiff must, even in the case of GDPR damages, specifically demonstrate the considerable disadvantage in his or her emotional life that was caused by the alleged violations of the GDPR and the resulting impairment of personality rights.
The case-law of the Union Courts has also established as a condition for compensable damage that it must have been 'factual' and 'certain'. Thus, purely hypothetical and indefinite damages are to be excluded. There must be an actual impairment in the emotional world in order for immaterial damages to be awarded under the GDPR. The European Court of Justice considers psychological and mental suffering to be such impairment. The mere fact of a violation of data protection regulations, even if it has led to short-term negative feelings, is not in itself a disadvantage that could lead to a claim for damages. Thus, a minimum of personal impairment must be demanded for the existence of immaterial damage.

Although, according to the clear wording of Art 82 GDPR, no serious violation of the right of personality is required in order to claim immaterial damages, the assumption that every GDPR violation leads to a compensatory obligation solely for general preventive reasons is incorrect. The obligation to compensate for immaterial damages must be counterbalanced by an identifiable and insofar factual violation of the right of personality, which may lie, for example, in the "exposure" resulting from unlawful access to data.

In the specific case, the plaintiff had merely put forward general statements that he had suffered " immaterial damage ", "adversity", "uncertainty", "disadvantage". However, he did not claim or prove the necessary concrete emotional impairment in his person nor that the breach of data protection had actually impaired his emotional world. The description of the damage only by verba legalia or only in general form was not sufficient for the assertion of a claim under Art 82 GDPR.

 

3.    Conclusion and what to expect

With this decision, the Higher Regional Court has clearly ruled against extensive liability under Art 82 GDPR. While immaterial damages claims will of course remain possible, the consequences of an infringement must reach a certain "materiality threshold". Also, a comparison with an "average person" must now be made, which will presumably lead to a strong individual assessment, especially since the criteria to be applied for such an objective understanding are still unclear. The specific consideration of the individual case will also make the mass assertion of such claims for damages more difficult in the future. 

It remains to be seen whether the other Austrian Higher Regional Courts will follow this case law, and how the Supreme Court will decide such a case if one is ever brought before it (which was not possible in the present case due to the small value in dispute).

 

Article provided by: Stephan Winklbauer (AHW Law, Austria)

 

 

Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

VIEW STREAM

About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.

{$page.footerData}