This article, relating to Irish law, was written by the team in our Dublin office for Browne Jacobson Ireland LLP
The CJEU has handed down its decision in the much-awaited Austrian Post Case. This case sets out important principles of EU data protection law surrounding the interpretation of Article 82 of the GDPR, most notably, that there is no sufficiency of damage requirement under that Article. The Austrian Post Case is being monitored heavily from an Irish (and broader EU) perspective.
A relevant Irish case, Cunniam v Parcel Connect Limited trading as Fastway Couriers Ireland and Others [2023] IECC 1 (“Fastway Couriers Case”) has been stayed pending the result of the Austrian Post Case. This article looks firstly at the Irish backdrop of the Fastway Couriers Case which is informed by the later discussion on the Austrian Post Case.
The Irish background: the Fastway Couriers Case
The Fastway Couriers Case relates to a data breach in which the personal data of a significant number of Irish data subjects were compromised. A claim for damages arising from that data breach was made by the plaintiff under Article 82 of the GDPR. Any claim under Article 82(1), may be a claim for material, or non-material damage, with an accompanying right to compensation for the damage suffered.
The Fastway Couriers Case was a claim for non-material damage, and the plaintiff claimed relief for interference with his peace, privacy and apprehension about the use of his data together with the associated loss of his ability to effectively exercise his GDPR rights in respect of that data.
Against the backdrop of several ongoing referrals to the CJEU (one of which being the Austrian Post Case) on similar areas of law, Judge O’Connor stayed the Fastway Couriers Case pending the outcomes of the referrals to the CJEU. The stay was in large part arising out of the importance of the CJEU decision in the Austrian Post Case which would give greater guidance on the proper interpretation of Article 82 GDPR, and in particular, compensation for non-material damage.
The present decision: the Austrian Post Case
The Austrian Post Case arose out of a claim seeking compensation for non-material damage suffered as a result of non-consensual processing of personal data. This processing related to the claimant’s political affiliation.
The three main questions for the CJEU in the Austrian Post Case were as follows:
- Does the award of compensation under Article 82 [of the GDPR] also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
- Does the assessment of the compensation depend on further EU law requirements in addition to the principles of effectiveness and equivalence?
- Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence [or effect] of the infringement of at least some weight that goes beyond the upset caused by that infringement?
Q 1 – What is necessary to sustain a claim for damages under Article 82?
The Court clarified that there is no reference in Article 82, or the recitals, to member state law regarding the concepts of “material or non-material damage”. These concepts must then be EU concepts, which must be interpreted on a harmonised basis. The Court then provided the necessary cumulative test for how material or non-material damage should be interpreted to ensure consistency and harmonisation:
- Damage must have been suffered, and
- An infringement of the GDPR, and
- A causal link between the damage and the breach of the GDPR (i.e., a causal link between (a) and (b) above).
The Court clarified that an infringement of the GDPR on its own is not sufficient to ground a claim; there must be associated causal damage linked to that infringement.
Q 2 – Is the Court mandating any particular requirements on member state courts in calculating damages?
The Court took a relaxed view and noted that there is nothing in the GDPR to require prescriptive court rules on compensation. National courts must now apply the domestic rules of each member state relating to financial compensation. In doing this, they must have regard to the familiar principles of equivalence and effectiveness of EU law which are broad EU guidelines which apply to assessment of damages in a general sense. The Court noted that there is no express reference in the GDPR requiring any particular adherence to these principles.
Q 3 – Is there a de minimis threshold of harm necessary to sustain a claim under Article 82?
The Court’s decision is clear that there should be no member state rules which would have the effect of setting a de minimis threshold of damage before a claim under Article 82 can be made. As noted above, the Court views “damage” and “non-material damage” as EU law concepts in the absence of a reference to member state law being used to interpret these concepts.
The Court recites Recital 146 of the GDPR which provides that “the concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation”. The Court makes clear that having a de minimis threshold would lead to fluctuations in the assessment of member state courts and therefore making compensation subject to a de minimis threshold would risk undermining the coherence of the rules established by the GDPR.
Commentary
There is a general sentiment at EU Commission level that the GDPR's effectiveness is constrained by the ability of appeal to the courts of member states. Recent EU legislation such as the Digital Markets Act has been drafted to restrict fines from being as amenable to court challenges by giving regulators a more central role in the enforcement and appeal of fines. The CJEU has taken a broad interpretation of “damage” under the GDPR, which is not subject to de minimis thresholds. This open interpretation ties in with the EU Commission sentiment which is seeking more effective enforcement of EU regulations. The CJEU has subtly noted that while they cannot prescribe the method of implementing a fine for breach of Article 82, they may insist on the fine being "effective and equivalent” which means that the fine must not be arbitrarily low, having regard to national laws which would prejudice the effectiveness of the GDPR. We do not expect this to materially affect member states’ power to decide on quantum of damages.
Conclusion
The court in the Fastway Couriers Case must now take instruction from the Austrian Post Case. The new test and associated guidelines in the Austrian Post Case have direct applicability and will inevitably inform the decision of court judgments in Ireland to ensure a harmonised and consistent approach to Article 82 claims. The decision is significant, and it will be interesting to see how the Irish courts apply this new case.
Related expertise
You may be interested in...
Online Event - Shared Insights
Share your thoughts to help shape the development of the Statutory Duty of Candour
Published Article
English Commercial Court rules against Russian exclusive jurisdiction clauses
Online Event - Shared Insights
Shared Insights Data: Strategies for handling cyber attacks and data breaches
Press Release
‘Privacy by design’ approach will help health and care organisations gain public trust in using technology as ICO publishes new guidance
Legal Update
Understanding the ICO's new fining guidance
Guide
Demystifying international healthcare contracting
Legal Update
ICO consultation on accessing care records: A legal perspective
Legal Update
Cyber-attacks in UK universities: Why failing to prepare is no longer an option
Press Release
Browne Jacobson Ireland LLP rank across Dispute Resolution, Intellectual Property and Technology in the Legal 500 EMEA 2024
Legal Update
Artificial intelligence – shaping a sustainable future
Press Release
Spring Budget 2024: Browne Jacobson reaction
Legal Update
Not quite a blanket ban on mobile phones in schools: DfE guidance insights
On-Demand - Shared Insights
Shared Insights: Sexual safety in the workplace — how leaders can help to create a sexual safety culture
Legal Update
Gatekeepers under the DMA – TikTok’s battle to have its designation revoked
Legal Update
A ‘One-Stop-Shop’ to the Unified Patent Court in Ireland
Legal Update
Progress on the Automated Vehicles Bill
Legal Update
Data protection in higher education: what to expect in 2024
Legal Update
The rise of AI in construction
Legal Update
Government foreshadows significant savings for public bodies as part of data protection overhaul
Legal Update
ICO consultation on transparency in health and social care
Legal Update
How to mitigate risk in disputes arising from AI use in technology projects
Opinion
Monitoring workers – ICO guidance
Press Release
Browne Jacobson partner Jeanne Kelly elected President of the British Irish Chamber of Commerce
Legal Update
A new digital safe space – How does the EU Digital Services Act affect insurers?
Legal Update
ICO consultation on fertility tracking apps
Published Article
Investing in healthcare in Saudi Arabia under the new regulatory framework
Published Article
UK: Legal issues with deepfakes
Press Release - Firm news
Dublin firm Browne Jacobson strengthens growing TMT practice with promotion of dispute resolution specialist
Legal Update
New guidance for employers on subject access requests published by the ICO
Legal Update
Ali Round 2 - High Court gives further guidance on causation and quantum for data breaches
Press Release
Browne Jacobson welcomes former ICO lawyer to support growing UK&I data privacy and tech practice
Legal Update
Update on data protection claims - Austrian Post Case
Press Release
Browne Jacobson launches specialist Ascensus programme for in house lawyers and business leaders
Opinion
Mopping up after a leak – how businesses can take steps to protect their confidential information
Legal Update
Cyber security and data breaches
Press Release
Browne Jacobson advise on disposal of Sella Controls to HIMA Group
Legal Update
Update on the Digital Services Act (“DSA”) – Important Dates and Deadlines Looming
Legal Update
Government publishes its proposals for expanding the Scope of the Network and Information Systems Regulations 2018
Legal Update
Protecting children and their data in the online environment
Press Release
Law firm Browne Jacobson reveals strategic growth plan for new Dublin office
UK law firm Browne Jacobson, which opened its first overseas office in Dublin in September, has outlined its strategic plans to grow its legal team over the next four years.