ECJ rulings data protection breaches | IT-Medienrecht

Learn how ECJ rulings clarify compensation for data protection breaches under Art. 82 GDPR. Understand your rights and claims for non-material damage.

Analysis of ECJ Rulings on GDPR Compensation

In its recent decisions C-687/21 and C-340/21, the European Court of Justice (ECJ) provided important clarifications on the right to compensation under Art. 82 GDPR. These rulings build upon previous case law, further defining the scope of data protection liability.

Key Clarifications on GDPR Compensation by the ECJ

Distinction Between GDPR Breach and Resulting Damage

A clear distinction must be made between a breach of the GDPR and the resulting damage. In decision C-300/21 of May 4, 2023, the ECJ emphasized that a mere breach does not automatically lead to a claim for damages.

However, the loss of control over personal data due to a GDPR breach can constitute non-material damage. This principle aligns with Recital 85 of the GDPR and was reaffirmed by the ECJ in decision C-340/21. Importantly, a specific misuse of the data is not a prerequisite for such damage.

A well-founded fear of future misuse may suffice. Different standards apply to the infringement itself and the ensuing damage:

  1. For a GDPR breach, no subjective element from the controller is required. Objective non-compliance with GDPR requirements is sufficient.
  2. For damages related to loss of control, a subjective element from the data subject is relevant. They must explain and, if necessary, prove actual worry, anxiety, or discomfort due to the loss of control.

Judicial Assessment of Damages

In C-340/21, the ECJ clarified that national courts must conduct a concrete assessment of damage claims. Courts need to evaluate if the data subject's expressed fears are justified given the specific individual circumstances.

However, the ECJ also set limits in C-687/21. If it is proven that a third party gained knowledge of the data, mere concern about potential misuse is insufficient to justify a claim for damages. This requires a higher threshold for proving harm.

This differentiated approach by the ECJ safeguards the rights of data subjects while preventing excessive claims. It mandates national courts to carefully weigh each individual case, ensuring a balanced application of Art. 82 GDPR.

Recent Regional Court Rulings on GDPR Damages

A recent ruling by the Freiburg Regional Court provides further insight into the practical application of these principles.

Key Points from the Freiburg Regional Court Decision

Recent OLG Rulings on Data Protection and Data Anxiety

In recent months, several higher regional courts (OLGs) have also addressed similar issues concerning data protection. Here is an overview of recent OLG rulings on data protection and data anxiety, sorted by date of decision:

  1. OLG Celle, 04.04.2024, Ref. 5 U 77/23: Admissibility of an appeal in proceedings for damages due to GDPR infringement. Source
  2. OLG Dresden, 23.04.2024, Ref. 4 U 3/24: Compensation for unauthorized disclosure of health data. Source
  3. OLG Munich, 24.04.2024, Ref. 34 U 2306/23: Injunctive relief and interest in a declaratory judgment in the event of data protection violations. Source
  4. OLG Oldenburg, 19.04.2024, Ref. 13 U 59/23, 13 U 79/23, 13 U 60/23: No compensation for scraping of telephone numbers. For similar cases, read about no compensation for scraping incidents on Facebook. Source
  5. OLG Cologne, 07.12.2023, Ref. 15 U 67/23: Scraping due to a data leak on a social media platform. Source
  6. OLG Hamburg, 10.01.2024, Ref. 13 U 70/23: 4,000 euros in non-material damages for unauthorized data disclosure. Source
  7. OLG Dresden, 20.02.2024, Ref. 4 U 1634/23: Compensation for unauthorized data processing by employers. This is a critical aspect for businesses and employees alike, tying into broader employment law for startups. Source
  8. OLG Dresden, 09.04.2024, Ref. 4 U 213/24: Compensation for the publication of personal data on the Internet. Source
  9. OLG Hamm, 20.01.2023, Ref. 11 U 88/22: No compensation for damages in the event of a data leak without concrete impairment. Source
  10. OLG Hamm, 15.08.2023, Ref. 7 U 19/21: Burden of presentation and proof in the event of data protection violations. Source
  11. OLG Stuttgart, 03.04.2023, Ref. 2 U 34/21: Compensation for damages in the event of proven impairment of well-being due to data protection violation. Source
  12. OLG Düsseldorf, 15.05.2023, Ref. I-20 U 40/21: Compensable damage in the event of loss of control over sensitive health data. Source
  13. OLG Frankfurt, 22.06.2023, Ref. 1 U 152/20: No claim in the event of a technical fault without proof of specific damage. Source
  14. OLG Munich, 07.07.2023, Ref. 18 U 2737/21: No compensation for damages in the event of mere fear of data misuse without concrete evidence. Source
  15. OLG Hamburg, 14.09.2023, Ref. 3 U 43/20: Minor non-material damage in the event of unauthorized disclosure of e-mail addresses. Source
  16. OLG Cologne, 03.11.2023, Ref. 6 U 58/23: Unlawfulness of data transfer to Google LLC in the USA. Source
  17. OLG Cologne, 08.07.2022, Ref. 20 U 75/21: Data protection in company integration management. For related insights into data protection during company changes, see our article on data protection implications of company acquisitions. Source
  18. OLG Celle, 20.05.2022, Ref. 13 U 406/21: Interpretation of the rights to information and copy according to Art. 15 GDPR. Source
  19. OLG Frankfurt, 24.01.2022, Ref. 1 U 369/19: Compensation for unlawful data processing by a credit agency. Source
  20. OLG Düsseldorf, 16.12.2021, Ref. I-16 U 264/20: Data protection requirements for declarations of consent. Source

Conclusion

The ECJ's nuanced approach, complemented by regional court decisions, underscores the complexity of GDPR compensation claims. Courts continue to differentiate between mere breaches and actual damages, requiring concrete proof of harm. For both companies and data subjects, navigating the landscape of data protection liability remains a significant legal challenge, promising ongoing developments in this field.