ECJ rulings on compensation for data protection breaches

Analysis of the ECJ rulings

In its recent decisions C-687/21 and C-340/21, the European Court of Justice (ECJ) provided important clarifications on the right to compensation under Art. 82 GDPR, building on previous case law.

First of all, it is important to make a clear distinction between the breach of the GDPR and the resulting damage. In decision C-300/21 of 4 May 2023, the ECJ had already emphasized that a mere breach of the GDPR does not automatically give rise to a claim for damages. The loss of control over personal data that occurs as a result of a GDPR breach can in itself constitute non-material damage. This follows from Recital 85 of the GDPR and was confirmed by the ECJ in Decision C-340/21. It is not necessary for a specific misuse of the data to have already taken place. A well-founded fear of possible future misuse may be sufficient; it is important to note that different standards apply to the infringement and the resulting damage:

1. No subjective element on the part of the controller is required for a breach of the GDPR. It is sufficient to objectively establish that the requirements of the GDPR have not been complied with.
2. However, a subjective element on the part of the person concerned is relevant for the damage in the form of loss of control. The person must explain and, if necessary, prove that they actually feel worry, anxiety or discomfort due to the loss of control.

The ECJ clarified in C-340/21 that the national courts must make a concrete assessment when examining the claim for damages. They must examine whether the fears expressed by the person concerned can be considered justified in view of the specific circumstances of the individual case.

It should be noted that the ECJ also set limits in C-687/21: If it can be proven that a third party has gained knowledge of the data, mere concern about possible misuse is not sufficient to justify a claim for damages.

This differentiated approach of the ECJ ensures that, on the one hand, the rights of the persons concerned are safeguarded and, on the other hand, that no excessive claims arise. It requires the national courts to carefully weigh up each individual case and thus contributes to a balanced application of Art. 82 GDPR.

Update:
Incidentally, the Freiburg Regional Court has just ruled in this regard

1. in the event of an action for damages under Art. 82 GDPR, it is incumbent on the party bringing the action to prove that it has been affected by a data protection incident to the full satisfaction of the court using the standard of proof set out in Section 286 ZPO. This requirement is not satisfied by a mere reference to the results of a query on the website https:///haveibeenpwned.com, at least not if the defendant has previously stated decidedly on the basis of which specific circumstances it assumes that the hit report of the website https://haveibeenpwned.com/ is not a reliable basis for the assumption that the party to the present proceedings is actually affected by the API bug 2021 at the defendant.

2. if a party to the action alleges that the defendant party has violated provisions of the GDPR that protect it, that it has suffered (non-material) partial damage within the meaning of Art. 82 GDPR as a result, but that further damage is possible, then this procedural constellation is comparable to that involving the violation of an absolute right, not that of the sole assertion of pecuniary damage (a.A.
Regional Court of Stuttgart, judgment of 24.1.2024 27 O 92/23
juris Rn. 33). An interest in a declaratory judgment within the meaning of Section 256 para. 1 ZPO is therefore already to be affirmed if the subsequent realization of further damage in the foreseeable future appears possible according to the nature of the injury, a probability of the occurrence of further damage is not required (contrary to
LG Stuttgart, judgment of 24.1.2024 27 O 92/23
juris Rn. 33)

3. a request for injunctive relief that is not related to the specific form of infringement and is based on the vague term “prior art”, which is subject to interpretation, does not meet the requirements of Section 253 (2) No. 2 ZPO and is inadmissible. A formulation of the application that is subject to interpretation is not acceptable in order to ensure effective legal protection if the party bringing the action could use the formulation of the application to orient itself to the specific form of infringement without jeopardizing effective legal protection (connection BGH, judgment of 6 October 2011 – I ZR 54/10; BGH, judgment of 2 June 2022 – I ZR 140/15 and BGH, judgment of 9 September 2021 – I ZR 113/20).(para.71) (para.72) (para.73)

This topic will probably keep us busy for a while yet!

Current OLG rulings on the subject of data protection

In recent months, several higher regional courts have also dealt with similar issues. Here is an overview of twenty recent OLG rulings on the subject of data protection and data anxiety, sorted by date of decision:

1. OLG Celle, 04.04.2024, Ref. 5 U 77/23Admissibility of an appeal in proceedings for damages due to GDPR infringement. Source
2. OLG Dresden, 23.04.2024, Ref. 4 U 3/24Compensation for unauthorized disclosure of health data. Source
3. OLG Munich, 24.04.2024, Ref. 34 U 2306/23Injunctive relief and interest in a declaratory judgment in the event of data protection violations. Source
4. OLG Oldenburg, 19.04.2024, Ref. 13 U 59/23, 13 U 79/23, 13 U 60/23No compensation for scraping of telephone numbers. Source
5. OLG Cologne, 07.12.2023, Ref. 15 U 67/23Scraping due to a data leak on a social media platform. Source
6. OLG Hamburg, 10.01.2024, Ref. 13 U 70/234,000 euros in non-material damages for unauthorized data disclosure. Source
7. OLG Dresden, 20.02.2024, Ref. 4 U 1634/23Compensation for unauthorized data processing by employers. Source
8. OLG Dresden, 09.04.2024, Ref. 4 U 213/24Compensation for the publication of personal data on the Internet. Source
9. OLG Hamm, 20.01.2023, Ref. 11 U 88/22No compensation for damages in the event of a data leak without concrete impairment. Source
10. OLG Hamm, 15.08.2023, Ref. 7 U 19/21: Burden of presentation and proof in the event of data protection violations. Source
11. OLG Stuttgart, 03.04.2023, Ref. 2 U 34/21Compensation for damages in the event of proven impairment of well-being due to data protection violation. Source
12. OLG Düsseldorf, 15.05.2023, Ref. I-20 U 40/21Compensable damage in the event of loss of control over sensitive health data. Source
13. OLG Frankfurt, 22.06.2023, Ref. 1 U 152/20No claim in the event of a technical fault without proof of specific damage. Source
14. OLG Munich, 07.07.2023, Ref. 18 U 2737/21No compensation for damages in the event of mere fear of data misuse without concrete evidence. Source
15. OLG Hamburg, 14.09.2023, Ref. 3 U 43/20Minor non-material damage in the event of unauthorized disclosure of e-mail addresses. Source
16. OLG Cologne, 03.11.2023, Ref. 6 U 58/23Unlawfulness of data transfer to Google LLC in the USA. Source
17. OLG Cologne, 08.07.2022, Ref. 20 U 75/21Data protection in company integration management. Source
18. OLG Celle, 20.05.2022, Ref. 13 U 406/21Interpretation of the rights to information and copy according to Art. 15 GDPR. Source
19. OLG Frankfurt, 24.01.2022, Ref. 1 U 369/19Compensation for unlawful data processing by a credit agency. Source
20. OLG Düsseldorf, 16.12.2021, Ref. I-16 U 264/20Data protection requirements for declarations of consent. Source

These decisions show that the courts take a differentiated view and carefully examine the circumstances of the individual case. For companies and data subjects, the issue of compensation for data breaches therefore remains complex and legally challenging.