The Court of Justice of the European Union (CJEU) is deciding on a crucial question of fundamental rights and data protection. An advisory opinion by Advocate General (AG) Campos Sánchez-Bordona, if relied upon by the Court, could undermine the practical enforcement of the data and privacy rights of 400 million EU citizens.
Article 82 of the GDPR says: "Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered."
When our rights are infringed, must we prove that we have “suffered material or non-material damage” above an as yet undefined threshold such that the routine intangible harms of the digital age go unpunished?
These questions arise in the Case C-300/21 UI v Österreichische Post AG. A claimant seeks compensation for “non-material damage” suffered when Österreichische Post (Austrian postal service) illegally created a profile of his political affiliations. He says he was incorrectly associated with a far-right party, which damaged his reputation and greatly upset him. The illegality of Österreichische Post profiling him is not at issue as the Courts already found this to be illegal. The question is, is he entitled to compensation?
Recital 146 of the GDPR says that “the concept of damage should be broadly interpreted” to reflect the objectives of the Regulation. But Campos Sánchez-Bordona’s opinion suggests a far more narrow interpretation.
First, it claims there is no right to automatic compensation from a GDPR infringement.
Second, it makes the troubling suggestion that loss of control over one’s personal data does not necessarily create damage. But isn’t it damaging to lose control over your data when your personal data is being sold on the darknet after a data breach or when data brokers sell your personal profiles to foreign state actors or corporations?
Third, and most alarmingly, it implies that fundamental rights are to be balanced and reconciled with the economic objective of promoting the free movement of data.
Finally, the opinion recommends that the CJEU leave to each Member State’s courts the task of introducing new minimum thresholds for the seriousness or “harm” required to receive compensation. This threatens to fragment the already weakly enforced GDPR and create legal uncertainty for data subjects and businesses.
Digital and data harm is often not directly perceptible. Creating vague new national thresholds for compensation would be a huge blow to victims of intangible digital violations.
If the Court agrees with these recommendations, people will be far less likely to litigate to vindicate their fundamental rights where data protection supervisory authorities have failed to act on their behalf. Simultaneously, it will embolden data controllers to continue breaking the law and walk away with spectacular profits with little risk of consequences.
- All Out
- Bits of Freedom
- Centre for Peace Studies
- Civil Liberties Union for Europe (Liberties)
- Coalition For Women In Journalism (CFWIJ)
- Corporate Europe Observatory
- Dare to be Grey
- Defend Democracy
- Elektronisk Forpost Norge
- Estonian Human Rights Centre
- Eticas Foundation
- European Digital Rights (EDRi)
- Fair Vote UK
- Freedom Internet BV (NL)
- Föreningen för digitala fri- och rättigheter (DFRI)
- Homo Digitalis
- Internet Society Netherlands (ISOC NL)
- Irish Council for Civil Liberties
- KaskoSan Roma Charity
- Lie Detectors
- Privacy First
- Superbloom (previously Simply Secure)
- The Privacy Collective (NL)
- The Real Facebook Oversight Board
- WeMove Europe
Malte Spitz, Secretary General GFF (Gesellschaft für Freiheitsrechte/ Society for Civil Rights)
If you wish to add your signature to the statement please email email@example.com