Skip to content
BY 4.0 license Open Access Published by De Gruyter August 5, 2022

The Compensation of Non-Pecuniary Loss in GDPR Infringement Cases

  • Jonas Knetsch EMAIL logo

Abstract

According to art 82(1) of the General Data Protection Regulation (GDPR), ‘any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered’. This provision is at the core of the private enforcement of data protection rights; its interpretation could thus have major implications for business, administration and other organisations. Despite its potential for mass litigation, the case law under art 82(1) GDPR is limited and, five years after the Regulation entered into force, several questions remain still unanswered. This paper gives an overview of the most significant issues relating to the right of data subjects to the compensation of non-pecuniary loss, pending five significant CJEU judgments, which are expected to be delivered in 2023.

I Introduction

This paper will focus on the potential impact of the private enforcement of EU data protection rules through the compensation of non-pecuniary loss caused by a violation of the General Data Protection Regulation (GDPR).[1] The starting point of the debate on actions for damages is similar to that for the private enforcement of EU antitrust rules. As in the field of competition law, the GDPR provides a set of rules and sanctions, which are enforced by national data protection authorities under the coordination of a European Data Protection Board. As was the case for the enforcement of EU competition law several years ago, the enactment of the GDPR and the encouragement of private actions are seen as a ‘Copernican Revolution’.[2]

When we talk about private enforcement in the field of EU law, it is important to recall its characteristics in comparison with public enforcement and to point out why there is a growing awareness of the potential of private enforcement, in competition and data protection law, but also in other fields of law.[3] Public enforcement refers to the enforcement of regulation by the government, for example by national competition or data protection authorities or public prosecutors, imposing administrative or criminal sanctions such as fines, reprimands or bans. By contrast, private enforcement designates litigation initiated by an individual or a legal entity, aimed to establish an antitrust or data protection infringement and to obtain from a court pecuniary compensation for the harm suffered or an injunctive relief.

There is a broad agreement among policy makers and legal academics that private enforcement can substantially improve the effectiveness of antitrust or data protection rules, for the compliance with those rules does not only depend on the efficiency of public prosecutors and administrative bodies.[4] At the same time, lawmakers, administrative authorities and courts must be conscious of the importance of striking the right balance between public and private enforcement so that private enforcement encourages greater compliance with antitrust and data protection rules, while avoiding litigation that could discourage socially beneficial conduct.[5]

It is important to bear in mind that competition law and data protection law do not aim to fulfil identical objectives and that the differences necessarily have an impact on the relationship between public and private enforcement.[6] While EU antitrust rules primarily serve the public interest (ie safeguarding competition as a basic mechanism of market economy), the purpose of data protection rules is mainly directed towards the protection of private interests. The scope of application of the GDPR and the wide definition of the terms ‘personal data’ and ‘processing’ make the field of data protection law more ‘open’ to private litigation, as an infringement of the Regulation can lead directly to the violation of an individual personality right,[7] as is emphasised in Recital 1 GDPR.[8]

II The importance of non-pecuniary harm for privacy litigation cases

Surprisingly, this more-open ended approach of compensation claims in the field of data protection litigation has not yet led to a rapid expansion of actions for damages. Unlike in the field of antitrust litigation where private enforcement has been a hot topic for the last 15 years and has given rise to substantial case law developments on the EU level and before national courts, the focus continues to be on administrative sanctions and not on the private enforcement, even though compensatory damages are the only possible means to enforce data protection rules in certain cases, for example when a data breach is attributable to the administration.[9]

A possible explanation for this discrepancy might be the nature of the loss caused to the claimant. While in antitrust litigation the compensable loss is regularly a pecuniary one, this is rarely the case in the area of data protection law, where the claimants often have no other option than to invoke a non-pecuniary loss, varying from a mere subjective discomfort to a major violation of their reputation or their private lives. The difficulty is that there is hardly any other issue in tort law which is assessed so differently throughout Europe[10] and which is, at the same time, so rapidly evolving, than the compensation of non-pecuniary loss. Indeed, there is a tendency in recent case law to increasingly award broadly monetary compensation for non-pecuniary losses. However, it is still true that this question leads to diverging answers in Europe.

One of the many challenges of this issue is to find a way to frame the very concept of non-pecuniary loss. At first sight, it recovers all those negative consequences of a harm which are not per se subject to an assessment in monetary terms.[11] It is difficult to find a way to describe this category of losses in a positive way, especially when you try to cover all its facets.[12]

In the French language, you might use the term ‘souffrance morale’, ie ‘moral suffering’. However, the word ‘suffering’ is not the most adequate one, as there are disturbances leading to a compensable loss which are not substantial enough to be qualified as ‘mental distress’. As for the term ‘moral’, it does not take into account that, for medical science, some types of ‘suffering’ also have a physiological meaning. French speaking tort law scholars in Switzerland use the words ‘tort moral’, that is ‘moral tort’,[13] which is more general, but using the term ‘tort’ with its common law connotation is misleading. One could say that non-economic loss refers to every kind of disturbance affecting the claimant’s feelings and not subject to a monetary assessment.[14]

Leaving aside these terminological issues and the even thornier issue of the delineation of the concept of non-pecuniary loss, one can observe two contradictory trends in legislation and case law throughout Europe. On the one hand, there is a clear tendency in tort law towards a more systematic recognition of non-economic loss and fewer barriers to the recovery of monetary damages.[15] On the other hand, this ‘boom’ of préjudice moral (palpable in almost every European jurisdiction)[16] is accompanied by an emerging reflection on the limits of this trend and, more generally, on where exactly the boundaries of modern tort law should be in our society:[17]

  1. What are the disturbances that deserve monetary compensation?

  2. Is it legitimate to take into account the seriousness of the tortfeasor’s actions? Or do we have to assess damages on the sole basis of the claimant’s situation as we do for material harm?

  3. What is the ‘fair price’ of human suffering?

  4. And what should be the place of the compensation of non-economic loss in public discourse and discussions of legal policy?

We have to bear these questions in mind when it comes to damages for nonpecuniary loss in GDPR infringement cases, as there are numerous aspects which are still unresolved in legislation and case law.

III Art 82(1) GDPR: a statutory basis for a compensation claim

The right to compensation is specified in art 82(1) GDPR that reads as follows: ‘Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.’[18]

The wording of this provision is quite clear at first sight; it seems to be a genuine statutory basis for a compensation claim.[19] There is no need to invoke another provision, national or European, as EU regulations such as the GDPR have general application, are binding in their entirety, and are directly applicable in all EU countries. Yet, in some Member States (such as Ireland or the United Kingdom before Brexit), there has been a debate about the necessity to incorporate into national legislation some parts of the GDPR and, in particular, the right to compensation in case of an infringement of the GDPR provisions.[20] One explanation could be that the GDPR leaves it to the Member States, if need be, to complete the provisions with additional data protection rules pursuant to so-called ‘open clauses’.[21] That is why in some jurisdictions a specific act was adopted by national Parliaments in order to adjust and to complete the existing national data protection rules:[22] the UK Data Protection Act of 2018,[23] the Spanish Data Protection Act of 2018[24] or the 2017 amendments to the German Federal Data Protection Act.[25]

The debate about the ‘transposition’ of the GDPR can also be explained by the specific place of civil liability in EU law. Claims for compensation are typically provided for in directives rather than regulations. Article 82(1) GDPR is unusual in that respect. However, five years after the GDPR came into effect, there can be no doubt that art 82(1) is intended to give a direct right to compensation to the plaintiff without any detour via the national law.[26]

In other words, art 82(1) GDPR is a statutory basis for a claim to compensation in the case of material and non-material damage caused by an infringement of EU data protection rules. Yet, one must admit that the vindication of that right cannot be as direct as other rights resulting from chapter III, such as information rights (right to access, right to erasure, etc), which can be fulfilled directly by the controller or the processor. In other words, art 82(1) needs the intervention of the court or at least an out-of-court settlement to determine both, whether the claimant has suffered the relevant ‘material or non-material damage’ and what the appropriate level of ‘compensation’ would be.[27] As for the compensation of ‘non-material damage’ (which is explicitly mentioned in the GDPR, upon the request of the European Parliament), it is of particular importance, since infringement cases often imply only non-pecuniary rather than pecuniary harm.

One can imagine, for example, that personal data given to an online platform, to a doctor, to an insurance company or to an administrative body was hacked or was involuntarily released, because the data had been processed without the appropriate security measures taken in accordance with art 5–1 letter f) GDPR or simply because the technical capacities of a hacker were stronger than the security measures taken. In such a case, the GDPR entitles the victim of this data breach to claim compensation of the loss, which will be, in most cases, emotional distress or at least a certain subjective discomfort.

When dealing with such a claim, courts have to address an issue which is diversely appreciated throughout Europe. It is all the more intriguing that in jurisdictions where damages for non-pecuniary harm are not part of the legal tradition and are still viewed with caution, the doctrinal output on compensation of non-material damage caused by a GDPR infringement is impressive. This is particularly the case in Germany[28] as well as in the Netherlands,[29] but also in Poland,[30] Romania[31] and Spain,[32] not forgetting the pioneer work done in this field by Eoin O’Dell from Ireland.[33] By contrast, there is hardly anything on the issue in French-speaking legal literature[34] or even in jurisdictions such as Italy, the UK[35] or the Nordic countries, where damages for non-pecuniary harm are more common.

This very uneven doctrinal landscape also reflects the way that claimants have raised the issue of compensation of non-material loss before national courts over the last five years. Despite thorough research, it was impossible to find any French judgment, even from trial courts, applying art 82 GDPR, whereas German courts had to interpret this provision on countless occasions.[36] It is therefore no surprise that requests for preliminary rulings mainly came from Germany, where three different courts decided to refer questions to the European Court of Justice (CJEU).[37] All in all, there are currently five different requests on art 82 GDPR, arising from different kinds of national courts: the German Federal Labour Court,[38] a German local court,[39] a German district court,[40] the Austrian Supreme Court[41] and the Bulgarian Supreme Administrative Court.[42] The reason why there are so many requests lies in the fact that art 82(1) GDPR is one of the rare genuine statutory provisions for compensatory damages enshrined in an EU regulation[43] and that this provision cannot be regarded as self-sufficient, as it involves the application of national tort rules.

The following lines focus on the outstanding issues related to art 82(1) GDPR, as their answers determine greatly the potential of private enforcement of data protection rules through so-called ‘privacy litigation’.[44]

IV The requirements for damages in ‘privacy litigation’ cases

As the application of art 82(1) GDPR requires a subtle interaction between EU and national tort rules, it is essential to define the conditions that need to be met in order to award damages to claimants in GDPR infringement cases.

A The cause of action: an infringement of the GDPR

When it comes to the exact cause of action enabling a claimant to seek damages, the wording of art 82(1) GDPR seems to give a straightforward answer. The claimant is required to establish an ‘infringement of this Regulation’, ie a violation of the GDPR. But what does that mean exactly?

If one believes Recital 146 GDPR, the infringement refers to the ‘processing’ of personal data that is not in compliance with the data protection rules laid out in the Regulation.[45] However, it is not without reason that the European Parliament insisted on the general term ‘infringement’. Indeed, this term can also be interpreted in a way that any kind of infringement is sufficient to give a cause of action to the claimant. If so, this would also include violations of information rights laid out in arts 12–15 GDPR: some German labour courts and an Austrian court acknowledged this wide understanding, holding that the mere failure to provide relevant information related to the processing of personal data may give rise to the controller’s liability.[46]

A question mark may also be put on the legal nature of the liability under art 82(1) GDPR:[47] is it a strict liability, ie a liability detached from the idea of fault, or does the provision only lead to a reversal of the burden of proof, in other words a liability based upon the presumption of fault? This question is far from being purely theoretical, as the answer will decide the precise outlines of the defence specified in art 82(3) GDPR. This text provides that controllers and processors are exempt from liability if they prove that they are not ‘in any way responsible for the event giving rise to the damage’. Does this provision refer to the proof of lack of negligence? Or do we have to interpret it more strictly, allowing an exemption only in cases in which the defendant had nothing to do with the illegal data processing, so that there actually is a lack of causation? On both issues, the CJEU will have to clarify matters in response to one of the German courts and to the Bulgarian Supreme Administrative Court.[48]

The strongest arguments are in support of an interpretation of art 82 GDPR as the statutory basis of a strict liability, which does not allow an exemption for the mere lack of fault, contrary to what may be suggested by the German version of art 82(3).[49] In fact, art 82(3) GDPR can be considered as the continuation of art 23(2) of the 1995 European Data Protection Directive,[50] which allowed Member States to implement an exemption clause, but only in the case of an event beyond the defendant’s control, such as force majeure.[51] Moreover, the addition of the words ‘in any way’ suggests the willingness of the GDPR drafters to narrow even further the causes for exemption in privacy litigation cases. The existing legal literature supports this view,[52] despite the reluctance of a significant part of the German-speaking scholarship to accept such a restrictive understanding of the escape clause of art 82(3).[53]

B The proof of ‘material or non-material damage’

The central question which the European Court of Justice will have to address concerns the requirements regarding the proof of ‘material or non-material damage’.[54] Can we infer non-material damage from the mere breach of data protection rules? Or is the sole subjective discomfort not sufficient for compensation, which would mean that a claimant has to establish a ‘non-pecuniary loss’ that exceeds a certain threshold? If so, how can the level of gravity that has to be met by the claimant’s personal situation be determined?

In some EU Member States, such as France or Belgium, the simple suggestion of a de minimis rule will be met with a sceptical frown, either because such a rule is widely unknown in those tort law systems, or because it is seen as a heresy to reject a compensation claim on the grounds that the loss has not reached a certain level of materiality.[55] This issue is of particular importance in the field of GDPR infringement cases. Before the GDPR came into force, some national courts decided that the plaintiff had to establish a ‘severe violation of a personality right’ before being entitled to claim compensation.[56]

The question is the extent to which the mere violation of GDPR data protection rules can give rise to a claim for compensation, even though the infringement has not had any serious impact on the everyday life of the plaintiff. There are many cases in which a data breach causes only a slight inconvenience to the concerned person, for example an avalanche of spam emails or an unwanted advertisement or solicitation. Under the former case law, German, Dutch and English courts did not allow damages for non-pecuniary loss in those cases,[57] but this practice is likely to change under the influence of art 82(1) GDPR, which does not provide for such a gravity threshold.

Indeed, in the light of Recital 146 and the aim of ‘full and effective compensation’, such a strict interpretation seems too restrictive and may not be in full accordance with the political rationale of the GDPR.[58] Compensation claims, asserted via individual or class actions, are designed as an instrument for the private enforcement of data protection rules, which rather calls for a wider interpretation of the concept of ‘non-material damage’.[59] Some national courts followed this argumentation recently, considering that the implementation of a gravity threshold would be contrary to the intent of the GDPR.[60] Other national courts, however, adhere to the traditional approach and deny a right to compensation in cases in which the claimant cannot establish a significant non-pecuniary loss and attempts to infer from the sole infringement of data protection rules non-material harm.[61]

Ultimately, it will be up to the European Court of Justice to decide whether compensation claims for non-pecuniary loss will be an effective means to protect personal data or if the economic impact of a broader compensation system will act as a deterrent for such a wide understanding. It is clear that the broader the concept of ‘non-material damage’ is interpreted, the more effective private enforcement of data protection rules will be.

Both approaches are defensible and, in the end, it is a political issue rather than a legal-technical one, which the CJEU judges will have to address. One cannot exclude the possibility, albeit rather unlikely, that the European Court of Justice decides to avoid this sensitive issue by conferring to the courts of the Member States a margin of appreciation.[62] This, however, proves to be the worst possible option, as it would inevitably introduce diverging case law throughout the European Union: depending on cultural sensibilities and recent legal developments, courts of the Member States would most likely adopt different solutions, exacerbating further legal uncertainty and generating a genuine risk of forum and law shopping.[63]

C The proof of causation

According to art 82(1) GDPR, claimants have to establish that their damage is ‘a result of’ the infringement of the Regulation. There is no indication that the drafters of the GDPR intended to abandon the interpretation given of art 23 of the repealed 1995 Data Protection Directive that claimants have to bear the burden of proving that the data breach was connected with their damage in terms of causation.[64] The common rules on the burden of proof support this position, for it is widely recognised under national law and EU law that, as a general principle, the burden of proof rests with claimants as regards the factual elements which establish their right against the defendants.[65]

Yet, it is important to remember that in several areas of EU tort law, the CJEU has taken a more flexible approach to the issue of causation over the last years. In particular, in cases of product liability, the CJEU did not hesitate, despite an explicit provision in art 4 of the 1985 Directive, to allow national courts to admit proof of causation between the product defect and the harm via presumptions based on factual evidence.[66] It is not yet clear whether this solution could be transposed to privacy litigation cases. In this regard, it is particularly noteworthy that the Bulgarian Supreme Administrative Court called for the CJEU to address precisely the question of the burden of proof.[67]

One of the reasons that could lead to a departure from the principle according to which claimants have to establish their loss as well as the causal link could lie in Recital 146 GDPR. According to this text, ‘the concept of damage should be broadly interpreted in the light of the case law of the Court of Justice in a manner which fully reflects the objectives of this Regulation’. Although the text only refers to the concept of damage, a wide interpretation of the reference to the CJEU case law could also lead to a weakening of the existing rules governing causation, as the requirements of a reparable loss and a causal link are closely related.

Indeed, several voices, mostly in the German legal literature, have raised the question as to whether the CJEU case law related to litigation involving EU competition law could or should be applied.[68] As is known, over the last decades, the CJEU has developed a claimant-friendly approach to evidentiary problems in cases of the infringement of antitrust rules. This ‘proof-proximity principle’ provides that the evidentiary burden of proof is allocated to the party in whose hands evidence is more likely to be available.[69] Although this principle is not explicitly affirmed in the case law, it correctly describes the presumptions of causation, which the CJEU acknowledged in cases of horizontal concerted practices under the principles of equivalence and effectiveness.[70]

There is a strong case for transposing this reasoning to privacy litigation. The principles of equivalence and effectiveness also govern the enforcement, public and private, of European Union data protection rules, as is laid out by Recital 10 of the GDPR.[71] However, it should not be forgotten that, as mentioned above, data protection law and competition law do not pursue the same objectives[72] and that the assessment of a causal connection becomes more uncertain when a non-pecuniary loss is at stake. The parallels drawn between the private enforcement of data protection law and competition law are not limitless and it is far from certain, contrary to what may have been asserted,[73] that the CJEU will decide to model the case law on privacy litigation on what has been decided in the field of competition law.

V The monetary evaluation of ‘non-material damage’

The GDPR does not provide any guidelines on the assessment of damages, which shall be awarded in order to compensate ‘material or non-material damage’. In Recital 146, the GDPR drafters stressed that ‘data subjects should receive full and effective compensation for the damage they have suffered’. The clarification that the compensation should be ‘full’ clearly refers to the principle of full compensation (restitutio in integrum), which means that the damages awarded to the plaintiff have to cover every head of the loss suffered and that there shall be no capping or limitation of damages. As for the ‘effective’ nature of compensation, the significance is less clear. It might refer to the monetary assessment of ‘non-material damage’, ie non-pecuniary harm, which is not an accurate science, leaving an important margin of appreciation to the trial courts.

In those Member States that have a long tradition of awarding damages for non-pecuniary loss, the courts use more or less formal assessment guidelines, especially for pain and suffering and loss of amenities caused by personal injury.[74] In the UK, tort lawyers use the Guidelines for the Assessment of General Damages in Personal Injury Cases published by the Judicial Studies Board,[75] which indicate the appropriate bracket of award for particular injuries on the basis of precedents. In France, similar ranges can be found in a document issued by the board of Court of Cassation Judges, the Référentiel Mornet.[76] In Germany, practitioners use so-called Schmerzensgeldtabellen, which list categories of precedents, for assessing damages in personal injury cases.[77]

However, in cases of the infringement of personality rights such as the right to privacy or the right to protect one’s image or honour, the assessment methods are often more inaccurate.[78] It is not unusual in those cases that judges take into account the type, duration and seriousness of the violation, as well as the satisfactory or even the punitive function of damages for non-pecuniary loss, referring even to the benefits the tortfeasor has taken from the situation or to the prominent public position of the claimant.[79]

Thus, it is not unlikely that the ‘effective compensation’ referred to in Recital 146 implies a similar approach, so that the calculation of damages shall not only take into account the situation of the claimant, but also other external elements. It does not come as a surprise that there are calls, in the legal literature,[80] to transpose the criteria referred to in art 83(2) GDPR concerning the calculation of administrative fines.[81]

Yet, the assessment methods used by the national courts in those cases are very diverse and the issue is even more complex, as data protection litigation involves additional criteria, such as the type of personal data concerned (it is fundamentally different to divulge health data or information about the personal residence or the number of children) and the concrete impact of the data breach on the claimant’s personal life. One could even argue that the idea of taking into account the profits generated through the data breach takes on a new meaning, knowing that there are several attempts to determine the monetary value of different types of personal data. One can read in a 2013 OECD paper that the range of prices for credit card information is from 0.85 to 30 US dollars (USD) and that the value of website administration credentials goes from USD 2 to 30.[82]

Given the diversity of the criteria for the assessment of damages, it is all the more surprising that the application of art 82(1) GDPR by the national courts did not give rise to a highly differentiated court practice. The amounts awarded so far by national courts range from € 250 per claimant to € 5,000, which is a 20:1 ratio, but at a fairly low level. In Germany, where you can find more than 50 decisions from the lower courts, a law firm even established a so-called Schadensersatztabelle,[83] a digest of cases from lower courts, intended to play the same role as the digests used to assess damages for pain and suffering in personal injury litigation.

In one of the requests for preliminary rulings, the national court asked the CJEU explicitly about the criteria for the calculation of damages under art 82(1) GDPR[84] and it is expected that the judges in Luxemburg will give at least some indications on the material facts which the national courts should take into consideration.

One might wonder whether the CJEU should not go a step further and establish genuinely European guidelines for the assessment of damages for nonmaterial harm in privacy litigation cases. What appeared extremely unlikely a couple of years ago cannot entirely be excluded if we consider that, in the most recent consultation about the revision of the 1985 Product Liability Directive, the European Commission mentioned the possibility of a harmonisation of court practices in this area.[85] However, one should not forget that the enactment of standardised assessment rules also faces economic barriers, as the discrepancies between the level of damages awarded to claimants also reflect the differences regarding the cost of living and the purchasing power in the EU Member States.[86]

VI New procedural ways to enforce the right to compensation

A final challenge is the procedural enforcement of the right to compensation specified in art 82(3) GDPR. As in the field of antitrust litigation,[87] law firms have discovered the potential of private enforcement and, more specifically, the compensation of harm caused by the infringement of data protection regulations. There is a clear tendency in some jurisdictions to develop privacy litigation as a business model, not only for law firms specialised in data protection law, but also for ‘legal tech’ and litigation funders.[88] In Germany, the ‘European Society for Data Protection’ (Europäische Gesellschaft für Datenschutz)[89] is known for promoting largely its support of individuals affected by data leaks. Yet, contrary to what is suggested by the name, it is not a learned society or a non-profit voluntary association, but a private company established to make a profit from the enforcement of compensation claims of groups of individuals affected by an infringement of data protection rules.[90]

The procedural manner to bundle compensation claims is also highly dependent on the legal context.[91] Article 80 GDPR provides explicitly that, in order ‘to exercise the right to receive compensation referred to in Article 82’, data subjects may mandate a ‘not-for-profit body, organisation or association which (...) has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedom’. However, this collective redress model is subject to an ‘act of transposition’ by the Member States, in application of a so-called ‘open clause’.[92] While in some jurisdictions, such as France and Belgium, the national lawmakers implemented specific ‘group actions’ or ‘collective actions’ for GDPR infringement cases, this is not the case in many other EU Member States where existing collective redress mechanisms are not necessarily consistent with the requirements arising from the GDPR.[93]

When it comes to the enforcement of damages actions via LegalTech or specialised law firms, one of the crucial issues will be the ‘assignability’ (or transferability) of the right to compensation. In many jurisdictions, this question remains unresolved, as the infringed right belongs to the category of personality rights which traditionally are not eligible to be subject to assignment agreements.[94] The potential of the enforcement also depends on the effectiveness of collective redress mechanisms which have been (and will be) implemented in the EU Member States in transposition of EU Directive 2020/1828 on representative actions for the protection of consumer interests.[95] The current situation varies significantly from one jurisdiction to another.[96] It is likely, however, that, under the influence of CJEU case law, collective redress mechanisms will be widely available to all EU citizens. In fact, in a recent landmark case from April 2022, the CJEU decided that a consumer protection association still had standing to bring proceedings in the civil courts against GDPR infringements under national civil procedure rules, even after the Regulation came into force.[97]

VII Concluding remarks

This paper aimed to outline the complexity of the issue of compensating non-material damage caused by an infringement of data protection rules. It is a complex issue because the provision of art 82(1) GDPR highlights the shortcomings of the coordination between EU tort law rules and the national tort law traditions,[98] in particular regarding the concept of damage, the methods of calculation of damages and the procedural enforcement of compensation rights. Will privacy litigation contribute to resolve the problem of interaction between national courts and EU tort law rules? To what extent is the CJEU willing to ‘Europeanise’ issues which, for now, are deeply entrenched in national thought patterns? And what can be the role of national data protection authorities to enhance the effectiveness of private enforcement?

The CJEU judgments in response to the requests for preliminary rulings are expected to be delivered at the beginning of 2023. They will provide valuable inputs to answer those fundamental questions on the interplay between national and EU tort law. Moreover, it is crucial that the CJEU judges clarify policy matters in the field of data protection law and answer the many questions related to the compensation of non-pecuniary harm, more than five years after the GDPR came into force.

Published Online: 2022-08-05
Published in Print: 2022-08-04

© 2022 Jonas Knetsch, published by Walter de Gruyter GmbH,Berlin/Boston

This work is licensed under the Creative Commons Attribution 4.0 International License.

Downloaded on 8.2.2023 from https://www.degruyter.com/document/doi/10.1515/jetl-2022-0008/html?lang=en
Scroll Up Arrow