ECJ: Damages for Suspected Data Misuse?
Strengthening the rights of consumers, the European Court of Justice (ECJ) has once again ruled on non-material damage under the General Data Protection Regulation (GDPR).
The plaintiffs in the original case were clients of a tax advisory firm and had informed the firm of their change of address. The new residents at the plaintiffs' former address informed them that they had received a letter from the tax advisory firm and had opened it by mistake. The plaintiffs assumed that the envelope contained the original of their tax return, which obviously also contained personal data. It was not possible to determine which documents had originally been in the envelope, nor to what extent the new residents had obtained knowledge of its contents.
The plaintiffs brought an action for non-material damage before the Landgericht Wesel (District Court of Wesel, Germany), the referring court. They based their claim on Article 82(1) of the GDPR. The referring court asked the ECJ whether the mere fear of personal data falling into the hands of third parties could amount to non-material damage.
The ECJ held as follows:
A mere infringement of Art. 82 (1) GDPR is not sufficient to give rise to a claim for damages. There must be damage as well as a causal link between the damage and the breach. The data subject must also prove the existence of damage caused by that breach, but that damage need not reach a certain level of severity.
The mere fear that personal data may be misused by third parties may constitute non-material damage within the meaning of Art. 82 (1). Consequently, provided that the data subject proves that they have suffered actual damage, the loss of control over the data is sufficient to justify compensation.
ECJ C-590/22 (20 June 2024)