In its judgment of 4 October 2024, the Court of Justice of the European Union ruled that an apology may be sufficient as reasonable compensation for non-material damage under Art. 82 GDPR (ECJ, judgment of 4.10.2024, Ref. C-507/23).
Background
The plaintiff is a journalist from Latvia who filed a lawsuit against a Latvian company. The reason for this was a video sequence depicting the plaintiff, which was distributed on several websites as part of a campaign by the defendant. The plaintiff neither consented to this distribution nor was the sequence deleted, although he expressly objected to the distribution after its publication.
Course of proceedings
The journalist brought an action before the competent district administrative court and demanded that the unlawful dissemination be stopped as well as compensation for his immaterial damage in the form of an apology and compensation in the amount of EUR 2,000.00.
At second instance, the court of appeal, the Regional Administrative Court of Latvia, ruled that the dissemination was unlawful under the GDPR. However, the court rejected the claim for financial compensation for non-material damage on the grounds that the infringement was not serious, as the video sequence had served to fulfil a task in the public interest and was not intended to damage the plaintiff’s reputation, honour or dignity.
On the other hand, following the plaintiff’s appeal in cassation, the Supreme Court ruled that the Court of Appeal had infringed Article 82 GDPR by awarding damages to the plaintiff without finding any injury to his reputation, honour or dignity in the original proceedings.
In the circumstances, the Senate of the Supreme Court decided to stay the proceedings and to refer three questions to the ECJ for a preliminary ruling.
The decision of the ECJ
In the context of the first question referred, it had to be decided whether Art. 82 para. 1 GDPR in conjunction with Art. 8 para. 1 of the Charter must be interpreted as meaning that a breach of the provisions of this regulation is in itself sufficient to constitute “damage” within the meaning of Art. 82 para. 1 GDPR. The court answered this question in the negative, partly due to the required causal link between the infringement and the damage, and clarified that an infringement of the GDPR alone is not sufficient to constitute suitable “damage”.
With regard to the second question referred, it was necessary to examine whether Article 82(1) GDPR must be interpreted as meaning that an apology can constitute appropriate compensation for non-material damage on the basis of that provision, in particular if it is not possible to restore the situation before the damage occurred. According to the Court of Justice, it is in principle possible to consider an apology as adequate compensation for non-material damage under Art. 82 GDPR, in particular if it is not possible to restore the situation before the damage occurred. However, this only applies if the principles of equivalence and effectiveness are upheld by the form of compensation. Finally, it must be possible to fully compensate for the non-material damage caused by the infringement of the regulation.
In order to clarify the third question referred, it was necessary to discuss whether Article 82(1) GDPR must be interpreted as precluding the possibility of taking into account the attitude and motives of the controller in order to award the data subject compensation that is less than the actual damage suffered. Here, the Court states that the controller’s motivation is not relevant when awarding damages under Art. 82 GDPR, as the standard does not have a punitive but a compensatory function and the motives of the unlawful actor must therefore be disregarded. Thus, the damages may not be assessed in an amount that exceeds the full compensation of the damage.
Conclusion
The ECJ continues its previous case law on non-material damages and thus specifies the requirements for a claim for damages under Art. 82 GDPR.
Once again, the judgement of the European Court of Justice confirms that a breach of the GDPR is not in itself sufficient to justify a claim for damages. It is worth noting that an apology may be sufficient in individual cases to fully compensate for non-material damage. This development confirms that the importance of communication between the controller and the data subject following a data protection incident should not be underestimated, also with regard to liability. The latter is particularly welcome in light of the fact that claims for damages under the GDPR are increasingly being misappropriated, for example to exert pressure on employers in the context of unfair dismissal proceedings.