On June 5, 2024, the Administrative Law Division of the Raad van State ("Division") ruled on the right to immaterial damages following a data breach. In this post, Rosalie Brand highlights the right to immaterial damages compensation under the AVG.
The Administrative Law Division rejected the award of immaterial damages. Although the case falls within the existing legal framework, it provides a good opportunity to refresh knowledge about immaterial damages under the General Data Protection Regulation ("AVG" or "Regulation"). Other literature on this topic: C. Jeloschek, "The right to compensation for immaterial damages under the AVG. Back to square one because leaving calculation to member states? An analysis of ECJ EU judgment of May 4, 2023 (UI v. Österreichische Post),' TvIR 2023, vol. 6. See also: C. Jeloschek & R.H.G. Van Schaik, 'The right to compensation for immaterial damages under the AVG. Further clarity from the Court of Justice of the EU. An analysis of four judgments following the UI v. Österrechische Post judgment,' TvIR 2024, vol. 2.
The case was between a resident and the Municipal Executive of the Municipality of Heemskerk. In a previous dispute between the parties, the claimant filed a notice of objection. For consideration, the college appointed a hearing and advisory committee and compiled a case file. The file contained the claimant's name and address, citizen service number, contact information and medical information. The college sent the file to the members of the hearing and advisory committee, with one of the files lost in the mail. The college reported this data breach to the Autoriteit Persoonsgegevens and to plaintiff. The plaintiff claims that the college informed her that due to the lost process file, the said personal data may have (been) accessible to third parties. Because of the anxiety and stress symptoms she experienced as a result of this incident, the plaintiff asks for damages of €2,000.
At first instance, the claimant's claim was dismissed. The court reached this decision because it did not consider it plausible that the claimant's data had ended up with third parties. In addition, the claimant did not substantiate with concrete and objective data that she suffered mental injury as a result of the data breach. Thus, her claim for damages based on non-material injury fails. The plaintiff disagreed and appealed.
To place the court's and later the Division's ruling in the legal framework, we first zoom out a bit. Starting with the legal basis for immaterial damages in the AVG. According to Article 82(1) AVG, anyone who has suffered material or immaterial damage as a result of a breach of the AVG is entitled to compensation from the controller or processor. Although the right is clearly enshrined in the AVG, the Regulation provides little guidance on its interpretation. For example, it was unclear for some time whether Article 82 AVG is punitive in nature. The courts have since invalidated this and confirmed that the purpose of Article 82 AVG is to compensate the data subject for damages suffered. CJEU 21 December 2023, C-667/21, ECLI:EU:C:2023:433,(Krankenversicherung Nordrhein), para 86.
To successfully invoke Article 82 AVG, three cumulative elements must be met: (i) the existence of damages, (ii) a breach of the AVG, and (iii) a causal link between the damages and the breach of the AVG. We discuss these elements in more detail below. Other literature on this topic. E Troll, "Are there thresholds for (being allowed to assume) immaterial damages under the AVG?", MoV 2023, para. 9.
According to established case law, the Division should refer to Dutch civil compensation law when assessing a request for compensation for immaterial damages. Immaterial damages are grounded in Section 6:106 (1) (b) of the Dutch Civil Code and include bodily injury, damage to honor or reputation or impairment in person "in any other way. In the present case, the claimant relies on the latter component. A successful reliance on impairment in person 'in another way' must be substantiated with concrete data, unless the nature and seriousness of the infringement make damage plausible. ABRvS April 1, 2020, ECLI:NL:RVS:2020:898.
In this case, the claimant indicated that she suffered (severe) psychological damage from the data breach, in the form of anxiety and stress symptoms. She substantiated this position with two emails from social workers. These emails from the social workers contained merely a representation of claimant's assertion that she has anxiety and stress symptoms, with no additional interpretation. In addition, the claimant indicated that she had been referred to the mental health department by her primary care physician, which would indicate serious psychological injury. The Division considers the foregoing evidence insufficient to prove the claimant's intangible injury. Thus, the appeal is dismissed as unfounded.
It is still important to note that the claimant is not invoking civil law or Section 6:106 (1) (b) of the Civil Code. Since the dispute is public law in nature, she relies on Article 8:88 Awb in conjunction with Article 82 AVG. However, the Division always assesses immaterial damages on the basis of Section 6:106 (1) under b of the Civil Code. A nice interplay between public and private law.
Now that the legal basis is clear, let's walk through how the court tested the elements for immaterial damages in this case.
In general, a data breach does not necessarily mean that there has been a breach of the AVG. In the present case, however, the college did not dispute that there had been a breach of the AVG. Therefore, both the court and the Division assumed this.
Because a violation of the AVG does not automatically lead to damages, it is important to prove causality between these two elements. In doing so, the nature and seriousness of the breach of standards in specific cases may mean that damage is so obvious that causality may be assumed. In the present case, the Division indicates that the nature of the breach of standards does not mean that the adverse consequences for the plaintiff are obvious. Thus, the plaintiff would have had to prove causation between the alleged harm and the data breach.
With its ruling, the Division confirms the line we see in case law, namely that not every data breach automatically means a right to immaterial damages. In our opinion, a correct line to take.
