Een analyse van recente besluiten van het Europese Hof van Justitie over immateriële schade onder de GDPR. Dit artikel gaat verder in het Engels.
Foto: Luxofluxo
The General Data Protection Regulation (GDPR) has marked a transformative shift in the landscape of privacy rights, establishing rigorous standards for data processing and increasing liability for GDPR non-compliance. To that effect, Article 82 of the GDPR grants individuals the right to seek compensation for both material and non-material damages suffered as a consequence of GDPR infringements.
In the Netherlands, litigation to seek compensation for damages related to breaches of GDPR have been common ever since the GDPR entered into force. In this article we assess recent Court of Justice of the European Union (CJEU) decisions relating to non-material damages arising under the GDPR and explores the development of the concept of non-material damages under the GDPR both at the EU level and within the Dutch legal framework.
CJEU case law has had a noteworthy influence on the Dutch legal framework regarding non-material damages. In particular, the following five notable cases have significantly impacted the interpretation of such damages:
Case C-300/2021 - Österreichische Post
Case C-340/2021 - Natsionalna agentsia za prihodite
Case C-456/22 - VX, AT v. Gemeinde Ummendorf
Case C-667/21 - ZQ v. Medizinischer Dienst
Case C 741/21 - GP v. juris GmbH
In the context of GDPR violations, Dutch courts have been proactive in integrating the notion of non-material damages into their legal framework and have been influenced by jurisprudence of the CJEU.
Cases before the Amsterdam and Noord-Nederland District Courts (ECLI:NL:RBAMS:2019:6490 and ECLI:NL:RBNNE:2020:247) illustrate a liberal interpretation of "damage" and the entitlement to comprehensive compensation, aligning with the GDPR's overarching goals.
In the case before the Amsterdam District Court (ECLI:NL:RBAMS:2019:6490) the dispute arose when UWV (Employee Insurance Agency) sent a notification letter about the claimant's long-term illness to her new employer without her consent. This information was deemed sensitive personal data and the sending of the letter was considered a violation of the GDPR, as it lacked the claimant's permission and potentially led to serious adverse effects for her. The court, following Article 82 GDPR and Recital 146 GDPR, considered that individuals are entitled to receive full and effective compensation for the damage suffered. Importantly, in this case, the court read Article 82 GDPR in conjunction with Article 6:106(1.b) Dutch Civil Code to interpret the notion of non-material damages. It was determined that the claimant had indeed suffered non-material damages due to the unauthorized disclosure of her health status, leading to a compensation award of €250, along with interest.
In case before the Noord-Nederland District Court (ECLI:NL:RBNNE:2020:247), the District Court ruled that wrongful disclosure of personal data warrants compensation for non-material harm. The court held that its decision aligns with Article 82 GDPR and Recital 146 GDPR, which advocate for a broad interpretation of “damage” to include psychological distress or other negative effects resulting from privacy breaches. Similarly, to the case above, the court read Article 82 GDPR in conjunction with Article 6:106(1.b) Dutch Civil Code. The court found that the individual impacted by the unauthorized data disclosure suffered a violation of their privacy rights. However, it also considered the limited scope of the breach (from one employee to a third party) and the absence of broader distribution or specific negative consequences to the claimant directly linked to this incident. In assessing the appropriate compensation for the non-material harm suffered, the court acknowledged the difficulty in precisely quantifying such damages, yet emphasized the importance of acknowledging the distress and potential reputational harm the affected party endured. Consequently, the court deemed a fixed amount of €250 as fair and reasonable compensation for the non-material damages, considering the nature of the privacy infringement and its impact on the individual’s personal and professional life.
Judgments in more recent cases before two courts (ECLI:NL:RVS:2023:3130 and ECLI:NL:RBGEL:2023:5435) reflect the adoption of CJEU jurisprudence by the Dutch courts regarding non-material damages, emphasizing the necessity for full and effective compensation without setting arbitrary thresholds for damage severity.
In case ECLI:NL:RVS:2023:3130, the appellant argued that the municipal council unlawfully processed photos of his property because his consent for the use of the photos was limited to a 2012 property value assessment under the Dutch Property Valuation Act (WOZ) and did not cover or extend to subsequent uses. He claimed the right to compensation due to this alleged unauthorized use of the photos, which included the use of his property's images as a reference for assessing the value of other properties. The Administrative Jurisdiction Division of the Council of State (Raad van State) found that the decision by the municipal council to use the photos did not adequately assess whether the processing of the photos was lawful under the GDPR and the lawfulness of the further use of the photos was insufficiently investigated. This oversight led the Council of State to conclude that the municipal council’s decision on the appellant’s request for compensation for non-material damages was inadequately substantiated. Therefore, the Council of State overturned the lower court’s decision, declared the appellant’s appeal justified, and ordered the municipal council to reevaluate the appellant’s claim for non-material damages. Specifically, this re-evaluation should consider whether there was unlawful handling of the appellant’s personal data and, if so, to decide on the compensation request based on the applicable legal standards, explicitly referencing the ones set in the Österreichische Post decision of the CJEU.
With regard to case before the Gelderland District Court (ECLI:NL:RBGEL:2023:5435), the plaintiff (an alumnus of the university, who completed his education with some delay due to personal circumstances) sought compensation for the emotional impact and the breach of his privacy due to the unauthorized access and potential misuse of his sensitive data. With explicit reference to the CJEU’s definition of non-material damages in the Österreichische Post case, the District Court of Gelderland underlined the broad interpretation of “damage” under the GDPR and the necessity to prove a tangible impact on the individual’s personal integrity or privacy. The plaintiff described his emotional distress, loss of trust, and ongoing concerns about the misuse of his sensitive medical information, which had been shared with the university under assurances of confidentiality and security. The court awarded the plaintiff €300 in compensation for non-material damages, recognizing the significant emotional and privacy implications of the breach. The judgment also highlighted that while the exact use of the leaked data by the hacker was unclear, the mere access and potential dissemination of such sensitive information was sufficient to warrant compensation for non-material damages.
These decisions illustrate the way in which the Dutch judiciary makes use of the CJEU jurisprudence in refining the Dutch legal framework for assessing and awarding compensation for non-material damages suffered due to GDPR infringements in the Netherlands. It shows, in any event, that the outcome of the case highly depends on the circumstances of the case. This evolving jurisprudence also illustrates the ongoing complexity of quantifying non-material damages. A critical challenge highlighted in both EU and Dutch case law is the burden of proof on claimants to demonstrate the existence and extent of non-material damages. This requirement ensures that only substantiated claims lead to compensation, preventing potential abuses of the system. However, it also places a significant burden on individuals to quantify harms that are inherently difficult to measure, such as psychological distress or loss of privacy, especially where damages may still materialize in future. We expect that more litigation on GDPR infringements is yet to come. This also follows from the various GDPR/privacy related class actions on Article 82 GDPR currently pending in the Netherlands.
