GDPR infringements and damages claims: the UI-case explained

Dit artikel is in het Engels

Three cumulative conditions for damage claims, and a EU concept for damage

As expected, the ECJ finds that a “mere infringement” of the GDPR is insufficient to claim damages based on article 82 GDPR (1). There are instead three cumulative conditions to bring a damages claim. There must be: (i) an infringement, (ii) some form of damage suffered and (iii) a causal link between the damage and the infringement (finding 32). We note that this fits well with most civil law traditions, and specifically the Dutch civil law system.

Importantly, the UI-case also (re)confirms that the concept of ‘damage’ and ‘compensation for the damage suffered’ are autonomous concepts of EU law which must be interpreted in a uniform manner in all member states (findings 30, 44). This is of relevance, given that in previous case law, the ECJ has already found that feelings of psychological harm can also give rise to non-material damages (See, e.g. ECJ 4 April 2017, ECLI:EH:C:2017:256, findings 129 – 130. CURIA – Documents (europa.eu)) (2)

Barriers such as national de minimis rules are not allowed

The court finds that member states may not introduce rules or practices which make compensation for non-material damage subject to the condition that the damage suffered reaches a certain degree of seriousness (findings 43 – 51). This entails that any form of damage suffered, even a very small amount (such as physical distress), can in principle be deemed ‘damage’ within the scope and ambit of article 82 GDPR.

National procedural rules must comply with principles of equivalence and effectiveness

The member states are free to prescribe the detailed rules for safeguarding the rights individuals derive from article 82 GDPR, given that EU law does not set such rules (finding 54). This includes the right to prescribe the criteria to determine the extent of compensation payable for infringements of GDPR-rights.

However, and importantly, the ability to set procedural rules is subject to compliance with the principles of equivalence and effectiveness. This entails that the procedural rights must be such that the data subject can effectively safeguard his or her rights under the GDPR. There must be full and effective compensation for the damage that is suffered (finding 57).

The ECJ explains what it means by referring by analogy to the well-established case law dealing with competition law damages claims, where the ECJ also decided that victims of EU-law infringements can base damages claims directly on EU law, and that member states may prescribe procedural rules, but only as long as such rules do not undermine the effectiveness of EU law (finding 54, a reference to Manfredi, ECJ 13 July 2006, ECLI:EU:C:2006:461, CURIA – Documents (europa.eu)) (3).

Wil je weten meer weten over het werkterrein van Damiën Berkhout? Kom dan vooral naar de cursus Privacy en massaclaims, op 27 juni.  Hier vind je meer informatie over deze middagcursus.

1. https://curia.europa.eu/juris/document/document.jsf;jsessionid=B12B4997407202A06E420B6458DAD685?text=&docid=273284&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=4873969

2. https://curia.europa.eu/juris/document/document.jsf?text=&docid=189543&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=4883997

3. https://curia.europa.eu/juris/document/document.jsf?text=&docid=56474&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=4886475