This Week In Data/Cyber/Tech: CJEU Further Clarifies The Scope Of GDPR Non-Material Damages

There's rarely a quiet week in data protection — and this one was no exception. Below are two developments from the past seven days that caught my eye.

Story #1: CJEU further clarifies the scope of GDPR non-material damages

Despite the sums at issue being small, particularly in light of the multi-million euro fines handed down under the GDPR, the topic of non-material (i.e., non-financial) damages has played an outsized role in the recent docket of the Court of Justice of the European Union (CJEU).

By my count, the Court has issued more than half a dozen judgments on this topic in the past year or so. And last Thursday the CJEU handed down another pair of judgments on the scope of claims under the GDPR in respect of non-material harms.

These latest judgments reiterate many of the key holdings of previous cases — namely, that (1) there is no minimum threshold of harm for the purposes of awarding compensation, but (2) a breach of the GDPR does not, by itself, confer a right of compensation, and (3) there must be a causal link between the processing and the damage. But they also provide some additional colour, as described below.

JU and SO v Scalable Capital GmbH

• Article 82 of the GDPR fulfils a compensatory, rather than a punitive, function. As such, the financial compensation awarded must allow the relevant individual(s) to be compensated "in full" for the damage suffered.
• Provided that the controller is at fault for the event giving rise to the damage, the severity of the infringement, or whether the processing in question was intentional (or negligent), does not need to be taken into account when assessing the right to compensation.
• The damage caused by a personal data breach is not, as a matter of principle, less significant than physical injury.
• Compensation for non-material damage arising from the theft of personal data is not limited to scenarios in which the data are actually misused. Rather, compensation can be awarded in cases where the theft of personal data did not lead to identity theft or fraud (e.g., where the individual suffered distress as a result of the loss of personal data).

AT and BT v PS GbR, VG, MB, DH, WB and GS

• The loss of control of personal data, even for a short time, can constitute non-material damage for the purpose of Article 82(1) of the GDPR — provided that the individual can show that they have suffered damage, "however slight". That is the case even if it is not possible to prove that the data were disclosed to a third party(ies).
• However, a mere allegation of fear (i.e., regarding what has happened to the individual's personal data) is not sufficient to award compensation.
• The calculation of damages does not require a court to take into account local law provisions relating to personal data protection but which aren't intended to specify the rules of the GDPR.

Story #2: Generational differences in attitudes to privacy?

Busman's holiday: a form of recreation that involves doing the same thing that one does at work.

I'm a sucker for a data protection-related headline, even when I'm supposed to be "switched off". So I didn't stand a chance with a recent piece in the Financial Times, which argues that Gen Z has embraced the ability to track one another — and be tracked — via their smartphones.

Whether or not you believe it, or think that the article speaks to a worrying development, it's a good example of the privacy paradox: individuals say that they value their privacy, but their actions tell a different story.

Some data protection practitioners may claim to be perfect in this regard, but I'm not immune to prioritising convenience over what I know is a more privacy-protective approach. Moving through the world — digital and otherwise — with an absolute focus on privacy is admirable but exhausting. Something has to give, and I suspect that I'm not alone in that.

In any event, the article is worth a read to learn more about how attitudes to privacy and the use of smart phones apparently vary between generations. And it seems that tracking my kids' movements via their phones is okay. But using the devices to call them? Well, apparently that would just be creepy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.