by Alessandro Candini*
The conclusions of the Advocate General of the European Court of Justice are consistent with the Italian jurisprudence on the matter
On 6 October 2022, the Advocate General at the European Court of Justice presented his conclusions in case C-300/21, concerning the compensability of non-pecuniary damage resulting from a violation of the right to the protection of personal data.
The story originates in Austria, where a publishing company had collected personal data on the political preferences of some citizens. In particular, it used an algorithm to identify the addresses of groups of recipients for the electoral advertising of the political parties.
One of the recipients of the communications brought the matter before the court, complaining that he had not given his consent to the processing of his data and asking for equitable compensation of 1,000 euros for the non-pecuniary damage suffered as a result of the unlawful processing.
In the first two instances of judgment, the interested party’s request was rejected.
When the case reached the third level of judgment, the Austrian Supreme Court asked the European Court of Justice for a preliminary ruling on whether the mere violation of the provisions of the European Regulation 679/2016 (so-called GDPR) gives rise to a right to compensation automatically, so to speak, whether or not damage has occurred.
The Court of Justice is therefore called on to ascertain whether a violation of the provisions of the GDPR necessarily causes damage that gives rise to the right to compensation, or whether the damage must be demonstrated and must reach a minimum threshold. In his conclusions, the Advocate General rightly noted that, for the purposes of recognizing compensation for damage suffered by a person as a result of a violation of the GDPR, the mere violation of the rule is not sufficient if it is not accompanied by the allegation of the related damage, pecuniary or non-pecuniary.
The compensation for the damage governed by the GDPR would not therefore extend to the mere irritation or annoyance that the interested party may experience.
From this point of view, the position of the Advocate General is consistent with Italian jurisprudence.
The Court of Cassation has been affirming for some time (recently, with order 16402/2021) that damage from violation of the right to the protection of personal data does not exist in re ipsa, since the compensable prejudice is not to be identified with the mere infringement of the right protected by law, but with the prejudicial consequences caused by the injury itself, which must be alleged and demonstrated by the victim of the offence and must reach a serious and effective threshold of harm.
Equating "violation" with "compensation" in the absence of damage would be consistent neither with the text of Article 82 of the GDPR, concerning the right to compensation and liability, which makes express reference to the existence of damage, nor with the rationales of the GDPR. In the latter respect, the GDPR has two objectives, set out in its title: i) on the one hand, the protection of natural persons with regard to the processing of personal data; ii) on the other hand, that this protection is organized in such a way that the free movement of such data within the Union is neither prohibited nor restricted.
However, one might wonder whether there is room, in those legal systems that allow it, to hold that compensation for damage to the protection of personal data may have a punitive nature, regardless of the existence of damage.
In his conclusions, the Advocate General rightly noted that the GDPR does not contain any reference to a punitive nature of the compensation for pecuniary or non-pecuniary damage, nor to the fact that the calculation of its amount must reflect this nature or that said compensation must be dissuasive (the quality it attributes to criminal sanctions and administrative fines). From a literal point of view, therefore, the GDPR would not allow the provision of punitive compensation.
The considerations of the Advocate General can be fully endorsed, and reflect the prevailing orientation in national doctrine and jurisprudence.
Moreover, the prospect of obtaining compensation regardless of any damage would stimulate the proliferation of instrumental civil disputes, discouraging the processing activity itself and consequently the circulation of data that the European legislator intended to ensure.
*by Avv. Alessandro Candini, DigitalMediaLaws