Damages for GDPR violations – the German Federal Labor Court requests clarification of essential questions by the European Court of Justice
Update Data Protection No. 105
The circumstances under which a data subject may make a claim for damages due to a violation of data protection law are still highly controversial. The German Federal Labor Court (Bundesarbeitsgericht, BAG) has submitted two essential questions in this regard to the European Court of Justice (ECJ) for clarification (decision of August 26, 2021 – 8 AZR 253/20 (A)). Here, the BAG has taken a very plaintiff-friendly position, which, if confirmed by the ECJ, would mean considerable additional risks for companies.
Need for clarification regarding the application of Art. 82 GDPR
Under Art. 82 (1) GDPR, any person who has suffered material or non-material damage as a result of a GDPR violation is entitled to receive compensation from the controller or the processor for the damages suffered. When it comes to the practical implementation of this regulation, opinions differ widely.
For a claim for damages under Art. 82 (1) GDPR, some courts require proof of specific and noticeable damage that goes beyond the pure violation of data protection regulations (e.g. Brandenburg Higher Regional Court, decision of August 11, 2021 – 1 U 69/20; Bremen Higher Regional Court, decision of July 16, 2021 – 1 W 18/21; Bonn Regional Court, decision of July 1, 2021 – 15 O 372/20; Munich Higher Regional Court, decision of December 8, 2020 – 18 U 5493/19). According to this opinion, compensation under Art. 82 GDPR is aimed at compensation for damage that has actually occurred, but not for purposes that go beyond this, such as the prevention of further data protection violations.
Other courts assume that proof of specific damage is not required within the framework of Art. 82 (1) GDPR. The mere violation of the provisions of the GDPR should justify compensation for non-material damage (e.g. Neumünster Labor Court, judgment of August 11, 2020 – 1 Ca 247 c/20; Düsseldorf Labor Court, judgment of March 5, 2020 – 9 Ca 6557/18). According to this view, the regulatory context results in a preventive character from Art. 82 GDPR, in particular from the provisions in recital 146 of the GDPR. The claim for damages should then also serve as a deterrent (Dresden Labor Court, judgment of August 26, 2020 – 13 Ca 1046/20).
The German Federal Constitutional Court had already pointed out the need for clarification of the interpretation of Art. 82 GDPR and, with reference to the constitutional guarantee of one’s lawful judge, asked the courts to obtain a decision of the ECJ on the interpretation of the concept of damage, if necessary (decision of January 14, 2021 – 1 BvR 2853/19). The BAG has now implemented this mandate. By means of a request for a preliminary ruling, it submitted various questions about the interpretation of the GDPR to the ECJ and suspended the underlying appeal proceedings until the ECJ has made a decision.
Background to the proceedings
The plaintiff in the underlying proceedings worked as an IT specialist for a medical service of the health insurance funds (MDK). The plaintiff suffered sustained illness from 2017 onward. His health insurer then requested that the plaintiff's employer provide an occupational health report on the plaintiff. This report, from which, inter alia, the diagnosis of severe depression emerged, was saved in the MDK’s system and was not protected from access by colleagues. After the expert opinion on his individual case was forwarded to him by a work colleague, the plaintiff demanded compensation for non-material damage from the MDK in the amount of EUR 20,000.00 as well as compensation for material damage in accordance with Art. 82 (1) GDPR.
The Düsseldorf Labor Court (judgment of February 22, 2019 – 4 Ca 6116/18) and the Düsseldorf Regional Labor Court (judgment of March 11, 2020 – 12 Sa 186/19) dismissed the action in the lower instances. According to theses judgments, the data processing by the MDK did not violate the provisions of the GDPR.
German Federal Labor Court’s request for preliminary ruling by the ECJ
The BAG takes a different view. The processing of the plaintiff’s health data by the MDK could have violated the requirements of the GDPR for the processing of special categories of personal data according to Art. 9 GDPR. In this case, the plaintiff is, in principle, entitled to damages under Art. 82 (1) GDPR.
In order to determine the damage to be compensated, the BAG has asked the ECJ for a preliminary ruling on the following questions:
- Does Art. 82 (1) GDPR have a special or general preventive character and does this have to be taken into account when assessing the amount of non-material damage to be compensated on the basis of Art. 82 (1) GDPR at the expense of the controller or the processor?
- When assessing the amount of non-material damage to be compensated on the basis of Art. 82 (1) GDPR, is the degree of fault of the controller or processor decisive? In particular, may a non-existent or minor fault on the part of the controller or processor be taken into account in its favor?
In addition, the BAG submitted further questions to the ECJ concerning the interpretation of Art. 9 GDPR. These included, in particular, the controversial question of whether the processing of special categories of personal data requires the cumulative presence of the requirements of Art. 6 (1) GDPR and Art. 9 (2) GDPR or whether the processing can be based solely on Art. 9 (2) GDPR. In the request for a preliminary ruling dated August 26, 2021, the BAG also recorded its legal opinion on the referred questions.
According to such, the BAG advocates for a very broad interpretation of the concept of damage and wants to set the lowest possible requirements for damages for data protection violations. Indeed, it believes every violation of the requirements of the GDPR should at the same time justify compensable non-material damage. In the opinion of the BAG, liability under Art. 82 GDPR also does not presuppose any culpable action.
The BAG thus clearly seeks to distance itself from the legal opinion put forward by the Supreme Court of Justice in Austria (ÖOGH) in its request for a preliminary ruling to the ECJ (decision of May 12, 2021 – 6 Ob 35/21x; ECJ C-300/21). The ÖOGH has also asked the ECJ for clarification of questions relating to the interpretation of Art. 82 GDPR, including whether a violation of the GDPR is sufficient to justify compensable non-material damage, irrespective of any damage actually suffered. Just like numerous German courts, the ÖOGH also took the view that the claim under Art. 82 (1) GDPR requires the demonstration of an actual and noticeable disadvantage.
The questions the BAG has raised concerning claims for damages under the GDPR are of great practical relevance. Companies that process a large amount of customer or employee data are particularly affected. Individual violations of the provisions of the GDPR can lead to a large number of potentially affected parties, and thus to a large number of potential claimants for damages.
If the ECJ confirms the opinion of the BAG from the order of reference of August 26, 2021, it will be much easier for future plaintiffs to successfully sue for damages in the event of GDPR violations. The increase of liability risks under data protection law brought about by the introduction of the GDPR would be significantly intensified for companies that perform data processing. In addition, claims for damages under data protection law could increasingly become the subject of disputes under labor law. It has already been observed that some (former) employees use the rights afforded to data subjects under data protection law as a tactical tool in settlement negotiations. This trend could intensify if the ECJ confirms the opinion of the BAG.
The BAG's legal opinion raises doubts. However, it is very welcome that the BAG would like to have the ECJ clarify the related issues. In view of the expected decision on the request for a preliminary ruling by the ÖOGH, there is reason to hope for more uniformity and clarity in the previously highly diffuse case law on damages under data protection law.
A decision by the ECJ is not expected until 2023. Companies should use the intervening period to identify existing data protection risks and optimize organizational structures. This also includes the defining of processes and responsibilities in the event of data protection violations and claims for damages based thereon.