German court rules on GDPR right to compensation

Out-Law News | 04 Sep 2019 | 3:03 pm | 2 min. read

The commercial interests being pursued when minor infringements of EU data protection laws occur could influence whether organisations are liable to compensate people who suffer damage from those infringements, according to a German court.

In a ruling issued earlier this summer, however, an appeals court in Dresden said that the right to compensation provided for under the General Data Protection Regulation (GDPR) does not apply to "intangible trivial damage" stemming from minor breaches of the Regulation.

This includes where there is "perceived discomfort or minor trivialities" but no "serious impairment to a person's self-image or reputation", the court said.

Data protection law expert Nadia Schaff of Pinsent Masons, the law firm behind Out-Law, said that the Dresden court's ruling is in line with a November 2018 ruling by a district court in Diez, Germany. The Diez court held that damages cannot be claimed where minor data protection law infringements do not cause serious impairment.

In its ruling, the Dresden court said that it may have reached a different view on the question of compensation in cases where a breach of data protection laws impacts multiple people in the same way and where the infringement stems from a conscious, illegal and large-scale act in pursuit of commercial gain.

The court issued its ruling in a case where it was asked by an individual to award damages against a social networking provider that had taken action to remove a post the person had posted on its platform and suspend their account in 'read-only' mode for three days thereafter.

The court ruled that the social network's processing of the person's personal data in deleting their post and blocking their account was justified as the person had consented to the social network's terms of use. The court, however, did not clarify whether it believed the consent given to the terms of use constituted lawful consent to the processing of personal data by the social network.

Under Article 82 of the GDPR, any person who has suffered material or non-material damage as a result of an infringement of the Regulation has the right to claim compensation from the data controller or processor for the damage suffered.

A recital from the GDPR states that "the concept of damage should be broadly interpreted" with CJEU case law and the objectives of the GDPR in mind. The Regulation, however, does not set out precise regulations on the level of compensation that should be awarded or the concrete scope of claims for damages.In its ruling, though, the court said that, in the context of the case before it, the mere blocking of the internet users' data, as well as the deletion of their data, did not constitute 'damage' within the meaning of the GDPR.

The court said that a further factor in favour of the social network in the case was that it had acted in the opposite of its commercial interests by deleting its user's post and suspending their account.

The court also said that there is a risk that the right to compensation under the GDPR could be abused if cases of minor damage can trigger claims for compensation, and added that if it was the intention of EU law makers to provide for compensation to be claimed for minor breaches of the GDPR then an provision making this clear would have been included in the legislation.

"The decision is particularly welcome against the background of the risk of abuse in case of minor damages," Schaff of Pinsent Masons said. "In practice, therefore, in the event of a corresponding claim, it should not only be examined whether a data protection infringement actually exists, but also whether damage asserted is not merely a minor damage. However, it remains to be seen where the line is to be drawn between minor GDPR violations and violations which may successfully lead to claims for damages under Article 82 of the GDPR."