The Court of Justice of the European Union (CJEU) has made a number of judgments in recent months that have significantly improved clarity in relation to claims for data breach compensation, that is, judgments relating to Article 82 of the GDPR (the right to compensation and liability).
Article 82 states that any person who has suffered material or non-material damage as a result of an infringement of this Regulation [EU GDPR] shall have the right to receive compensation from the controller or processor for the damage suffered. However, there has been a lack of clarity on this, not least in relation to claims for non-material damages such as fears and anxiety suffered by a data subject regarding the potential future misuse of their personal data following a data breach.
Five key areas of clarification include:
1. Claimants need to establish (i) an infringement of the GDPR, (ii) that they have suffered damage, and (iii) that there is a causal link between the infringement and the damage suffered.
2. Non-material damage may include a loss of control over personal data or fear about potential future misuse, but such damage must be proven by claimants.
3. The concept of damage is to be broadly interpreted. There is no minimum threshold of seriousness.
4. The damages regime provided by Article 82 serves a compensatory function only and does not have a punitive or deterrent purpose.
5. An infringement of the GDPR gives rise to a presumption that the technical and organizational measures adopted by the controller/processor were insufficient. This presumption can be refuted by a data controller.
A summary of recent CJEU judgments has been published on The Bar of Ireland Law Library. It could make interesting reading for anyone with potential involvement in making or defending these types of claims, and could also be useful information for DPOs/Privacy Leads who are managing the risk of such claims arising.