On 25 September 2023, the Austrian Supreme Court (OGH) suspended proceedings in order to await the outcome of a request for a preliminary ruling pending before the ECJ (C-667/21). This request for a preliminary ruling was initiated by German courts, which, among other things, asked the ECJ whether or not the award of compensation for immaterial damage under the GDPR was dependent on fault.
Initial case before the Austrian Supreme Court
In the Austrian legal dispute, the plaintiff argued that she had submitted a request for information based on Article 15 GDPR to the defendant. This information would not have been provided to a sufficient extent and in a comprehensible form, contrary to the requirements of the GDPR. For this reason, she claimed compensation in the amount of EUR 2,500.00 for immaterial damage sustained, in addition to the information. She would have lost control of her data and suffered from the "uneasy" feeling that the defendant was in possession of personal information which the plaintiff would never have disclosed voluntarily.
The defendant argued that the information requested had been provided in a sufficient and comprehensible manner and disputed having been at fault (in the event that the GDPR would be found to have been breached at all).
Fault-based liability or no-fault liability?
As already reported in previous blogs, the prerequisites for compensation for immaterial damage are a breach of data protection law, actual (immaterial) damage done and a causal link between the breach of the law and the damage. According to the decision of the ECJ of 04 May 2023 in case C-300/21 (see our KWR blog of 17 May 2023 Gefühlsschaden II), it is not generally required to exceed a materiality threshold for damage to be considered done.
However, the ECJ now also has to clarify the question of fault for a potential claim for compensation. The Advocate General's opinion (ECLI:EU:C:2023:433) is already available. The Advocate General comes to the conclusion that the right to compensation for immaterial damage under the GDPR does not depend on fault. The opinion also emphasises that "not even very minor" fault is necessary.
However, this would lead to an unsatisfactory result in practice: Enterprises would be subject to heightened liability for GDPR breaches. Apart from the elimination of the materiality threshold, this would indicate that the element of fault is eliminated, too.
It remains to be seen how the ECJ will decide.
The KWR Data Protection Team will be happy to answer any questions you may have.