JUDGMENT OF THE COURT (Third Chamber)
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 82(1) – Right to compensation for damage caused by data processing that infringes that regulation – Conditions governing the right to compensation – Mere infringement of that regulation not sufficient – Need for damage caused by that infringement – Compensation for non-material damage resulting from such processing – Incompatibility of a national rule making compensation for such damage subject to the exceeding of a threshold of seriousness – Rules for the determination of damages by national courts)
In Case C‑300/21,
REQUEST for a preliminary ruling under Article 267 TFEU from the Oberster Gerichtshof (Supreme Court, Austria), made by decision of 15 April 2021, received at the Court on 12 May 2021, in the proceedings
UI
v
Österreichische Post AG,
THE COURT (Third Chamber),
composed of K. Jürimäe, President of the Chamber, M. Safjan, N. Piçarra, N. Jääskinen (Rapporteur) and M. Gavalec, Judges,
Advocate General: M. Campos Sánchez-Bordona,
Registrar: A. Calot Escobar,
having regard to the written procedure,
having considered the observations submitted on behalf of:
– |
UI, by himself as Rechtsanwalt, |
– |
Österreichische Post AG, by R. Marko, Rechtsanwalt, |
– |
the Austrian Government, by A. Posch, J. Schmoll and G. Kunnert, acting as Agents, |
– |
the Czech Government, by O. Serdula, M. Smolek and J. Vláčil, acting as Agents, |
– |
Ireland, by M. Browne, A. Joyce, M. Lane and M. Tierney, acting as Agents, and by D. Fennelly, Barrister-at-Law, |
– |
the European Commission, by A. Bouchagiar, M. Heller and H. Kranenborg, acting as Agents, |
after hearing the Opinion of the Advocate General at the sitting on 6 October 2022,
gives the following
Judgment
1 |
This request for a preliminary ruling concerns the interpretation of Article 82 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’), read in conjunction with the principles of equivalence and effectiveness. |
2 |
The request has been made in proceedings between UI and Österreichische Post AG concerning the action brought by the former seeking compensation for the non-material damage which he claims to have suffered as a result of the processing by that company of data relating to the political affinities of persons resident in Austria, in particular himself, even though he had not consented to such processing. |
Legal context
3 |
Recitals 10, 75, 85 and 146 of the GDPR are worded as follows:
…
…
…
|
4 |
Article 1 of the GDPR, headed ‘Subject matter and objectives’, provides in paragraphs 1 and 2: ‘1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. 2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.’ |
5 |
Under Article 4(1) of that regulation, that article being entitled ‘Definitions’: ‘For the purposes of this Regulation:
|
6 |
Chapter VIII of the GDPR, entitled ‘Remedies, liability and penalties’, contains Articles 77 to 84 of that regulation. |
7 |
Article 77 of that regulation deals with the ‘right to lodge a complaint with a supervisory authority’, while Article 78 concerns the ‘right to an effective judicial remedy against a supervisory authority’. |
8 |
Article 82 of the GDPR, entitled ‘Right to compensation and liability’, states in paragraphs 1 and 2: ‘1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. 2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. …’ |
9 |
Article 83 of that regulation, entitled ‘General conditions for imposing administrative fines’, provides in paragraph 1: ‘Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.’ |
10 |
Article 84(1) of that regulation, that article being headed ‘Penalties’, provides: ‘Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.’ |
The dispute in the main proceedings and the questions referred for a preliminary ruling
11 |
From 2017, Österreichische Post, a company incorporated under Austrian law, an address broker, collected information on the political affinities of the Austrian population. Using an algorithm that takes into account various social and demographic criteria, it defined ‘target group addresses’. The data thus generated were sold to various organisations, to enable them to send targeted advertising. |
12 |
In the course of its activity, Österreichische Post processed data which, by way of statistical extrapolation, led it to infer that the applicant in the main proceedings had a high degree of affinity with a certain Austrian political party. That information was not communicated to third parties, but the applicant in the main proceedings, who had not consented to the processing of his personal data, felt offended by the fact that an affinity with the party in question had been attributed to him. The fact that data relating to his supposed political opinions were retained within that company caused him great upset, a loss of confidence and a feeling of exposure. It is apparent from the order for reference that no harm other than those adverse emotional effects of a temporary nature has been established. |
13 |
In that context, the applicant in the main proceedings brought an action before the Landesgericht für Zivilrechtssachen Wien (Regional Court for Civil Matters, Vienna, Austria) seeking, first, an injunction for Österreichische Post to cease processing the personal data in question and, second, an order requiring that company to pay him the sum of EUR 1000 by way of compensation for the non-material damage which he claims to have suffered. By decision of 14 July 2020, that court upheld the application for an injunction but rejected the claim for compensation. |
14 |
On appeal, the Oberlandesgericht Wien (Higher Regional Court, Vienna, Austria) confirmed, by judgment of 9 December 2020, the decision at first instance. As regards the claim for compensation, that court referred to recitals 75, 85 and 146 of the GDPR and held that the Member States’ provisions of national law on civil liability supplement the provisions of that regulation, in so far as the latter does not contain special rules. In that regard, it noted that, under Austrian law, a breach of the rules on the protection of personal data is not automatically associated with non-material damage and gives rise to a right to compensation only where such damage reaches a certain ‘threshold of seriousness’. In its view, that is not the case with regard to the negative feelings which the applicant in the main proceedings has invoked. |
15 |
Hearing the action brought by the two parties in the main proceedings, the Oberster Gerichtshof (Supreme Court, Austria), by interim judgment of 15 April 2021, did not uphold the appeal on a point of law brought by Österreichische Post against the injunction imposed on it. Therefore, only the appeal on a point of law which the applicant in the main proceedings brought against the rejection of his claim for compensation which had been raised against him remains before that court. |
16 |
In support of its request for a preliminary ruling, the referring court states that it is apparent from recital 146 of the GDPR that Article 82 of that regulation established its own rules on liability for the protection of personal data, which superseded the rules in force in the Member States. Therefore, the concepts contained in Article 82, in particular the concept of ‘damage’ referred to in paragraph 1 thereof, should be interpreted autonomously and the conditions for the implementation of that liability should be defined in the light not of the rules of national law, but of the requirements of EU law. |
17 |
Specifically, in the first place, as regards the right to compensation for a breach of personal data protection, that court tends to consider, in the light of the sixth sentence of recital 146 of the GDPR, that compensation based on Article 82 of that regulation presupposes that material or non-material damage has actually been suffered by the data subject. It argues that the award of such compensation is subject to proof of specific damage distinct from that breach, which does not in itself establish the existence of non-material damage. In its view, recital 75 of that regulation refers to the mere possibility that non-material damage may result from the breaches listed therein and, although recital 85 refers to the risk of a ‘loss of control’ of the data affected, that risk is, however, uncertain in the present case, since those data were not transmitted to a third party. |
18 |
In the second place, as regards the assessment of the compensation that may be awarded under Article 82 of the GDPR, that court considers that the principle of effectiveness of EU law must have a limited impact, on the grounds that that regulation already provides for severe penalties for breaches thereof and that it is therefore not necessary to award a high level of compensation in addition to ensure its effectiveness. In its view, any compensation due on that basis must be proportionate, effective and dissuasive, so that the damages awarded may fulfil a compensatory function, but not be punitive in nature, which is extraneous to EU law. |
19 |
In the third place, the referring court questions the argument put forward by Österreichische Post that the award of such compensation is subject to the condition that the breach of personal data protection has caused particularly serious harm. In that regard, it notes that recital 146 of the GDPR advocates a broad interpretation of the concept of ‘damage’ within the meaning of that regulation. It takes the view that non-material damage must be compensated, under Article 82 of that regulation, if it is tangible, even if it is minor. By contrast, such damage should not be compensated if it appears to be completely negligible, as would be the case for the merely unpleasant feelings that are typically associated with such a breach. |
20 |
In those circumstances, the Oberster Gerichtshof (Supreme Court) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
|
Consideration of the questions referred
Whether Questions 1 and 2 are admissible
21 |
The applicant in the main proceedings submits, in essence, that the first question referred is inadmissible on the ground that it is hypothetical. He maintains, first of all, that his claim for compensation is not based on the ‘mere’ infringement of a provision of the GDPR. Next, the order for reference refers to the fact that there is agreement that compensation is due only if such infringement is accompanied by damage actually suffered. Finally, in his view, the only point that appears not to be common ground between the parties in the main proceedings is whether the damage must exceed a certain ‘threshold of seriousness’. If the Court were to answer the third question referred in that regard in the negative – as the applicant himself proposes – Question 1 would then be of no use for the resolution of that dispute. |
22 |
The applicant in the main proceedings also claims that the second question referred is inadmissible, on the ground that it is both very broad in content and too vague in wording, since the referring court refers to ‘EU-law requirements’, without specifying any such requirement. |
23 |
In that connection, it must be borne in mind that, according to settled case-law, it is solely for the national court before which the dispute has been brought, and which must assume responsibility for the subsequent judicial decision, to determine, in the light of the particular circumstances of the case, both the need for a preliminary ruling in order to enable it to deliver judgment and the relevance of the questions which it submits to the Court, which enjoy a presumption of relevance. If, therefore, the question referred concerns the interpretation or validity of a rule of EU law, the Court is, in principle, required to give a ruling, unless it is quite obvious that the interpretation sought bears no relation to the actual facts of the main action or to its purposes or where the problem is hypothetical or the Court does not have before it the factual or legal material necessary to give a useful answer to the question submitted to it (see, to that effect, judgments of 15 December 1995, Bosman, C‑415/93, EU:C:1995:463, paragraph 61; of 7 September 1999, Beck and Bergdorf, C‑355/97, EU:C:1999:391, paragraph 22; and of 5 May 2022, Zagrebačka banka, C‑567/20, EU:C:2022:352, paragraph 43 and the case-law cited). |
24 |
In the present proceedings, Question 1 concerns the conditions required for the exercise of the right to compensation provided for in Article 82 of the GDPR. Furthermore, it is not obvious that the interpretation sought bears no relation to the dispute in the main action or that the problem raised is hypothetical. This dispute concerns a claim for compensation falling within the rules established by the GDPR for the protection of personal data. Moreover, that question seeks to determine whether, for the purposes of applying the rules on liability laid down by that regulation, it is necessary for the data subject to have suffered damage that is distinct from the infringement of that regulation. |
25 |
As regards Question 2, it has already been held that the mere fact that the Court is called upon to give a decision in abstract and general terms cannot have the effect of rendering a request for a preliminary ruling inadmissible (judgment of 15 November 2007, International Mail Spain, C‑162/06, EU:C:2007:681, paragraph 24). A question submitted in such terms may be considered to be hypothetical, and therefore inadmissible, if the order for reference does not contain the minimum of explanatory material that would be necessary to establish a link between the question and the dispute in the main proceedings (see, to that effect, judgment of 8 July 2021, Sanresa, C‑295/20, EU:C:2021:556, paragraphs 69 and 70). |
26 |
However, that is not the case here, since the referring court explains that Question 2 is based on a doubt as to whether, in the context of the assessment of the damages possibly owed by Österreichische Post due to a breach of the provisions of the GDPR, it is necessary to ensure compliance not only with the principles of equivalence and effectiveness, which are referred to in that question, but also with any other EU-law requirements. In that context, the absence of more precise information than that provided by that court concerning those principles does not deprive the Court of its ability to provide a useful interpretation of the relevant rules of EU law. |
27 |
Therefore, Questions 1 and 2 are admissible. |
Substance
Question 1
28 |
By Question 1 the referring court asks, in essence, whether Article 82(1) of the GDPR must be interpreted as meaning that the mere infringement of the provisions of that regulation is sufficient to confer a right to compensation. |
29 |
In that regard, it should be recalled that, according to settled case-law, the terms of a provision of EU law which makes no express reference to the law of the Member States for the purpose of determining its meaning and scope must normally be given an autonomous and uniform interpretation throughout the European Union (judgments of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C‑439/19, EU:C:2021:504, paragraph 81, and of 10 February 2022, ShareWood Switzerland, C‑595/20, EU:C:2022:86, paragraph 21), having regard, inter alia, to the wording of the provision concerned and to its context (see, to that effect, judgments of 15 April 2021, The North of England P & I Association, C‑786/19, EU:C:2021:276, paragraph 48, and of 10 June 2021, KRONE – Verlag, C‑65/20, EU:C:2021:471, paragraph 25). |
30 |
The GDPR makes no reference to the law of the Member States as regards the meaning and scope of the terms set out in Article 82 of that regulation, in particular as regards the concepts of ‘material or non-material damage’ and of ‘compensation for the damage suffered’. It follows that those terms must be regarded, for the purposes of the application of that regulation, as constituting autonomous concepts of EU law which must be interpreted in a uniform manner in all of the Member States. |
31 |
In the first place, as regards the wording of Article 82 of the GDPR, it should be recalled that paragraph 1 of that article states that ‘any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered’. |
32 |
It is clear from the wording of that provision that the existence of ‘damage’ which has been ‘suffered’ constitutes one of the conditions for the right to compensation laid down in that provision, as does the existence of an infringement of the GDPR and of a causal link between that damage and that infringement, those three conditions being cumulative. |
33 |
Therefore, it cannot be held that any ‘infringement’ of the provisions of the GDPR, by itself, confers that right to compensation on the data subject, as defined in Article 4(1) of that regulation. Such an interpretation would run counter to the wording of Article 82(1) of that regulation. |
34 |
Moreover, it is important to point out that the separate reference to ‘damage’ and to an ‘infringement’ in Article 82(1) of the GDPR would be superfluous if the EU legislature had considered that an infringement of the provisions of that regulation could be sufficient, by itself and in any event, to give rise to a right to compensation. |
35 |
In the second place, the foregoing literal interpretation is supported by the context of that provision. |
36 |
Article 82(2) of the GDPR, which specifies the rules on liability – the principle of which is established in paragraph 1 of that article – reproduces the three conditions necessary to give rise to the right to compensation, namely processing of personal data that infringes the provisions of the GDPR, damage suffered by the data subject, and a causal link between that unlawful processing and that damage. |
37 |
In addition, the clarifications provided by recitals 75, 85 and 146 of the GDPR support that interpretation. First, recital 146, which specifically concerns the right to compensation provided for in Article 82(1) of that regulation, refers, in its first sentence, to ‘damage which a person may suffer as a result of processing that infringes this Regulation’. Second, recitals 75 and 85 state, respectively, that ‘the risk … may result from personal data processing which could lead to … damage’ and that a ‘personal data breach may … result in … damage’. It follows, first, that the occurrence of damage in the context of such processing is only potential; second, that an infringement of the GDPR does not necessarily result in damage, and, third, that there must be a causal link between the infringement in question and the damage suffered by the data subject in order to establish a right to compensation. |
38 |
The literal interpretation of Article 82(1) of the GDPR is further supported by a comparison with other provisions also contained in Chapter VIII of that regulation, which governs, inter alia, the various remedies to protect the rights of the data subject in case of processing of his or her personal data that is allegedly contrary to the provisions of that regulation. |
39 |
In that regard, it should be noted that Articles 77 and 78 of the GDPR, contained in that chapter, provide for legal remedies before or against a supervisory authority, in case of an alleged infringement of that regulation, without it being stated that the data subject must have suffered ‘damage’ in order to be able to bring such actions, contrary to the wording of Article 82 of the GDPR with regard to actions for compensation. That difference in wording is indicative of the importance of the ‘damage’ criterion, and therefore of its distinctive nature as against the ‘infringement’ criterion, for the purposes of claims for compensation based on the GDPR. |
40 |
Similarly, Articles 83 and 84 of the GDPR, which permit the imposition of administrative fines and other penalties, have essentially a punitive purpose and are not conditional on the existence of individual damage. The relationship between the rules set out in Article 82 and those set out in Articles 83 and 84 shows that there is a difference between those two categories of provisions, but also complementarity, in terms of encouraging compliance with the GDPR, it being observed that the right of any person to seek compensation for damage reinforces the operational nature of the protection rules laid down by that regulation and is likely to discourage the reoccurrence of unlawful conduct. |
41 |
Last, it is important to note that the fourth sentence of recital 146 of the GDPR states that the rules laid down by the GDPR apply without prejudice to any claims for damages deriving from the violation of other rules of EU or Member State law. |
42 |
In the light of all of the foregoing reasons, the answer to Question 1 is that Article 82(1) of the GDPR must be interpreted as meaning that the mere infringement of the provisions of that regulation is not sufficient to confer a right to compensation. |
Question 3
43 |
By Question 3, which it is appropriate to examine before Question 2, the referring court asks, in essence, whether Article 82(1) of the GDPR must be interpreted as precluding a national rule or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness. |
44 |
In that regard, it should be borne in mind that, as has been pointed out in paragraph 30 of the present judgment, the concept of ‘damage’ and, specifically in the present case, the concept of ‘non-material damage’, within the meaning of Article 82 of the GDPR, must be given an autonomous and uniform definition specific to EU law, in the absence of any reference to the domestic law of the Member States. |
45 |
In the first place, the GDPR does not define the concept of ‘damage’ for the purposes of the application of this instrument. Article 82 of that regulation confines itself to expressly stating that not only ‘material damage’ but also ‘non-material damage’ may give rise to a right to compensation, without any reference being made to any threshold of seriousness. |
46 |
In the second place, the context of that provision also tends to indicate that the right to compensation is not subject to the condition that the damage in question has reached a certain threshold of seriousness. The third sentence of recital 146 of the GDPR states that ‘the concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation’. It would be contrary to that broad conception of ‘damage’, favoured by the EU legislature, if that concept were limited solely to damage of a certain degree of seriousness. |
47 |
In the third and last place, such an interpretation is supported by the objectives pursued by the GDPR. In that regard, it must be borne in mind that the third sentence of recital 146 of that regulation expressly calls for an interpretation of the concept of ‘damage’, within the meaning of the regulation, which ‘fully reflects the objectives of this Regulation’. |
48 |
It is apparent, in particular, from recital 10 of the GDPR that the objectives of the GDPR are, inter alia, to ensure a consistent and high level of protection of natural persons with regard to the processing of personal data within the European Union and, to that end, to ensure consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data throughout the European Union (see, to that effect, judgments of 16 July 2020, Facebook Ireland and Schrems, C‑311/18, EU:C:2020:559, paragraph 101, and of 12 January 2023, Österreichische Post (Information relating to the recipients of personal data), C‑154/21, EU:C:2023:3, paragraph 44 and the case-law cited). |
49 |
Making compensation for non-material damage subject to a certain threshold of seriousness would risk undermining the coherence of the rules established by the GDPR, since the graduation of such a threshold, on which the possibility or otherwise of obtaining that compensation would depend, would be liable to fluctuate according to the assessment of the courts seised. |
50 |
The fact remains that the interpretation thus adopted cannot be understood as meaning that a person concerned by an infringement of the GDPR which had negative consequences for him or her would be relieved of the need to demonstrate that those consequences constitute non-material damage within the meaning of Article 82 of that regulation. |
51 |
In the light of the foregoing reasons, the answer to Question 3 is that Article 82(1) of the GDPR must be interpreted as precluding a national rule or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness. |
Question 2
52 |
By Question 2 the referring court asks, in essence, whether Article 82 of the GDPR must be interpreted as meaning that, for the purposes of determining the amount of damages payable under the right to compensation enshrined in that article, national courts must apply the domestic rules of each Member State relating to the extent of financial compensation, having due regard in particular to the principles of equivalence and effectiveness of EU law. |
53 |
In that connection, it should be recalled that, according to settled case-law, in the absence of EU rules on the matter, it is for the national legal order of each Member State to establish procedural rules for actions intended to safeguard the rights of individuals, in accordance with the principle of procedural autonomy, on condition, however, that those rules are not, in situations covered by EU law, less favourable than those governing similar domestic situations (principle of equivalence) and that they do not make it excessively difficult or impossible in practice to exercise the rights conferred by EU law (principle of effectiveness) (see, to that effect, judgments of 13 December 2017, El Hassani, C‑403/16, EU:C:2017:960, paragraph 26, and of 15 September 2022, Uniqa Versicherungen, C‑18/21, EU:C:2022:682, paragraph 36). |
54 |
In the present case, it should be noted that the GDPR does not contain any provision intended to define the rules on the assessment of the damages to which a data subject, within the meaning of Article 4(1) of that regulation, may be entitled under Article 82 thereof, where an infringement of that regulation has caused him or her harm. Therefore, in the absence of rules of EU law governing the matter, it is for the legal system of each Member State to prescribe the detailed rules governing actions for safeguarding rights which individuals derive from Article 82 and, in particular, the criteria for determining the extent of the compensation payable in that context, subject to compliance with those principles of equivalence and effectiveness (see, by analogy, judgment of 13 July 2006, Manfredi and Others, C‑295/04 to C‑298/04, EU:C:2006:461, paragraphs 92 and 98). |
55 |
As regards the principle of equivalence, in the present proceedings, the Court has nothing before it that is capable of raising doubts as to whether national legislation applicable to the dispute in the main proceedings complies with that principle and, therefore, of showing that that principle may have a specific effect in the context of that dispute. |
56 |
As regards the principle of effectiveness, it is for the referring court to determine whether the detailed rules laid down in Austrian law for the determination, by the courts, of damages due under the right to compensation enshrined in Article 82 of the GDPR, make it impossible in practice or excessively difficult to exercise the rights conferred by EU law, and more specifically by that regulation. |
57 |
In that context, it should be noted that the sixth sentence of recital 146 of the GDPR states that that instrument is intended to ensure ‘full and effective compensation for the damage they have suffered’. |
58 |
In that regard, in view of the compensatory function of the right to compensation under Article 82 of the GDPR, as the Advocate General pointed out, in essence, in points 39, 49 and 52 of his Opinion, financial compensation based on that provision must be regarded as ‘full and effective’ if it allows the damage actually suffered as a result of the infringement of that regulation to be compensated in its entirety, without there being any need, for the purposes of such compensation for the damage in its entirety, to require the payment of punitive damages. |
59 |
In the light of all of the foregoing considerations, the answer to Question 2 is that Article 82 of the GDPR must be interpreted as meaning that, for the purposes of determining the amount of damages payable under the right to compensation enshrined in that article, national courts must apply the domestic rules of each Member State relating to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are complied with. |
Costs
60 |
Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable. |
On those grounds, the Court (Third Chamber) hereby rules: |
|
|
|
[Signatures] |
( *1 ) Language of the case: German.
( i ) The wording of the header of this document has been amended since it was first put online.