Class wars: time to legislate for hurt feelings? (Damages for data breach - Austrian Post)

So what exactly is the difference between having your data rights infringed, and having them infringed in a way that damages you? And how can an individual really quantify (or even know) the damage caused by the breach of their data rights? The answers to these questions highlight the difficulties inherent in accessing the right to compensation under the GDPR.

Recent case law across the EU and the UK has demonstrated how difficult it is to bring data breach claims on a collective basis when, inevitably, each individual will have suffered damage in different ways and to different degrees.

In this article, we explore the EU data breach landscape and contrast it with the UK position. We also look to the future of data breach claims and consider whether the time has now come to establish a legislative compensatory framework. In other words, a set of tariffs that apply when breaches occur.

The Austrian Post decision

Österreichische Post AG (the Austrian postal service) collected data on the political affinities of the Austrian population using an algorithm and sold that data to various organisations to enable them to send targeted political advertising. An individual claimed that being targeted with the political advertising not only infringed his GDPR rights but also caused him distress (non-material damage) because the political affinity attributed to him (the far-right Freedom Party) was insulting and damaging to his reputation. The Austrian Supreme Court referred two key questions to the CJEU:

1. Is 'mere infringement' of the GDPR sufficient for compensation or must damage have been suffered?
2. Is it compatible with EU law for Member States to impose a requirement that non-material damage must go beyond 'mere upset', i.e. is there a threshold of seriousness'?

Prior to the CJEU's decision, the Advocate General had found that: 1) there must be more than mere infringement; and 2) damage must go beyond 'mere upset'. Breach of data protection legislation, he observed, inevitably causes a 'negative reaction' but this is not sufficient of itself for a compensation claim. The Advocate General also rejected the contention that infringement (or loss of control over data) automatically leads to an irrebuttable presumption of damage. While welcomed by many data controllers and defendants in current or future collective proceedings, this Opinion caused concern for many stakeholders. In particular, the introduction of a threshold level of seriousness in the concept of damage was viewed as creating uncertainty and impracticality.

The CJEU's decision is therefore welcome because it removes that potential element of uncertainty. While the CJEU agreed that infringement by itself does not found a right to compensation, it held there was no threshold of damage which must be passed before compensation can be awarded.

What damage must you prove in data breach claims?

The GDPR does not define the concept of 'damage'. While it expressly provides that compensation is available for material (e.g. financial) and non-material damage, there is no reference to any threshold of seriousness. The CJEU has now made it clear that to impose a threshold level of 'seriousness' could undermine the purpose of the GDPR. However, at the same time, it has confirmed that some damage must be proven.  In the Austrian Post case, it is not hard to envisage damage being caused to a particular individual - for example, an individual living in a shared house who espouses a political viewpoint at odds with the targeted political mailing sent to them but little to no damage being caused to an individual who lives alone and who receives a targeted political mailing which matches their viewpoint. In both cases the targeted mailing is enabled by the misuse of the individuals' personal data.

This means that while every individual whose data rights were infringed may have suffered the type of 'negative reaction' envisaged by the Attorney General, not all of them may actually have suffered damage. A key challenge in data breach cases is the fact that for individuals, it is often not financially viable to bring a claim. The real coercive (civil) power of the legislation is the threat of class action claims. The difficulty here is that, to bring a class action claim, there generally needs to be some homogeneity of damage.

Comparison with the UK

The leading case on data breach claims in England and Wales remains the Supreme Court decision in Lloyd v Google LLC² (for detailed analysis, see our article here). This established that damages are not available under the Data Protection Act 1998 (DPA) without proof of financial loss or distress (i.e. material or non-material damage). It also made it explicitly clear that damages are not available simply for 'loss of control' of data and that there is a 'threshold of seriousness'. However, in that case the Supreme Court restricted itself to consideration of the DPA (which has now been repealed), not the present UK GDPR regime. Some had speculated that linguistic differences between the DPA and the UK GDPR (which, in Recital 85 provides that non-material damage may arise where a person suffers a 'loss of control over their personal data') might indicate that a loss of control over personal data could be sufficient to found a claim under the UK GDPR.

However, this potential chink in the legislative armour was largely dismissed by the High Court in Stadler v Currys Group Ltd [2022] EWHC 160 (QB) . The court confirmed that the requirement for proof of material damage or distress 'appeared to apply equally' to equivalent claims under the UK GDPR and that a de minimis threshold needed to be passed before claims for distress could succeed³.

Where are we now?

Both the UK and the EU courts have interpreted the GDPR as requiring some proof of damage for damages to be awarded; mere infringement of data protection legislation is plainly not enough. However, there now appears to be divergence in the requirement for a threshold of seriousness of damage. The UK courts' approach appears to suggest that a de minimis principle exists, whereas the CJEU has indicated that it would be contrary to the purpose of the GDPR to impose a uniform threshold level of seriousness. English case law will clearly not be persuasive for other EU courts where the CJEU interpretation differs. While CJEU decisions are no longer binding in the UK, they can still be persuasive. It therefore remains to be seen whether or not the CJEU decision in the Austrian Post will influence the direction of travel for data breach claims in the UK. It is also important to bear in mind that as the GDPR does not govern the assessment of damages, variations in the level of compensation payable may continue to exist between member states leading to the potential for forum shopping (although the GDPR retains a baseline requirement that full and effective compensation is made for the damage suffered).

Bringing data breach claims in the UK

One of the challenges for claimants bringing data breach claims is the financial viability of the claim. Litigation in England is expensive and the low value of data protection damages may preclude all but the most financially secure (and motivated) claimants from litigating. There are two key options for bringing group or class/collective actions in England: Group Litigation Orders (GLOs) or Representative Actions (RAs). The difficulty with GLOs in the context of data breach claims is that they are an opt-in procedure, and the costs occasioned in class building, (which are irrecoverable⁴) can be significant. Representative Actions are available as an opt-out procedure, which makes them more feasible from an economic perspective. However, the claimant class in a RA needs to have 'the same interest in a claim'. Following the Supreme Court's decision in Llloyd v Google, the current position is that the nature of damages claims (which will generally require individualised assessment), may mean that an RA is not a 'suitable vehicle'. Alternatives under the existing English procedural mechanisms include seeking a declaration on liability under an RA, with individualised damages assessments following.

Where next for collective redress?

In England and Wales, the decision in Lloyd v Google has, arguably, meant that claimants are effectively left without recourse in relation to many significant breaches of data protection legislation. Without an effective, collective means of addressing the harm caused by breaches of data protection legislation, do the English courts risk losing their position as a pre-eminent centre for international dispute resolution – at least for this type of case?

Legislation is probably the answer in relation to providing a viable procedure for claimants and, potentially, a set of tariffs for compensation. The latter would be somewhat unusual but may be achievable given the success of schemes such as the EU flight delay and cancellation compensation scheme (EU261/UK261⁵), which stipulates a set of fixed tariffs for compensation for delay or cancellation, even though individuals affected by a delayed or cancelled flight may actually suffer in different ways. Some may suffer acute distress because they miss a wedding or other significant event whereas others may be more accepting and rather like the idea of an additional day's holiday due to the delay. But despite these actual variations, they all get paid the same amount (and the statutory compensation is without prejudice to a right to (and deductible from) a right to any further compensation). While the flight delay scheme compensates passengers for contractual (as opposed to statutory) claims, it is hard to see why this sort of approach would not also work in data breach cases. Indeed, one can see the potential (in the UK at least) for such a scheme to apply to both UK GDPR and data claims based on the tort of misuse of private information, given that the two wrongs or underlying behaviours are so closely related.

On the EU side, member states were required to have transposed the EU Collective Redress Directive into national law by the end of 2022. Although many member states have failed to meet this deadline they must, by June 2023, bring the new provisions into effect. Member states need to have in place at least one procedural method which provides consumers with access to collective redress, including for data breach claims. In many EU jurisdictions, implementation will require amending existing national legislation⁶. Given the recent increase in data breach litigation (and its potential expansion if the use of new technologies, including AI technology, triggers a new wave of regulatory investigations and follow-on civil claims), this may present an ideal opportunity for both UK and EU legislators to act. Clearly, some form of accessible compensation is required to ensure that consumers have access to justice and that compliance with existing legislation is policed effectively.

In the meantime, and based on current law, the defendant community appears well-placed to resist civil liability resulting from class actions filed in England & Wales.

¹ For simplicity we refer to both data breach and data privacy type claims as 'data breach' claims in this article, recognising that different terminology may be used in different countries.

² Lloyd v Google LLC [2021] UKSC 50

³ See Rolfe v Veale [2021] EWHC 2809 (QB)

⁴ See Weaver and others v British Airways plc [2021] EWHC 217 (QB).

⁵ European Regulation (EC) 261/2004 on denied boarding, cancellation and long delay, implemented post-Brexit by the Air Passenger Rights and Air Travel Organisers' Licensing (Amendment) (EU Exit) Regulations 2019

⁶ EU Directive on representative actions for the protection of the collective interests of consumers 2020/1828