GDPR: big change for small claims

5th May 2023

When I tell people at cocktail parties that I’m a Technology and Data Protection lawyer they often take a small step backwards, no doubt a little intimidated and awed.

They are, I’m quite sure, immediately imagining that I live a swashbuckling life of derring-do and fascinating intellectual enquiry. A sort of mashup of Suits, The Social Network and Pirates of the Caribbean. It’s hard for them to know what to do in a social situation with someone like that. So they awkwardly excuse themselves and go talk to someone who works in something more mundane like graphic design or professional motorbike racing.

But, to be honest with you, some of the time my work isn’t actually that glamorous.

One of the least glamorous parts is helping big clients to deal with small claims. Specifically, claims about minor breaches of the GDPR and/or PECR that have something to do with a cookie being unlawfully deployed on the claimant’s computer by accident, or them receiving a marketing email that they had not subscribed to.

If you work in any kind of customer-facing or in-house legal role at any reasonably large firm in the UK or EU then you will know exactly the kind of claim that I mean.

For those who don’t, it might be interesting to learn that the GDPR created a thriving industry of vexatious litigants. GDPR breaches are the new ‘slip and trip’ cases, served by a wide range of (you might think seedy) firms that specialise in sending out high volumes of low value data protection claims. Worse still, it spawned a new breed of litigant in person, the kind of person who spends their weekend crawling the web on the hunt for improperly configured cookie consent platforms so that they can send out claims seeking £750 (it’s always £750) for the great distress they suffered as a result of downloading a cookie without first clicking ‘I consent’.

They did that because both the UK and EU GDPR say that anyone who has “suffered material or non-material damage as a result of an infringement of [the GDPR] shall have the right to receive compensation from the controller or processor for the damage suffered”. A woefully unclear bit of text that introduced the vague and unhelpful concept of ‘non-material’ damage and which was widely interpreted as meaning that anyone who was on the wrong end of even the slightest breach of GDPR had a right to be paid compensation.

But, happily, their days may be numbered.

We have, at long last, a judgement from the CJEU (Europe’s supreme court) in the Österreichische Post AG case. Which, all joking aside, data protection lawyers were eagerly awaiting.

There are four things that are of real interest in there:

  1. The Court is clear: not every breach of GDPR automatically triggers a right to compensation.
  2. To be eligible for compensation, there has to have been some ‘damage’ to the Claimant. Which is for the Claimant to prove.
  3. The Court is not willing to set any kind of ‘low bar’ that puts a minimum amount of damage in place that needs to be present in order to trigger compensation. So while a Claimant has to show some damage there isn’t a minimum amount that you need in order to qualify. Any will do.
  4. The concept of ‘non-material’ damage remains relevant, but the Court hasn’t given any real clarity about what it is or how the phrase should be interpreted. Which is a bit of a stinker in an otherwise coherent and helpful judgement.

That’s mostly great news for Data Controllers / Defendants. It puts the EU in a very similar position to the UK (whose Supreme Court has already dealt with a similar set of points in Lloyd v Google) and gives Data Controllers two things to be happy about.

First, this is another blow to “class actions” (i.e. group litigation in which lots of data subjects bring a single claim in relation to a large number of similar minor breaches). They are much harder to get off the ground in a world in which you have to prove ‘damage’ to data subjects rather than just a breach. They have always been a worry for large organisations in the UK and EU because, if ever allowed to run rampant, they would have created an environment in which Data Controllers could expect both high fines from regulators for GDPR breaches, and then a high-value class action claim from affected data subjects as an immediate follow-up. The costs of which would have been hard to bear.

Second, it’s another nail in the coffin for annoying low-value, low-merit data protection claims. In both the UK and EU now, if your claimant hasn’t suffered any tangible economic loss and is just hand-waving about how upset receiving an email/cookie made them feel, then their claim is probably dead in the water. Because in order to receive compensation, they first need to be able to prove loss.

Put another way, the next time you receive one of those data-ambulance-chasing claims in which a claimant has seen fit to threaten litigation over a trivial breach of the GDPR, a combination of Lloyd v Google and Österreichische Post is likely enough to kill it stone dead without you even needing to argue with them about the merits. Which has to be a good thing.

The only bad news is that we still have the ghost of ‘non-material’ loss wafting around, and the CJEU has declined to help us understand what the boundaries of that phrase are by putting a low bar on it. That does leave the door slightly ajar to claimants hamming up minor inconvenience as non-material harm, and I suspect that we’ll all be back in Brussels for another trial when a suitable test case is found.

But, if you’re a data protection lawyer (or any kind of data controller), today is a pretty great day. This is a judgement that should let you spend a lot less time on mundane claims, and much more time doing the exciting swashbuckling stuff that everyone is so sure we spend our lives on.