OGH - 6Ob35/21x (request for preliminary ruling under Article 267 TFEU)

From GDPRhub
OGH - 6Ob35/21x (request for preliminary ruling under Article 267 TFEU)
Courts logo1.png
Court: OGH (Austria)
Jurisdiction: Austria
Relevant Law: Article 82 GDPR
Decided: 15.04.2021
Published: 14.05.2021
Parties: unknown (claimant)
Österreichische Post AG (defendant)
National Case Number/Name: 6Ob35/21x (request for preliminary ruling under Article 267 TFEU)
European Case Law Identifier: ECLI:AT:OGH0002:2021:0060OB00035.21X.0415.001
Appeal from: OLG Wien (Austria)
14 R 143/20g
Appeal to:
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: n/a

The Austrian Supreme Court requested the CJEU's preliminary ruling under Article 267 TFEU on the requirements of awarding damages for GDPR violations and the assessment of such damage under Article 82 GDPR.

English Summary[edit | edit source]

Facts and underlying disputes[edit | edit source]

For the facts pertaining to the case and the underlying legal disputes see the partial judgement by the Austrian Supreme Court (Oberster Gerichtshof - OGH) here.

Preliminary questions referred to the CJEU[edit | edit source]

The question of the claimant's entitlement to damages under Article 82 GDPR depended on the interpretation of Article 82 GDPR. The claimant had argued that he was entitled to immaterial damage of € 1,000 due to "great inner turmoil" caused by the defendant unlawfully processing data on his "affinity for political parties" and wrongfully assigning the claimant a high likeliness to be interested in the far-right Austrian Freedom Party (FPÖ).

As the GDPR does not contain any provisions on a threshold that must be exceeded in order to entitle a data subject to receive compensation under Article 82 GDPR, the OGH referred the following questions to the CJEU:

  1. Does the award of damages pursuant to Article 82 GDPR, in addition to a breach of provisions of the GDPR, also require that the claimant has suffered a damage or is the breach of provisions of the GDPR as such already sufficient for the award of damages?
  2. Are there other requirements under EU law for the assessment of damages in addition to the principles of effectiveness and equivalence?
  3. Is it in line with EU law that a precondition for the award of non-material damages is that the legal infringement causes a consequence of an extent, which goes beyond the annoyance caused by the infringement?

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Court
OGH
Decision date
15.04.2021
Business number
6Ob35/21x
Head
The Supreme Court, as a court of appeal, by the President of the Senate , Hon.  Prof. Dr. Gitschthaler, as Chairman, the Hofrat Univ.  Prof. Dr. Kodek, the Hofrätin Dr. Faber and the Hofräte Mag. Pertmayr and MMag. Sloboda as further judges in the legal case of the plaintiff Dr. O*****, lawyer, *****, against the defendant Ö***** Aktiengesellschaft, *****, represented by Wolf Theiss Rechtsanwälte GmbH & Co KG in Vienna, on the grounds of EUR 1.000 sA, in the proceedings on the appeal of the plaintiff against the judgment of the Vienna Higher Regional Court as the court of appeal of 9 December 2020, GZ 14 R 143/20g24,  whereby the judgment of the Vienna Regional Court for Civil Matters of 14 July 2020, GZ 8 Cg 34/20h14, was  upheld, in closed session, the following decision
Resolution
captured: 
Saying
I. The following questions are referred to the Court of Justice of the European Union for a preliminary ruling pursuant to Article 267 TFEU:
(1) Does the award of damages under Article 82 of the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC [the General Data Protection Regulation]) require, in addition to a breach of provisions of the GDPR, that the claimant has suffered damage, or is the breach of provisions of the GDPR per se sufficient for the award of damages?
2) Are there other requirements under Union law for the assessment of damages in addition to the principles of effectiveness and equivalence?
3) Is the view compatible with European Union law that a precondition for the award of non-material damage is that there is a consequence or consequence of the infringement of at least some weight which goes beyond the annoyance caused by the infringement?
II. the proceedings before the Supreme Court are suspended until the preliminary ruling of the Court of Justice of the European Union has been received in accordance with section 90a(1) GOG.
Text
Justification:
 [1] 		I. Facts
 [2] 		The defendant holds a business licence as an address publisher and was active as an address trader for ten years with the aim of enabling its advertising customers to send targeted advertising. In this context, it collected information on the party affinities of the entire Austrian population since 2017. For this purpose, opinion research institutes conducted anonymous surveys in which specific questions were asked about interest in election advertising. The results were combined by the defendant with statistics from election results in order to ultimately define "target group addresses" according to socio-demographic characteristics with the help of an algorithm, to which mostly more than a hundred persons were attributed. The individual persons were assigned to one or more marketing groups and classifications depending on their place of residence, age, gender, etc. The defendant also bought statistics from the election results. For this purpose, the defendant also purchased address data from other address dealers or from customer and prospect files of companies. This data was sold to various organisations.
 [3] 		Regarding the plaintiff, the following data were processed by the defendant, but not disclosed to third parties:

Field name	generates	Data set
...	...	...
Possible target group for election advertising ÖVP	statistically extrapolated	very low
Possible target group for Neos election advertising	statistically extrapolated	very low
Possible target group for election advertising Greens	statistically extrapolated	low
Possible target group for FPÖ election advertising	statistically extrapolated	high
…	…	…

 [4] 		The plaintiff, who had not given consent to the data processing, was angered by the storage of his party affinity data. In addition, the plaintiff was angered and offended by the "high affinity" to the FPÖ attributed to him by the defendant. The defendant's actions concerned him again during the preparation of the proceedings. Other, not merely temporary emotional impairments could not be ascertained.
 [5] 		II. submissions of the parties
 [6] 		The plaintiff seeks - as far as still relevant at this stage of the proceedings - the award of damages in the amount of EUR 	1,000. Sympathising with right-wing parties was far from his mind, which is why the party affinity attributed to him was an insult and shameful as well as highly damaging to his credit. The defendant's behaviour had caused him great annoyance and a loss of confidence, but also a feeling of exposure. Due to the great inner unhappiness, he was entitled to compensation of EUR 1,000 for the non-material damage.
 [7] 		C. Procedure to date
 [8] 		The court of first instance granted the request for an injunction and dismissed the request for payment.
 [9] 		The Court of Appeal upheld the first judgment, stating that recital 146 to the GDPR states that the concept of damage should be interpreted broadly in the light of the case-law of the Court of Justice in a way that is fully consistent with the objectives of that Regulation. Recital 85 gives examples of non-material damage resulting from a personal data breach, such as loss of control of personal data or limitation of their rights, discrimination, identity theft or  fraud, financial loss, unauthorised removal of pseudo-anonymisation, damage to reputation, loss of confidentiality of data subject to professional secrecy or other significant economic or social harm. However, the list obviously referred to published data; the plaintiff's data had not been passed on or published. Nor could the plaintiff gain anything from recital 75, according to which the processing of personal data "may" present risks to the rights and freedoms of natural persons which could lead to non-material damage. It had to be assumed that the national rules on damages supplemented the liability laid down in the GDPR, so that the general conditions for claims were decisive, unless the GDPR contained special rules; even under the GDPR, only non-material damage that had actually occurred was compensable. Although every data protection infringement at least briefly evokes negative thoughts in the person concerned, non-material damage is not automatically associated with every infringement. Only a consequence of damage that went beyond the annoyance or emotional damage caused by the infringement was compensable. This was not the case with the personality impairment suffered by the plaintiff. Irrespective of the reservations expressed in isolated cases, the principle underlying Austrian tort law was to be upheld, namely that mere discomfort and mere feelings of unpleasantness must be borne by everyone without any consequence in terms of damages and that there must therefore be a certain "materiality" of the damage.
 [10] 		The Supreme Court ruled on the defendant's appeal against the injunction in a partial judgment of 15 April 2021 and did not uphold it. The subject of the appeal proceedings is therefore only the plaintiff's claim for damages. 
Legal assessment
 [11] 		D. Applicable Union law
Art 82 GDPR:
1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall be entitled to compensation from the controller or the processor.
2. Any controller involved in a processing operation shall be liable for the damage caused by a processing operation which does not comply with this Regulation. A processor shall be liable for the damage caused by a processing operation only if it has failed to comply with its obligations under this Regulation specifically imposed on processors or has acted in disregard of or contrary to lawfully given instructions by the controller.

 [12] 		E. Justification of the questions referred
 [13] 		Pursuant to Art 82 (1) GDPR, any person who has suffered material or non-material damage as a result of a breach of this Regulation is entitled to compensation from the controller or the processor. This establishes an independent liability standard under data protection law, i.e. in addition to the national damages regime. Consequently, not only the term "non-material damage" in Art 2 (1) GDPR is to be determined autonomously by the Union. Rather, the formulation of the other conditions for liability pursuant to Art 2 leg cit, as well as questions of the assessment of the claim for compensation, must primarily be governed by Union law; the liability regime of the Member States is superimposed in this respect (see recital 146 pp. 4 and 5 of the GDPR; cf. further Frenzel in Paal/Pauly, DSGVOBDSG3 Art 82 DSGVO Rz 1; Wybitul/Haß/Albrecht, Abwehr von Schadensersatzansprüchen nach der Datenschutz-Grundverordnung, NJW 2018, 113; Paal, Schadensersatzansprüche bei Datenschutzverstößen - Voraussetzungen und Probleme des Art 82 DSGVO,  MMR 2020, 14). For this reason alone, the principles of case law developed for the compensation of immaterial damages in the national damages regime cannot be relied upon without further ado (aA Schweiger in Knyrim, DatKomm Art 82 DSGVO Rz 2).
 [14] 		According to Recital 146 S 3 to the GDPR, the concept of damage should be interpreted "broadly and in a manner consistent with the objectives of this Regulation" in light of the case law of the ECJ. Data subjects should receive full and effective compensation for the harm suffered (recital 146 S 6 to the GDPR). With regard to the case law of the ECJ on compensation payments for breaches of Union law, it is primarily derived from this that the obligation to pay compensation must be assessed in such a way that it is proportionate, effective and dissuasive, taking into account the principle of effectiveness under Union law (cf. Schweiger in Knyrim, DatKomm Art 82 DSGVO Rz 13 mwN; in detail Wybitul/Haß/Albrecht, NJW 2018, 115).
 [15] 		The amount awarded must go beyond purely symbolic compensation (cf. Frenzel in Paal/Pauly, DSGVOBDSG3 Art 82 DSGVO Rz 12a, who, however, at the same time emphasises the necessary restraint in quantifying immaterial damages). With regard to the compensatory function of liability addressed in this way, it is sometimes emphasised that, with regard to the non-material disadvantages suffered, compensation is intended as satisfaction for alleviation, which is of equal importance to compensation for material losses (cf. Dickmann, Nach dem Datenabfluss: Schadenersatz nach Art 82 der Datenschutz-Grundverordnung und die Rechte des Betroffenen an seinen personenbezogenen Daten, r+s 2018, 345 [352 f] mwN).
 [16] 		There is agreement that, notwithstanding the principle of effectiveness under EU law, compensation under Art 82 GDPR is only due if (non-material) damage has actually occurred (cf. recital 146 p 6: "for the damage suffered") 	due to the central idea of compensation behind liability just mentioned.
 [17] 		In connection with the question of a claim for damages in the case of incomplete information, the Supreme Court held that non-material damage can only be assumed if the person concerned has suffered a disadvantage (6 Ob 9/88). The fact that the person obliged to provide information does not fulfil his legal obligation to disclose the origin of data does not in itself constitute non-material damage to the person concerned (6 Ob 9/88; 1 Ob 318/01y). The infringement per se therefore does not constitute non-material damage, but there must be a consequence or consequence of the infringement which can be qualified as non-material damage and which goes beyond the annoyance or emotional damage caused by the infringement per se (Schweiger in Knyrim, DatKomm Art 82 DSGVO Rz 26; G. Kodek, Schadenersatz- und Bereicherungsansprüche bei Datenschutzverletzungen, in Leupold, Forum Verbraucherrecht 2019, 97).
 [18] 		The effectiveness criterion is only of limited significance in the present context because the GDPR provides for high penalties anyway. It is precisely these high penalties that have shaped the discussion and at least the public perception of the GDPR. Therefore, it cannot be argued without further ado that the effectiveness of the GDPR also requires high compensation for non-material damage (G. Kodek loc. cit.). In this case, there would be a danger of an "effectiveness spiral" (Spitzer, Schadenersatz für Datenschutzverletzungen, ÖJZ 2019/76, 629 [635 f] mwN).
 [19] 		There is also no liability for hypothetical, undefined or imperceptible disadvantages caused by the interference with the right to informational self-determination in the sense of "punitive damages" (see in 	detail Spitzer, ÖJZ 2019/76, 629 [635 f]; also Frenzel in Paal/Pauly, DSGVOBDSG3 Art 82 DSGVO Rz 10; see also OLG Innsbruck MR 2020, 81 [cf. Fritz/Hofer]).
 [20] 		For this reason alone, the plaintiff's argument that he is already entitled to damages because of the "loss of control over personal data" or because of the "processing of political opinions" as such does not hold water. Nothing to the contrary is apparent from recitals 85 and 75 of the GDPR. As the Court of Appeal correctly pointed out, Recital 85 clearly refers to concrete consequences of damage due to an outflow of data; in the given context - in which there was no transfer of data - the non-material damage alleged by the plaintiff, even in the appeal proceedings, with reference to a "loss of control", remains completely undefined. At the same time, Recital 75 makes it clear that the risks inevitably arising from certain data protection violations, listed by way of example, are not to be equated with the non-material damage as such to be compensated under Article 82(1) of the GDPR; they can only "lead to [...] non-material damage".
 [21] 		(7) Compensation for non-material damage under Art 82(1) GDPR therefore requires a concretely demonstrable non-material disadvantage caused by the data protection breach: this may be that the data subject has to spend time and effort to put an end to the infringement or to protect himself against the threatened misuse of his data or consequential damage. Likewise, emotional impairments resulting from the infringement, such as fears, stress or states of suffering due to an exposure, discrimination or similar that has occurred or is only threatened, will lead to an obligation to pay compensation (for more details, see Dickmann, r+s 2018, 353; on the question of whether this should be based on a "person with an average level of awareness of data protection", see Fritz/Hofer, MR 2020, 84; Wirthensohn, Kein immaterieller Schadenersatz für die rechtswidrige Verarbeitung besonderer Kategorien von Daten gemäß Art 9 DSGVO, wenn keine [erhebliche] Gefühlsbeeinträchtigung vorliegt? Critique of OLG Innsbruck 13. 2. 2020, 1 R 182/19b, jusIT 2020/56).
 [22] 		8. It is rightly emphasised in this context that a particularly serious impairment of feelings will not be required (Paal, MMR 2020, 16), if only because Recital 146 S 3 to the GDPR calls for a broad interpretation of the term "the damage", without differentiating between material and immaterial disadvantages (concisely Frenzel in Paal/Pauly, DSGVOBDSG3 Art 82 DSGVO Rz 10, according to which the term "damage, which is already broad under Art 82 (1) DSGVO, is interpreted broadly in case of doubt").
 [23] 		If, on the other hand, a "materiality threshold" for compensation for non-material damage is assumed in 	part - as in the result also by the Court of Appeal - which results from recourse to the Package Travel Directive, which is comparable in content,  and the case law on compensation for "lost holiday enjoyment", according to which feelings of displeasure suffered are only compensable if the impairment of interests is significant (idS Schweiger in Knyrim, DatKomm Art 82 DSGVO Rz 2; following this, OLG Innsbruck MR 2020, 81 [Fritz/Hofer]), this is already not convincing because in the (new) Package Travel Directive  (2015/2302/EU) compensation is explicitly limited to "significant effects" of the lack of conformity or "lost holiday enjoyment as a result of significant problems" (cf. Art 13(6) and Recital 34 leg cit; thus already correctly Fritz/Hofer, MR 2020, 83 f; critically also Wirthensohn, jusIT 2020/56). However, there is no such restriction in the area of the GDPR. The aforementioned circumstance that the EU legislator deliberately insisted on a broad interpretation of the (already broadly defined) concept of damage under Art 82 (1) GDPR rather suggests that, in principle, also non-material disadvantages of rather lesser weight should be taken into account. Recourse to the Package Travel Directive to  fill out the concept of non-material damage is therefore out of the question.
 [24] 		9. Even if, in the area of liability under Article 82(1) of the GDPR, one were to regard minor non-material disadvantages - such as merely temporary states of suffering and feelings of discontent - as in principle compensable, one cannot avoid the point of view of the "perceptibility" of the impairment described above, This must be distinguished from completely unremarkable inconveniences, which are typically associated with the infringement of rights and which, in view of the compensatory function of liability, do not require compensation to alleviate the inconvenience suffered, so that an obligation to pay compensation - even if only a small amount - would have an undesirable punitive effect.
 [25] 		10. In the decision of the Dresden Higher Regional Court 4 U 760/19 (ZUMRD  2020, 26), with reference to Becker (in Plath, DSGVO/BDSG3 [2018] Art 82 DSGVO Rz 4d) , the question  was left open as to whether damages could exceptionally be awarded in such cases for merely individually perceived inconvenience or in the case of petty infringements without serious damage to the self-image or reputation of a person, in which the breach of data protection law affects a large number of persons in the same way and is an expression of a deliberate, unlawful and large-scale commercialisation. Even in this assumed case constellation, however, nothing changes in the fact that there is nothing to compensate in the case of negligible effects of the infringement on the emotional world of the persons affected, so that the obligation to compensate would again amount to punitive damages.
 [26] 		11. The result of interpretation sought by the plaintiff, according to which even such negligible sentiments are to be sanctioned with an obligation to pay compensation, taking into account the principle of effectiveness (Art 4 (3) TEU), thus leads on the one hand - at least in effect - to "punitive damages", which are generally alien to Union law (see ECJ Cases C407/14 , Maria Auxiliadora Arjona Camacho v Securitas Seguridad España SA [ECLI:EU:C:2015:831]; also Case C99/15 , Liffers/Producciones Mandarina SL [ECLI:EU:C:2016:173] on the Enforcement Directive  [para. 17]); on the other hand, it is also clear  from recitals 85 and 75 to the GDPR  cited by the plaintiff himself that the Union legislature clearly did not have such minimal effects on the emotional world of the person concerned in mind when establishing liability for non-material damage.
 [27] 		In the meantime, however, the German Federal Constitutional Court, in its decision of 14 January 2021 (1 BvR 2853/19), has taken the view that it is incompatible with the right to the lawful judge if a court dismisses an action based on Art 82 GDPR for payment of damages for pain and suffering due to a one-off sending of an advertising email without consent due to the absence of significant damage, without having first obtained a decision of the ECJ on the interpretation of the concept of damage in Art 82(1) GDPR.
 [28] 		The Court does not share this view. Nevertheless, in the interest of a uniform application of Union law, it appears expedient to obtain a preliminary ruling from the ECJ.
 [29] 		F. The decision to stay the proceedings is based on § 90a (1) GOG.
European Case Law Identifier
ECLI:AT:OGH0002:2021:0060OB00035.21X.0415.001