One, Two, Three… Fault? CJEU Rules on Civil Liability Requirements under the GDPR
Marco Buzzoni, Doctoral Researcher at the Luxembourg Centre for European Law (LCEL) and PhD candidate at the Sorbonne Law School, offers a critical analysis of some recent rulings by the Court of Justice of the European Union in matters of data protection.
In a series of three preliminary rulings issued on 14th December and 21st December 2023, the Court of Justice of the European Union (‘CJEU’) was called upon again to rule on the interpretation of Article 82 of the General Data Protection Regulation (‘GDPR’). While these rulings provide some welcome clarifications regarding the civil liability of data controllers, their slightly inconsistent reasoning will most likely raise difficulties in future cases, especially those involving cross-border processing of personal data.
On the one hand, the judgments handed down in Cases C-456/22, Gemeinde Ummendorf, and C-340/21, Natsionalna agentsia za prihodite, explicitly held that three elements are sufficient to establish liability under Article 82 GDPR. In so doing, the Court built upon its previous case law by confirming that the right to compensation only requires proof of an infringement of the Regulation, some material or non-material damage, and a causal link between the two. On the other hand, however, the Court seemingly swayed away from this analysis in Case C-667/21, Krankenversicherung Nordrhein, by holding that a data controller can avoid liability if they prove that the damage occurred through no fault of their own.
In reaching this conclusion, the Court reasoned that imposing a strict liability regime upon data controllers would be incompatible with the goal of fostering legal certainty laid out in Recital 7 GDPR. By introducing a subjective element that finds no mention in the Regulation, the Court’s latest decision is nonetheless likely to raise difficulties in cross-border cases by introducing some degree of unpredictability with respect to the law applicable to data controllers’ duty of care. In time, this approach might lead to a departure from the autonomous and uniform reading of Article 82 that seemed to have prevailed in earlier cases.
The Court’s Rejection of Strict Liability for Data Controllers
According to the conceptual framework laid out by the CJEU in its own case law, compensation under Article 82 GDPR is subject to three cumulative conditions. These include an infringement of the Regulation, the presence of some material or non-material damage, and a causal link between the two (see Case C-300/21, UI v Österreichische Post AG, para 32). In the cases decided in December 2023, the Court was asked to delve deeper into each of these elements and offer some additional guidance on how data protection litigation should play out before national courts.
In case C-456/22, the CJEU was presented with a claim for compensation for non-material damage filed by an individual against a local government body. The plaintiff alleged that their data protection rights had been breached when the defendant intentionally published documents on the internet that displayed their unredacted full name and address without their consent. Noting that this information was only accessible on the local government’s website for a short time, the referring court asked the CJEU to clarify whether, in addition to the data subject’s mere short-term loss of control over their personal data, the concept of ‘non-material damage’ referred to in Article 82(1) of the GDPR required a significant disadvantage and an objectively comprehensible impairment of personal interests in order to qualify for compensation. Rather unsurprisingly, the Court (proceeding to judgment without an Opinion) answered this question in the negative and held that, while Article 82(1) GDPR requires proof of actual damage, it also precludes any national legislation or practice that would subject it to a “de minimis threshold” for compensation purposes.
In doing so, the Court followed the road map outlined in UI v Österreichische Post AG, which had already held that the concept of damage should receive an autonomous and uniform definition under the GDPR (Case C-456/22, para 15, quoting Case C-300/21, paras 30 and 44) and should not be limited to harm reaching a certain degree of seriousness. Arguably, however, the Court also went beyond its previous decision by stating that the presence of an infringement, material or non-material damage, and a link between the two were not only “cumulative” or “necessary” but also “sufficient” conditions for the application of Article 82(1) (Case C-456/22, para 14). Remarkably, the Court did not mention any other condition that could have excluded or limited the data subject’s right to compensation. Taken literally, this decision could thus have been understood as an implicit endorsement of a strict liability regime under the GDPR.
This impression was further strengthened by the judgment handed down in Case C-340/21, where the Court was asked to weigh in on the extent of a data controller’s liability in case of unauthorised access to and disclosure of personal data due to a “hacking attack”. In particular, one of the questions referred to the CJEU touched upon whether the data controller could be exempted from civil liability in the event of a personal data breach by a third party. Contrary to the Opinion delivered by AG Pitruzzella, who argued that the data controller might be exonerated by providing evidence that the damage occurred without negligence on their part (see Opinion, paras 62-66), the CJEU ignored once more the question of the data controller’s fault and rather ruled that the latter should establish “that there [was] no causal link between its possible breach of the data protection obligation and the damage suffered by the natural person” (Case C-340/21, para 72).
A few days later, however, the CJEU explicitly endorsed AG Pitruzzella’s reading of Article 82 GDPR in Case C-667/21. In a subtle yet significant shift from its previous reasoning, the Court there held that the liability of the data controller is subject to the existence of fault on their part, which is presumed unless the data controller can prove that they are in no way responsible for the event that caused the damage (Case C-667/21, holding). To reach this conclusion, The Court relied on certain linguistic discrepancies in Article 82 of the GDPR and held, contrary to the Opinion by AG Campos Sánchez-Bordona, that a contextual and teleological interpretation of the Regulation supported a liability regime based on presumed fault rather than a strict liability rule (Case C-667/21, paras 95-100). Formulated in very general terms, the holding in Case C-667/21 thus suggests that a controller could be released from liability not only if they prove that their conduct played no part in the causal chain leading to the damage but also — alternatively — that the breach of the data subject’s rights did not result from an intentional or negligent act on their part.
Lingering Issues Surrounding the Right to Compensation in Cross-Border Settings
According to the CJEU, only a liability regime based on a rebuttable presumption of fault is capable of guaranteeing a sufficient degree of legal certainty and a proper balance between the parties’ interests. Ironically, however, the Court’s approach in Case C-340/21 raises some significant methodological and procedural questions which might lead to unpredictable results and end up upsetting the parties’ expectations about their respective rights and obligations, especially in cases involving cross-border processing of personal data.
From a methodological perspective, the CJEU’s latest ruling does not fit squarely within the uniform reading of the GDPR that the Court had previously adopted with respect to the interpretation of Article 82 GDPR. In the earlier cases, in fact, the CJEU had consistently held that the civil liability requirements laid out in the Regulation, such as the notion of damage or the presence of an actual infringement of data protection laws, should be appreciated autonomously and without any reference to national law (on the latter, see in particular Case C-340/21, para 23). On the other hand, however, the Court has also made clear that if the GDPR remains silent on a specific issue, Member States should remain free to set their own rules, so long that they do not conflict with the principles of equivalence and effectiveness of EU law (on this point, see eg Case C-340/21, para 59).
Against this backdrop, the Court’s conclusion that the civil liability regime set up by the legislature implicitly includes the presence of some fault on the defendant’s part begs the question of whether this requirement should also receive a uniform interpretation throughout the European Union. In favour of this interpretation, one could argue that this condition should be subject to the same methodological approach applicable to the other substantive requirements laid out in Article 82 GDPR. Against this position, it could nonetheless be pointed out that in the absence of explicit indications in this Article, the defendant’s fault should be assessed by reference to national law unless another specific provision of the Regulation (such as Articles 24 or 32 of the GDPR) specifies the degree of care required of the data controller or processor. In the context of cross-border cases, the latter interpretation would thus allow each Member State to determine, based on their own conflict-of-laws rules, the law applicable to the defendant’s duty of care in cases of violations of data protection laws. If generalised, this approach might in time lead to considerable fragmentation across the Member States.
In addition to these methodological difficulties, the Court’s decision in Case C-340/21 also raises some doubts from a procedural point of view. In holding that the data controllers’ liability is subject to the existence of fault on their part, the CJEU calls into question the possible interaction between national court proceedings aimed at establishing civil liability under Article 82 GDPR and administrative decisions adopted by data protection authorities. With respect to the latter, the CJEU had in fact ruled in Case C-683/21, Nacionalinis visuomenés sveikatos centras, that Article 83 GDPR must be interpreted so that an administrative fine may be imposed pursuant to that provision “only where it is established that the controller has intentionally or negligently committed an infringement referred to in paragraphs 4 to 6 of that article” (Case C-683/21, holding). In other words, national supervisory authorities are also called upon to assess the existence of fault on the part of the data controller or processor before issuing fines for the violation of data protection laws.
At first glance, the CJEU’s decision in Case C-340/21 fosters some convergence between the private and public remedies set out in the GDPR. In reality, however, this interpretation might potentially create more hurdles than it solves. Indeed, future litigants will likely wonder what deference, if any, should be given to a supervisory authority’s determinations under Article 83 GDPR within the context of parallel court proceedings unfolding under Article 82. In a similar context, the Court has already held that the administrative remedies provided for in Article 77(1) and Article 78(1) GDPR may be exercised independently and concurrently with the right to an effective judicial remedy enshrined in Article 79 GDPR, provided that national procedural rules are able to ensure the effective, consistent and homogeneous application of the rights guaranteed by the Regulation (see Case C-132/21, Nemzeti Adatvédelmi és Információszabadság Hatóság v BE). Should the same principles apply to actions brought under Article 82 GDPR? If so, should the same rule also extend to conflicts between national court proceedings and decisions issued by foreign supervisory authorities (and vice-versa), even though each of them might have a different understanding of the degree of protection afforded by the Regulation?
Despite the CJEU’s laudable attempt to strike a balance between the interests of personal data controllers and those of the individuals whose data is processed, it is not certain that the Court has fully assessed all the consequences of its decision. Ultimately, in fact, the choice to reject a strict liability rule could lead not only to unequal protection of individual rights within the EU but also to major uncertainties for economic operators regarding the extent of their own liability under the GDPR.