Over the past few years, there have frequently been stories in various media about cease-and-desist orders as well as huge fines imposed by the Data Protection Authority on organisations having failed to meet GDPR requirements in their practices of processing personal data. Far less publicity tends to be given to cases where private citizens have chosen, on their own initiative, to go to court and claim compensation for alleged damages. The right to such compensation is laid down in Article 82 of the GDPR, which states that any person who has suffered material or non-material damage as the result of a processing of personal data infringing on the GDPR, has the right to receive compensation from the controller or processor.
In this blog, we will discuss a recent ruling by the court of the city of Rotterdam in which the claimant was awarded the amount of 2500 Euros in compensation for immaterial damage. Taking a look at the details of this verdict will allow us to trace the outlines of the relevant legal framework and explore the logic used by courts of law when determining the extent of immaterial damage in order to rule on the amount of financial compensation.
Erasure of special categories of personal data
On two occasions, in 2014 and in 2017, a female citizen of Rotterdam asked the city to remove medical data – which fall under the heading of special categories of personal data – from her file. Initially, the city turned down both requests, only to reconsider these decisions at a later point in time when, in 2018, it revoked its ruling from the year before and notified the applicant that all medical data would be erased from the file in question.
With this information in hand, the applicant decides to go to court, claiming illegal retention of special categories of – her – personal data on the part of the city and immaterial damage suffered on her part as a result. She is asking for compensation in the amount of 25,000 euros.
What is important to note, is that in this case there are only two questions in contention. Whether or not the claimant can be said to have suffered immaterial damage and if so, what amount of money should be paid in compensation. The illegitimacy of the processing itself is undisputed, if only because the city admitted to it by implication when, in 2018, revoking its earlier decision and agreeing to the request for erasure after all.
Legal framework – the definition of damage
In order to answer the question whether or not compensation for immaterial damage in the sense of Article 82 of the GDPR is to be awarded, the court must take into account what is argued in Consideration 146 to the GDPR, which is that the processor or controller shall compensate all damage a person may potentially suffer as the result of a processing infringing on the GDPR. For an appeal to be successful, in other words, it must be made reasonably acceptable that a person ‘may have suffered damage’, as opposed to proving ‘damage having been actually suffered’. This is because the concept of damage requires a broad interpretation for it to be in line with CJEU (Court of Justice of the European Union) case law and with the intentions of the GDPR.
There is no such thing as a European-wide agreed-upon legally specified understanding of the term damage as used in Article 82 of the GDPR. There are no CJEU records defining it. Nor has the CJEU ever ruled on what exactly constitutes compensable damage in case of illegal processing of personal data. At best, there is some European jurisprudence to suggest that damage for which compensation is due, has to be realistic and plausible.
So, in the absence of a common European, legally adequate definition of the damage concept as used in Article 82 of the GDPR, we have to turn to national legislation in trying to answer the question whether the damage suffered in any particular case is eligible for compensation. Specifically, we have to look for answers in national civil compensation law.
Ruling of the Rotterdam court
In assessing the claimant’s right to compensation, the Rotterdam court examined the applicable provisions in the Dutch Civil Code of Law where, in this case, Article 6:106, 1, b offers guidance, stating that the aggrieved party – claimant – is entitled to compensation, to be determined in fairness, if having suffered physical injury, having been damaged in his or her honour or good name or having otherwise been affected in his or her person.
In the case at hand, the court ruled that claimant had indeed suffered immaterial damage and was, as such, entitled to compensation. By retaining claimant’s medical data and processing them in her file, the city had acted in violation of the GDPR, affecting, as the court qualified the infringement, the claimant in her person in the sense of Article 6:106, 1, b of the Civil Code. Thus, claimant is entitled to compensation for the immaterial damage suffered.
Amount of the compensation
Having established that the claimant indeed has the right to be compensated for immaterial damage, the court must now rule on the amount of compensation to be paid, in which deliberation a number of facts and circumstances are taken into consideration.
First of all, there is the fact that, for a period of approximately ten years, the city retained special categories of personal data related to one of its citizens, in spite of repeated requests for erasure. Next, in the court’s opinion, it is reasonable to assume that, during this period, there was active processing of the data in question and that multiple organisations or persons had or may have had access to these data without proper authorisation. Thus, the claim of immaterial damage having been suffered is found to be justified.
In the end, the amount of compensation awarded to the claimant was ‘only’ 2500 euros, which is significantly less than the 25,000 claimant was asking for. In assessing the extent of damage, the court referred to a similar case in which an amount of 500 euros was awarded as compensation for short-term illegal processing of medical data. In summary, this previous case centred on an isolated incident, where the director of the Pieter Baan Centrum, a prominent Dutch clinic for psychiatric observation, had given an external healthcare organisation one-time access to medical documents.
All in all, I think the Rotterdam court acted, if anything, pretty generously when it ruled on the actual amount of compensation as it did, seeing as how the assessment of the extent of damage was based on an assumption, not on a demonstration of fact. It was never shown that claimant’s medical data were ever actually shared with other, unauthorised parties. It was simply considered safe to assume that such sharing of information did take place during the ten-year period of data retention. I can’t help but wonder at the fact that prevailing doctrine seems to dictate determination of the amount of compensation based on the assumption of damage being likely to have potentially occurred. As long as there is no established European jurisprudence on the legal definition of the damage concept and no consensus on how to assess the extent of actual damage suffered, this will remain a domain of random decisions where individual judges can stake their personal claims as to the ‘fair determination’ of compensation amounts.