Data Privacy Litigation in Germany – A Risk Here to Stay
Recent developments in the privacy landscape across Germany over the last few years have been marked by a considerable rise in private enforcement activities targeting several industries. Claims for immaterial damages or injunctions for alleged privacy violations are now commonplace and are keeping German courts as busy as ever. What is more, professional litigants are increasingly more active in encouraging data subjects to file lawsuits after data breaches or other supposed privacy infringements.
It is thus that businesses in virtually all sectors face a continuously high risk of being subjected to private enforcement actions in the field of data privacy in Germany.
Immaterial Damages for GDPR Violations
Claiming compensation of immaterial damages pursuant to Article 82(1) of the GDPR for privacy violations has become one of the most common private enforcement practices in Germany. Claims cover an increasingly broad variety of supposed violations and processing situations. For a long time, there had been many legal uncertainties surrounding the provision of Article 82 of the GDPR. While some of the more central questions involving immaterial damages have been resolved by the landmark decision of the Court of Justice of the European Union (CJEU) of 4 May 2023, some issues remain unresolved and await a preliminary ruling by the CJEU.
One aspect formerly the subject of heated debate was the question as to whether any kind of violation can lead to a claim for compensation of immaterial damages in principle or whether there is a “de minimis” threshold that excludes minor damages or “petty” violations of GDPR provisions that do not inflict any meaningful, perceptible damage on an affected data subject. Before the CJEU settled this question, German courts rendered numerous decisions (far more than a hundred published decisions so far) but were not able to paint a clear picture.
On 4 May 2023, the CJEU finally decided in case C-300/21:
In answering the first question, the CJEU puts an end with welcome clarity to an approach taken by a substantial number of German courts, including – most prominently – the German Federal Labour Court, which argued that any violation of the GDPR automatically leads to immaterial damages eligible for compensation under the GDPR.
The CJEU found instead, as did Advocate General (AG) Campos Sánchez-Bordona of the CJEU in October 2022, that the conditions for the right to compensation are that a data subject must have suffered (actual) damage as the result of an infringement of the GDPR. The Court held that these three conditions (ie, (i) damage suffered, (ii) infringement of the GDPR, and (iii) a causal link between the damage and the infringement) have to be met cumulatively. This may provide some relief for companies subjected to mass proceedings, since claimants cannot simply claim they have suffered damages by merely demonstrating a GDPR violation.
In answering the second question, however, the CJEU also put an end to the practice taken by a host of other local, regional, higher regional and labour courts which opposed a broad understanding of damages from the beginning by referring to a “de minimis” threshold. While the courts regularly argued that a merely “perceived impairment” cannot amount to any immaterial damages eligible for compensation under the GDPR, the CJEU pointed in a different direction. The court rejected the general exclusion of minor damages and ruled that the GDPR does not make any reference to such a de minimis threshold. Instead, the CJEU emphasised that the GDPR shall ensure a consistent and high level of protection of natural persons so that the notion of “damages” was to be interpreted in a way that “fully reflects the objectives” of the GDPR. Professional litigants may feel tempted to exploit this interpretation to claim large numbers of small claims (as have been awarded already, see below), which may eventually reach considerable sums and pose serious litigation risks to companies processing large volumes of data, in particular.
The third answer still leaves member state courts considerable leeway in calculating damage amounts. While clarifying that the awarding of punitive damages is not necessary to provide “full and effective” compensation as required by Recital 146 of the GDPR, the CJEU made further clarifications only in so far as it held that the data subject must be compensated for the damage it suffered “in its entirety”. Noting that the GDPR does not provide for any rules to assess damages under Article 82, the CJEU basically provided the “guardrails” of equivalence and effectiveness for the assessment but left it to the member states to define these rules.
However, the fact that the Court only held that punitive damages are not “necessary” to provide full and effective compensation does not entirely rule out that courts can nevertheless award punitive damages. Some German courts (as, for instance, the State Labour Court Baden-Württemberg; see below) still take the view that damages should be awarded in an amount capable of having a chilling effect on infringers and of serving a preventive function.
On 14 December 2023, the CJEU issued two landmark decisions on the requirements for the assertion of claims for compensation for non-material damage. In one judgment (C-340/21), the CJEU interprets Article 82, paragraph 1, GDPR so that the mere fact that a data subject fears that their personal data could be misused by third parties as a result of a breach of the GDPR can constitute a “non-material damage” within the meaning of this provision. According to the CJEU, a narrower interpretation would run counter to the purpose of the GDPR, which is to ensure a high level of protection for natural persons with regard to the processing of personal data. However, the CJEU points out that a person affected by a GDPR infringement must prove that the consequences of this infringement constitute a non-material damage within the meaning of Article 82 of the GDPR. In this context, the CJEU refers to paragraph 50 of its judgment of 4 May 2023 (Österreichische Post AG, C-300/21). The CJEU states that where a person claiming damages on this basis relies on the fear that personal data will be misused in the future as a result of such an infringement, the national court must assess whether that fear can be considered well-founded in the particular circumstances and with regard to the person concerned.
In its parallel decision (C-456/22), the CJEU concludes, as already previously ruled, that there is no de minimis threshold for damage and that, consequently, fears a data subject has of possibly being affected by a future misuse of their data following a data leak can also constitute non-material damage. However, the CJEU again ruled that a mere breach of the GDPR alone does not constitute damage, but that damage must be presented and positively established. According to the CJEU, neither the tangible nature of the damage nor the objective nature of the infringement is necessary (paragraphs 14 and 17).
Furthermore, in judgment C-340/21, the CJEU also ruled that controllers can be exempted from the obligation to remedy damage caused by the unauthorised disclosure of personal data or unauthorised access to such data by third parties, if they prove that the relevant fact that caused the damage is in no way attributable to them. In this regard, the CJEU found that the unauthorised disclosure of personal data or unauthorised access to such data by third parties within the meaning of Article 4, paragraph 10, GDPR alone is not sufficient to assume that the technical and organisational measures taken by the controller were not appropriate within the meaning of Articles 24 and 32 of the GDPR. According to the CJEU, the adequacy of the measures taken by the controller pursuant to Article 32 of the GDPR must be assessed by the national courts in each case, considering the specific risks associated with the processing and whether the nature, content and implementation of these measures are proportionate to these risks. The CJEU stated that the controller bears the burden of proof for the adequacy of the security measures taken by the controller within the meaning of Article 82 of the GDPR.
In its decision of 21 December 2023, C-667/21, the CJEU once again commented on immaterial damages under Article 82 of the GDPR. This time, the Court was particularly concerned with the assessment of the amount of damage. According to the CJEU, Article 82, paragraph 1, GDPR must be interpreted as meaning that the right to compensation for damage provided for in this provision serves solely a compensatory function and does not have a punitive or dissuasive character. Monetary compensation should solely make it possible to fully compensate for the specific damage suffered as a result of the GDPR infringement. The CJEU held that the objective severity of a violation of a GDPR obligation alone is not to be considered when assessing the amount of non-material damages under Article 82 of the GDPR. The severity of an infringement may only impact the amount of damages if the infringement leads to serious damage. Therefore, the decision of the CJEU likely does not change the fact that the particular severity of an infringement in an individual case can and often will lead to greater damage that must be compensated. However, the amount awarded should not be calculated in such a way that it exceeds the compensation for the damage that was actually incurred. In short, under Article 82 of the GDPR, only the damage actually incurred in the specific case is compensated. Damages are not to be increased in order to punish the obligated controller or processor simply because the infringement of the GDPR was particularly severe. Article 82 of the GDPR does not have a punitive function. The Court also emphasised once again that the mere violation of the GDPR is not sufficient to justify a claim for damages. It stressed that, in addition, there must be actual damage and that there must be a causal link between the damage and the infringement.
As a result of a “combined analysis” of the different provisions of Article 82 of the GDPR, the CJEU concludes that this Article provides for a fault-based liability in which the burden of proof does not lie with the data subject, but with the controller. The CJEU bases its interpretation on the systematic context in which Article 82 of the GDPR fits and on the objectives pursued by the EU legislator with the GDPR (see paragraph 94 et seq). According to the CJEU, the controller’s liability therefore depends on the existence of fault, which is presumed if the controller does not prove that the act causing the damage is not attributable to it. The CJEU states that the respective degree of fault is not taken into account when calculating the amount of damages. A high degree of fault may therefore not, for example, result in the amount of damages awarded exceeding the actual damage incurred.
In addition, the Court ruled that, in the absence of a specific provision in the GDPR on the assessment of damages, the national courts must apply the national provisions on the amount of financial compensation for this purpose in accordance with the principle of procedural autonomy, provided that the EU law principles of equivalence and effectiveness, as defined by the established case law of the CJEU, are respected.
In its judgment of 25 January 2024 (C-687/21), the CJEU once again had to deal with claims for non-material damage in the event of data protection violations. The decision further tightens the requirements for non-material damages claims in the event of data protection violations. In the present case, it declared that a bad feeling alone is not sufficient for damages. In this respect, the CJEU does not consider a brief disclosure of data to constitute damage. Once again, the CJEU emphasises that, in addition to a breach of the GDPR, actual damage must also be proven in the case of non-material damages. The mere risk of unlawful data use is not sufficient. This applies in particular if the data was “demonstrably not taken note of” by the third party. Although fear of data misuse can give rise to a claim, this fear must actually be suffered and proven. Once again, the CJEU stated that Article 82(1) of the GDPR must be interpreted as meaning that the right to compensation laid down in that provision, in particular in the case of non-material damage, fulfils a compensatory function ‒ in that financial compensation based on that provision must allow the damage actually suffered as a result of the infringement of that regulation to be compensated in full ‒ and not a punitive function. The new CJEU ruling again points in the direction of a more restrictive approach to claims for non-material damages.
In addition, given the proliferation of mass privacy litigation and that different jurisdictions (or even different states of a country) may have widely differing views on what can be deemed a “full and effective” compensation, there may also be an increasing risk of “forum-shopping” where claimants try to bring action in a jurisdiction with the highest damage amounts.
In the meantime, German courts have continued to award ever-higher compensation amounts for immaterial damages with damage amounts ranging from as low as EUR25 to approximately EUR10,000, for instance, for the following GDPR violations:
Given these significant differences in the severity of the privacy violations, awarding immaterial damages does not always seem appropriate in all of the cases mentioned above. Indeed, there is good reason to conclude that some of these violations are so trivial that awarding any compensation does not necessarily seem warranted. Either way, predicting the amounts of damages that courts will grant will likely remain a very difficult task.
Current Risk Environment in Germany
The risk environment for private enforcement in Germany has been characterised for years by a growing volume of claims asserted by a diverse set of actors in an ever-broader range of sectors. Areas most often in the crosshairs of privacy litigation are, notably:
In many cases, privacy litigation starts with a data subject access request (DSAR). It is therefore vital to have sufficient DSAR management in place to answer requests sufficiently and in a timely manner, as even a belated or insufficient response to an access request can itself give rise to potential claims for immaterial damages. It also makes sense to adequately identify the risk associated with each type of DSAR (eg, DSARs arising in an employment or post-breach context are often of a greater risk than DSARs sent via a standardised template form by consumers).
Another risk for privacy litigation can stem from negative press following media reports of a data breach or of an inquiry by a supervisory authority. Such reports sometimes lead to a rising number of DSARs and, potentially, subsequent claims for immaterial damages.
Litigation Risks Regarding Data Breaches
A very important and increasingly prominent area giving rise to serious privacy litigation risks involves data breaches and cyber-attacks, including phishing emails, malware, DDoS, Advanced Persistent Threat (APT) and ransomware attacks. Given an ever-evolving cyber threat landscape, there is a growing risk for companies of every sector of being affected by cybercrime, service outages and data leaks, potentially affecting many data subjects at once. Not only have some courts already awarded immaterial damages to data subjects affected by data breaches (such as the Regional Court Munich I in December 2021; see above), but specialised law firms have already started advertising their services specifically to individuals potentially affected by certain data breaches ‒ most notably those that have received great media attention.
Litigation Risks in the Employment Context
As regards the employment context, companies have been witnessing a proliferation of data subject access requests during termination proceedings made with the intention of uncovering and potentially threatening to litigate any GDPR violations as part of subsequent settlement negotiations. Given that some labour courts have granted immaterial damages claimed during termination proceedings, the mere threat of privacy litigation often suffices to significantly leverage the negotiation position of disgruntled former employees. This once again illustrates the importance of a co-ordinated and smooth off-boarding procedure for companies.
Mass Litigation and Representative Action
Considering recent and future developments surrounding mass claims and representative actions, it is large-scale processing of personal data in particular that can increasingly prove a liability for businesses. For instance, specialised law firms have begun representing large numbers of data subjects (in the hundreds or even thousands) affected by data breaches. In addition, there are companies that provide legal assistance to affected data subjects asserting claims for immaterial damages before court.
These efforts have been successful in many cases, further fuelling incentives to expand the business model. Prominent examples of mass litigation in Germany concern so-called scraping of personal data on social media, where bots and crawlers are used to extract personal data provided by social media users on their profiles: while many of the claims have been denied, some have in fact been granted and have thus led to compensation of immaterial damages.
What is more, the EU’s Representative Action Directive (EU) 2020/1828, which was transposed into German national law on 18 July 2023 in the Verbandsklagenrichtlinienumsetzungsgesetz (VRUG), may further incentivise mass claims on behalf of consumers affected by privacy infringements. Representative actions should generally make enforcement of damages considerably easier in cases affecting large numbers of individuals, as is often the case in employment or consumer-related cases. Additionally, the rules provided in the Directive regarding disclosure of evidence will also facilitate private enforcement of privacy violations.
This enhanced environment for mass claims and professional litigation could also make inquiries and/or imposition of fines by supervisory authorities (eg, after breaches or unlawful international transfers) increasingly dangerous starting points for follow-up litigation by entities and individuals that pursue compensation of immaterial damages. Since the Representative Action Directive also provides for actions brought by qualified entities established in other member states, this may expose businesses to even greater risk of litigation by different interest groups across the EU.
However, the German transposition also poses considerable difficulties for claimants: a first obstacle is the German VRUG’s requirement that claimants bring action for “essentially equivalent claims” – a notion so vague that it may be difficult to determine whether or not data subjects fulfil this criterion. This may only prove successful in large-scale data breach events. Another obstacle that is likely to diminish the success of the representative actions is the limit of EUR300,000 regarding the amount in dispute. Conducting these highly complex actions with hundreds of claimants is unlikely to be economically feasible for the majority of law firms given rather modest fee expectations that can be derived from this amount. Also, the possibility of using litigation financiers is limited to a share of 10% of the amount in dispute, which will not be deemed profitable enough for many such financiers.
Litigation Risks Regarding International Transfers
Another area which has been exposed to increased scrutiny through private enforcement activities over the last few years is international transfers of personal data to third countries outside the EU. Concerns over mass litigation in relation to international transfers were fuelled by the general uncertainty as to the legality of transfers to the USA following the CJEU’s Schrems II decision of 16 July 2020.
However, this somewhat grim outlook has brightened since an adequacy decision has been in place for transfers under the EU-U.S. Data Privacy Framework (EU-U.S. DPF) since 10 July 2023. Companies certified under the EU-U.S. DPF can rely on the EU-U.S. DPF principles and the respective adequacy decision adopted by the EU Commission for transfers to the USA.
What is more, companies relying on standard contractual clauses (SCC) for their transfers to the USA are now in a better position as well, given the extensive safeguards put in place for EU citizens by the US government in the area of national security in Executive Order 14086 of 7 October 2022. As noted by the Commission in its Q&A on the EU-U.S. DPF of 10 July 2023, these safeguards facilitate the use of other tools as well, such as SCC and BCR. Additionally, the assessment conducted by the Commission in its adequacy decision can and should be taken into account when conducting the transfer impact assessment (TIA) necessary to employ either SCC or BCR in practice, as the European Data Protection Board (EDPB) emphasised in its Information note on data transfers to the USA of 18 July 2023.
Transfers to other third countries may be judged differently. However, given an ever-growing number of countries that have adopted or are in the process of adopting privacy legislation, the litigation risk in the area of international data transfers is not likely to increase significantly.
Outlook
The assertion of immaterial damages claims has paved the way for ramped-up private enforcement efforts within the last two years and will remain one of the defining privacy topics in Germany and across Europe in 2024 and beyond. With an ever-broader range of areas affected, businesses of all kinds will have to expect further increases in private enforcement activities and are well-advised to resolve any shortcomings in their privacy compliance which are particularly vulnerable to litigation. Given the considerable obstacles data subjects and consumers still face when engaging in mass litigation, it is questionable, however, how big the impact of the Representative Action Directive/German VRUG will be in practice.
Heinrich-Heine-Allee 12
40213 Düsseldorf
Germany
+49 211 3678 7269
cschroeder@orrick.com
www.orrick.com/en/People/E/A/D/Christian-Schroeder