In a recent judgment, the Rotterdam District Court awarded compensation in the amount of EUR 2,500 to a data subject whose medical data had been stored and processed by the Municipal Executive of the municipality of Rotterdam (hereinafter: the “Municipal Executive”) in violation of privacy laws for as long as 10 years!
An award in the amount of EUR 2,500 is highly unusual. Not since the introduction of the GDPR has any Dutch court issued an award of such magnitude. Courts tend to be reluctant to allow claims for compensation for non-material damage, as claimants are required to submit concrete evidence to substantiate the alleged damage. Many have stumbled over this hurdle.
Does infringement always result in compensation?
Although Article 82 GDPR entitles any person who has suffered material or non-material damage as a result of an infringement of the GDPR to compensation, the Regulation is silent on what method to use to calculate or determine such damage. It follows that Member States are free to formulate their own rules, provided such rules take account of the principle of equivalence and the principle of effectiveness. The key here is that, in line with Recital 146 GDPR, the controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. The term ‘damage’ is therefore to be interpreted in the broadest sense.
In the Netherlands, courts tend to seek a link with civil compensation law, laid down in Article 6:106 of the Dutch Civil Code (DCC). This article allows for any non-material damage caused by infringement of the GDPR to be classified as “an affliction of the person”. A person is deemed to have been afflicted in any event if he or she has suffered distress. In more concrete terms, the following applies:
Anyone relying on Article 6:106 DCC as being afflicted in their person is required to present sufficient substantial evidence from which it can be concluded that distress has been suffered in connection with the circumstances of the matter. It must be possible to establish, by reference to objective standards, the existence of distress; or
The injured person must be able to demonstrate that the nature and the severity of the violation of standards entail that the relevant prejudicial consequences for the injured person are so obvious as to warrant the conclusion that there was an affliction of the person.
I should add that under current Dutch law not every violation of a fundamental right constitutes an affliction of the person.
Actually, the door was ajar already
Privacy infringements have actually resulted in a number of awards of compensation for non-material damage these past few years, meaning the option is not novel. The Administrative Jurisdiction Division of the Dutch Council of State (“the Division”) laid down the terms for the scope of the option in a decision issued on 1 April 2020. The Division deemed it reasonable to award an amount of EUR 500 as compensation for the disclosure of medical data (i) without the consent and (ii) without the knowledge of the injured person, which data contained (iii) strictly confidential personal data. This disclosure caused distress, also known as “loss of control of personal data”.
As the data involved were particular personal data, that is, medical data, the Division held that their disclosure would obviously cause prejudice to the person in question. In reaching this conclusion, the Division took into account the facts that there was no legitimate interest for the disclosure of the data, that the data ended up with a small group of professionals sworn to uphold confidentiality, and that an attempt was made to undo the disclosure after the data were sent.
On that same day, incidentally, the Division denied another claim for compensation of non-material damage on the ground that the claimant had failed to submit sufficient evidence of the distress sustained.
So the door is wide open now?
In its judgment, the Rotterdam District Court found that the Municipal Executive had retained privacy-sensitive personal data for a period of ten years. In view of the duration of the infringement and the fact that the data subject made repeated attempts to have her data removed, the court deemed it sufficiently plausible that she had suffered non-material damage. This judgment seems to be in stark contrast to earlier decisions, like those of the Division, where courts would deny claims for compensation as claimants had failed to provide sufficient substantiation for the non-material damage allegedly suffered, or where such claims were awarded because substantive evidence had been submitted.
The Rotterdam District Court justified the amount of the award by referring to the 1 April 2020 decision of the Division, in which - as noted above - an award of EUR 500 was deemed a fair compensation for the brief unlawful processing of medical data. As in the case before it the medical data had been retained and processed over a period of ten years, the District Court held an amount of EUR 2,500 to be a suitable award.
The repercussions of this judgment may ring on in claims for compensation brought by virtue of the Settlement of Large-scale Losses or Damage (Class Actions) Act [Wet Afwikkeling Massaschade in Collectieve Actie - or “WAMCA”], which entered into effect on 1 January 2020. If a large-scale infringement occurs, which can be considered to be an “affliction of the person” and involves a multitude of people, it is highly conceivable that a class action suit is brought on behalf of the injured people, and quite possibly on the basis of the WAMCA. The Rotterdam District Court judgment may have the consequence that more class actions will be initiated, as the threshold for allowing claims appears to have been lowered (in some cases).
The Court of Justice of the European Union (CJEU) is set to consider the scope of Article 82 GDPR in response to questions for a preliminary ruling that have been referred to it from Austria. Although this case is expected to have a considerable impact on any future claims for compensation brought under the GDPR, the magnitude of this impact is as yet unclear.
So while we have yet to see in what way courts will deal with the precedent set by the Rotterdam judgment and the ruling of the CJEU, it appears that a solid foundation has been laid for actions in which substantial sums will be claimed by way of compensation for infringements of the GDPR. As well as local authorities, companies processing large quantities of - sensitive - personal data (and doing so over long periods of time) consequently run the risk of being held liable to pay substantial amounts by way of compensation now that the bar has been raised to EUR 2,500. The WAMCA may have an impact there as well. Apart from that, the Rotterdam judgment also raises the question in what cases prejudicial consequences are held to be obvious to such extent as to warrant the presumption that someone has been afflicted in his or her person.
Does this blog prompt any questions, or would you like more info on the subject? Then don't hesitate to contact us.