The end of low-level GDPR claims?

Before the GDPR took effect there was plenty of talk about whether it would usher in a new era of US-style litigation in Europe.  It’s ironic, then, that the more interesting development has been the rise of low-level claims alleging non-financial harm as a result of GDPR breaches.  Distress, anxiety, being upset — that sort of thing. 

And what we've seen in the emergence of a kind of super complainant.  Those individuals for whom getting through an ordinary digital life causes such deep distress, overwhelming anger, and so on that compensation is the only thing that will make it better.  

Perhaps unsurprisingly, the amount sought by these claimants — £500 here €1,500 there — tends to be pitched in that corridor of uncertainty that can leave businesses with mixed feelings about how to respond.  On the one hand, the cost of instructing lawyers may exceed the amount claimed.  On the other, they don’t want to set a precedent of payment for what, in many cases, amounts to a shakedown.  

Yesterday, the advocate general of the Court of Justice of the European Union issued an opinion that puts the future of these claims in doubt.  With the usual caveats that the CJEU doesn’t have to follow the AG (but often does), this means that:

• Claims for non-material damage don't cover “mere upset” that a claimant may feel as a result of an infringement of the GDPR.  The individual must have suffered “relevant material or non-material damage”.
• It is for national courts to determine whether “a subjective feeling of displeasure” is considered, on a case-by-case basis, to amount to non-material damage.  In the UK, for example, we have consistently seen courts dismiss these type of claims.

What does this mean in practice?  And will it put the brakes on the Complaint Industrial Complex?  For the time being, I think not.  In fact, it may cause some individuals to ramp up their activities before the CJEU issues its judgment (and national courts then put the brakes on these types of claims).  So it could be a busy few months.

To be fair, proving genuine non-financial harm isn’t easy, and there clearly are cases where distress, anxiety or embarrassment (for example) should be actionable.  The avenue to pursue those claims through the courts should also be available, and the AG’s concern that awarding putative damages for GDPR infringements would entice individuals to pursue litigation rather than complaining to a data protection regulator is perhaps overblown.  Both avenues should be available, and it should be for the individual to decide how to exercise their rights.

I've lost count of the number of clients who've asked us for advice on this issue — and am always interested in hearing about others' experiences.  So if you want to compare notes, do get in touch.