Select an area of expertise to find out more about our experience.
Find out more about our barristers and business support teams here.
…you wait ages for one – and then two come along at the same time (14 December 2023).
In Natsionalna agentsia za prihotide, a Bulgarian agency involved in recovering public debts was the target of a cyber-attack, with 6 million data subjects affected and several hundred suing for compensation for non-material damage. The European Court of Justice (‘ECJ’) dealt with five preliminary questions referred to it, most interestingly deciding that:
Municipality of Ummendorf involved a local authority’s erroneous upload on its website of unredacted names/addresses mentioned at a meeting. The error was rectified within a few days. The essential question for the ECJ is whether Article 82(1) of the GDPR must be interpreted as precluding national legislation or a national practice which sets a de minimis threshold in order to establish non-material damage. Back in May, the ECJ decided in Österreichische Post (C‑300/21) that, to show entitlement to compensation, it was “necessary” and (importantly) “sufficient” to satisfy three conditions (i) the existence of ‘damage’ which was ‘suffered’ in Article 82 (1) (ii) infringement of GDPR and (iii) causal link between that damage and the infringement.
The ECJ in both Municipality of Ummendorf and Österreichische Post disparaged any national rule or practice imposing a “certain degree of seriousness” on that damage (i.e. a de minimis threshold). In the former case, the brevity of the period during which the subject was exposed to the damage (e.g. the local authority retaining the unredacted data on its website) was found not to provide a cut-off for damages. However, the ECJ added that “those persons must also demonstrate that they have actually suffered such damage, however minimal”, which differs from demonstrating the fact of the infringement itself.
With both these December judgments providing excellent stocking-fillers for those representing claimants, it remains to be seen what, if any, impact they have on the domestic de minimis doctrine confirmed by the UK Supreme Court in Lloyd v Google [2021] 3 WLR 1268. UK courts and tribunals are not bound by ECJ decisions made after 31 December 2020, but ECJ decisions may have persuasive value when applying legislation sourced from the EU. If continued application of de minimis in this jurisdiction effectively results in a lower level of protection to data subjects than in the EU, might this imperil the EU’s ‘adequacy decision’ in respect of the UK? The field is ripe for a test case on the de minimis issue after these ECJ developments. The author is currently awaiting judgment in one case where Österreichische Post was cited in response to a de minimis argument, so watch this space (but not until after the festive break).
A monthly data protection bulletin from the barristers at 5 Essex Chambers
The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.