Preventive function or empty threat? (1)

2022-06-14 01:47:04

Is the claim for damages under Art. 82 I DS-GVO a blunt sword or a real option to proceed against data protection breaches in German courts? This article discusses the current position of the German courts for and against preventive damages and compares it with the recitals to the GDPR. There is a chance that the ECJ will overturn damages law as we know it in Germany so far.

A.

In principle, damages in German civil law only serve to compensate for damage. This is reflected in the provisions of §§ 249 et seq. BGB. Damages are intended to restore the condition that would exist without the damaging event. The financial circumstances disturbed by the event are to be compensated. In addition to the compensatory function, it does not pursue a preventive function (Oetker, in Münchener Kommentar zum BGB, § 253 Rn. 8f.), whereby the satisfaction function of the compensation for pain and suffering according to § 253 II BGB deviates from this. It is thus based only on the actual damage suffered by the injured party. The tortfeasor, the degree of his fault or his motives are not considered. Punishment or deterrence of the damaging party is not provided for.

According to Art. 82 I GDPR, any person who has suffered damage due to a breach of the GDPR is entitled to compensation. This explicitly refers to material and immaterial damage. However, the standard does not specify the requirements for such non-material damage. According to recital 146 S. 3 to this standard, the concept of damage is to be interpreted broadly in light of the case law of the ECJ and in a manner that is consistent with the objectives of the regulation. S. 6 adds that the persons concerned should receive full and effective compensation for the damage suffered.

It follows from this reference to European case law that damages function not only as compensation, but precisely as prevention(Boehm, in Simitis/Hornung/Spiecker, Datenschutzrecht, 2019, Art. 82 DS-GVO Rn. 26; Moos/Schefzig, in Taeger/Gabel, Art. 82 DS-GVO Rn. 5, 26.). This also corresponds with the European development, as the ECJ requires, with reference to the principle of effectiveness, that national provisions on damages for the implementation of European requirements exceed purely symbolic damages. Instead, damages should deter and provide an incentive to prevent further infringements. As a term of a European regulation, it is to be interpreted autonomously. It is not possible to fall back on national regulations (Bergt, in Kühling/Buchner, DS-GVO BDSG, Art. 82 Rn. 17; EuGH Urt. v. 10.4.1984 – Rs 14/83, NJW 1984, 2021 (2022); EuGH Urt. v. 17.12.2015 – C-407/14, EuZW 2016, 183 (184 f.)).

Also, the interpretation of the term must be consistent with the objectives of the Regulation. Recitals 75 and 85 list some possible harms, including discrimination, identity theft, financial loss, damage to reputation, but also loss of confidentiality or economic or social harm. In addition, Recital 75 also mentions the mere processing of a large amount of personal data of a large number of individuals.

If a data subject asserts a claim for damages under Art. 82 I GDPR, he or she generally bears the burden of proof for the facts giving rise to the claim. However, the accountability principle in Art. 24 I 1 of the GDPR imposes an obligation on the controller to ensure that the processing carried out complies with data protection law and to be able to prove this (Bergt, in Kühling/Buchner, DS-GVO BDSG, Art. 82 Rn. 46). The unlawful handling of the data must be culpable, whereby Art. 82 III GDPR provides for a reversal of the burden of proof with regard to the proof. Initially, culpable conduct is presumed, but the tortfeasor can exculpate himself.

B.

So far, German courts have judged immaterial damage claims differently. In some cases, injured parties were granted a claim, whereby the courts sometimes explicitly referred to the deterrent effect and awarded sums ranging from €300 to €5,000  (LG Lüneburg Urt. v. 14.7.2020 – 9 O 145/19, BeckRS 2020, 36932; AG Pforzheim ZD 2021, 50 Rn. 28; ArbG Dresden ZD 2021, 54 Rn. 17; ArbG Köln Urt. v. 12.3.2020 – 5 Ca 4806/19, BeckRS 2020, 31544; ArbG Düsseldorf NZA-RR 2020, 409 Rn. 85 ff.).

In other cases, a claim was denied due to a lack of immaterial damage. The reason given for these decisions was that the infringement was merely minor and did not have a serious adverse effect. Such an infringement, which does not exceed a certain materiality threshold, should not be sufficient to justify a claim for non-material damage. What is required, on the other hand, is an objectively comprehensible impairment of some weight, such as the public exposure of a person. No compensation for pain and suffering is to be awarded for a merely individually perceived inconvenience  (LG Landshut ZD 2021, 161 Rn. 18; AG Hannover Urt. v. 9.3.2020 – 531 C 10952/19, BeckRS 2019, 43221 Rn. 20; AG Frankfurt a. M. ZD 2021, 47 Rn. 29f; LG Köln ZD 2021, 47 Rn. 14).

Another reason given was that a breach of the GDPR alone does not constitute damage. Not every data protection violation caused by data processing that does not comply with the GDPR automatically constitutes compensable damage. There is no obligation to compensate for general preventive reasons. In principle, non-material damages are compensable in the case of violations of personal rights, but a concrete, perceptible and objectively comprehensible impairment is required. Even if this does not have to be severe, it must still justify the award of compensation for pain and suffering  (LG Frankfurt a. M. ZD 2020, 639 Rn. 45; LG Karlsruhe ZD 2019, 511 Rn. 17; LG Landshut ZD 2021, 161 Rn. 18; AG Hannover Urt. v. 9.3.2020 – 531 C 10952/19, BeckRS 2019, 43221 Rn. 18; AG Frankfurt a. M. ZD 2021, 47 Rn. 29f).