The European General Court's 8 Jan. decision in Case T‑354/22, Thomas Bindl v. European Commission, confirms the EU approach to nonmaterial damage in data breach cases, as set out in Case C‑300/21, UI v. Österreichische Post. Nonmaterial damage is a wide concept and, when it is found that nonmaterial damage has been suffered, the damage simply must be "real and certain," as opposed to hypothetical and indeterminate, and damages will follow, whatever the infringement's level of seriousness.
While Bindl lost on some grounds, he won in respect of his claim that, through a link on a European Commission website, which necessitated him using his Facebook account details, his personal data had been transferred to the U.S., which was not considered to have an adequate level of data protection. He was awarded 400 euros in damages and half his legal costs.
According to the judgment, Bindl claimed nonmaterial damage rather than material loss on the basis that his data was sent to the U.S., which gave rise to a risk of access by the U.S. security and intelligence services, and therefore he was deprived of his rights and freedoms and prevented from exercising control over his data. In other words, on the face of the decision, he was claiming damages for pure loss of control and not for distress.
The General Court awarded damages on the basis that the transfer in question "put the applicant in a position of some uncertainty as regards the processing of his personal data, in particular of his IP address." From the language used — the French version similarly speaks of "situation d'insécurité" — it is not completely clear whether the court considered uncertainty as simply denoting a loss of control or as incorporating an element of distress. However, given the Court's explanation of Bindl's claim, it would appear the damage was awarded simply for loss of control as a category of nonmaterial damage and not for distress.
While the case was adverse to the European Commission, against whom a breach is only actionable if it is sufficiently serious according to paragraphs 50-52 of the decision, the court did stress the EU General Data Protection Regulation contained no "threshold of seriousness" applicable to the infringement of the GDPR for compensation to be triggered. Therefore, there was no discussion of the level of seriousness, or triviality, of the breach in question.
How the English courts might have approached this case
Most commentators would consider that the case would have been decided differently by English courts under the U.K. GDPR. That is not because the claim would have no foundation under English law but rather because the English courts would analyze whether there was any element of distress and, if so, whether it was nevertheless de minimis.
As explained by the U.K. Supreme Court in Lloyd v. Google, under the Data Protection Act 1998, damages were not available merely for "loss of control" of personal data without proof of damage or distress; the position is different for claims in the tort of misuse of private information. The Data Protection Act 2018 incorporated the GDPR, now called the U.K. GDPR, and as a result some believe the possibility of recovering damages for loss of control under the statute remains. In other words, they argue the decision on loss of control in the Lloyd case is confined to the DPA 1998 and does not apply to the DPA 2018 or to the U.K. GDPR. In support of that, they point to the specific reference to nonmaterial damage in EU GDPR Article 82(1) and Recital 85, where "loss of control over a subject's personal data" is given as an example of nonmaterial damage.
Indeed, in SMO v. TikTok, the English High Court considered, albeit with caution and without the benefit of arguments from the other side, such an argument to constitute a "serious issue to be tried," sufficient to fulfil a gateway requirement for permission to serve a claim outside the jurisdiction. However, the claim was subsequently withdrawn, probably in light of the Supreme Court decision in Lloyd.
Further, in Farley v. Paymaster, the Court of Appeal permitted a party to appeal a decision that held an essential ingredient of a viable claim for misuse of private information or infringement of data protection rights was the claimant's real prospect of demonstrating the communication containing private information was "opened and read by a third party."
The Court of Appeal agreed that, if there was no communication in that case, there was no use of data and therefore there could be no misuse and no tort. But the Court of Appeal suggested that was not necessarily the position under the DPA 2018 and the U.K. GDPR.
In an extract that is close to the facts of the Bindl decision, Lord Justice Mark Warby wrote, "what is clear is that in principle an individual may establish that personal data have been processed in breach of their data protection rights without proving that the information or data have in fact been read or otherwise communicated to anyone. One example could be the automatic transfer of data from one secure location to another that is insecure."
However, Warby, who was also a judge in the Lloyd case, went on to say, "cases in which non-trivial emotional harm is caused by processing of this kind, falling short of disclosure in the sense contemplated by the judge, may be rare but it cannot be said that this is impossible as a matter of principle."
The reference to nontrivial emotional harm incorporates two elements — the de minimis principle and the necessity for harm — and these both show how an English court might have approached Bindl differently.
First, the reference to emotional harm is indicative of an approach by the English courts, which would lean against awarding damages under the DPA 2018 for mere loss of control, without more damage, whether material or nonmaterial, such as distress. That is in line with past cases of a similar nature, such as TLT v. Secretary of State for the Home Department in which allegations of distress following a government data leak were examined by considering the rationality of the alleged fear and shock.
It is therefore likely that an English court would have gone further than loss of control as a basis for awarding damages and would have examined the rationality of Bindl's fears about what U.S. intelligence services might do with his data.
Second, and connected perhaps to the first, the reference to nontrivial alludes to the de minimis principle, which is often invoked along with the Jameel principle that claims may have merit but may not be "worth the candle." While there are no specific guidelines around its applicability, the de minimis principle looks at the effect of the breach, meaning the accepted distress or loss that has been suffered, and the seriousness of the breach, meaning whether it was trivial or more than trivial, and damages will only be entertained in cases that rise above the principle's threshold.
The principle appears applicable to the DPA 2018 and EU GDPR, and therefore the U.K. GDPR, for example in Johnson v. Eastlight, although that is not settled law. This is in fact similar to the advocate general's opinion in Österreichische Post, which was not followed, that mere upset did not constitute nonmaterial damage and the point at which compensation should kick in for nonmaterial damage should be left to national courts. There is no set precedent for the application of the de minimis principle, but damages awarded for the lowest level of the spectrum were considered to be 250 GBP in Driver v. CPS, which is close to the 400 euros awarded to Bindl.
As well as actions for breach of DPA 2018 and U.K. GDPR statute, data breach actions under English law also tend to claim for misuse of private information, a separate tort. Court cases since Gulati v. Mirror Group Newspapers in 2015 have confirmed damages for mere loss of control are available in misuse of private information cases. One idea is that these can be calculated as user damages, assessed by what someone may have paid for the user's data rights.
Misuse of private information cases have their own thresholds, including that there must be a reasonable expectation of privacy, that there must be a balancing exercise between the rights, and that the misuse must be a positive action on the part of the defendant party. If those are established, the cases suggest a claimant also needs to show the damages are not trivial, notwithstanding the idea that damages are available for mere loss of control. However, this is generally answered earlier, when considering the nature of the information and breach, as shown in the Prismall v. Google cases from 2023 and 2024.
So, while the European General Court's decision in Bindl has taken the absence of any "threshold of seriousness" in the EU GDPR to indicate there is none, or that it cannot imply one, the English courts would likely consider that the de minimis principle still applies. But this is not definitive by any means, because it is not settled law that damages for mere loss of control are not available under the DPA 2018 and the U.K. GDPR nor that the de minimis principle necessarily applies to such claims.
And one could query whether the English law approach might change, particularly given that the English courts, while not bound by any EU court on the subject, may have regard to European Court decisions under the European Union (Withdrawal) Act 2018. It is somewhat noteworthy that in Johnson v. Eastlight, the English court was comforted in its view by its understanding that German case law considered that "Article 82 does have a de minimis threshold, and that the provision should be interpreted such that damages do not arise unless it reaches a threshold of seriousness (Dresden Higher Regional Court, 11 June 2019, Case no. 2-7 O 100/20)." Yet that does not in fact appear to be the correct EU position following the Bindl and Österreichische Post cases.
For the present moment, it appears mass actions in respect of data claims are considered challenging in England and Wales, at least on a non-bifurcated basis, and it appears claimants requesting damages for mere loss of control face headwinds. But that does not mean organizations operating in the jurisdiction should be any more lax when attempting to mitigate their litigation and privacy risk exposure than they would be in EU member states, in particular in considering which activities and services might facilitate cross-border personal data transfers either advertently or inadvertently.
Greg Lascelles is a partner at Hausfeld.