Privacy professionals in the legal field have long seen the direct impact of laws on breach notification, unfair and deceptive acts or practices, and direct marketing. Courts commonly see class action lawsuits based on an undisclosed breach that causes consumers to face financial harm, often ending in a class payout. In another common scenario, an organization that faces a security incident stemming from an undisclosed practice may face a UDAP claim, leading to monetary damages payable to consumers who faced fraud due to the incident. But, in many legal systems that have long-held precedents on what is and what isn't a privacy harm, there has been increased attention on the question of whether all harms must be compensated for and what sort of compensation fits the harm.

What's harm, but a secondary motion

On 4 May 2023, the Court of Justice of the European Union issued its ruling in UI v. Österreichische Post C-300/21 on the question of the right to compensation for nonmaterial harm under Article 82 of the EU General Data Protection Regulation. In this case, the Austrian postal service allegedly collected political affiliation and affinity data about Austrian residents. Only, such data was generated by an algorithm trained on socioeconomic and wider demographic datasets. The data was then sold to third parties for targeted advertising. Unsurprisingly, the algorithm didn't get everyone's affiliation correct. One individual sued and claimed modest damages of 1,000 euros under the GDPR, as the affinity attributed to them was damaging to their reputation.

The CJEU, hearing the case on a referral from the Austrian Supreme Court, ruled that:

  • Infringement of the GDPR alone is not sufficient to trigger a right to compensation. Indeed, the CJEU construed the text of Article 82 of the GDPR to require an infringement, harm and a causal link between the infringement and the harm to trigger a right to compensation.
  • The right to compensation may extend to nonmaterial harm, and there is no threshold prescribing how serious the harm must be for compensation to be recoverable. Member states are precluded from imposing thresholds of seriousness that nonmaterial harm must meet before compensation becomes recoverable.
  • It is for national member state courts to determine the assessment of damages for nonmaterial harm. Aside from Recital 146 of the GDPR, which requires monetary compensation to be "full and effective" for the harm suffered, there is nothing in the GDPR that prescribes the assessment of damages for material or nonmaterial harm.

While, by the first and second points, the CJEU worked to make an expansive approach to permitting compensation claims across the EU more coherent, the third point maintains existing variation in how member states assess damages. That variation is a result of domestic laws, practice rules and conventions that guide the assessment of damages in different ways. Indeed, some member states may even require certain thresholds to be met for damages to be awarded for material or nonmaterial harm.

There is more to come from the CJEU on this issue. Just a week before its ruling in UI v. Österreichische Post, the advocate general of the CJEU issued a nonbinding opinion in Case C-340/21 VB v. Natsionalna agentsia za prihodite. One of the key issues of that case concerns the ability to claim compensation for harm associated with the fear of a possible misuse of data in the future, including by a third party that has obtained unauthorized access to that data. While the CJEU in Österreichische Post confirmed that the harm, even nonmaterial harm, did not need to surpass a threshold of seriousness, it did rule there needs to be harm. The nature of the incidence of harm is one important issue in Natsionalna agentsia za prihodite, with the advocate general opining that the harm needs to be "actual and certain" rather than hypothetical or anticipated. The forthcoming CJEU ruling in this case will be highly relevant for organizations considering their risk exposure, in the event they are subject to a cyberattack or experience a data breach.

They call it London city limits

The most recent and authoritative U.K. precedent on the matter comes from the U.K. Supreme Court's 2021 ruling in Lloyd v. Google. Lloyd argued that Google's "DoubleClick Ad" cookie on iPhones, which allowed for behavioral profiling, was a breach of U.K. data protection legislation. To serve a claim on Google in the U.S., Lloyd was required to prove they had a "reasonable prospect of success" on the merits of the case. As the CJEU ruled most recently, the U.K. Supreme Court held that a mere infringement of data protection law does not confer a right to compensation. However, the U.K. approach is quite different from the CJEU's on the issue of the seriousness or materiality of the harm suffered. The U.K. Supreme Court ruled that applicable U.K. data protection legislation did not contemplate compensation for infringements of a legal right that caused no material damage or distress, and so trivial or nonmaterial harm could not be compensated.

This approach was applied most recently on 19 May 2023, by the High Court of England and Wales in Prismall v. Google and DeepMind. In that case, the claim was for damages for the harm caused by a loss of control of personal data in medical records. Such data had been provided by the Royal Free London NHS Foundation Trust to DeepMind, which was developing an app to assist clinicians. The High Court ruled that the loss of control — in this case the secure storage of the data by DeepMind before its use in the clinician app — did not amount to harm eligible for anything other than nominal or trivial compensation, which was not recoverable.

Cases deep, mountain high

The U.S. has similarly seen consequential legal decisions fall flat when it comes to addressing privacy harms. The Federal Trade Commission is known to bring privacy- and security-focused arguments under complaints alleging unfair and deceptive trade practices in violation of the FTC Act. In August 2022, the FTC filed such a lawsuit against Kochava, a mobile app analytics company.

The complaint alleged Kochava was collecting and selling consumers' mobile device geolocation data without their knowledge or consent, and that the data was tied to each individual user by a unique ID associated with their device. Especially considering the use — or even misuse — of such data in a post-Dobbs v. Jackson Women's Health Organization climate, the FTC argued this geolocation data could be used to identify consumers who visited sensitive locations like those involving mental health, general health care, religion, social services or abortions. The last type of location is especially sensitive, as states that forbid the associated health procedure within their jurisdictional borders may use that data to prosecute residents who received the procedure in another state. At one point, Kochava advertised the ability to identify household locations as one of the potential uses of its data in marketing materials provided to clients.

The sale of these kinds of geolocation data points directly causes privacy harm to consumers, but, as the court reviewing this case noted, that does not count as redressable harm. While the presiding judge agreed that the privacy concerns raised by the FTC were legitimate and consumers could suffer an injury as a result of the nonconsensual sale of their data, he noted these were examples of secondary harms and the mere possibility of actual injury was not sufficient to allow the lawsuit to proceed. Because the FTC failed to allege how Kochava's "purported privacy intrusion practices" created a "substantial injury" to consumers, the case was dismissed and the FTC was given leave to amend its complaint to show the "substantial injury."

Those keeping track may be experiencing déjà vu, as this outcome mirrors the FTC's 2018 action against LabMD, in which the Eleventh Circuit found that the agency failed to prove that LabMD's "alleged failure to employ reasonable data security … caused or is likely to cause substantial injury to consumers" as required by Section 5 of the FTC Act. In a discussion of this case, privacy scholar and University of Washington School of Law professor Ryan Calo said, "you have to be hurt in the wallet in order to prevail in a consumer privacy case." This still seems to be the case five years later. The FTC has since amended its complaint but has filed it under seal in anticipation of Kochava's position that referenced and cited materials may constitute trade secrets.

Big wheels keep on turning

To proceed with a case in the U.S., a complaint must state a claim upon which relief can be granted. The intangible nature of data privacy harms in modern cases directly conflicts with the precedent set by tort law that historically granted damages to a party that could show actual, usually monetary, harm. Washington state's recent My Health My Data Act sidesteps this issue by allowing private citizens affected by a violation of the act to bring suit and claim damages under the state's consumer protection law. Other than statutes like this, U.S. privacy pros have yet to see cases providing damages for privacy harms or creatively utilizing other avenues of redress for intangible harms, although those that come to mind, like a claim for negligent infliction of emotional distress, are unlikely to be successful. Across the pond, the U.K. lands in a similar camp of not providing compensation for an infringement of the legal right to privacy without proof of material and tangible damage. The EU's jurisprudence leans more consumer-friendly in finding EU data subjects have a right to compensation for material and nonmaterial harms, as long as harm has been experienced.

Better than all the rest?

Privacy pros are experiencing an era of consumer protection, the likes of which have not been seen in a while. Regulatory enforcement routinely breaks records and strikes at the core of business practices. Consumers move with their feet when they feel their privacy being threatened. Organizations are facing legal action from enforcement entities and private individuals. With all this movement, one might conclude that compensation for harm is one of the most proximate but one of the least salutary and consequential ways to address a lack of organizational compliance with privacy laws. Consumers who have participated in representative or class action lawsuits can attest to the weight of these legal actions in providing meaningful compensation and disincentivizing business processes that create privacy harms. However, the impact of class action lawsuits in addressing privacy harms themselves merits its own day in court or, at least, its own discussion in a separate article. For now, privacy pros will continue bracing for and reeling from the ongoing stream of enforcement actions, consent decrees, and the shifting and solidifying jurisprudential trends on recoverable harms.