Germany’s Federal Constitutional Court (FCC) has passed on to the European Court of Justice (ECJ) a potentially groundbreaking decision: whether an individual needs to prove material damage caused by the unsolicited use of their personal details to obtain compensation under GDPR rules.
If the ECJ decides that an individual does not have to prove material damage when a so-called data controller or processor uses or passes on their data to third parties, it could well lead to a flood of claims in Germany and across Europe under the GDPR regime, experts warn.
This comes on the back of a raft of legal, regulatory and legislative changes in Germany and at EU level that are increasing exposure for German companies. This will likely pose headaches for German risk and insurance managers. The new exposures will also make it harder to convince cyber, D&O and wider professional and financial liability underwriters that the recent hard market has gone far enough.
New rules are coming that will raise the exposure of German accountants, lawyers and tax advisers, partly on the back of the recent Wirecard scandal.
The recently enacted German Supply Chain Act brings potentially significant new exposures for German companies that fail to police their suppliers properly when it comes to human rights and environmental damage. And of course, a raft of D&O claims is feared following an expected spike in insolvencies after the German government’s insolvency rules, introduced to help cope with Covid-19, expire at the end of April.
The ongoing impact of the GDPR combined with the new EU Collective Redress Directive, finally published in the Official Journal of the European Union in December 2020, as well as a spike in cybercrime linked to home working, are also increasing exposure for European companies.
If the ECJ decides that individuals can claim for compensation despite not suffering material damages under the GDPR, it will pile further pressure on risk managers in Germany and across Europe.
Detlev Gabel, partner in the Frankfurt office of US law firm White & Case, certainly believes that this case could send shockwaves through the business insurance community.
“The outcome could have major implications for controllers and processors. If a data subject need not prove any kind of quantifiable, material damages when his or her GDPR rights have been allegedly infringed, controllers and processors face the prospect of compensating countless individuals who need not prove any sort of concrete, cognisable damages before a court,” he stated in a recent note.
“If a controller falls victim to a hacker, for example, then any data subject who shows their data being compromised in some fashion could be entitled to compensation, even if the hack did not cause any damage to the data subject (other than the fact that their data was exposed). Even with small individual compensations, aggregate totals could quickly add up for controllers and processors if they are required to compensate aggrieved data subjects,” continued Dr Gabel.
The lawyer explained that the case in question stems from an unsolicited commercial email sent by a retailer to its customer, who seemingly did not consent to receive advertising emails. The plaintiff sought compensation of no less than €500, based on Article 82 paragraph one of the GDPR, for non-material damages he suffered by receiving the email.
The GDPR Article states: “Any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
Dr Gabel explained that the Magistrate Court of Goslar dismissed the plaintiff’s claim because he failed to show he suffered any relevant damages from the unsolicited email that met the de minimis impairment threshold.
The plaintiff filed a constitutional complaint, arguing that the decision violated his right to a trial before a legal judge under the German constitution. He said the case should have been referred to the ECJ.
The FCC agreed with the plaintiff, ruling that the Magistrate Court was obliged to turn to the ECJ because it was clearly not a case of “settled law” at this point in time.
“If the ECJ… finds that a plaintiff need not meet a de minimis threshold to be entitled to damages under Article 82, paragraph one [of the] GDPR, controllers and processors subject to the GDPR may face a somewhat harrowing prospect – the potential for any data subject whose GDPR rights have been violated to be entitled to de facto compensation even in the absence of concrete, material damages,” said Dr Gabel.
“It’s not difficult to imagine damages totals escalating quickly, particularly for companies with millions (or more) customers or users; any alleged, systemic infringement of a user’s GDPR rights would subject the company to countless individual damages claims or, where collective redress is available, high (monetary) stakes litigation,” he added.