In this article we consider the potential implications for insurers.
The case
The case considered an Austrian citizen who sued the country’s postal service for processing their data without their consent. The Claimant sought reparations for ‘non-material damage’ under GDPR’s liability regime, alleging that they had been caused substantial distress. In its defence the postal service asserted that the Claimant data subject had not suffered sufficient damage.
The national court was unsure as to the extent to which compensation rights for non-material damages apply under GDPR’s Article 82, so it referred the case to the ECJ.
ECJ decision
The ECJ ruled that:
‘Not every infringement of the GDPR gives rise, in itself, to a right of compensation’.
However, there is no requirement for non-material damage to reach a certain threshold of seriousness to confer a right to compensation. As such, data subjects seeking compensation for GDPR breaches can do so without proving that a specific threshold for the seriousness of the harm is met. It is then for national courts to decide on the appropriate level of damages.
Considerations for insurers
Despite the claimant still having to prove a GDPR violation and a causal link between the violation and the harm, this decision could result in an increase in data privacy claims against businesses.
However, this case must be balanced against the case of Lloyd v Google, in which the Supreme Court held that a mere loss of control over data does not automatically result in compensation. Indeed, the ruling of the ECJ is not binding on English courts following Brexit. Nevertheless, the decision could still be persuasive and influential in judges’ decision-making in the UK. As such, insurers and underwriters should consider the scope of coverage they offer to policyholders, particularly under management liability, professional indemnity and cyber wordings, where cover for data privacy claims is often provided.
Insurers may also wish to consider incorporating tighter conditions into their wordings in relation to GDPR compliance.