Last week we discussed the case in which the Dutch Council of State (RvS) overturned a decision by a lower court to award damages for a privacy infringement. This article focuses on the case in which the RvS did award damages, and actually increased them. The interesting thing about this case is that it provides insight into when damages are in order.
In 2018, a director of a psychiatric clinic shared confidential medical information about a patient (claimant) with the Medical Disciplinary Board without the claimant’s consent. After being denied compensation, the claimant started administrative proceedings. The court of Gelderland ruled in favour of the claimant and awarded €300 in damages based on Article 6:106 Dutch Civil Code. The claimant appealed this decision and requested an increase of the amount of damages.
Before ruling on the damages, the RvS addressed the possibility of claiming damages via administrative court proceedings. The RvS confirms that data subjects have the option to seek damages in both administrative and civil proceedings if they have suffered damages due to an administrative decision of a governing body, as long as the request for damages does not exceed €25,000.
After determining that the claimant was able to seek damages via the administrative court, the RvS concluded that the claimant was indeed entitled to damages, and increased the damages to an amount of EUR 500. Similar to the other three cases, the RvS affirms that the calculation of damages is a matter of national law. When assessing whether damages are in order, the RvS focused on the nature, gravity, and duration of the General Data Protection Regulation (GDPR) violation. This assessment aligns with the criteria in Article 83 GDPR and the Dutch Data Protection Authority (DPA) guidelines on administrative fines.
When assessing the nature and gravity of the violation, the RvS looks at the type of data that was shared. In this case, giving out sensitive data resulted in a breach of Article 9 GDPR. In the case we discussed last week, the RvS ruled that a mere violation of the GDPR does not automatically result in harm to the integrity of a person and does not justify compensation for damages. According to the RvS in this case, a breach of Article 9 GDPR can be regarded as a breach of the right to private life that warrants compensation for damages.
In determining the amount of the damages, the RvS ruled that medical data are a special category of personal data that require a higher level of protection. Another factor the RvS took into account is that the data was shared in a complaint procedure against the claimant. According to the RvS, the detrimental consequences of sharing such data without a lawful basis are evident, especially since the data was intentionally shared in proceedings against the claimant.
A mitigating factor in the RvS's analysis appears to be the duration of the violation. The Disciplinary Board destroyed the data after becoming aware of the violation, and the data was only shared with a small group of professionals who were all bound by confidentiality obligations.
Why this matters
This decision provides data subjects with more flexibility to seek damages when confronted with a decision from a governing body, for example a decision by a municipality not to disclose personal data as part of a subject access request. The decision also provides us with a clear framework to assess when damages are in order. This framework is very similar to Article 83 GDPR and the Dutch DPA guidelines on administrative fines. Relevant factors that will need to be taken into consideration are the nature, gravity and duration of the infringements, the number of data subjects involved, any intentional or negligent character of the infringement, and whether any actions were taken to mitigate the damages suffered. Based on this decision, it appears that any unlawful sharing of sensitive data will likely result in a valid claim for compensation of damages.