In 2017 a Dutch citizen filed a data subject access request with the municipality of Deventer. In its response to the SAR the municipality did not inform the claimant that it had shared his name and residence with a number of other municipalities. The claimant argued that the failure to disclose this information violated his fundamental rights under the GDPR. In May 2019, the lower court of Overijssel agreed and ordered the municipality to pay EUR 500 in damages to the plaintiff. This was one of the first GDPR cases to award damages to a data subject for a privacy violation.
The municipality appealed the court’s decision to the Dutch Council of State (RvS), the highest administrative court in the Netherlands. The municipality argued that the mere violation of a fundamental right does not automatically result in damages to a data subject, and that damages should not be awarded in this case because the claimant did not provide evidence that the damages were actually suffered.
The claimant, on the other hand, used the appeal to argue that the damages of EUR 500 were not a sufficient deterrent to prevent future unlawful processing of personal data, and requested an increase of the damages to EUR 7,500.
In line with Article 6:106 (1)(b) Dutch Civil Code, the burden of proof is on the claimant to demonstrate that he suffered damages, which can be particularly challenging in privacy cases. The RvS overturned the court's decision and ruled that the claimant did not demonstrate he had suffered damages. The court's decision to require the payment of EUR 500 in damages was therefore unjustified.
The RvS noted that the GDPR does not describe how non-material damages should be calculated, and absent specific EU law, this remains a matter of national law. The RvS added that the European Court of Justice (ECJ) has not ruled on the compensation for damages or non-material damages related to privacy violations. With reference to settled case law of the ECJ, the RvS reiterated that the damages for which compensation is sought must be actual and certain. The general principle that damages must be substantiated also applies to privacy: a breach of the GDPR does not automatically result in harm to the integrity of a person and thus does not justify compensation for damages.
Consequently, the RvS ruled that the plaintiff did not demonstrate that the violation by the municipality resulted in damages or in impairment of his honour, integrity or reputation, or that it had detrimental effects or adverse consequences. The RvS also ruled that sharing of name and residency with other municipalities does not qualify as serious culpable behavior with such detrimental consequences that it would result in an infringement of a fundamental right. Finally, the RvS noted that the officials and municipalities who received the data did so in their professional functions, and that there was no indication that the municipalities misused the plaintiff’s data.
Why this matters:
The court’s 2019 decision was one of the first cases to award civil damages for a GDPR violation in the Netherlands and opened the door to civil privacy lawsuits. In this case, the RvS overturned the decision to award damages and reaffirmed that the bar to demonstrate damages in privacy litigation is high, but not unattainable. The mere violation of a fundamental right is not sufficient to claim damages. Claimants are required to provide sufficient evidence to demonstrate that they suffered damages. The mere sharing of a person’s name and city of residence with other municipalities does not meet this bar. Sharing sensitive medical data of a person without that person’s consent, however, would meet this bar, as the RvS confirmed in a different case, issued on the same date.
This case, and the three other cases, provide a clear and well-defined framework for establishing when damages are in order. Moreover, the RvS confirms that the ability to receive compensation for material and non-material damages in Article 82 and Recitals 75, 85 and 146 GDPR remains subject to national law.