Press play to listen to this article
Never spam a German lawyer.
That’s the moral of a story that starts with a spam email, and could end up opening the floodgates to billions of euros worth of compensation claims under the EU’s data protection rulebook.
It all started when a lawyer from Harz, in Germany’s highlands, sued a company over an unwanted marketing email in 2018. While a local court ordered the company to stop emailing him in 2019, the lawyer appealed the ruling, demanding compensation.
Now, a ruling from the Federal Constitutional Court has sent the case back to local judges, with an important message: It’s not for you to decide whether the violation should be compensated. That’s a question for EU law.
The decision means that lawyers at the Court of Justice of the European Union will soon have to consider at what point a violation of Europe’s strict privacy code, the General Data Protection Regulation, should lead to compensation. And that’s because either the local court will refer the case to the Luxembourg court, or another case will make it there before that because it will butt up against the same question which Germany’s constitutional court has said is a matter for the bloc’s top court to consider.
“That’s a highly relevant question,” said Tim Wybitul, a German lawyer at Latham & Watkins who has defended companies against thousands of data protection claims.
Currently, judges dismiss many claims for compensation because plaintiffs can’t prove they’ve been harmed by the violation. But that could be about to change.
“If the European Court of Justice should rule that also insignificant harm needs to be compensated, this is going to generate a huge business model for plaintiff lawyers,” Wybitul said.
A ruling from the EU’s top court that any violation of the GDPR requires compensation would open the lawsuit floodgates.
“This is a multibillion euro question coming up, because it would affect so many cases,” said Thomas Bindl, of the Europäische Gesellschaft für Datenschutz, a group that has launched several data protection claims, including against Amazon, Mastercard and Marriott.
The coming wave
Momentum could be in claimants’ favor.
Before 2018, many EU jurisdictions did not allow people to claim compensation for data protection violations that did not harm them financially. The GDPR changed that.
The EU also finalized a new law called the Collective Redress Directive, which will boost the ability of consumers to bring data protection claims to court.
For data protection specifically there have been encouraging outcomes from courts across Europe.
Last year, a German court awarded a claimant €5,000 because their former employer responded late to a data request. In Austria, a judge sentenced a company to pay €500 in compensation for similar reasons, while in the Netherlands, courts have ordered organizations to pay people for data protection violations too.
Data breach claims have also become de rigueur across the Channel, where a London court last year ruled that a case against Google tracking iPhone users could proceed, overturning a lower court’s decision and potentially widening the scope of claims that can be brought under data protection rules.
Data watchdogs have thrown their backing behind a lower threshold for payouts too. Dutch privacy regulator Aleid Wolfsen wrote last month: “compensation should be the rule, not the exception” in data protection violations.
“The good news is that the GDPR states that the organization responsible must compensate for all material and non-material damage in the event of violations. There is generally little discussion when there is material damage. Loss or lost profit suffered is usually relatively easy to determine,” Wolfson wrote.
“In the case of non-material damage,” he added, “you generally also have to prove that there is a situation in which there is a right to compensation,” which was harder to do.
And while the impact of the spam email case is currently limited to Germany, it could be a harbinger of what is to come across the bloc — especially when the EU’s top judges consider the questions thrown up by the case.
“The German Constitutional Court ruling doesn’t have direct impact on other EU member states,” said Wybitul, but added that “it’s not unlikely” that courts elsewhere in Europe will reach similar conclusions.
“In a nutshell, the decision can make life for plaintiffs and the lawyers easier. It makes it harder for German judges to turn down claims solely on the basis that the immaterial damage allegedly suffered by the plaintiff is insignificant,” Wybitul said.
Want more analysis from POLITICO? POLITICO Pro is our premium intelligence service for professionals. From financial services to trade, technology, cybersecurity and more, Pro delivers real time intelligence, deep insight and breaking scoops you need to keep one step ahead. Email [email protected] to request a complimentary trial.