CA-2024-000578 - [2025] EWCA Civ 1117

In a series of decisions of 2023 and 2024 the CJEU has consistently held that it is impermissible for the domestic courts of EU countries to require proof that the damage suffered reaches a minimum degree of seriousness.

In UI v Österreichische Post AG, Case C-300/21, [2023] 1 WLR 3702, the data subject complained of the use of an algorithm which relied on various social and demographic criteria to infer that the data subject had a high degree of affinity with a certain political party. There had been no communication of the subject’s personal data but he felt offended and claimed compensation against the data processor for “upset, loss of confidence and public exposure”. The domestic court rejected the claim on the basis that domestic law required the damage suffered to reach a certain level of seriousness. On a reference by the Austrian Supreme Court the Advocate-General advised (at [112]) that Article 82 was not a suitable vehicle for countering infringements which only caused “annoyance or upset” . He proposed (at [117]) that the court should hold as follows:

“The compensation for non-material damage provided for in the Regulation does not cover mere upset which the person concerned may feel as a result of the infringement. It is for the national courts to determine when ... a subjective feeling of displeasure may be deemed, in each case, to be non-material damage.”

The CJEU took a different approach. It made clear (at [32]) that the existence of damage which has been suffered is one of the preconditions to that right to compensation; and (at [42]) that mere infringement is therefore not enough to confer such a right; but (at [44]) that the concept of “non-material damage” must be given an autonomous definition in EU law, independent of the domestic law of member states; and (at [51]) that this definition cannot permit the imposition of a threshold of seriousness:

“article 82(1) of the GDPR must be interpreted as precluding a national rule or practice which makes compensation for non-material damage, within the meaning of that provision, subject to a condition that the damage suffered by the data subject had reached a certain degree of seriousness”.

VB v Natsionalna agentsia za prihodite, Case C-340/21, [2024] 1 WLR 2559 arose from a cyber-attack on the Bulgarian National Revenue Agency which resulted in the personal data of six million people being published on the internet. One of these sought compensation for non-material damage in the form of fear that her personal data might be misused, or that she might be blackmailed, assaulted or kidnapped. Her claim was dismissed by the domestic court. On a reference from the domestic appellate court the CJEU confirmed that the claim was not wrong in principle, and (at [78]) reiterated and endorsed the proposition at [51] of the UI case.

VX v Gemeinde Ummendorf, Case C-456/22 (EU:C:2023:988) related to a German municipality which had published on the internet the agenda of a council meeting containing the names and addresses of the applicants. One of the questions referred to the CJEU was whether Article 82 contained a de minimis threshold. The court recalled (at [16]) its decision on that point in the UI case and (at [18]) affirmed in terms that Article 82 “does not require that, following a proven infringement ... the ‘non-material damage’ alleged by the data subject must reach a ‘de minimis threshold’ in order for that damage to be capable of compensation.”

In BL v MediaMarktSaturn Hagen-Iserlohn GmbH Case C-687/21, [2024] 1 WLR 2597 the claimant went to the data controller’s shop and bought an electrical appliance. Another customer who had jumped the queue was mistakenly given the appliance and related documents. The documents contained personal data, including the claimant’s full name and address, his employer’s name and his income and bank details. Within half an hour the documents had been returned to the data subject without the other customer becoming aware that he had been in possession of the personal data. A claim for compensation for non-material damage was stayed by the domestic court pending a reference to the CJEU. The court was asked, among other things, whether a person claiming compensation under Article 82 is required to establish that the infringement led to non-material or material damage. Unsurprisingly, the court’s answer was affirmative. In reaching that answer the court (at [59]) again reiterated with approval the proposition in paragraph [51] of the UI case.

The principle enunciated in this line of decisions would seem to rule out not only the respondent’s contention that “distress” is an essential ingredient of a viable claim but also the respondent’s alternative submission that the appellants’ claims should be dismissed as falling short of a threshold of seriousness.

Mr Sharland did not dispute this but made three main submissions in response. First, he said that this CJEU jurisprudence all post-dates IP Completion Day and is thus non-binding. Secondly, he submitted that domestic authority binds us to conclude that data protection law in England and Wales does include a threshold of seriousness. He relied on the Supreme Court’s decision in Lloyd v Google and the decision of this court in Prismall v Google UK Ltd [2024] EWCA Civ 1516, [2025] 2 WLR 1224. Thirdly, and in the alternative to his second submission, Mr Sharland invited us to depart from the CJEU jurisprudence. He said that we are not required to follow post-completion-date decisions which appear to be flawed or inconsistent (Tower Bridge GP v HMRC [2022] EWCA Civ 998, [2023] 1 CMLR 16 [119] (Lewison LJ)). He submitted that the CJEU’s reasoning was flawed; that the reasoning of the Advocate-General in the UI case was to be preferred; that if the domestic authorities are not binding they (and a number of first instance decisions he also cited) are nonetheless persuasive; and that the imposition of a threshold of seriousness would serve the beneficial aims of eliminating trivial claims and achieving coherence in the law.

Mr Sharland’s first submission is clearly correct: we are not bound by the CJEU decisions I have cited. But I do not accept Mr Sharland’s submissions about the effect of the domestic authorities. Nor do I agree that we should choose to depart from the CJEU jurisprudence.

The first point to make about Lloyd v Google is that the case was concerned with the interpretation and application of the provisions of s 13 of the 1998 Act the language of which provided for awards of compensation for “damage” or “distress”. The GDPR was not in issue and was specifically excluded from the court’s analysis: see the judgment of Lord Leggatt (with whom the other Justices agreed) at [16]. Secondly, no issue arose as to whether a person claiming compensation for non-material damage must prove that the damage crossed a threshold of seriousness. The claimants did not allege any material damage nor any distress. Their contention was that pursuant to s 13 “an individual is entitled to compensation for any non-trivial contravention of [the 1998 Act] without the need to prove that the individual suffered any financial loss or distress”: [88]. The argument was that so long as the contravention was serious enough to count as “non-trivial” the mere fact that it resulted in a “loss of control” was enough to merit compensation, which could be awarded at a standard minimum rate. Accordingly, a representative action could be brought successfully without the need for individualised proof of damage or distress. The court’s decision was that this is wrong; on a true construction of the statute it was necessary for each claimant to prove not only infringement but also that this caused some material loss or distress to them; there was no right to compensation for the “loss of control” complained of which, on a proper analysis, was one and the same as the fact of breach. All of this is clear from the headnote and the body of Lord Leggatt’s judgment: see in particular, paragraphs [105]-[107], [115], [143].

The passages of the judgment on which the respondent relies are in paragraph [153]. That paragraph includes a reference to a “threshold of seriousness” and an assertion that it is “impossible to characterise such damage as more than trivial”. But those words must be read in their context. They appear in a section of the judgment in which Lord Leggatt, having rejected the claimants’ primary case that individualised proof of damage was unnecessary, addressed a separate issue namely, “The need for individualised evidence of misuse” (emphasis added). In this part of the judgment (at [144]-[157]) Lord Leggatt identified a further reason why the representative claimant’s attempt to recover damages under s 13 by means of a representative action could not succeed. This was that

“Even if (contrary to my conclusion) it were unnecessary in order to recover compensation under this provision to show that an individual has suffered material damage or distress as a result of unlawful processing of his or her personal data, it would still be necessary for this purpose to establish the extent of the unlawful processing in his or her case”.

Lord Leggatt reasoned that “on the claimant’s own case” there could be no compensation unless the infringement crossed a threshold of seriousness (that is, that it was “non-trivial”); yet on analysis the claimant was attempting to recover damages on behalf of millions of individuals without proving that this threshold was crossed in any individual case. The passage relied on is thus both obiter and not in point for present purposes.

It is not arguable that Prismall binds us to conclude that English data protection law incorporates a threshold of seriousness. Prismall was a representative action for damages for misuse of private information. In the passages relied on the court did no more than summarise features of the facts and reasoning in Lloyd v Google, so far as they were relevant to the issues in dispute in the case before the court. None of those issues called for, or resulted in, a decision on the threshold of seriousness in data protection law. I therefore reject the submission that the domestic cases dictate the answer to the legal issue raised by the respondent.

The other domestic cases relied on are Rolfe v Veale Wasbrough Vizards Ltd [2021] EWHC 2809 (QB), Johnson v Eastlight Community Homes [2021] EWHC 3069 (QB), and Driver v Crown Prosecution Service [2022] EWHC 2500 (KB). These do not assist the respondent. They are all first instance decisions, two by High Court Masters and one by a High Court Judge. One of them does not address at all the question of a threshold of seriousness. All of them ante-date the CJEU cases I have cited. They do not even assist on the facts. In Johnson the claim was deemed to be of very low value yet survived a strike-out application and was transferred to the County Court. In Driver the claim went to trial before Julian Knowles J who found that the claimant had suffered only “a very modest degree of distress” yet made an award of £250.

That brings me to the question of whether we should choose to plot a different course from the one taken by the CJEU. That is open to the UK as a political choice and a legislative option. But a judicial decision to do so would call for sufficiently compelling legal reasons. In that context I think it right to attach some weight to the fact that the GDPR is an international legal instrument which had direct effect in this jurisdiction at the material time. Further, its domestic successor, the UK GDPR, is post-Brexit legislation in which Parliament decided to adopt the identical language, so far as material to this case. Self-evidently, divergent interpretations of the same legislative text tend to undermine legal certainty. It seems to me that, other things being equal, it makes good legal sense for the court to interpret and apply the GDPR in conformity with settled CJEU jurisprudence.

A threshold of seriousness clearly does exist in the law of misuse of private information. There is ample authority for that proposition, which is rooted in the Strasbourg jurisprudence under Article 8 of the Convention. But I do not find this a persuasive reason for introducing such a threshold in the context of the separate and distinct legal regime for the protection of personal data. One of the arguments advanced in Lloyd v Google was that compensation for loss of control should be available under s 13 of the 1998 Act because it is available in misuse of private information and the two torts share a “common source” in the fundamental right to privacy guaranteed by Article 8. The Supreme Court rejected that argument as flawed. At [124] Lord Leggatt explained that it did not follow from the fact that the two legal regimes aimed at a general level to provide protection for the same fundamental value “that they must do so in the same way or to the same extent or by affording identical remedies”.

This seems to me to apply with equal force to the question I am now considering. Data protection law has an international dimension, and covers a much wider field than the domestic tort of misuse of private information. There is no inherent reason why the contours of these different wrongs should be identical. More generally, whilst I agree that it is a good thing for the law to be coherent the mere fact that differences exist between the ingredients of individual torts is not proof of incoherence.

I can see that the CJEU might have taken a different line. The reasoning of the Advocate-General in the UI case has some attractions. He said, among other things, that “compensation arising as a result of a mere feeling of displeasure ... is easily confused with compensation without damage, which has already been ruled out” ([113]); that “the inclusion of mere upset in the category of non-material damage eligible for compensation is not efficient” ([114]); that “refusal of the right to compensation for vague, fleeting feelings or emotions ... does not leave the data subject without any protection at all” ([115]); and that there is “a fine line between mere upset (which is not eligible for compensation) and genuine non-material damage...” ([116]). Some support for a threshold of seriousness might have been found in the language of Recital (85), quoted above, which speaks of “significant economic or social disadvantage” (emphasis added).

However, the CJEU, having considered the arguments of the Advocate-General, decided to answer the question that had been referred in a different way. Its reasons were, in summary, that Article 82 contains no reference to a threshold of seriousness; that Recital (146) tends to indicate that there is not and should not be such a threshold; and that the imposition of a threshold to be applied by domestic courts would undermine the level of protection afforded to natural persons, and risk incoherence in the application of the GDPR: see [44]-[49]. That same reasoning has been reflected or adopted in the subsequent cases. The reasoning is logical and sufficient. I am not persuaded that the approach of the CJEU is fundamentally flawed. Importantly, I think the significance of the passages cited has been overstated. Those passages focus on the question of whether a claimant alleging non-material harm must establish that the harm reached a certain degree of seriousness. The decisions unequivocally reject that proposition. The respondent has treated that as tantamount to a conclusion that compensation is always recoverable under Article 82 for any negative emotional response to an infringement, however transient and minimal the data subject’s displeasure might have been. But the court’s reasoning does not go that far. And the cases show that there is a separate and prior issue, namely whether the consequences alleged by the data subject qualify as “non-material damage” within the meaning of Article 82. The court has addressed the interpretation of that term in some limited but important respects.

The general principle was stated in UI at [50]:

“The fact remains that the interpretation thus adopted cannot be understood as meaning that a person concerned by an infringement of the GDPR which had negative consequences for him or her would be relieved of the need to demonstrate that those consequences constitute non-material damage within the meaning of article 82 of that Regulation.”

In VX at [21]-[22] the court reiterated the point, emphasising that mere infringement is not sufficient to confer a right to compensation; damage within the meaning of Article 82 must be proved.

In VB the court was asked to interpret the notion of “non-material damage”. The specific question was, in essence, whether Article 82 must be interpreted as meaning that the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of the GDPR was “capable in itself, of constituting ‘non-material damage’”. The answer was in the affirmative. Having reiterated that the imposition of a threshold of seriousness was impermissible, the court went on to hold that the GDPR “does not rule out the possibility” that the concept of non-material damage encompasses the fear that the data subject’s personal data will be misused by third parties. But the court added these qualifications:

“84.

However, it must be pointed out that a person concerned by an infringement of the GDPR which had negative consequences for him or her is required to demonstrate that those consequences constitute non-material damage within the meaning of article 82 of that Regulation (see Österreichische Post, para 50).

85.

In particular, where a person claiming compensation on that basis relies on the fear that his or her personal data will be misused in the future owing to the existence of such an infringement, the national court seised must verify that that fear can be regarded as well founded, in the specific circumstances at issue and with regard to the data subject.”

In BL the court took this line of thinking a step further. The question posed by the referring court was, in essence whether “if a document containing personal data was provided to an unauthorised person, and it was established that the unauthorised third party did not become aware of those personal data, ‘non-material damage’ is likely to consist of the mere fact that the person concerned fears that, following that communication which made it possible to make a copy of that document before returning it, a dissemination, even abuse, of those data may occur in the future”: [62]. Building on VB, the court affirmed (at [67]) that Article 82 encompasses a situation in which “the data subject experiences the well-founded fear, which is for the national court to determine, that some of his or her personal data be subject to dissemination or misuse by third parties in the future, on account of the fact that a document containing those data was provided to an unauthorised third party who was afforded the opportunity to take copies before returning it.” But the court added this qualification:

“68.

However, the fact remains that it is for the applicant in an action for compensation under article 82 of the GDPR to demonstrate the existence of such damage. In particular, a purely hypothetical risk of misuse by an unauthorised third party cannot give rise to compensation. This is so where no third party became aware of the personal data at issue.

69..... ‘non-material’ damage, within the meaning of that provision, does not exist due to the mere fact that the data subject fears that, following that communication having made possible to the making of a copy of that document before its recovery, a dissemination, even abuse, of those data may occur in the future.”

These cases seem to me to provide a touchstone by which most if not all of the remaining issues in this case can be fairly resolved. I would put it this way: in principle a claimant can recover compensation for fear of the consequences of an infringement if the alleged fear is objectively well-founded but not if the fear is (for instance) purely hypothetical or speculative.

In all these circumstances I do not see any sufficiently weighty reason for departing on this appeal from the settled CJEU jurisprudence on the threshold of seriousness issue. It follows that there is no need to consider whether the individual claims would cross such a threshold.