Job application data breach: ECJ allows compensation for worries and annoyance
After a data breach by a bank: According to the ECJ, an applicant has a right to compensation in the event of a data leak even without concrete material damage.
On Thursday, the European Court of Justice (ECJ) once again clarified its case law on compensation for damages based on the General Data Protection Regulation (GDPR). Accordingly, a jobseeker is in principle entitled to compensation and damages in the event of a data protection breach by a potential employer, even if they cannot prove any material damage. Negative feelings triggered by the breach can be sufficient.
Background to the case: An applicant who had applied to the Berlin-based Quirin Private Bank via an online career network received an unexpected notification. The trigger: An employee of the financial institution had sent a confidential message, meant for the job seeker, via the network's messenger service to a third person whom the applicant knew. The message contained confidential information about the applicant's salary negotiations, in particular the rejection of his salary expectations and a new salary offer. It was not actually intended for outsiders.
The third party, a former colleague of the applicant, forwarded the message to him to find out if he was seeking employment. The jobseeker then filed a lawsuit against Quirin Bank. He demanded that the bank stop processing his application data in order to prevent further unauthorized disclosures. He also demanded compensation for the non-material damage he had suffered.
According to him, this damage arose because he was concerned that the confidential information could be passed on by the third party from the industry to former or potential employers. The applicant also feared a competitive disadvantage and felt humiliated by the disclosure of his failed salary negotiations. The Federal Court of Justice (Bundesgerichtshof, BGH) referred the case to the ECJ to clarify questions relating to the GDPR.
Perceived loss of control applies
The Luxembourg judges have now ruled in their judgment in case C-655/23 announced on Thursday: Negative feelings such as worry, anger, or the impression of loss of control over one's own data can constitute non-material damage. Financial compensation is possible if the plaintiff can prove that they actually experienced these negative feelings.
According to the ECJ, the amount of compensation may not take into account how serious the bank's fault was. Reckless negligence is therefore also sufficient. Furthermore, according to the ruling, the compensation for pain and suffering may not be reduced or replaced simply because the plaintiff has obtained a court order that the bank must refrain from the infringement in the future.
GDPR claims for damages are likely to increase
The court also stated that there is no specific legal right under EU law to prevent a repetition of the data leak in court if the plaintiff does not demand the deletion of their data. Nevertheless, member states such as Germany can provide for such injunctions in their national law. The explicit denial of a European right to injunctive relief under data protection law comes as a surprise to economics professor Alexander Golland, as the ECJ had still affirmed such a right in several Google rulings in 2014 and 2019.
Until now, it was not entirely clear whether purely immaterial damage without concrete financial or physical disadvantages was sufficient for a claim. The ECJ has now emphasized that precisely this type of disadvantage can give rise to a claim for compensation. The ruling thus further lowers the hurdle for those affected to assert claims for compensation. It is sufficient to prove that the infringement caused major concern or distress.
The ECJ previously ruled in 2023: The mere fact that, following a cyberattack on companies or public authorities, a data subject fears that his or her personal data could be misused by third parties as a result of a breach of the GDPR constitutes non-material damage. The Court previously confirmed that the GDPR does not specify a materiality threshold for damages and that broad claims are possible. In 2024, the ECJ clarified that a data protection breach is in principle no less serious than a personal injury.
(kbe)