Liability for nonmaterial damage under the GDPR: Approaches of EU, UK courts

The European General Court's 8 Jan. decision in Case T‑354/22, Thomas Bindl v. European Commission, confirms the EU approach to nonmaterial damage in data breach cases, as set out in Case C‑300/21, UI v. Österreichische Post. Nonmaterial damage is a wide concept and, when it is found that nonmaterial damage has been suffered, the damage simply must be "real and certain," as opposed to hypothetical and indeterminate, and damages will follow, whatever the infringement's level of seriousness.

While Bindl lost on some grounds, he won in respect of his claim that, through a link on a European Commission website, which necessitated him using his Facebook account details, his personal data had been transferred to the U.S., which was not considered to have an adequate level of data protection. He was awarded 400 euros in damages and half his legal costs.

According to the judgment, Bindl claimed nonmaterial damage rather than material loss on the basis that his data was sent to the U.S., which gave rise to a risk of access by the U.S. security and intelligence services, and therefore he was deprived of his rights and freedoms and prevented from exercising control over his data. In other words, on the face of the decision, he was claiming damages for pure loss of control and not for distress.