Amsterdam-based Wouter Seinen of Pinsent Masons, the law firm behind Out-Law, was commenting after a regional court in the Netherlands rejected claims for damages lodged against property platform NederWoon Verhuurmakelaars.
Lawyers raised the claims for damages on behalf of an anonymous house hunter. The house hunter had been notified by NederWoon that their data may have been compromised following a hack on its computer systems in May 2019. The hacker was subsequently convicted of a computer hacking offence following a criminal investigation.
The lawyers acting on behalf of the house hunter asked Gelderland district court to find NederWoon responsible for a breach of the right to privacy and the right to protection of personal data and/or failings in relation to rules on data processing and data security under the General Data Protection Regulation. They also asked the court to order Nederwoon to pay the house hunter €500 in damages or an alternative amount of compensation for the alleged damage suffered – the price value of which would have been determined in separate proceedings.
However, the court dismissed the claims. It found that the claims of damage and distress allegedly experienced by the house hunter following the hacking incident had not been substantiated.
The court said: “The mere assertion that there has been talk of ‘distress’ is insufficient if no substantiation is given showing that [plaintiff] has suffered from this in concrete terms or how this ‘distress’ has manifested itself with him. It has not become evident that [plaintiff], for instance, immediately after receiving the letter from NederWoon asked questions or showed his concern in any other way. Other expressions of distress have also not been made or shown.”
“Other than in the examples from case law mentioned by [plaintiff] in which compensation for immaterial damage has been awarded, it has not been shown that actual abuse was made of the data involved in the hack. On the contrary, it appears from the criminal judgment, as NederWoon also argues, that the hacker had not (yet) sold or transferred the personal data to third parties, while all data carriers that were seized were withdrawn from circulation, so that there is no chance that the data will end up in the wrong hands,” it said.
Wouter Seinen of Pinsent Masons said that the judgment, though from a court in the lowest tier of the Dutch civil judicial system, reflects the conservative approach of the Dutch courts in respect of awarding monetary damages to individuals for loss of control or loss of confidentiality of their data.
“Dutch courts are reluctant to award non-material damages for breach of personal data protection,” Seinen said. “Individuals must be able to demonstrate and prove what damages the precisely suffered as a result of the breach, regardless how serious that breach was. This doctrine will play an important role in recent class action claims raised in other cases that are pending before the Dutch courts.”
A data protection claim brought against Chinese social media app TikTok lodged before a court in Amsterdam by The Market Information Research Foundation (SOMI), is reportedly valued at €1.4 billion in total. More than 64,000 parents across Europe have reportedly paid a fee to participate in SOMI’s claim, which is centred on concerns about the processing of children’s data and the targeting of adverts to children.
Earlier this year, Germany’s Federal Constitutional Court ruled that the EU’s highest court, the Court of Justice of the EU (CJEU), should be asked to clarify when a claim for damages is recognised under Article 82 of the General Data Protection Regulation (GDPR) and when damage is to be assumed.
Article 82 provides a right to compensation for any person who has suffered material or non-material damage as a result of an infringement of the GDPR. Both controllers and processors can be pursued for the compensation, though there are limits on what the processor can be held responsible for. In addition, both controllers and processors have a defence to compensation claims if they can prove they are “not in any way responsible for the event giving rise to the damage”. Where a controller or processor is ordered to make a full compensation payment, it is open to them to seek to claim back all or a portion of the value paid from other controllers or processors involved that may have been wholly or partially responsible for the breach.
According to the German Federal Constitutional Court, the law on claims for financial compensation “has not been exhaustively clarified” in CJEU case law. It also said that the individual requirements to be satisfied in the context of compensation claims deriving from data protection failings specifically cannot “be determined directly from the GDPR” either, adding that there is still “room for reasonable doubt” as to when damage should be assumed. “This is all the more true as Article 82 of the GDPR expressly includes non-material damages,” it said.