Fresh GDPR ruling says even 'minor anxiety' could mean payouts for EU folks

A major decision on GDPR compensation rights handed down today includes what looks like a nasty surprise for many businesses: there is no threshold that non-material damage needs to pass before data subjects can make a claim. As we explained yesterday, "non-material" loss or damage means it didn't directly cost you any money, …

  1. The Mole

    So they don't want to set a minimum level of seriousness before a claim is made as that may fluctuate by judge.

    However the amount of compensation you may get is completely up to and may fluctuate by judge.

    The only winners are going to be lawyers (but that's generally a given)

    1. UCAP Silver badge

      The lawyers are always the only winners.

    2. Woodnag

      Winners?

      It's not about winners. It's about making sure that companies like FB that flout GDPR can be penalised for privacy violations under GDPR. Without rulings like this, GDPR is toothless.

      1. Anonymous Coward

        Re: Winners?

        But there will be losers - the organisations that try to comply with the law and now have to take even stricter (and costlier) measures to ensure they don't get caught out (perhaps through no direct fault of their own) - but who will end up in court through actions of a third party they didn't anticipate.

        Even if a court rules in their favour, or administers a token punishment, a low threshold for prosecution means unnecessary cost to them (and profit to lawyers). Prosecution lawyers may work pro-bono, in return for a share of any award, defence lawyers rarely have such an incentive.

        As said in a previous post, hell is EU law and US courts.

        Laws based on ideologies (political or otherwise) usually end up penalising the law abiding more than the law-breakers.

        1. heyrick Silver badge

          Re: Winners?

          "that try to comply with the law"

          So many MANY MANY times companies have asked me for information claiming it was somehow necessary, and I've been wondering why they think they need that.

          Maybe this ruling will concentrate business minds into only asking for information that they actually require, and not just bung in a bunch of other things "just in case", and in the case of the original complaint, stop harvesting partial information of dubious validity and making up shit from it. If the information is garbage, so too would be any conclusions drawn.

          Therefore I think the best way to comply with the law is to understand that the data free for all is over. Now I've should be asking "why do I need to know this". If you don't, don't ask.

  2. alain williams Silver badge

    Anxiety & upset are very subjective

    What to one person is reasonable another could claim makes them anxious and/or upset. The result will be a minefield even for websites & businesses that are trying to do the right thing. This could be a gift for those who have a beef with an entity and so make claims of anxiety/upset; even if the result is that they were acting correctly the costs in the determination could be huge.

    Do not get me wrong: I am not defending those who abuse privacy, etc, but am concerned that a lack of objectivity could cause mayhem.

    I suppose that we will have to wait for the courts to make judgements that can provide clarity ... except that these will differ in different jurisdictions.

    The lawyers must be rubbing their hands in anticipation ...

    1. Anonymous Coward

      Re: Anxiety & upset are very subjective

      Crazy idea here: maybe businesses should start looking at what's required of them under the GDPR and related local privacy regulations?

      Because right now, it seems the general MO is to pretend they don't exist, or if they do, don't apply to them and act all surprised when told they actually do.

      I'm an employee representative and in the process of getting my employer, the French branch of a US company, to respect the law.

      The answer I got so far? "The laws are so complicated, you can't really expect us to respect them". Really.

      1. Potemkine! Silver badge

        Re: Anxiety & upset are very subjective

        "The laws are so complicated, you can't really expect us to respect them". Really.

        Tell that to the CNIL, it will be delighted.

    2. LybsterRoy Silver badge

      Re: Anxiety & upset are very subjective

      and don't forget the professional offence takers who will be offended/anxious on your behalf. I predict masses of class actions or their equivalent.

      1. heyrick Silver badge

        Re: Anxiety & upset are very subjective

        The GDPR doesn't cover whether or not a website made your blood boil. You need to wait for a leak of personal information and that could cause you massive distress, irreparable harm, blah blah. But simply being angry about something isn't enough.

  3. Khaptain Silver badge

    If such is the case then the majority of all the major Social Media sites will simply have to be pulled off the Internet immediately.

    "Minor Anxiety" within a certain community of very sensitive people happens every time they read their Facebook pages, watch YT or even glance at Twitter.

    I don't see how such a law is not a complete contradiction to all of the Social Media industry's goals: i.e. that of thriving on scandal, shock and horror.

    1. UCAP Silver badge

      If such is the case then the majority of all the major Social Media sites will simply have to be pulled off the Internet immediately.

      Is that such a bad thing?

    2. Anonymous Coward

      Not everything hurtful counts.

      This only applies if there's a breach of GDPR that leads to non-material damage.

      The easy way to avoid this is not to breach GDPR.

      1. Doctor Syntax Silver badge

        Re: Not everything hurtful counts.

        Not so easy if your entire business plan is to breach GDPR.

        Oh, goody.

      2. LybsterRoy Silver badge

        Re: Not everything hurtful counts.

        Ever heard of function creep? The more you lower the bar the more will jump over it, even if they have to make a major detour to get there.

    3. Anonymous Coward

      I don't see what GDPR has to do with what people post on social media. That would be like having a go at your email provider when you receive a nasty email. GDPR is about obligation by business around personal data not what some clown posts on social media. Unless you are thinking that someone posting someone's personal data on social media becomes a data issue for the company but again that would be the same with email if it was sent to multiple recipients. Social media also allows you to report and take down. It would be difficult to hold them accountable.

      1. Anonymous Coward

        I think the issue with social media is not so much what people willingly put on there but the amount of data that they obtain about others from having access to their members' devices (with the contact list being the holy grail).

        Even if you don't have an account with social media sites and actively block any interaction with them, social media sites still probably have a ghost profile of you with your name, telephone No and a partial circle of friends / acquaintances, and depending on info held in other people's contact lists may also know your email addresses, job, work and home addresses.

        1. Anonymous Coward

          I agree on that but it wasn't the original post's intention. That's how I read it.

      2. Cynical Pie

        It's also defined DP precedent (https://curia.europa.eu/juris/document/document.jsf?docid=48382&doclang=EN) that once data is posted on Social Media it is no longer for personal use and so the personal use exemption no longer applies.

        It's a ruling issued under the previous legislation but the precedent is still the way 'personal use' is interpreted by DP bods.

        The onus doesn't lie on the platform, it lies with the person posting - they would be the ones subject to GDPR.

  4. Potemkine! Silver badge

    This in turn could open the way for not only frivolous or vexatious claims, but also large class actions in the event of, for example, a data breach.

    That doesn't sound like bad news, on the contrary. If there are serious consequences, companies will begin to take cybersecurity seriously, and will allocate the appropriate means to do it.

    1. Paul Crawford Silver badge

      I wish I could up-vote this more!

      Avoiding GDPR trouble could be a lot easier if companies only kept data they really, really need, and also took security seriously.

      Before a breach that results in the PR bullshit about doing so...

    2. M.V. Lipvig Silver badge

      Nah, the only solution to that is "your company has a breach, the CEO goes to jail."

  5. Barrie Shepherd

    Bring back the 'Man on the Clapham Omnibus' to decide what is upsetting/worrying/frightening - lest the Karens take over completely.

    1. TheMaskedMan Silver badge

      "Bring back the 'Man on the Clapham Omnibus' to decide what is upsetting/worrying/frightening"

      Absolutely. Though doubtless well intentioned, any ruling that sets no threshold opens the door for vexatious claims. People absolutely will purport to have been upset / distressed / whatever, even when their first and only thought was Aha! A minor technical breach - pass me the claim form!

      Indeed, there will be some folks already looking to make spurious claims just on the offchance that they might make it stick. Vexatious litigants are real, and are very hard to stop.

      None of which is to suggest that companies should not comply with the law, or that they shouldn't have to cough up when they don't. They absolutely should. But it's also necessary to take "career litigants" into account; often litigants in person with few if any assets, they have the time to bring the claim themselves, often using fee exemptions to avoid fees, don't need to pay lawyers and can't pay their opponent's costs if they lose. It's often easier and cheaper for the respondent to simply pay them off with a settlement than defend the claim. This ruling sounds like it will be music to their ears.

      1. abend0c4 Silver badge

        The point was addressed by Schrems when he said "You can also bring a lawsuit over 5 cents". People don't do that because the cost of litigation (in both time and money) is a deterrent. The law has coped with vexatious litigants and crusaders in search of pyrrhic victories for rather longer than the existence of information technology and will continue to do so without the aid of special cases.

  6. Woodnag

    UK?

    Data privacy lawyer Kingsley Hayes, head of data and privacy litigation at Keller Postman UK, said the "ruling is good news for people seeking compensation in data breach cases, as it provides a clearer path to seeking damages for GDPR violations."

    Except GDPR doesn't apply in UK since Brexit.

    1. Doctor Syntax Silver badge

      Re: UK?

      It does. It's enacted in the current DPA. What doesn't apply is the court's ruling. Until a UK court rules on this we don't know but the article points out that there may be an existing precedent that suggests the UK courts might be less sympathetic to plaintiffs.

      1. Woodnag

        Re: UK?

        The UK is under DPA, as you say, not the GDPR.

        Sure, the DPA wording was copied across because UK was subject to GDPR before Brexit.

        But now, the UK can change what's in the DPA, and I'm sure they will to weaken citizen protections and attempt to attract FB from Ireland. And then spend 10 years pretending to the EU that the changed DPA is equivalent to GDPR...

        1. Anonymous Coward

          Re: UK?

          "The UK is under DPA, as you say, not the GDPR."

          Nope, in the UK the *UK* GDPR and UK DPA 2018 are in effect. Because of Brexit the (EU) GDPR text was slightly modified to create the UK GDPR - Keeling Schedule here: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/685632/2018-03-05_Keeling_Schedule.pdf

          The UK DPA 2018 was always designed to work in conjunction with EU/UK GDPR, not to replace it.

          Likewise the UK DPA 2018 was revised at the same time, however I can't find the "official" Keeling Schedule for that change, it appears to have disappeared from the UK Gov website. I found a *later* (2nd? 3rd) Keeling Change which has what appear to be additional proposed changes at: https://www.cliffordchance.com/content/dam/microsites/talkingtech/PDFs/2022.09.07%20-%20UK%20DPA%20Keeling%20Schedule.pdf?.html

          Likewise there appears to be a Keeling Schedule for proposed changes to PECR (the UK law that covers cookies etc): https://www.cliffordchance.com/content/dam/microsites/talkingtech/PDFs/2022.09.12%20-%20UK%20PECR%20Keeling%20Schedule.pdf?.html

  7. DS999 Silver badge

    Can I sue the EU

    For anxiety caused by infecting the entire internet with all the stupid and completely useless click throughs for cookie permissions?

    1. Doctor Syntax Silver badge

      Re: Can I sue the EU

      Did this involve a misuse of your personal information?

      1. LybsterRoy Silver badge

        Re: Can I sue the EU

        That depends on the definition of personal information. The very fact that I clicked on something and that was recorded would be regarded by some as personal information. We have gone bonkers over this.

        1. imanidiot Silver badge

          Re: Can I sue the EU

          "The very fact that I clicked on something and that was recorded would be regarded by some as personal information"

          No. You clicking on a "deny all cookies" button does NOT fall under GDPR rules and does NOT count as PII under GDPR. At the very least get your facts right before you complain about GDPR. The rules really aren't as nebulous and difficult as people make them out to be, unless you're in the business of operating right on the very edge of what may or may not be allowed and getting away with it because of "gray area". And the simple solution then is to stop doing that shit.

          1. Anonymous Coward

            Re: Can I sue the EU

            "...does NOT count as PII under GDPR. At the very least get your facts right before you complain about GDPR."

            GDPR is not about "PII" (that's basically an American term), it is about "personal data" - at the very least get your facts right ;-)

    2. Lars
      Happy

      Re: Can I sue the EU

      @DS999

      I am sure you can sue the EU and you will win and they will decide that anybody can use their cookies just the way they like not to offend you.

      Happy now.

      But I do hope we could eventually define that in the browser we use but I am not too optimistic about it.

      We are the product and changing that might be problematic.

      1. DS999 Silver badge

        Re: Can I sue the EU

        I was referring more to the fact that Google has already told us it is planning on getting rid of cookies and replacing them with something else - something that claims to protect privacy but more likely will protect Google from those attempting to preserve their privacy. So the countless thousands of man hours the EU spent on this over the years to get that established, and the countless millions of man hours of everyone else's time they've wasted with the cookie dialogs, will all be for naught when Google gets rid of cookies.

        I've been using the Cookie AutoDelete extension on Firefox for years so I can just click "accept" on those dialogs to make them go away and not care, because the moment I close the last active tab on that site all its cookies are deleted. I have a little over a dozen sites whitelisted to preserve cookies, The Register is one of the few to win that honor so I don't have to login every time I visit. Its cookies are deleted when the browser closes, which is about once a month.

        Everything else can spit cookies at me all it wants, they will only last the few minutes I have their site open. What you want "define that in the browser" already exists, at least if you are using the right extensions.

        1. Norman Nescio

          Re: Can I sue the EU

          The GDPR applies to all collection of personal data, not just cookies. If Alphabet/Google are using a magic anonymising technology, there's quite a few academics happy to show how easy it is to de-anonymise data (it's a big problem in medical study circles), and the GDPR is quite explicit:

          ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
          GDPR Article 4

          Note the bolding.

    3. storner

      Re: Can I sue the EU

      Sue the website for requiring you to hand over your personal data. Don't shoot the messenger.

    4. joepie91

      Re: Can I sue the EU

      You probably should be blaming the websites in question, not the EU. The vast majority of those nag-walls aren't even GDPR-compliant, because their sole purpose is to bully you into giving 'false consent' (which does not count as consent under the GDPR).

      A website that handles your data legitimately does not even need such a nag-wall, because legitimate purposes are already automatically allowed. The only reason these sites show you such a wall, is because they're trying to use your data for sketchy purposes.

      1. DS999 Silver badge

        Re: Can I sue the EU

        The only reason these sites show you such a wall, is because they're trying to use your data for sketchy purposes

        I'll bet most of them are doing it not because they know they are using your data for sketchy purposes, but because they aren't clear exactly where the line is / are worried some middle manager will intentionally or unintentionally step over that, so they have the dialog out of an abundance of caution.

    5. Norman Nescio

      Re: Can I sue the EU

      The stupid implementations are down to the people who want to make opting out difficult and unpopular. The idea is sound; and in fact applies to any tracking technology used, not just cookies, as tracking requires storing identifiers which are personal data. The point is, you should have 'personal sovereignty' and be requested to opt-in to any tracking, with opting out not preventing you from accessing the website. The default should be opted-out.

      Needless to say, quite a few organisations don't like these simple and clear rules, and it requires the likes of Max Schrems to fight for it.

      Don't blame the EU: blame the deliberately awful, and often illegal, implementations.

  8. Rob Fisher

    Unseen costs

    Between this and the Online Safety Bill, it bothers me that a lot of things won't get done because of fears of falling foul of regulations. Big incumbent companies can afford the lawyers. Anyone trying anything new is going to need more lawyers than engineers, and is more likely to not bother. We'll never get to see the things they might otherwise have done.

    1. M.V. Lipvig Silver badge

      Re: Unseen costs

      And you can blame big business for it. Had they not abused our privacy like the proverbial red headed stepchild, these laws would not have been necessary to begin with. And since the corps are STILL trying to beat that child by reaching around the cop with a bigger stick, it's going to take a wall of cops to put a stop to it. Or, the cop can put the CEO in prison every time the company swings at the child.

      Seriously, jail time is the only deterrent here, and I mean general population prison for C-Suite execs and not the middle management doing the actual implementation. If the top isn't forced to feel physical pain, nothing will change. Huge fines won't even hurt as even if the company is bankrupted, the C-suite gets a golden parachute worth enough to live worry-free on the French Riviera for 10 lifetimes before parachuting into another company.

  9. Zippy´s Sausage Factory
    Devil

    To be honest I'd be happy to go without compensation in most cases, provided that you require the defendant to use their BEST* endeavours (at their own cost) to track down all occurrences of the data, delete it, and provide the court with a list of every third party that they sold it to and require them to use their best endeavours to delete it as well (as well as doing the same for every person they sold the data to, and so on).

    * this has a specific meaning under English law. And no, I don't mean "all reasonable" endeavours. No, I am not Satan, nor has the Prince of Darkness ever popped round for a quick cuppa and a hob nob.

  10. Anonymous Coward

    Let me tell you about the ADA in California..

    In 1990 the Federal government signed the Americans With Disabilities Act into law. Which set the usual level of proof with civil cases like this.

    Then a few years later a bunch of (Democratic) Assembly members in Sacramento decided that the ADA was different - they passed a law which changed the normal civil litigation evidence rules so that it basically made it impossible for the plaintiff to lose an ADA case. No matter how frivolous, stupid or outright fraudulent the complaint might be. Result over the decades is a deluge of ADA cases, many tens of thousands, and not only do literally 99% of them have no merit but a good 90% plus are outright fraudulent. A shakedown of one form or another.

    Due to the way the state law is written even though it is obvious that a lawyer is filing dozens / hundreds of fraudulent ADA cases with patsy "disabled" people as the nominal plaintiff it is impossible to file a complaint with the state bar, have the lawyer disbarred, and prosecuted. I can think of one lawyer in Marin County who made millions of dollars through fraudulent ADA lawsuits over several decades. (He has now retired to Nevada.) If the lawyer had tried this type of fraud in any other area, such as insurance or workman's comp, he would have gone to jail many years ago. But with ADA cases it's impossible to prosecute lawyers who bring fraudulent lawsuits. As the law is worded and interpreted in case law in the state of California.

    Just trying to remember the last genuine ADA lawsuit in the state. Would have been about 20 years ago. The person bringing the lawsuit had a genuine grievance and the case had real merit. The rest, all fraud. Of one form or other.

    And that's what "good intentions", bad decisions by lower court judges, and a badly drafted law gets you. Just like with GDPR.
