Can a claimant claim damages in respect of a data breach for the mere loss of control over the personal data in question? Does a claimant have to prove an actual loss of control, and should damages be restricted only in circumstances where that has been proved and the claimant also suffers distress?
In recent times, a range of decisions have emerged from Europe which recognise and reject various permutations of potential damages for loss of control as a result of data breaches. It has resulted in an incredibly complicated picture. In this article, we review the key decisions and attempt to draw a consistent conclusion across this muddled area.
Background
On 18 November 2024, Germany's Federal Court of Justice ("BGH") had decided1 that the mere and short-term loss of control over personal data, in itself, constitutes non-materiel damage.2 The five BGH judges, in crimson robes and renowned for their legal acumen, declined to refer to the European Court of Justice ("ECJ") the question whether the mere loss of control was sufficient to claim for damages by making use of the preliminary reference procedure set out in Art. 267 TFEU. Arguing that the acte éclairé doctrine3 applied, the question could, in the BGH's view, be considered to be sufficiently clarified through various ECJ decisions4 in prior preliminary proceedings.
The BGH's decision that claimants in the Facebook scraping cases could be awarded damages for the mere loss of control without any further requirement for a specific abusive use of their data to their detriment or any other additional noticeable negative consequences stood in contrast to the prevailing judicature in the country and raised eyebrows across the legal field and beyond. The BGH was criticised for misreading the ECJ case law – the ECJ allegedly never expressed that loss of control constituted non-material damage. According to critics of the BGH, the court was erroneously separating loss of control from the data subject's fear that their personal data would be misused by third parties, while the ECJ had merely referred to loss of control in the relevant decisions to justify that the fear of such misuse of data could constitute non-material damage, and the data subject does not have to prove that a corresponding misuse has already occurred.5 It would follow from the ECJ decisions that the ECJ regards the loss of control only as a possible cause for non-material damage, but not as the non-material damage itself.
The rebel
Amongst the BGH's critics was a single judge at the Regional Court of Erfurt ("RC"), who has now done6 what, in their view, the Federal Court should have done in the first place: making use of the preliminary reference proceeding with regards to the question as to whether the mere loss of control over personal data was sufficient to award damages. According to the single judge, there remain doubts as to whether there was an acte éclairé: The ECJ's judgments could be interpreted to mean that a mere loss of control in itself did not yet constitute harm. Rather, additional conditions and circumstances would have to be met – such as psychological impairments following the actual misuse of the data.
The RC judge, further criticising the BGH's decision for a lack of a clear definition of loss of control, submitted the following question7 to the ECJ:
"Is Art. 82 (1) GDPR to be interpreted as meaning that a national court must award compensation to a data subject in the event of a violation of the GDPR, even if the data subject has merely demonstrated that a third party (and not the defendant data controller) had published their personal data on the internet? In other words: Does the mere and short-term loss of control over one's own personal data constitute non-material damage within the meaning of Art. 82(1) GDPR?".8
That old chestnut
As a matter of fact, the question whether loss of control over personal data itself is sufficient to award damages had already, repeatedly, found its way onto the ECJ's bench.
In Agentsia po vpisvaniyata, the referring court had asked whether non-material damage required a noticeable disadvantage and an objectively comprehensible impairment of personal interests, or whether the mere short-term loss of the data subject’s unfettered control over his or her data due to the publication of personal data, which did not have any noticeable or adverse consequences for the data subject, was sufficient.9 The court in Gemeinde Ummendorf asked essentially an identical question,10 with the sole difference that the latter question was tailored to the publication of personal data on the internet as opposed to a commercial register (as happened in Agentsia).
With such previous questions having been raised to the ECJ, it does not come as a huge surprise that the BGH refused to refer this question to the ECJ. Nonetheless, those criticising the BGH's refrainment have an arguable point that the ECJ decisions indeed read ambiguously: In the case arguably most akin to the Facebook scraping cases amongst the cited ECJ decisions, Gemeinde Ummendorf, an agenda of a meeting of the municipal council and a judgment, both revealing personal data, were made accessible on the municipality's homepage for three days. The data subjects argued that the unlawful disclosure of personal data constituted damage within the meaning of Art. 82(1) GDPR, without relying on any additional distress. The ECJ stated that, "although there is nothing to preclude the publication on the internet of personal data and the consequent loss of control over those data for a short period of time from causing the data subjects ‘non-material damage’, within the meaning of Article 82(1) of the GDPR, giving rise to a right to compensation, those persons must also demonstrate that they have actually suffered such damage, however minimal."11 Similarly, the MediaMarkSaturn decision declared: "the loss of control of the personal data for a short period of time may cause the data subject ‘non-material damage’."12 The decision in Agentsia po vpisvaniyata reads: "loss of control, for a limited period, by the data subject over his or her personal data, on account of those data being made available online to the public, in the commercial register of a Member State, may suffice to cause ‘non-material damage’, provided that that data subject demonstrates that he or she has actually suffered such damage, however minimal, without that concept of ‘non-material damage’ requiring that the existence of additional tangible adverse consequences be demonstrated."13
One might therefore be inclined to read these decisions in a way that solely classifies loss of control over data as a potential cause for the non-material damage, which would be the distress suffered through that loss of control.
Yet, the ECJ, referring to recital 85 of the GDPR, also states that "it was apparent from the illustrative list of types of damage that may be suffered by data subjects that the EU legislature intended to include in those concepts, in particular, the mere ‘loss of control’ over their own data."14 Indeed, recital 85 states: "A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data."15
Perhaps the most explicit passage appears in juris16, where the ECJ expressed: "it should be noted that recital 85 of the GDPR expressly mentions ‘loss of control’ among the damage that may be caused by a personal data breach. In addition, the Court has held that the loss of control over such data, even for a short period of time, may constitute ‘non-material damage’ within the meaning of Article 82(1) of that regulation, giving rise to a right to compensation, provided that the data subject can show that he or she has actually suffered such damage, however slight".
Consequently, it cannot be denied that the ECJ has held that loss of control itself is harm. The interpretation that construes the ECJ's decisions as only acknowledging distress suffered by loss of control as non-material damage disregards the court's declarations, and therefore is arguably flawed.
To fear or not to fear
Although the cases appear similar at face value, the material facts and question referred by the national court in MediaMarktSaturn differ from those in Gemeinde Ummendorf. In the former, contractual documents containing the data subject's personal data were given, by error, to another customer in the defendant's premises who subsequently left with the documents for about thirty minutes. The data subject sought compensation for non-material damage, namely discomfort, that he claimed to have suffered on account of the error made and the risk of a resulting loss of control over their personal data. Thus, the data subject relied on discomfort as being the non-material damage. Similarly, in Natsionalna agentsia za prihodite, the data subjects relied on worries, fears and anxieties. Consequently, the question was different and not targeted to the issue of whether loss of control itself can constitute non-material damage. The national court referred the question if "the worries, fears and anxieties suffered by the data subject with regard to a possible misuse of personal data in the future fall per se within the concept of non-material damage (…) and entitle him or her to compensation for damage where such misuse has not been established and/or the data subject has not suffered any further harm".17
In PS GbR, tax documents were sent to an incorrect address. When the data subjects collected the envelope concerned, they found that it contained only a copy of the tax return and a cover letter. They assumed, however, that the envelope also contained the original version of that tax return, which included personal data. The referring court stated that it was not possible to establish which documents were initially enclosed in that envelope or to determine the extent to which the new occupants of the former address of the applicants in the main proceedings had or had not become aware of the contents of that envelope. Consequently, the court asked the question whether "it was sufficient for the establishment of a claim for compensation for non-material damage under Article 82(1) of the GDPR that the claimant fears that his or her personal data have come into the hands of third parties as a result of infringements of provisions of the GDPR, even though that circumstance cannot be positively established".18
In both cases, the data subjects based their claims not merely on the loss of control over their personal data, but on the distress that they suffered as a result of that loss – whereas, in Gemeinde Ummendorf, the claimants solely relied on the loss of control as being the non-material damage.
In order to reconcile the above-mentioned ECJ statements, one arguably has to interpret the decisions in a way that accommodates these differentiating fact patterns. Where a data subject is relying on distress resulting from loss of control over their personal data, this distress can be non-material damage – and the claimant must prove they have suffered such distress, even where they cannot positively establish that a loss of control had occurred (as was decided in Ps GbR)19. Where a data subject, however, solely relies on the mere loss of control, the GDPR also allows compensation, as declared by recital 85 and the ECJ, provided that the data subject can prove that a loss of control has occurred. In other words, the mere loss of control can be the non-material damage itself. To prove loss of control, the claimant, arguably, will have to show that a third party has accessed the data. This is undisputed in the Facebook scraping cases.
Conclusion
Having attempted to untangle the thread of seemingly ambiguous decisions, we consider it is fair to conclude that the ECJ has clearly stated that loss of control itself can be non-material damage. The RC's referral will have no direct impact on the BGH's decision as that judgment, being of a last instance court, cannot be appealed. That being said, due to the absence of any doctrine of precedent in the jurisdiction, German courts will have two possibilities going forward in cases where damages are claimed for loss of control over personal data: the courts may either follow the BGH's decision and award damages for the mere loss of control, or they may stay proceedings with the argument that a preliminary reference proceeding is pending before the ECJ. At a practical level, a European court could still find an absence of proof of loss of control in any given case, which would not require any further legal interpretation (in other words, loss of control cases may still simply fail on evidential grounds).
Similarly, EU law also does not have a doctrine of binding precedent. Strictly speaking, ECJ decisions made in preliminary reference proceedings are therefore only binding on the national court submitting the question as well as on other courts in the same domestic procedure. Nonetheless, ECJ judgments interpreting EU law enjoy an authority similar to those of national supreme courts in civil law countries and will therefore, in reality, be followed when interpreting EU law.20
As there is substantial similarity between the RC's question and former submissions in preliminary reference proceedings, we expect no headline ringing news from the ECJ. Yet, in light of the ongoing discussion around the correct interpretation, an unambiguous answer from the ECJ that erases all lingering doubts would be welcomed, given that the preliminary reference procedure's very purpose is to assist national courts with the interpretation of EU law, and to ensure its uniform application across the Union.
Finally, it should be noted that there is further divergence to be debated between the EU and UK courts' interpretations of loss of control damages. The UK courts have, so far, taken a far more restrictive view when it comes to considering damages for mere loss of control as well as the imposition of a de minimis threshold.
[1] BGH, 18 November 2024, VI ZR 10/24. Read our article on this decision here.
[2] With judgment dated 11 February 2025 (VI ZR 365/22), the BGH reconfirmed its decision.
[3] According to the acte éclairé doctrine, a court which would normally be under a duty to submit the preliminary reference may refrain from doing so if the question raised is materially identical with a question which has already been the subject of a preliminary ruling in a similar case (Da Costa, 28-30/62).
[4] The BGH referred to the following decisions: C-200/23 - Agentsia po vpisvaniyata; C-590/22 - PS GbR; C-741/21 - juris; C-687/21 - MediaMarktSaturn; C-456/22 - Gemeinde Ummendorf; C-340/21 - Natsionalna agentsia za prihodite).
[5] See the article by Jan Spittka and Frauke Tepe from Clyde & Co, " Loss of control over personal data: Sufficient for GDPR damage claims?", 19 February 2025, https://www.clydeco.com/en/insights/2025/02/loss-of-control-over-personal-data.
[6] Landgericht Erfurt, 3 April 2025, 8 O 895/23. While BGH judgments are inevitably followed by lower courts, albeit simply for the reason of avoiding negative appeals, the doctrine of precedent is unknown to German law. Given its judicial independence and under no obligation to agree with the BGH, the RC was therefore entitled to refer the question to the ECJ.
[7] Translated from German.
[8] Our emphasis added.
[9] Para 46.
[10] Para 11.
[11] Para 22; our emphasis added.
[12] Para 66.
[13] Para 156.
[14] Agentsia po vpisvaniyata, para 145; our emphasis added.
[15] Our emphasis added.
[16] para 42.
[17] Para 21.
[18] Para 19.
[19] Para 36.
[20] EU Parliament – Briefing on Preliminary Reference Procedure
