Article 22 ePrivacy Regulation - Right to compensation and liability
Article 22 ePrivacy Regulation
Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the infringer for the damage suffered in accordance with Article 82 of Regulation (EU) 2016/679.
I. General remarks
Art. 22 ePrivacy Regulation grants the persons that suffered a damage as a result of an ePrivacy infringement a right to compensation. The provision, thus, complements the public investigational and correctional powers of supervisory authorities with an additional layer of protection.[1] In the event of a privacy infringement pursuant to the stipulations under the ePrivacy Regulation, infringers are, thus, threatened not only with an intervention by a supervisory authority pursuant to their powers under Art. 18 et seqq. ePrivacy Regulation (in particular fines, Arts. 18 Sec. 1ab Alt. 1; 23 ePrivacy Regulation), but also with claims for compensation under civil law from the concerned parties themselves.
While claims for damages played a rather minor role in practice of data protection and privacy law prior to both the introduction of the GDPR and the ePrivacy Regulation,[2] the practical relevance has since grown. This may be explained as a result of the extension of judicial remedies by the possibility of representation by an association under Art. 80 GDPR.[3] These associations can represent in cases in which the end-users would have stayed away from enforcing their rights due to concerns about the prospects of success of a lawsuit, as well as their related. With the right to compensation for damages becoming more and more relevant in practice, some scholars assume a repressive and preventive function of the provision.[4]
With regard to the details of the right, Art. 22 ePrivacy Regulation refers to the provisions of Art. 82 GDPR. This corresponds to the approach of the ePrivacy Regulation to refer in large parts to the GDPR, as already applied under various ePrivacy provisions, such as the preceding Art. 21 Sec. 1a ePrivacy Regulation. Pursuant to Rec. 146 S. 6 GDPR, persons concerned shall receive “full and effective compensation” for the damage they suffered. This points out the primary, compensatory function of the provision.[5] Possible debtors to the claim are both private and public bodies, which, in the case of joint infringements are jointly and severally liable to the end-user (Art. 22 ePrivacy Regulation in conjunction with Art. 82 Sec. 4 GDPR). The assertion of damages is simplified for the wronged party, as it may choose to approach only one of the infringers and, thus, does not have to claim parts of the damages separately. In addition to the associated practical effort, determining the amount of the claim and the prospects of success of a legal pursuit can sometimes require difficult legal considerations and arithmetical performances. Thus, instead, according to Art. 82 Sec. 5 GDPR, the infringers must seek indemnification among themselves and on their own initiative.
[1] Cf. Art. 21 No. I.3; Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann (2019), Art. 82 Rec. 1 even speaks of the “core for practical enforcement of the GDPR protection rules”.
[2] Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 82 Rec. 2.
[3] Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 82 Rec. 2.
[4] Quaas, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 82 Rec. 1.
[5] Cf. Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 82 Rec. 4.
1. Holder of the claim
Art. 22 ePrivacy Regulation in conjunction with Art. 82 Sec. 1 GDPR entitles “any person” who has suffered material or non-material damage as a result of an infringement of the ePrivacy Regulation to the claim. This includes both natural and legal persons, as indicated by Art. 1 Sec. 1a ePrivacy Regulation.
It is in dispute whether Art. 82 Sec. 1 GDPR (and, thus, Art. 22 ePrivacy Regulation) may lead to damage claims by third parties. Third parties are all persons who are not directly targeted by a particular privacy-relevant conduct and do not suffer infringements of ePrivacy rights as a result of it, yet still suffer damage to their own goods or rights. This could, for instance, be the case in competitive environments, where privacy requirements are not adhered to in order to gain an advantage over competitors.[6] Another example arises whenever the person targeted in the course of a direct marketing communication under Art. 16 ePrivacy Regulation is different from the one who suffers actual economic damage, such as the employer.
The wording of both Art. 22 ePrivacy Regulation and Art. 82 Sec. 1 GDPR speaks in favor of entitling third parties to such claims, since it refers extensively to “any person”. This concerns not only the nature of persons, i.e. whether they are natural or legal, but also the scope of possible right holders. In addition, Rec. 146 S. 1 GDPR in conjunction with Art. 82 Sec. 1 GDPR clarifies that an infringer should compensate “any damage” which “a person” may suffer pursuant to “an infringement of the GDPR”. This underlines the tort law principle of total reparation and, consequently, includes damage suffered by third persons as well. Where it is sometimes argued to the contrary that compensation should be granted only to the persons concerned, as the infringement under Art. 82 Sec. 1 GDPR pertained to data of the data subject only, such an interpretation contradicts the explicit wording of the provision. Neither Art. 22 ePrivacy Regulation nor Art. 82 Sec. 1 GDPR refers to the violation of a subjective right of the affected person; both refer to the objective violation of the Regulations. Consequently, this does not permit a limitation of eligible right holders. Rather, such a limitation must be sought at the level of causality, both with regard to the infringement of the ePrivacy Regulation and the emergence of a damage.[7] Accordingly, third parties are excluded from the claim only if there is already no sufficient connection between the infringing conduct and the damage of the third party. Since this must be regarded as the predominant case in practice, the limitation of the provision is sufficiently achieved.[8]
[6] Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 82 Rec. 7.
[7] Quaas, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 82 Rec. 1; Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 82 Rec. 7; Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 82 Rec. 15; different opinion: Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann (2019), Art. 82 Rec. 9.
[8] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 82 Rec. 14.
2. Infringement of the ePrivacy Regulation
Damage claims pursuant to Art. 22 ePrivacy Regulation require an objective infringement of the Regulation’s stipulations. This is in accordance with the approach of a comprehensive private enforcement complementing administrative investigation and correction.[9] In this sense, the concept of infringement must be understood broadly, so as to also “[include] processing that infringes delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation”.[10] This breadth is only limited in view of Art. 82 Sec. 1 GDPR’s wording, which refers to “processing” that infringes the Regulation. This means that not every conceivable infringement of the Regulation is eligible for compensation (such as purely formal stipulations, e.g., the delegation of a specification to Member States, if these should not execute their duties accordingly), but only such infringements that concern the processing of data or, with regard to the ePrivacy Regulation, the rights granted under Chapters II and III.
[9] See above under No. I and II.1.
[10] Rec. 136 S. 5 GDPR.
3. Responsibility
While Art. 22 ePrivacy Regulation does not provide clear guidance on the question whether the infringer must be responsible for the violation of privacy stipulations, Art. 82 Sec. 3 in conjunction with Rec. 146 GDPR may at least serve as an indication. Accordingly, the alleged infringer shall be “exempt from liability […] if it proves that it is not in any way responsible for the event giving rise to the damage”. From this it can be inferred that only a reproachable action can lead to a compensable damage.[11] Strict liability, on the other hand, could only be construed in contradiction to the clear wording of Art. 82 Sec. 3 GDPR. If some scholars claim that Art. 82 Sec. 3 GDPR is not a possibility of exculpation, but a mere reversal of the burden of proof,[12] this would presuppose a referral to the mere involvement in the infringing event. “Responsibility” would consequently be understood as synonymous with “involvement”. However, the systematic comparison with Art. 82 Sec. 2 S. 1 GDPR clearly shows that the legislator was aware of the difference between both concepts and even further differentiated between involvement in the infringement, responsibility for the infringement and responsibility for the damage (cf. wording of Art. 82 Sec. 3 GDPR “responsible for the event giving rise to the damage”). Thus, if it had wanted to refer to a mere involvement, it would not have used the term “responsibility” at this point. This being said, it is rather obvious that the GDPR and, thus, also the similarly construed ePrivacy Regulation require responsibility in the case of a privacy infringement, which the infringer can, yet, dispute pursuant to Art. 82 Sec. 3 GDPR.[13]
In line with the concept of a tortious liability based on the infringement of subjective rights, responsibility under Art. 22 ePrivacy Regulation must be interpreted as culpability. Culpability is defined as an objectively unlawful and subjectively reproachable conduct in the form of intent or negligence (cf. Art. 83 Sec. 2 lit. b GDPR).[14] Intent means (at least) the acceptance of an infringement, negligence the disregard of the due diligence required in the course of business.[15] In that, different standards of diligence must be applied depending on the type of conduct and data, in particular its sensitivity, and the quality of infringement of the end-user’s privacy.[16]
[11] Different opinion: Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 82 Rec. 6.
[12] Cf. Gola/Piltz, in: Gola, Datenschutz-Grundverordnung (2018), Art. 82 Rec. 18.
[13] Prevailing opinion, cf.: Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022) Rec. 44; Albrecht/Jotzo, in: Albrecht/Jotzo, Das neue Datenschutzrecht der EU (2017), Part 8 Rec. 22; Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 82 Rec. 14; Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann (2019), Art. 82 Rec. 10, speaking of the “reproachable conduct”; Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 82 Rec. 12 notes that in practice, however this debate is irrelevant, since the alleged infringer must provide proof of exoneration pursuant to Art. 82 Sec. 3 GDPR.
[14] Cf. in German law § 276 BGB and in this respect Lorenz, in: Hau/Poseck, BeckOK BGB (2022), § 276 Rec. 5.
[15] Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 82 Rec. 14.
[16] Cf. Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 82 Rec. 14.
4. Damage
The infringement of stipulations under the ePrivacy Regulation must have led to damage to the concerned end-user or a third party. In this respect, the latter two shall bear the burden of proof with regard to the existence of a damage and its causality to the infringing action.[17] Pursuant to both Art. 22 ePrivacy Regulation and Art. 82 Sec. 1 GDPR, the damage can be both material and immaterial.
a) Material and immaterial damage
Pursuant to Rec. 146 S. 2 GDPR, the concept of damage under Art. 82 Sec. 1 GDPR and, thus, Art. 22 ePrivacy Regulation must be “broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation”. Indeed, according to this, the claim for damages shall have a genuine “dissuasive effect”.[18] Yet, this does not mean that every data processing in breach of the stipulations of the ePrivacy Regulation automatically constitutes a compensable damage. Rather, an actual damage must have resulted from this and the existence of a damage needs to be determined in each individual case.[19]
Damages can be both material and immaterial in nature. Neither the ePrivacy Regulation nor the GDPR contains a definition of either term.[20] Rec. 75 and 85 GDPR, however, list some exemplary cases of damages, which may occur in the course of an infringement of data subject rights. These include discrimination, identity theft or fraud, financial loss, reputation damage, loss of control over personal data or data protected by professional secrecy, limitation of data subjects’ rights, unauthorized reversal of pseudonymization, or any other significant economic or social damage. This list cannot be interpreted as exhaustive in view of the abstract layout under Art. 22 ePrivacy Regulation and Art. 82 Sec. 1 GDPR. Based on this, however, a corresponding definition can be inferred, which is applicable to other cases.
aa) Material damages
Material damages are all disadvantages suffered by the affected party in terms of either their property or other legally protected assets.[21] According to the interpretation of the CJEU, the concept of material damages must be interpreted in the sense of the principle of effectiveness in such a way that it also includes a loss in profits[22] and, according to the applicable national legislation, the payment of interests[23]. Most obviously, a financial loss can occur in the course of malicious calls to the end-user pursuant to Arts. 14, 16 ePrivacy Regulation, since these tie up available resources of workforce and, thus, lead to a loss of productivity.[24] Other cases are conceivable, especially if, in addition to the collection of telecommunication data and metadata, the infringer processes data and initiates further disadvantages subsequently. For example, the unlawful application of cookies and a subsequent disclosure or processing of data may impact the individual pricing of internet-based offers, which in turn results in a higher price for the end-user.[25] It is also conceivable that, as a result of unlawful disclosure of data, an insurance company may refuse to conclude an insurance contract with the end-user or only offer it on different terms.[26] However, since data protection and privacy violations usually result in only minor or hardly detectable material damage, the higher costs are likely to be those of legal prosecution and, if necessary, containment of immaterial damage.[27] These include, for instance, costs of investigating the incident and warning the infringer, complaining to a supervisory authority, or using IT services to change access codes and digital infrastructure.[28]
bb) Immaterial damages
Art. 22 ePrivacy Regulation in conjunction with Art. 82 Sec. 1 GDPR expressly includes immaterial damages in the scope of compensation. Thus, any infringement of rights under Chapters II and III ePrivacy Regulation may be subject to damage claims.[29] Consequently, and with regard to the nature of privacy and data protection, immaterial damages most probably constitute the more relevant claim. That is true in particular since material damages are often hard to determine.[30] Targeting the intrusion into the end-user’s private sphere, the ePrivacy Regulation accounts for the fact that infringements will affect the end-user psychologically rather than financially.[31] In line with its approach to grant a “full and effective compensation”, it fills the remedial gap that would otherwise be difficult to compensate (cf. Rec. 146 S. 7 GDPR).
Given the considerable breadth of the provision, there is, however, reason to fear a boundless expansion of Art. 22 ePrivacy Regulation’s scope of application. It is questionable whether a “materiality threshold” should be implemented accordingly. Pursuant to this, petty violations would be excluded from the provision and not be eligible for compensation. Instead, immaterial damage would need to result from a significant infringement of the end-user’s privacy, as for example, from (public) exposure associated with unlawful disclosure of data,[32] identity theft,[33] or other serious harm to a person’s self-image or reputation,[34] as well as a particular intangible interest beyond the annoyance or further emotional damage caused solely by the infringement itself.[35]
Even though this approach may seem justified, it contradicts the legislator’s intent and the systematics of the Regulation. Neither Art. 22 ePrivacy Regulation in conjunction with Art. 82 Sec. 1 GDPR provides for a respective materiality threshold, nor does Recital 148 S. 2 GDPR, which deals with minor infringements and could have made an according statement.[36] From this it must be inferred that a respective “raising of the bar” was not intended by the legislator. This is all the more true since it would simultaneously contradict the fact that the same infringement, which would not be eligible for compensation, could still be subject to a fine under Art. 18 Sec. 1ab Alt. 2; Art. 23 Sec. 1 ePrivacy Regulation in conjunction with Art. 83 GDPR.[37]
Conversely, it does not follow from this finding that a merely minor violation of privacy under the provisions of the ePrivacy Regulation is not to be taken into account at all. Instead, the severity of the infringement plays a role with regard to the amount of compensation.[38]
cc) Causation
The infringement of the ePrivacy Regulation must have been causal for the damage. This is clear from the wording of both Art. 22 ePrivacy Regulation and Art. 82 Sec. 1 GDPR, speaking of the damage “as a result” of an infringement.[39] In this respect, Union law applies a broad concept of causation, which may be described as equivalent to the existing Member States’ standard of the so-called conditio sine qua non formula.[40] According to this, every action is causal for the damage that cannot be disregarded without the damage ceasing to exist.[41] No difference is made with regard to the share in the damage or the time of the action, so that all events are treated equally. Consequently, the formula also includes merely contributory causes.[42] Conversely, actions are excluded whenever they occurred alongside the relevant sequence of events and did not contribute to the actual incurrence of the damage. Since the damage must be caused by an infringement of the Regulation, lawful conduct is excluded as well, even though it might have been harmful to the end-user.[43] If, for example, the lawful integration of cookies by the website operator leads to disadvantages in pricing when the concerned end-user purchases goods on a website, the end-user cannot demand compensation for the damage because the operator, at the same time, unlawfully sells the data to third parties.[44]
Sometimes it is argued that with regard to the breadth of this concept, a restriction must be made, according to which only those acts are causal to the damage, whose concrete consequence was foreseeable at the time of their performance (so-called “foreseeability test” or adequate causation).[45] However, this concept must not be interpreted too restrictively. Pursuant to the case law of the CJEU, it only refers to circumstances, if these “could not be ignored” by the infringer.[46] This excludes not only completely atypical and unusual courses of events, but also those that were (very) unlikely, even though not fundamentally beyond all expectation.
b) Scope of the claim
The scope of the claim is to be determined in light of the broad concept of damages pursuant to Rec. 146 S. 3 and S. 6 GDPR, according to which a full and effective compensation shall be achieved.[47] This includes a dissuasive effect towards future infringements and third parties.[48]
With regard to material damages, all attributable disadvantages suffered by the injured party in terms of their assets or other legally protected goods are eligible for compensation.[49] This may also include a loss of profits and interest.[50] Thus, the scope of the claim is determined by the actual damage, which the claimant must conclusively demonstrate.[51] Determining the amount might, however, be problematic: given the immaterial nature of personal data and privacy, it seems complicated to assign them a specific market value.[52] Not only does this require a corresponding market for both assets in the first place, but also (in the case of lost profits) an actual marketing opportunity.[53] Since a claimant will, however, be concerned with preventing further infringements of privacy rather than with skimming off lost profits from an exploitation opportunity of their own, a specific amount might not be determinable at all.[54] Against this background, applying the so-called “three-fold damage calculation” could be a feasible approach.[55] Accordingly, the data subject can, firstly, put a concrete figure on the damage, which also includes a loss of profit.[56] As a second possibility, abstract compensation can be demanded in accordance with the license analogy, whereby in the case of data protection infringements, this must be based on the value of the data concerned, i.e., the market price for licensing usage of the respective data, either on terms of the claimant or on the usual terms.[57] Finally, as a third method of calculation, the profit generated as a result of the infringement can be skimmed from the infringer.[58] Yet, in principle, only the real damage is compensable, so that punitive damages may be demanded only if and to the extent that this is reflected in the law of the Member States.[59]
Against this backdrop, the more relevant form of compensation will most probably concern immaterial damages, even though it might be difficult to determine their value as well. They have to be assessed based on the gravity and duration of the infringement, as well as the context and the circumstances.[60] Indeed, the amount of compensation must not have a punitive effect, but must still have a genuine deterrent effect on future infringements.[61] What is more, the scope of the claim must ensure a full and effective compensation in the sense of Rec. 146 S. 3 GDPR.
[17] Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 82 Rec. 26.
[18] CJEU, judgement of 17 December 2015, C-407/14 – Arjona Camacho/Securitas Seguridad España, Recs. 44 et seq.; CJEU, judgement of 22 April 1997, C-180/95 – Draehmpaehl, Rec. 25; CJEU, judgement of 10 April 1984, C-14/83 – v. Colson and Kamann, Recs. 23 et seq.; CJEU, judgement of 11 October 2007, C-460/06 – Paquay, Rec. 45.
[19] Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 82 Rec. 10; Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 82 Rec. 27.
[20] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann (2019), Art. 82 Rec. 12; Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 82 Rec. 11.
[21] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 82 Rec. 14.
[22] CJEU, judgement of 5 March 1996, C-46/93, C-48/93 – Brasserie du Pêcheur/Factortame, Rec. 90.
[23] CJEU, judgement of 13 July 2006, C-295/04 – C-298/04 – Manfredi, Recs. 95 et seqq.
[24] See in that regard Art. 14 and Art. 16.
[25] Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 82 Rec. 12.
[26] Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 82 Rec. 11.
[27] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 82 Rec. 19.
[28] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 82 Rec. 14.
[29] Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 82 Rec. 13; Kühling/Sackmann DuD 2019, 347 (348); Richter DSB 2019, 47.
[30] See in this regard below under No. II.4.b).
[31] Cf. Gola/Piltz, in: Gola, Datenschutz-Grundverordnung (2018), Art. 82 Rec. 12; a list of detailed effects provides Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 82 Rec. 18b.
[32] Becker, in: Plath, DSGVO/BDSG/TTDSG (2022), Art. 82 Rec. 4d.
[33] Becker, in: Plath, DSGVO/BDSG/TTDSG (2022), Art. 82 Rec. 4d.
[34] Becker, in: Plath, DSGVO/BDSG/TTDSG (2022), Art. 82 Rec. 4d.
[35] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 82 Rec. 18a.
[36] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 82 Rec. 18a, referring to Wessels DuD 2019, 781 (784); Strittmatter/Treiterer/Harnos CR 2019, 789 (791).
[37] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 82 Rec. 18a; Strittmatter/Treiterer/Harnos, CR 2019, 789 (791).
[38] See below under No. II.4.b); although it has not yet been clarified what the lower limit is: see Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 82 Rec. 34; in recent German judicial procedures, an amount of 500 Euros (County Court Goslar, judgement of 27 September 2019, 28 C 7/19 and District Court Lüneburg,) and 1.000 Euros (District Court Lüneburg, judgement of 14 July 2020, 9 O 145/19) was discussed as a minimum compensation.
[39] See also Quaas, in: Wolff/Brink, BeckOK Datenschutzrecht (2022), Art. 82 Rec. 26; Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 82 Rec. 13; Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 82 Rec. 40.
[40] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 82 Rec. 13 et seq., referring to Weitenberg, Der Begriff der Kausalität in der haftungsrechtlichen Rechtsprechung der Unionsgerichte (2014), pp. 364 et seqq.
[41] Oetker, in: Münchener Kommentar zum BGB (2020), § 249 Rec. 103.
[42] Quaas, in: Wolff/Brink, BeckOK Datenschutzrecht (2022), Art. 82 Rec. 26.
[43] Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 82 Rec. 41; Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 82 Rec. 42.
[44] Since in this case there is no infringement of rights under the ePrivacy Regulation, damages can only be compensated for on grounds of the GDPR.
[45] https://www.law.cornell.edu/wex/foreseeability; Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 82 Rec. 14; Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 82 Rec. 45.
[46] CJEU, judgement of 5 June 2014, C-557/12 – Kone et al./ÖBB, Rec. 34.
[47] CJEU, judgement of 17 December 2015, C-407/14 – Arjona Camacho/Securitas Seguridad España, Rec. 33 and 45.
[48] CJEU, judgement of 17 December 2015, C-407/14 – Arjona Camacho/Securitas Seguridad España, Rec. 45.
[49] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann (2019), Art. 82 Rec. 27; Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Rec. 28.
[50] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann (2019), Art. 82 Rec. 28; CJEU, judgement of 13 July 2006, C-295-298/04 – Manfredi, Rec. 95.
[51] Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 82 Rec. 10.
[52] An in-depth analysis is provided by Wandtke, MMR 2017, 6.
[53] Gola/Piltz, in: Gola, Datenschutz-Grundverordnung (2018), Art. 82 Rec. 11.
[54] Paal, MMR 2020, 14 (16).
[55] Paal, MMR 2020, 14 (16), with reference to Raue, die dreifache Schadensberechnung (2017); also Gola/Piltz, in: Gola, Datenschutz-Grundverordnung (2018), Art. 82 Rec. 11.
[56] Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 82 Rec. 17.
[57] Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 82 Rec. 17.
[58] Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 82 Rec. 17.
[59] Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 82 Rec. 17.
[60] Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 82 Rec. 12a.
[61] CJEU, judgement of 17 December 2015, C-407/14 – Arjona Camacho/Securitas Seguridad España, Rec. 45.
III. Opponent of the claim and scope of liability, Art. 22 ePrivacy Regulation in conjunction with Art. 82 Secs. 1 – 5 GDPR
Art. 22 ePrivacy Regulation refers to the comprehensive liability regime of Art. 82 GDPR. If more than one infringer is responsible for the damage, all infringers are liable jointly and severally. This means the end-user concerned may demand the entire amount of damages from any one of them (cf. Art. 82 Sec. 4 GDPR). A distinction is made only with respect to the internal relations between individual infringers, as regards their shares of liability. Accordingly, the sued debtor may seek recourse against the other infringers in the amount of their respective shares of contribution (cf. Art. 82 Sec. 4 GDPR).
1. One infringer, Art. 82 Sec. 1 GDPR
Claims for damages are directed against the infringer. Pursuant to Art. 22 ePrivacy Regulation the latter is liable for the damage, which the end-user suffered as a result of an infringement of the ePrivacy Regulation. Conversely, persons other than the infringer itself, i.e. mere employees of the infringer or data protection authorities proceeding incorrectly, are not to be considered as opponents.[62] This results from the provision’s purpose to provide effective compensation for the person affected (cf. Rec. 146 S. 6 GDPR).[63] What is more, since the ePrivacy Regulation only knows one type of infringer, it entails a significant simplification of the liability regime compared to the GDPR. The latter distinguishes between controllers and processors with regard to their different roles in processing (cf. Art. 82 Sec. 2 GDPR).[64] The ePrivacy Regulation, in contrast, applies only one liability regime to all infringers equally. Accordingly, every person, who responsibly caused an infringement of the Regulation is held liable as an infringer.[65]
[62] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann (2019), Art. 82 Rec. 15; Quaas, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 82 Rec. 39; Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 82 Rec. 16.
[63] Quaas, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 82 Rec. 39.
[64] For further comments, see, for instance, Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 82 Rec. 64 et seqq.
[65] Cf. above No. II.3 and No. II.4.b).
2. Several infringers, Art. 82 Sec. 2 – 5 GDPR
If several parties are involved in the same infringing action and, consequently, cause the damage jointly, they are equally liable pursuant to Art. 22 ePrivacy Regulation in conjunction with Art. 82 Sec. 2 – 5 GDPR. The data subject may claim the entire damage from any infringer (Art. 82 Sec. 4 GDPR), but the latter may seek recourse from its co-debtors pursuant to Art. 82 Sec. 5 GDPR. The amount of recourse is linked to the share of responsibility in the damage.
a) Joint responsibility, Art. 82 Sec. 2 GDPR
Joint responsibility pursuant to Art. 82 Sec. 2 GDPR only requires an “involvement” in the infringement. The term must be interpreted broadly, in order to fulfil the aim of a “full and effective compensation” to the end-user.[66] On the one hand, this means that liability under Art. 22 ePrivacy Regulation in conjunction with Art. 82 Sec. 2 S. 1 GDPR covers not only an infringement as a single (overall) event, but also a series of events.[67] Consequently, the infringer does not necessarily have to be the only one to whom the overall process can be attributed[68] or the one who performed the last infringing act.[69] Rather, the participation in an individual event is sufficient in this respect.[70] This results not least from the wording of Art. 82 Sec. 3 GDPR, which requires for a possible exculpation solely that the respective person “is not in any way responsible for the event giving rise to the damage”, as opposed to a responsibility for the damage itself. While both responsibilities will usually coincide, i.e. the responsibility for the infringement and the responsibility for the damage, this is by no means compelling, given the requirement of an adequate causality of the damage.[71] Consequently, an infringer who could not foresee the incurrence of a damage might be responsible for infringing the Regulation, but not, however, for the damage itself.
An important example of joint responsibility regards the use of cookies. For instance, website operators often include third-party content on their site, which is linked to cookies (e.g., inline frames). An unjustified use of these cookies pursuant to Art. 8 ePrivacy Regulation will then indeed be carried out by the third party themselves, but the website operator will also be liable for having enabled it in the first place.[72]
b) Exculpation, Art. 82 Sec. 3 GDPR
Pursuant to Art. 82 Sec. 3 GDPR, the alleged infringer can exculpate itself if it proves that it is “not in any way responsible for the event giving rise to the damage”. Responsibility, in this regard, means culpability.[73] Pursuant to Art. 83 Sec. 2 lit. b GDPR, it encompasses intentional and negligent infringements. Consequently, it is necessary for the alleged infringer to prove that it has applied all due diligence and cannot be accused of the slightest negligence.[74] That may, for example, include adequate security measures and monitoring of the effects of their actions.[75] Other ways of exculpation may include proving force majeure or referring to the fact that the end-user is solely responsible for the damage.[76] Conversely, mere contributory negligence on the part of the end-user, contributory responsibility of third parties or contributory causation by force majeure do not suffice in this regard.[77]
c) Joint and several liability; recourse, Art. 82 Secs. 4, 5 GDPR
In case of a joint responsibility of several infringers, i.e. when these are responsible for both the infringing action and the resulting damage, all parties are jointly and severally liable pursuant to Art. 82 Sec. 4 GDPR. The end-user can, consequently, claim the entire amount from each of the infringers. This serves the provision’s purpose of a full and effective compensation (cf. also Rec. 146 S. 6 GDPR). Rec. 146 S. 8 GDPR, however, also allows judicial apportioning on a pro rata basis if they are sued jointly.[78] This, accordingly, substitutes the internal recourse pursuant to Art. 82 Sec. 5 GDPR. The judgment must then, however, ensure full and effective compensation.
With regard to the specific addressee of the claim, the claimant is free to choose from which of the defendants it would like to have the damage compensated. That applies regardless of the degree of an infringer’s fault or whether one of them is financially stronger than the other.[79] Consequently, the end-user does not have to accept being rebuffed by the addressee on grounds that they had only a minor share in the occurrence of the damage.[80] Rather, this question is to be taken into account only in the assessment of the liability ratio within the context of a recourse under Art. 82 Sec. 5 GDPR.
Art. 82 Sec. 5 GDPR, in this regard, concerns the recourse between the joint and several debtors. The party that has compensated for the damage in an external relationship can internally reclaim the respective share of the compensation from the other responsible parties.[81] Thus, the joint and several debtors are, in effect, not liable in equal parts, but in accordance with their respective responsibility as defined in Art. 82 Sec. 2 S. 1 GDPR.[82]
[66] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 82 Rec. 22; Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann (2019), Art. 82 Rec. 16; Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 82 Rec. 13; Quaas, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 82 Rec. 39; see also Rec. 146 S. 6 GDPR.
[67] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 82 Rec. 22.
[68] Quaas, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 82 Rec. 39.
[69] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann (2019),
[70] Gola/Piltz, in: Gola, Datenschutz-Grundverordnung (2018), Art. 82 Rec. 7; Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 82 Rec. 65; Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 82 Rec. 13; cf. also CJEU, judgement of 29 July 2019, C-40/17 – Fashion ID, Rec. 85.
[71] Cf. Gola/Piltz, in: Gola, Datenschutz-Grundverordnung (2018), Art. 82 Rec. 7; see also No. II.4.a)cc).
[72] Cf. Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 82 Rec. 13.
[73] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann (2019), Art. 82 Rec. 21; Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 82 Rec. 36; different opinion: Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 82 Rec. 15.
[74] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 82 Rec. 54.
[75] Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 82 Rec. 15.
[76] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann (2019), Art. 82 Rec. 22.
[77] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 82 Rec. 54.
[78] Critically in view of the risk of litigation and the possibly jeopardized aim of a full and effective compensation: Nemitz, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 82 Rec. 30 and Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 82 Rec. 58.
[79] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann (2019), Art. 82 Rec. 33; Quaas, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 82 Rec. 44; Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 82 Rec. 57.
[80] Bergt, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 82 Rec. 58.
[81] Quaas, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 82 Rec. 45.
[82] Quaas, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 82 Rec. 45.
IV. Jurisdiction, Art. 22 ePrivacy Regulation in conjunction with Art. 82 Sec. 6 GDPR
Pursuant to Art. 22 ePrivacy Regulation in conjunction with Art. 82 Sec. 6 GDPR, jurisdiction for proceedings in which the end-user exercises their right to compensation lies with the court competent pursuant to Art. 79 Sec. 2 GDPR. This is either the court where the defendant has an establishment or where the end-user has their habitual residence.[83] “Establishment” means any place where an economic entity carries out its activity (cf. Rec. 22 S. 2 GDPR).[84] This requires a fixed establishment for an indefinite period of time, whereby its legal form is irrelevant.[85] It does not matter if it operates only a branch or a subsidiary, as long as it is legally attributable to the parent company. In case of several establishments, the end-user is, hence, free to choose the location of their proceedings based on any one of these.[86]
The reference to this provision serves to prevent conflicting jurisdiction over remedies pursuant to Arts. 21 Sec. 1, 22 ePrivacy Regulation and fines under Art. 23 ePrivacy Regulation.[87] A single court shall decide on the same infringing conduct, so that different judgements on the same issue are avoided. For that reason, according to Rec. 147 GDPR, the provision is a lex specialis in relation to the general rules on jurisdiction, in particular in relation to the European Regulation on Jurisdiction and Enforcement.[88]
[83] For more details see Art. 21 No. II.2.c) and No. II.3.c).
[84] See also CJEU, judgement of 25 July 1991, C-221/89 – Factortame.
[85] CJEU, judgement of 25 July 1991, C-221/89 – Factortame.
[86] Martini, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 79 Rec. 25; Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 82 Rec. 102.
[87] Boehm, in: Simitis/Hornung/Spiecker gen. Döhmann (2019), Art. 82 Rec. 37; Frenzel, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 82 Rec. 18.
[88] Moos/Schefzig, in: Taeger/Gabel, DSGVO – BDSG – TTDSG (2022), Art. 82 Rec. 102; Regulation (EU) No 1215/2012 of the European Parliament and of the Council of 12 December 2012 on jurisdiction and the recognition and enforcement of judgements in civil and commercial matters.