Netherlands: Council of State overrules order to award GDPR damages
The Council of State ('the Council of State') issued, on 1 April 2020, a ruling ('the Ruling') in a privacy case, dealing with the claimant's entitlement to damages because a municipality had unlawfully shared the claimant's data with other municipalities. In particular, the Council of State decided to overrule the decision of a lower instance to award the claimant €500 for damages, detailing that a mere violation of a fundamental right does not automatically result in damages. Moreover, the Council of State decided that in line with Article 6:106 (1)(b) of the Dutch Civil Code, the burden of proof is on the claimant to demonstrate they suffered damages, and that in the case at hand the claimant had failed to prove that the bar of actual harm had been reached.
Furthermore, the Council of State stated that the General Data Protection Regulation (EU) 2016/679 ('GDPR') does not describe how non-material damages should be calculated and that the European Court of Justice has not yet ruled on the issue of calculating compensation linked to privacy violations. In addition, the Council of State found that the damage for which compensation can be received needs to be actual and certain and that the claimant did not demonstrate that the violation by the municipality resulted in damages, impairment to his honour, integrity or reputation, had detrimental effects or adverse consequences. Finally, the Council of State found that the sharing of name and residency with other municipalities does not qualify as serious culpable act with such detrimental consequences that it would result in an infringement of a fundamental right, that the officials who received the data acted in their professional functions, and that there was no indication that the officials misused the plaintiff's data.
You can read the Ruling, only available in Dutch, here.