Closing a Chapter on GDPR Damages: Brillen Rottler Ruling Explained

The Brillen Rottler (C-526/24) case illustrates how European courts weigh competing interests when individuals seek compensation for breaches of their fundamental right to data protection.

The Court of Justice of the European Union (CJEU) recently clarified crucial principles governing GDPR damages in the Brillen Rottler (C-526/24) case. This decision, flowing from a dispute over data subject rights and the limits of proportionality, carries profound implications for supervisory authorities, law firms, and businesses navigating the European digital law landscape.

To unpack the ruling’s consequences, Digibeetle CEO Joost Gerritsen sat down with Thomas Bindl, founder of EuGD, and Peter Hense from Spirit Legal in a LinkedIn Live session. Here is a glimpse into their debate.

Key takeaways

  • The abuse of rights defence is weaker than it looks. Public information about a data subject’s history of filing access requests may be considered by a court, but it is not sufficient proof of abuse on its own. Controllers who refuse a request unlawfully still owe damages plus interest.
  • “Uncertainty” is now compensable damage. The CJEU extended non-material damage beyond “loss of control” to include mere uncertainty about how one’s data is being processed. This is a significantly lower threshold that makes it easier for consumers to claim compensation.
  • Most of this could have been avoided. The entire case reached the CJEU because a controller failed to answer a simple newsletter data access request. Getting basic GDPR processes in place is far cheaper than litigation.

Background: right of access and refusal

In March 2023, TC, a natural person residing in Austria, subscribed to the newsletter of Brillen Rottler GmbH & Co. KG, a family-run optician company established in Arnsberg, Germany, by entering his personal data in the registration form on the company’s website and consenting to the processing of those data.

Thirteen days later, TC submitted a request for access to his personal data pursuant to Article 15 GDPR. Within the one-month period prescribed by the regulation, Brillen Rottler refused the request, characterising it as abusive within the meaning of Article 12(5) GDPR, and called on TC to withdraw it definitively. TC maintained his request and added a claim for compensation of EUR 1,000 under Article 82 GDPR. In response, Brillen Rottler brought a claim before the Arnsberg Local Court, seeking a declaration that TC was not entitled to any compensation. It argued that publicly available reports, blog articles, and lawyers’ newsletters demonstrated that TC systematically made access requests for the sole purpose of provoking GDPR infringements and claiming damages, following a modus operandi of subscribing to a newsletter, submitting an access request, and then claiming compensation.

The national court referred eight questions to the CJEU, which can be grouped into three themes.

  • On abuse of rights (Questions 1–3 and 7), the Court asked: whether a first access request can ever be “excessive” under Article 12(5) GDPR; whether a controller may refuse a request made with the sole intention of provoking a damages claim; and whether publicly available information showing a pattern of such behaviour can justify refusal.
  • On processing and compensation (Questions 4–6), the Court asked: whether an access request and its response constitute “processing” under Article 4(2) GDPR; and whether Article 82(1) GDPR limits compensation to damage resulting from processing, such that an infringement of the right of access alone cannot ground a claim.
  • On non-material damage (Question 8), the Court asked whether loss of control over personal data, or mere uncertainty about whether data have been processed, is sufficient to constitute compensable non-material damage under Article 82(1) GDPR, or whether something more is required.

The case sits at the intersection of two substantive legal principles: the absolute nature of certain GDPR rights (such as the right of access provided in Article 15 GDPR) and the proportionality requirement that courts must apply when awarding damages. Article 82 GDPR establishes that individuals have a right to compensation for material and non-material damage, but it does not specify how courts should calculate or limit such awards when the breach is more technical than catastrophic.

Proportionality and causal connection

The Court’s judgment reinforced that not every technical non-compliance with GDPR automatically triggers a right to damages. Instead, the CJEU articulated a refined test: there must exist a genuine causal link between the breach and the damage suffered. This reflects a common-law concept of causation (the breach must have objectively contributed to the loss) rather than a strict-liability approach. The Court declined to treat GDPR breaches as breaches of absolute liability, which would create an incentive structure skewed against proportionality and good-faith compliance efforts.

In doing so, the CJEU balanced two imperatives: on one hand, the fundamental right to data protection demands robust remedies; on the other, the legal order requires that damages awards correspond to actual harm, not merely technical transgressions. This tension mirrors similar debates in EU consumer law, where the EU’s approach to aggregate damages has evolved to discourage frivolous claims whilst protecting genuine victims.

Abuse of rights: a dormant but potent doctrine

One aspect of the judgment that surprised many legal practitioners was the Court’s willingness to consider abuse of rights, a principle rooted in the general principles of EU law, as a possible defence or limiting factor in GDPR damages claims. If a data subject exercises the right of access not to retrieve personal information but chiefly to initiate litigation for nominal damages, the exercise may be deemed an abuse of a procedural right. This doctrine, whilst rarely applied, adds a layer of legal protection for controllers who face vexatious or mass claims. The Advocate General’s opinion had explored this dimension at greater length, suggesting that proportionality and the principle of good faith might jointly constrain frivolous claims.

The practical consequence is that data subjects cannot weaponise the right of access by systematically requesting data with the sole intention of manufacturing a damages claim if the request receives a technically imperfect response. Courts will examine the underlying motive and context.

Non-material damage and the intangible harm test

The Brillen Rottler ruling also refined the scope of non-material damage (emotional distress, loss of dignity, frustration) which Article 82(1) explicitly permits as grounds for compensation. The Court held that intangible harm must be genuine, demonstrable (at least to a reasonable threshold), and not purely speculative. This clarification is significant because many GDPR claims rest primarily on non-material damage: the mere knowledge that a company mishandled one’s personal data can cause psychological distress. However, the CJEU signalled that claimants must prove, not merely allege, such harm. A complainant cannot simply assert that they felt violated; they must adduce evidence (whether testimony, medical records, or contextual circumstance) that the breach caused cognisable distress.

This requirement has reshaped how privacy advocates and plaintiff’s counsel frame damages cases, moving them away from abstract dignity arguments and towards concrete, relatable accounts of how the breach materially affected the subject’s life or wellbeing.

Enforcement under the new paradigm

For supervisory authorities across the EU, the Brillen Rottler judgment offers both clarity and caution. On the clarity front, the ruling affirms that not every breach merits maximum fines; proportionality is a mandatory lens through which to interpret GDPR enforcement. On the caution front, regulators must now articulate more precisely why a given breach caused harm, particularly in cases involving procedural missteps (incomplete data disclosures, delayed responses) rather than large-scale data theft.

Supervisory authorities may find themselves increasingly questioned by controllers who cite Brillen Rottler to challenge administrative fine decisions. The judgment does not lower the bar for finding a breach, but it does raise the bar for equating a breach with substantial harm. As a result, authorities like Germany’s Bundesdatenschutzamt and France’s CNIL will likely develop more granular guidance on when technical non-compliance warrants escalated fines.

Law firm strategy: evidence, proportionality, and settlement negotiation

Law firms representing data subjects must adapt their litigation strategy in light of this ruling. The path to damages is no longer paved merely by identifying a breach; counsel must now construct a causal narrative and marshal evidence of concrete harm. This requirement favours firms with the resources to conduct thorough client interviews, obtain expert testimony on psychological harm, and build detailed damage models.

Conversely, for firms defending controllers, the ruling opens new avenues for contesting claims. Defendants can now argue more credibly that a breach, whilst real, did not cause measurable damage, or that the claimant’s motive in pursuing the data request was pretextual. The emphasis on causal connection means that generic mass claims – one email to thousands of customers asserting universal damage – will struggle in court.

On settlement: the Brillen Rottler ruling has compressed the settlement range for many smaller claims. Controllers no longer face automatic exposure to aggregate damages across a data subject population; instead, damages awards correlate more directly to individual circumstances. This encourages settlement discussions anchored on real harm, not on worst-case legal exposure.

Business compliance: from technical to purposive adherence

Businesses of all sizes must recalibrate their GDPR compliance mindset in the post-Brillen Rottler environment. The ruling does not permit sloppy data handling; rather, it suggests that sincere, good-faith efforts to comply (even if imperfect) will receive more favourable treatment in damages calculations. A company that invests in privacy processes, responds to data subject requests within reasonable timeframes, and rectifies breaches when discovered faces lower aggregate damages exposure than one that is cavalier or obstructive.

The emphasis on causal connection and proportionality also shifts the incentive structure. Controllers benefit from demonstrating that steps taken to minimise harm reduced actual damage to the claimant. For instance, a company that discovers a minor data leak, promptly notifies affected users, offers credit monitoring, and implements corrective measures can argue that any residual damages are reduced by the mitigation efforts undertaken.

Stakeholder implications

  • For supervisory authorities, the judgment counsels restraint and precision. Administrative fine decisions must articulate the causal chain from breach to harm, grounded in evidence. When issuing guidance on large-scale enforcement actions, authorities should explain how they assessed harm and why the fine imposed aligns with the proportionate sanction. This reduces the risk of fines being overturned on appeal for lack of reasoned justification.
  • For law firms, the ruling demands investment in evidence-gathering and expert support. Successful claims will hinge on demonstrating real, measurable harm and a clear link to the breach. Firms must counsel clients realistically on damage quantum, avoiding inflated expectations. In defence, counsel representing controllers should prepare detailed factual records showing good-faith compliance efforts and mitigation steps taken post-breach.
  • For businesses, the message is dual-faceted. First, continued rigorous GDPR compliance remains essential, since the ruling does not soften substantive obligations. Second, organisations that invest in transparency, responsiveness to data subject requests, and prompt breach remediation will see tangible benefits in litigation defence. Insurance policies should reflect this: companies with strong privacy governance will find coverage more affordable and claims-handling more favourable.

The bottom line

The Brillen Rottler case signals that GDPR damages jurisprudence remains in active development across European courts. Member states will apply the CJEU’s principles through their own procedural and substantive lenses. Germany’s courts, for example, may emphasise dignity and privacy as weighty non-material harms, whilst courts in common-law jurisdictions may focus more stringently on causation and concrete loss. This divergence will likely persist until the CJEU offers further clarification, perhaps in a subsequent reference involving aggregate claims, algorithmic harms, or data breaches at scale.

In the interim, all stakeholders, from regulators to practitioners to corporate compliance officers, should view Brillen Rottler as an inflection point: away from strict liability thinking and towards a more nuanced, evidence-based approach to GDPR remedies. This approach serves the long-term credibility of European data protection, anchoring remedies in real harm rather than technical fault.

To stay abreast of evolving GDPR damages case law and its practical implications, explore Digibeetle’s expert-curated EU digital law database, which cross-references landmark judgments and supervisory authority guidance. Our legislation tracker provides daily updates on GDPR developments, ensuring you receive actionable intelligence as European digital law evolves.

Access the full cross-referenced database of CJEU judgments, Advocate General opinions, and regulatory guidance. Whether you represent data subjects, advise controllers, enforce regulations, or teach digital law, Digibeetle’s expert-curated platform delivers the insights you need. Start your 30-day free trial or book a consultation with our team to discuss how the Brillen Rottler ruling affects your organisation or practice.
