Introduction

The success of collective redress in data protection depends on how we conceptualize harm. Across European Union member states, at least three related challenges emerge at the intersection of collective redress and the General Data Protection Regulation (GDPR). First, the degree of similarity required for establishing standing and aggregation in collective redress (a threshold that varies across member states, with some requiring near-identical circumstances and others accepting a common underlying data processing practice as sufficient). Second, the quantification of compensation for diffuse digital harms. Third, the type of evidence required to prove harm across large groups of data subjects. Each of these challenges is complicated by the distinctive features of mass data harms, which are typically widespread, embedded in many business models, and difficult to trace to concrete individual consequences for any given data subject.

In this entry, I propose understanding the difference between nonmaterial and material damages under data protection law as a difference between normative harm and consequential harm. Then, I explain how this interpretation responds to the three core challenges of collective redress.

Nonmaterial Damages as Normative Harm

The Court of Justice of the European Union (CJEU) established that damage must be differentiated from a GDPR breach itself, rejecting the notion that a violation automatically gives rise to compensable harm. In turn, Article 82 of the GDPR (the provision establishing controllers’ and processors’ liability to pay compensation to data subjects who suffer damage) establishes that damages can be either material or nonmaterial. The CJEU made clear that “nonmaterial” damages are a distinct category of compensable harm, not to be conflated with “minimal” or “trivial” material damages. So, to give effect to this distinction, one must develop a principled account of what nonmaterial damage means in data protection.

Three cumulative conditions must therefore be met for compensation: an infringement of the GDPR, the existence of damage (material or nonmaterial), and a causal link between the infringement and the damage. This tripartite structure prohibits collapsing breach into harm as much as it prohibits collapsing material and nonmaterial damages: a GDPR infringement, material damages, and nonmaterial damages are three distinct concepts.

Building on these boundaries, I propose that nonmaterial damages under the GDPR should be understood as normative harm: harm to a value protected by the law, such as informational autonomy, dignity, or interference with the fundamental right to data protection. These differ from the adverse consequences of GDPR breaches, such as financial harm or loss of time, which under this framework are material harms for the GDPR. From a private law theory perspective, nonmaterial harm in this sense can be understood as a wrong of treating another person’s data as a resource for private gain in ways that instrumentalize them (that is, using them as a means rather than as an end in themselves) regardless of whether material consequences follow (and regardless of whether the potential gain is monetary or nonmonetary).

This normative conception maintains the CJEU’s two critical distinctions in a principled way. First, to maintain the material versus immaterial distinction, we must distinguish between nonmaterial harm as normative and material harm as consequential: the downstream effects that may or may not materialize. Consider the difference between the dignitary harm of having one’s medical data exposed without consent versus the financial loss from identity theft, work-impeding anxiety about future discrimination, or reputational damage that might follow. The former is normative harm; the latter are consequential harms.

Second, to maintain the damages versus breach distinction, we should distinguish between nonmaterial harm and loss of individual control over personal data. Although loss of control, in some circumstances, constitutes a form of harm (as recognized in Recital 85 of the GDPR, which identifies the risk of loss of control over personal data as one of the harms that data breach notifications are designed to prevent), every GDPR infringement involving the processing of personal data entails some degree of interference with a data subject’s control over that data. Therefore, treating every instance of lost control as compensable nonmaterial damage would effectively collapse the distinction between breach and nonmaterial harm: if all losses of control constituted nonmaterial damage, we would return to a two-element test despite the CJEU’s explicit rejection.

Because normative harm is defined by interference with a protected value rather than by individualized consequences, it leads to answers to each of the three procedural challenges that material harm, by its nature, cannot.

Challenge one: Quantifying compensation of nonmaterial damages

This understanding of privacy harm provides principled responses to the three core challenges of collective redress in GDPR cases. The answer to the first challenge, how courts should quantify nonmaterial damages, lies in recognizing two complementary approaches to the quantification of normative harm.

First, national amounts given to dignitary harm provide established frameworks for quantifying nonmaterial harms. Dignitary harm captures the intrinsic worth of the person and the wrong of instrumentalization. Various language versions of the GDPR reflect this understanding: the French version of Article 82, which reads dommage matériel ou moral, for example, connects to a civilian legal tradition in which dommage moral has long compensated violations of dignity independently of economic loss. This conception aligns with the historical relationship between data protection, privacy, and dignity across European legal traditions.

Second, courts can quantify nonmaterial harms as they do emotional harm from the perspective of a reasonable person, borrowing a mechanism from national private law. This approach is both objective in that it does not depend on what any individual plaintiff actually felt and normative in that it asks what a person whose autonomy was violated in this way could reasonably be expected to experience: what would a reasonable data subject experience in similar circumstances? This standard aligns with the GDPR’s principle of fairness, which requires personal data to be used in ways that people reasonably expect and not in ways that have unjustified adverse effects on them.

Critically, courts can quantify these harms using national law frameworks, preserving the autonomy of GDPR categories required by EU law while maintaining national procedural autonomy. The normative harm framework provides substantive guidance for these quantification efforts because, building on the idea that the content of EU law categories themselves is not a question of national discretion, it provides room for the application of national methodologies of quantification to a harmonized EU law concept under the principles of equivalence and effectiveness (the requirements, respectively, that national procedural rules must treat EU law claims no less favourably than comparable domestic claims and must not render the exercise of EU rights practically impossible).

Challenge two: type of evidence required

From this view of quantification follows a view of evidence that overcomes the confusion that arises from treating both material and nonmaterial categories as factual. Under the principle of national procedural autonomy, determining evidence is within the discretion of Member States as long as those determinations do not undermine EU law categories.

Proof of normative harm should not require individualized evidence of subjective psychological impact, such as clinical records of anxiety or documented personal distress. Such requirements would make collective actions practically impossible but, more importantly, they do not fit the nature of nonmaterial harm. The wrong in normative harm lies in the violation of a protected value, such as dignity and autonomy, not in the psychological consequences that may or may not follow from that wrong.

This suggests a principle for evidence in collective actions in data protection. The type of evidence required should correspond to the type of harm alleged: for material harm, individual evidence of adverse consequences and, for nonmaterial harm, evidence of the data processing practice and its interference with protected values, rather than individual proof of subjective distress.

Challenge three: similarity and commonality requirements

The question of when data subjects share sufficient similarity to be aggregated in collective proceedings is difficult, given that Member States’ procedural laws vary: some satisfy the similarity requirement through a common breach, while others require both common breach and common damage.

To respect the autonomy of EU law categories, national laws have three defensible options for establishing similarity following from the two CJEU distinctions above. First, similarity can be achieved through a common breach. Second, similarity can be established through common loss of control arising from the same data practice. Third, similarity can be achieved through nonmaterial harm as common damage without requiring common consequences (i.e., common material harm) for the group of plaintiffs.

A normative understanding of nonmaterial damages therefore provides a basis for claim aggregation through common nonmaterial harm independently of the scale of per-plaintiff recovery. It remains functional even when the quantification approach leads to low compensation for that harm alone, which is what makes it suited to collective redress. This approach is crucial for meaningful redress because it guarantees that structural GDPR violations affecting millions of data subjects can be addressed collectively rather than requiring millions of individual proceedings.

Normative harm as a legally recognized category allows for aggregation precisely because it is defined by the interference with protected values, not by the subjective experiences of each individual. In contrast, individual assessment of pain and suffering, required for material damages, makes collective actions impossible. National procedural law cannot impose similarity requirements so demanding that they make it impossible to pursue collective claims for common nonmaterial harm, since doing so would undermine the effectiveness of Article 82 GDPR.

Where appropriate and allowed by local procedural law, courts may form subclasses according to material damages, for example by grouping data subjects who suffered financial loss from identity theft separately from those claiming only nonmaterial harm from the same data practice, or they may permit separate collective redress for material damages where differentiation is necessary. But the existence of varying material consequences should not prevent aggregation based on common nonmaterial harm.

Conclusion

The effectiveness of collective redress in data protection depends on adopting a principled framework for understanding nonmaterial damages. A normative conception, rooted in interference with legally protected values such as autonomy and dignity, provides this framework.

This approach resolves three core challenges of collective redress. It permits quantification through established domestic law methodologies for dignitary and emotional harms while respecting the autonomy of EU law categories. It defines appropriate evidentiary standards that do not depend on individualized proof. And it enables claim aggregation based on common harm arising from the same data processing practices, even when individual consequences vary. This does not enable unlimited aggregation because the requirement of a common, identifiable data processing practice functions as a threshold constraint.

Courts must recognize that GDPR violations can constitute wrongs deserving of remedy even when they do not produce material losses. Using people’s personal data in ways that exploit them for private gain, such as by interfering with their autonomy and bypassing well-founded reasonable expectations of data uses, constitutes harm regardless of whether material consequences follow. A framework that treats these harms as legally cognizable provides the foundation for collective redress commensurate with data processing in the information economy.

This article is based on a keynote address delivered at the Collective Redress and Digital Fairness Conference, Amsterdam, December 10, 2025.

(Photo: Max Harlynking)