Category: AI Careers

Summer and Winter Fellowships provide an opportunity for early-career individuals and established professionals new to the field of AI governance to spend three months working on an AI governance research project, deepening their knowledge of the field, and forging connections with other researchers and practitioners. 

Our 2024 Summer Fellows came from a variety of disciplines and a range of prior experience – some fellows ventured into entirely new intellectual territory for their projects, while others used the time to extend their previous work.

We extend our sincere appreciation to all our supervisors for their dedicated mentorship and guidance this summer.

If you’re interested in applying for future fellowships, check out our Opportunities page. You can register your expression of interest here.

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

GovAI research blog posts represent the views of their authors, rather than the views of the organisation. ‍

Introduction

‍

The Paris AI Action Summit, to be held in February 2025, will be the third iteration of a new international summit series, following 2023’s AI Safety Summit in Bletchley and 2024’s AI Seoul Summit. The first two summits produced several striking outcomes, including: the first international declaration on the importance of ensuring the safety of advanced AI, voluntary safety commitments from leading AI companies, the commissioning of the first International Scientific Report on the Safety of Advanced AI, and the launch of several national AI safety institutes.

The path forward after the February 2025 summit, however, is unclear. There are not yet any public plans for the series after Paris. Many questions about its future remain unanswered.

‍

One crucial question is: What should the summit series’ distinct focus (niche) be? The international AI governance landscape is already crowded, with many international forums competing for engagement. The long term success of the series will therefore depend on its carving out a niche, establishing a distinct identity and offering key stakeholders unique value for their engagement. Clarity on the specific need that the series will fulfil will also make it easier for participants to focus their attention — and easier for each summit’s organisers to craft agendas that progress coherently toward long term goals. A more clearly-defined niche would enable the series to more neatly feed into broader processes, potentially including those within the United Nations.

‍

Across the first three summits, however, the niche of the series has become less clear. The scope has expanded from a specific focus on the safety of advanced AI systems to a broader set of topics. While this expansion has facilitated more holistic conversations, it has also created more overlap with other forums and limited continuity across summits.

‍

Ultimately, I will argue, the most compelling niche for the summit series is: a multistakeholder forum that focuses mainly on “advanced AI” ¹ with an agenda that is closely aligned with the work of AI safety institutes. This specific niche or focus can be institutionalised by developing a strategic framework to guide future summits, ensuring long-term coherence and clearly distinguishing the series from other international forums.

‍

The Need to Define a Niche

‍

The scope of the summit series’ content has expanded significantly across the three summits. The initial summit (the “AI Safety Summit”) focused purely on the safety of advanced AI systems. The second summit (the “AI Seoul Summit”) expanded the initial summit’s focus on advanced AI safety by also introducing innovation and inclusivity as core themes. The third summit (the “AI Action Summit”) will include five expansive workstreams — covering “public interest AI”, “future of work”, “innovation and ecosystems”, “AI in trust” (including safety topics as a subset), and “global governance of AI” — and will cover both advanced AI and other kinds of AI systems. 

This trend towards expanding the breadth of topics offers some obvious benefits. It will bring additional consideration and discussion to several important issues, beyond what they receive in other forums. It may also foster more “holistic” discussions, which acknowledge the intersections between different topics in AI governance.

However, crucially, this trend towards breadth has begun to blur the series’ distinct identity among other international AI governance forums. With a more distinct identity, the summit will encourage and enable more sustainable and meaningful participation from key players in AI. Key players are already expected to participate in numerous high-level events annually, including the G7 summit, the G20 summit, the Global Partnership on AI – OECD summit, the UNESCO Ethics of AI summit, the annual meeting of the World Economic Forum, and the ITU AI for Good summit. The highest level of representation from participating countries and companies cannot attend every AI-related event and must inevitably prioritise. If there is not a clear and compelling story about what the AI Summit Series offers that is distinct from these existing summits, then high-level representatives simply will not prioritise it.

Furthermore, as the focus of summits grows broader, it will become more difficult to make progress within summits. The top representatives from different countries and companies will not, in practice, have the capacity to engage deeply with several different workstreams in a single summit; either their attention will be spread shallowly across several workstreams or some workstreams will be neglected.

Growing breadth will also make it harder for host countries — especially comparatively less well- resourced host countries — to build successfully on each other’s work. A clear and stable niche would make it easier for hosts to design agendas that build on past summits in order to reach  consistent long term goals,and dedicate sufficient resources to all parts of these agendas. A clear niche would also prevent declarations and commitments on different topics from accumulating across summits, which could make it challenging to keep track of agreed-upon goals and initiatives.

Ultimately, the summit series will face several key challenges as it moves forward: 

1. Offering a unique value proposition to participants by addressing specific gaps in the landscape of international AI governance initiatives
2. Supporting productive conversations, by maintaining focus
3. Enabling momentum and high execution quality, by maintaining consistency across events

Overcoming these challenges will require careful coordination with existing initiatives to ensure complementary contributions to international efforts. 

The organizers of the next summit should respond to these challenges and agree on a compelling unified vision for the series. This framework would outline themes and objectives for the series, creating a natural continuation strategy and providing a clear mandate and structure. This will enable each summit to build on the progress of previous summits, while remaining flexible enough to adapt to new developments in AI.

‍

Proposing a Distinct Niche for the Series

‍

The most natural niche for the summit series is a multistakeholder forum that focuses mainly on advanced AI, with an agenda that is closely aligned with the work of safety institutes. This focus would clearly distinguish the series from existing initiatives and address three key challenges listed above.

The following discussion considers each component of this niche individually.

‍

Embracing a Multistakeholder Approach

Many other international AI governance forums only involve industry and civil society participants in limited ways. In contrast, the AI summit series has offered more significant roles to companies and to civil society organisations. For example, one of the key outcomes of the AI Seoul summit was a set of voluntary safety commitments made by leading AI companies worldwide. These commitments are an example of a valuable outcome that simply could not have occurred in a more state-focused venue, such as the G7 or G20.

The AI summit series could also capitalise on its successful multistakeholder approach by — for example — giving equal representation to different categories of stakeholders on joint planning committees and working groups. This would introduce a collaborative approach to the summit process, from the initial concept stage to final recommendations. While governments would retain final decision-making authority, this model would provide a structured forum for industry and academic insights to directly inform policy development.

‍

Focusing Primarily on Advanced AI

While many international forums address AI broadly, no major forum other than the AI Summit Series has focused primarily on “advanced AI” (defined as general-purpose AI systems that exceed or approximately match the capabilities of the most powerful systems available). This topic is also complex and policy-relevant enough to warrant focused attention within at least one forum.  Advanced AI may present relatively distinct risks and opportunities and warrant some distinct measures to manage these risks. For that reason, several high-profile regulatory efforts — including the US Executive Order on AI and the EU AI Act — identify advanced AI as a distinct regulatory category. There is clearly a growing demand for focused discussions on advanced AI, which other major forums are not yet providing.

Most of the successes of the first two summits pertain primarily to advanced AI. Even if future summits do have somewhat broader scopes, it should be a central priority to build upon the advanced-AI-focused successes of past summits.

‍

Aligning with the Efforts of AI Safety Institutes

The creation of AI safety institutes has been considered a result of the AI Summit Series: the first institutes were announced ahead of the initial AI Safety Summit, then at the AI Seoul Summit there was an announcement of plans for an international network of AI safety institutes.

This close connection to the emerging AI safety institute network is a distinct asset for the AI Summit Series, one which can inform strategies for future progress. First, the summit can draw on the expertise housed with AI safety institutes to support informed international discussions. Second, the summit can also serve as a coordination hub for national AI safety institutes. For example, it could help these institutes to establish a shared research agenda on pressing AI safety challenges, facilitate data sharing agreements, or develop common evaluation methods and benchmarks for AI systems. The summit could also support more ambitious projects that the institutes may contribute to or lead in the future, such as efforts to create a shared framework for rapid response to emerging AI risks or efforts to make safety certification processes across participating countries more closely coordinated. By supporting coordination between safety institutes, while also drawing on and spreading their expertise internationally, the summit series can contribute to a more unified and effective global approach to AI safety.

‍

Support Structures and Norms

For the summit series to maintain a clear niche while retaining the flexibility to evolve in response to a changing AI landscape, it will be useful to institute a number of structures and norms.

As discussed above, consistency across summits could be supported by the creation of a high-level strategic framework. This framework could outline key objectives and themes for the series on a multiyear timeframe and help organisers to prioritise when setting summit agendas. The strategic framework should be updated regularly to reflect evolving priorities and the evolving international governance landscape, but should not change substantially in most years.

The creation of joint working groups, which carry over from one summit to the next, could help to ensure consistency. The working groups would support continuity in the series’ themes, although there would also need to be room for groups to be added, removed, or merged over time.

It will be important to establish structures and norms to ensure that the series remains aligned with other international processes, even as these other processes evolve. The fact that other processes are constantly evolving means that the summit series’ niche will also need to evolve over time — and that work must be done to ensure it continues to complement them, rather than competing with them. It will be important, for example, to align with the Global Digital Compact, a comprehensive framework adopted by 193 countries at the United Nations, becoming the first framework for global AI governance.  

There are three main ways to ensure alignment:

1. Invite representatives from other initiatives to participate (as has been done in the past)
2. Establish formal partnerships with other initiatives and create structured channels to contribute effectively
3. Design summit agendas that explicitly build on and complement the work of other initiatives, in consultation with them

Together, these structures and norms could help to ensure that the summit series continues to have a clear niche, while also continuing to evolve to meet new challenges and opportunities.

‍

Conclusion

As the Paris AI Action Summit concludes the three-summit cycle initiated at Bletchley, the series’ future remains uncertain, yet full of potential. The international AI governance landscape is crowded, with numerous forums competing for attention and engagement. The landscape is likely to become more crowded over time, as reflected, for example, by the recently-adopted UN Global Digital Compact’s comprehensive plans for a global dialogue on AI governance. Stakeholders have limited capacity to engage with AI-related events and need to clearly understand the purpose of making time for this series. The series will struggle, therefore, if it does not make its niche clear.

We can learn from the successes of the past two summits, which yielded several concrete outcomes that influenced national agendas and company priorities. These successes suggest a particular niche: the summit series should be a multistakeholder forum dedicated to advanced AI, closely aligned with the efforts of safety institutes. 

The challenge beyond Paris is to formalise this niche, developing a strategic initiative with a long-term vision and concrete goals for the next 3-5 years. This approach would position the summit series as a cornerstone of international AI governance, capable of driving meaningful progress in a rapidly changing field.

‍

Lucia Velasco

‍

The views expressed in this article are those of the author and do not represent the views of their employer. The author would like to thank Ben Garfinkel for his valuable feedback.

‍

‍

‍

When scholars and policymakers consider how technological advances affect the rise and fall of great powers, they draw on theories that center the moment of innovation – the eureka moment that sparks astonishing technological feats. In his new book, Jeffrey Ding offers a different explanation of how technological revolutions affect competition among great powers. Rather than focusing on which state first introduced major innovations, he investigates the ability of states to successfully adapt and spread these technologies across their economies.

Drawing on historical case studies of past industrial revolutions as well as statistical analysis, Ding demonstrates how institutional adaptations oriented around diffusing technology play a crucial role in shaping global competition. His findings bear directly on current concerns about how emerging technologies such as AI could influence the US-China power balance.

Following his presentation, Ding will be joined by Robert Trager, Co-Director of the Oxford Martin AI Governance Initiative, Ben Garfinkel, Director of the Centre for the Governance of AI and Kayla Blomquist, Director of the Oxford China Policy Lab for a panel discussion before Q&A

‍

Dr. Jeffrey Ding is an Assistant Professor of Political Science at George Washington University. Previously, he was a postdoctoral fellow at Stanford’s Center for International Security and Cooperation, sponsored by Stanford’s Institute for Human-Centered Artificial Intelligence. His research focuses on great power competition and cooperation in emerging technologies, the political economy of innovation, and China’s scientific and technological capabilities.

His book, Technology and the Rise of Great Powers (Princeton University Press, 2024), investigates how past technological revolutions influenced the rise and fall of great powers, with implications for U.S.-China competition in emerging technologies like AI. Other work has been published or is forthcoming in European Journal of International Relations, European Journal of International Security, Foreign Affairs, International Studies Quarterly, Review of International Political Economy, and Security Studies, and his research has been cited in The Washington Post, The Financial Times, and other outlets. Ding received his PhD in 2021 from the University of Oxford, where he studied as a Rhodes Scholar. Previously, he worked as a researcher for Georgetown’s Center for Security and Emerging Technology and Oxford’s Centre for the Governance of AI.

‍

‍

Our first research agenda, published in 2018, helped define and shape the nascent field of AI governance. Our team and affiliate community possess expertise in a wide variety of domains, including compute governance, US-China relations, arms race dynamics, EU policy, and AI progress forecasting.

GovAI researchers have published in top journals and conferences, including International Organization, NeurIPS, and Nature Machine Intelligence. Our alumni have gone on to research roles at top academic institutions, including the University of Oxford and the University of Cambridge, and top AI labs, including DeepMind and OpenAI.

‍

As Talent Systems Specialist, you will report to Ryan (Director of Operations), and also work closely with Georg (Chief of Staff), Valerie (Research Manager), and others on GovAI’s talent systems and programs. Responsibilities will include:

• Project management of many of GovAI’s hiring rounds, from outreach to offers, using the systems and processes already in place. This includes quickly understanding how the existing systems work, and leveraging them to ensure that the teams responsible for candidate evaluation have the information, direction, and tools they need to succeed.

• Designing, implementing, and continuously improving the tools, systems, and processes we use in our recruiting. This includes systems for candidate identification, outreach to promising individuals, contending with the proliferation of AI-assisted applications, and running the end-to-end evaluation process. This work has high potential to directly shape our talent strategy by defining what is possible for the organisation.

• Balancing multiple concurrent workstreams, prioritising based on impact and strategic alignment. Because this role will be simultaneously coordinating hiring rounds and improving the systems on which those rounds are run, the individual will need to progress multiple objectives in parallel and quickly adapt when priorities shift.

• Collaborating with staff across GovAI to gather requirements, understand pain points, and create solutions that enhance efficiency and effectiveness across the organisation. We are particularly excited about individuals who will proactively suggest improvements to “the way we do things” and can challenge our assumptions.

• Supporting the Director of Operations in maintaining and elevating the quality and professionalism of our recruiting and people operations.

‍

Depending on your interests and skills, there is room for the role to grow in several directions, including:

• Internal Product Manager, owning nearly all of GovAI’s internal systems, aiming to enable all of GovAI’s programmes to rapidly scale. This could include building and managing a CRM, research repository, website, virtual course platform, research dissemination tools, and more. A key focus would be using data to evaluate and improve the impact of our programmes.

• Recruiting Lead, taking a deeper level of ownership over end-to-end talent selection. Responsibilities could include defining and scoping new roles, designing effective evaluations, coordinating internal and external stakeholders, and participating directly in candidate grading and hiring decisions. This role could also involve managing one or more direct reports on the Operations team who support hiring efforts.

• Head of People, overseeing the complete GovAI staff experience beyond recruiting and onboarding. This would include developing processes for staff to assess and optimise their performance, fostering best practices for delivering effective feedback, helping team members realise ambitious professional development goals, and further strengthening GovAI’s culture and working practices.

‍

At GovAI we believe there is no such thing as a perfect candidate and we don’t expect a successful hire to excel in all of the dimensions listed below. If you are hesitant to apply because you are unsure whether you are qualified or you worry your background doesn’t make you an obvious fit, we still strongly encourage you to apply.

We’re searching for candidates who are:

• Highly organised and skilled in project management. This role involves managing complex, concurrent work streams. We are looking for someone who can demonstrate highly structured work habits, confidently prioritise tasks, and take a methodical approach to maintaining order and progress.

• Proactive in identifying and driving improvements, from ideation through execution. This role should seek out opportunities to enhance our systems and processes, gather high-level guidance from senior stakeholders (e.g. GovAI leadership), and take initiative to build scalable solutions that meet the organisation’s evolving needs.

• Good at working as part of a fast-moving team. GovAI is a small-but-growing organisation and most team members wear many hats. This role should be comfortable iterating, pivoting when priorities change, and ensuring their solutions can stand on their own when the team moves on to new challenges.

• Excellent communicators, both verbally and in writing. This role requires clear and prompt communication with a wide range of stakeholders, often synthesising rapid or fragmented feedback into concrete solutions.

• Adept at translating high-level goals into actionable plans, including defining project owners, setting up project plans, and overseeing their execution from start to finish.

• Driven by excellence and a commitment to producing high-quality results. Successful candidates will actively seek out opportunities to improve their skills and maximise their impact.

‍

Although not mandatory, the following qualities would make a candidate exceptionally promising:  

• Experience in product management, user experience, systems architecture, or data design. Strong candidates might have a good understanding of how to build solutions that address complex needs, integrate with existing processes, and remain adaptable to future requirements.

• Experience in recruiting, talent development, staff support, or people operations. Strong candidates might have experience with recruiting or designing talent search processes, or building HR/people-oriented programs and systems.

• Strong interpersonal skills and leadership abilities. It would be considered a strength if this individual could provide effective line management for junior Operations team members and ensure the Operations team as a whole receives appropriate support and guidance.

• Excited by the opportunity to use their careers to positively influence the lasting impact of artificial intelligence, in line with our organisation’s mission.

‍

This position will be full-time, and managed by Ryan, GovAI’s Director of Operations. Our offices are located in the UK and we strongly prefer team members to be based in Oxford or London, although we are open to hiring individuals who work remotely, and Ryan is based in New York City. We are able to sponsor visas. 

This role will be compensated in line with our salary principles. As such, the salary for this role will depend on the successful applicant’s experience, but we expect the full-time range to be between £60,000 and £80,000 for candidates based in the UK. In rare cases where salary considerations would prevent a candidate from accepting an offer, there may also be some flexibility in compensation. 

Benefits associated with the role include health, dental, and vision insurance, flexible work hours, extended parental leave, ergonomic equipment, a 10% employer pension contribution, and 33 days of paid vacation (including public holidays). Based on location, the role may also offer a £5,000 annual wellbeing budget, a £1,500 annual commuting budget, and a relocation stipend.

‍

The application process includes three stages: a written submission in the first round, a paid remote work test in the second round, and an interview in the final round. Please apply using the form linked below. 

‍We aim to fill this role as soon as possible and may begin reviewing applications before the deadline. Applications submitted earlier may be given additional consideration.

We also note that end-of-year hiring rounds have a higher risk of delays as our graders navigate competing holiday schedules. While we intend to reach a decision before the end of the year, we appreciate your patience if the final outcome is only reached in early 2025.

GovAI is committed to fostering a culture of inclusion and we encourage individuals with underrepresented perspectives and backgrounds to apply. We especially encourage applications from women, gender minorities, people of colour, and people from regions other than North America and Western Europe who are excited about contributing to our mission. We are an equal opportunity employer and want to make it as easy as possible for everyone who joins our team to thrive in our workplace. 

If you need assistance with the application due to a disability, or have any other questions about applying, please email

re*********@go********.ai











.

‍

Introduction

The opening of the Paris Olympics on 26 July 2024 coincided with a potentially significant development in one of France’s most renowned gastronomic traditions. The French cultivated meat startup, Gourmey, applied for a novel food authorization for its cultivated foie gras in the EU, as well as in Singapore, Switzerland, the United Kingdom, and the United States. This first-ever authorization procedure for a cultivated meat product in the EU represents a potential “legal disruption” and warrants close attention from both policy and research communities.

Cultivated meat, produced from animal cells grown in controlled environments outside of animals, is hailed as a potential solution to the numerous environmental and ethical challenges posed by conventional meat production. At the same time, scientific, sustainability and regulatory challenges are well regarded. Notwithstanding, the first commercial cultivated meat product was introduced in Singapore in 2020, following regulatory approval granted to the American company “Eat Just” for chicken nuggets partially composed of cultivated cells. As of May 2024, these nuggets are also available in Singaporean retail stores. Meanwhile, several other cultivated meat products have received approval in Singapore, the United States, and Israel. Regulators in various jurisdictions are actively collaborating with innovators to establish pathways to market for these products.

The EU has not yet taken a leading role in the regulation of cultivated meat. Most food innovations are governed by the EU’s novel food framework, defined by Regulation (EU) No 2015/2283, and cultured meat is no exception. The novel food framework is praised for its robustness but criticized for hindering innovation due to lengthy and demanding procedures. Innovators also fear political interference in the authorization process, as cultivated meat faces intense political backlash in several EU Member States. Since 2020, for example, the French legislature has repeatedly attempted to prohibit the use of meat-related terms for alternative protein products. In November 2023, the Italian government adopted Law No. 172/2023 prohibiting the production and commercialization of cultivated meat. Article 1 provides that the ban is necessary to:

“ensure the protection of human health and citizens’ interests as well as preserve the agri-food heritage, as a set of products that are an expression of the socio-economic and cultural evolution process of Italy, of strategic importance for the national interest”.

Policymakers in Poland and Romania have expressed similar intentions, and the governments of these sceptical countries are proposing revisions to the novel food framework at the EU level.

Disruptive Potential for Novel Food Framework and Animal Welfare

Legal disruption occurs when new technologies challenge the applicability and suitability of existing regulatory frameworks. In our view, the authorization procedure for cultivated foie gras could trigger such disruption concerning the novel food framework, food labelling regulations, and animal welfare laws.

First and foremost, the authorization procedure at the EU level will test the Commission’s claim, that the existing novel food framework is adequate for handling such applications. The European Food Safety Authority (EFSA) has recently taken several steps to engage with stakeholders in the field of cellular agriculture through a Scientific Colloquium on cell culture-derived foods and food ingredients. It has promised specific guidelines for submitting dossiers on cultivated meat products, which are expected to be included in the new general guidance for novel food applications to be published in September 2024. This application will illustrate whether these steps effectively address the concerns of the cellular agriculture industry. 

The parallel filing of applications in Singapore, Switzerland, the UK and the United States will also enable a comparative assessment of regulatory regimes and potentially expedite regulatory cooperation. While all countries share the fundamental objective of ensuring food safety, their specific authorization procedures, approval times and transparency requirements vary significantly. Different countries exhibit varying levels of risk acceptance when it comes to food innovations. For instance, Singapore aims to position itself as a regulatory pioneer to attract innovators because it views cultivated meat and novel foods as essential to achieve the objectives of the national food security strategy ‘30 by 30’, aiming to produce locally 30% of the country’s nutritional needs by 2030.

In this context, the foie gras application may influence the EU’s stance on radical food innovation more broadly. Whilst the EU’s novel food framework primarily focuses on food safety, the political discourse on cultivated meat encompasses additional aspects. Legislative efforts in France and Italy reflect concerns about agriculture and, rural development, the right to informed consumer choices. An EU novel food authorization would challenge the effectiveness of such national legislation and compel stakeholders to defend the (perceived) interests of conventional animal production at the EU level.

Unlike most dairy and meat products, foie gras is a “luxury” product that is already highly controversial. It has been the subject of heated political debate and regulatory action. The process of force-feeding geese to enlarge their livers has been banned in several countries, including more than half of the EU Member States, and some countries have started banning foie gras imports. Protecting its conventional producers is unlikely to garner broad public support.

Au contraire, the authorization of cultivated foie gras could even spur advancements in animal welfare regulation. Animal welfare is enshrined as a principle of EU primary law in Article 13 TFEU. For animals kept for farming purposes, this translates into Article 3 of Directive 98/58/EC, according to which ‘Member States shall […] ensure that the owners or keepers take all reasonable steps to ensure the welfare of animals under their care and to ensure that those animals are not caused any unnecessary pain, suffering or injury’. The availability of cultivated alternatives to animal products alters the trade-offs implied by this rule. The authorization of cultivated foie gras could thus reshape the regulatory debate on biotechnological food innovation in general. Until now, opponents have argued for consideration of the broader socio-economic implications of innovative products during the authorization process, assuming this would justify limitations and prohibitions. However, considerations of animal welfare (or other aspects such as working conditions, one health, or ecological impacts) could support the urgent approval of such products.

Conclusion

The first novel food application concerning cultivated meat in Europe is now a reality. Gourmey’s focus on foie gras, as a controversial and high-value luxury item, appears to be a smart strategy given the polarized political debate on cultivated meat in Europe. This move should prompt French and other European policymakers to reconsider their positions and potentially reinvent one of their most recognizable food delicacies. The timing of the application’s publication on the opening day of the Paris Olympics 2024 may have limited broader public scrutiny, but this should not deter food innovation scholars from carefully monitoring its development.

Since C-300/21 Österreichische Post, the first ECJ decision on non-material damages under GDPR, the ECJ has handed down multiple other decisions on the topic (C-340/21 Natsionalna agentsia za prihodite, C-667/21 Krankenversicherung Nordrhein, C-456/22 Gemeinde Ummendorf and C‑687/21 MediaMarktSaturn). There seems to be a marked effort by the Court to create a reliable jurisprudence for non-material damages. In fact, all the decisions have been assigned to and decided by the Third Chamber under Article 60 of the Rules of Procedure of the Court of Justice. This post analyses the subsequent cases after Österreichische Post to flesh out the Court’s conception of non-material damages under Article 82 GDPR and to analyse whether a coherent approach emerges from the case law.

Requirements

Based on Article 82(2) GDPR, the Court delineates three cumulative elements for non-material damages (Österreichische Post at 36, Natsionalna agentsia za prihodite at 77, Gemeinde Ummendorf at 14,  Krankenversicherung Nordrhein at 82 and MediaMarktSaturnat 58):

1. Infringement of the GDPR

2. Damage

3. A causal link between the infringement and damage

Once these three elements are in place, a controller is liable for the non-material damage and must compensate the claimant in accordance with Article 82(1) GDPR.

(1) Infringement

As per Article 82 GDPR, a controller has to compensate for a damage which arose as the consequence of an infringement of the GDPR (Österreichische Post at 31). However, mere infringement alone is insufficient to confer a right to compensation (MediaMarktSaturn at 58, Österreichische Post at 33 and 34). This is because the three elements are cumulative (as seen above).

Infringement of the GDPR cannot simply be determined by the fact that there was, for example, a data breach (MediaMarktSaturn at 45). In MediaMarktSaturn, the hearing of an action for damages under Article 82 must also take into account all the evidence that a controller provides to demonstrate, for example, that their technical and organisational measures were sufficient and therefore, complied with Articles 24 and 32 GDPR (MediaMarktSaturn at 44).

In other words, to ascertain whether an “infringement” occurred in the specific case, the Court seems to consider not only the factual consequences of it (i.e. whether the controller lost control over the personal data following a breach). It also determines whether that event is attributable to the controller in terms of intent or culpability (did the controller want that event or were they negligent in adopting any reasonable countermeasures?). It seems that a controller can use a lack of intent or negligence to argue against their alleged infringement. For example, if a breach occurred but the controller proved that they were not negligent and had the necessary technical and organisational measures, then there is arguably no infringement and a claim for damages would end here.

(2) Damage

Recital 85 to the GDPR provides a non-binding list of what could constitute material or non-material damage under the GDPR. It lists the following: ‘loss of control over […] personal data, limitation of […] rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.’

The first of this list – loss of control over personal data – has been clarified further and defined rather broadly by the ECJ. Fear deriving from the loss of control over personal data from an infringement of the GDPR is sufficient to give raise to non-material damages (Natsionalna agentsia za prihodite at 80). The amount of time that the fear is felt by the claimant can be short. In Gemeinde Ummendorf, a few days, which did not have a noticeable consequence for the claimant beyond the fear itself, were sufficient for non-material damages (Gemeinde Ummendorf at 22). This follows a previous decision, which in doing away with a threshold of seriousness for non-material damages, allows all non-material damages, even if they are limited in scope, to lead to possible claims (Österreichische Post at 49). The fear itself is sufficient, as there is no requirement that the damage be linked to an actual misuse of the data by third parties by the time of the claim (Natsionalna agentsia za prihodite at 79). Nor does the claimant need to show that there has been a misuse to their detriment (Natsionalna agentsia za prihodite at 82 and Gemeinde Ummendorf at 22). Thus, it is sufficient that the breach of the GDPR be linked to the claimant’s fear that such misuse may occur in the future.

This is a broad reading of loss of control. As noted by AG Pitruzzella, the GDPR does not state that fear should create a ground for compensation for non-material damages (AG Opinion in C‑340/21 at 78). There is undoubtedly ‘a fine line between mere upset (which is not eligible for compensation) and genuine non-material damage (which is eligible for compensation)’ (AG Opinion in C‑340/21 at 83). The Court here could have gone either way, especially in a case on the facts such as Natsionalna agentsia za prihodite where the fear suffered by the claimant of a possible misuse of personal data in the future had no established misuse and the claimant had not suffered further harm (AG Opinion in C‑340/21 at 77). Nonetheless, because the definition of damage should be ‘broad’ and allow for ‘full and effective’ compensation as per Recital 146 to the GDPR, the AG Pitruzzella stated that the Court should hold the fear itself to be sufficient (AG Opinion in C‑340/21 at 71 and 77). Not only did the Court follow the AG’s Opinion at paragraph 81 of the judgment, but it has consistently referred to the broadness point of Recital 146 in its later non-material damages judgments (Gemeinde Ummendorf at 19 and 20 and MediaMarktSaturn at 65).

The ECJ did not, however, go as far as to establish a presumption that all infringements would result in a damage (cf. AG Opinion in C‑340/21 at 74). The claimant still needs to show consequences from the infringement (Österreichische Post at 50 and MediaMarktSaturn at 60). Thus, they must show that they have suffered an actual damage, however minimal it may be (Gemeinde Ummendorf at 22). The burden of proof is also on the claimant to show this damage (MediaMarkt at 61 and 68 and Natsionalna agentsia za prihodite at 84). This makes sense given that the claimant is the only one who has experienced the damage (for example, fear) and is in a position to prove it.

It is perhaps due to this logic, that the ECJ (on the concept of loss of control) also stated that the fear must be ‘well-founded’ and that the risk cannot be hypothetical (MediaMarkt at 67 and 68 and Natsionalna agentsia za prihodite at 85). While it is for national courts to determine whether these requirements are met (MediaMarktSaturn at 67 and 6), the ECJ nonetheless determined that the disclosure of data to a third party, who did not know about it, would not give rise to non-material damages (MediaMarktSaturn at 69). In this case, it was clear that the risk was unfounded; the third party never became aware of the personal data during the breach and the document containing the data was returned within half an hour. So, the fear linked to this so-called hypothetical risk proved insufficient for non-material damages. If the claimant cannot evidence damage as defined above, then a successful claim for damages will also end at this point.

(3) Causal link

A causal link must exist between the infringement and damage (Österreichische Post at 32 and under Article 82(1) GDPR). The Court has not yet developed this criterion in detail, but it can be inferred that the claimant should show there to be some form of reasonable relationship between the infringement and their damage. If there is no causal link it follows that there cannot be a right to receive compensation under Article 82 GDPR.

The fact that damage was caused by a third party, as defined by Article 4(10) GDPR, rather than the controller themselves, is not a limiting factor. Article 4(10) GDPR defines third parties as being under the ‘direct authority’ of the controller or processor and authorised to process the data. The Court in Natsionalna agentsia za prihodite found hackers to be third parties under Article 4(10) GDPR (at 71). Thus, Article 4(10) has been interpreted broadly in that it does not require third parties to be employees of the controller or subject to its control (at 66). Nonetheless, for the third party act to be attributable to the controller, the controller must have made the infringement possible in the first place by failing to comply with their GDPR obligations, for example, by failing to implement appropriate technical and organisational measures (at 71).

Defences

Liability is subject to fault on the part of the controller, which is presupposed unless it proves that it is ‘not in any way responsible’ for the event giving rise to the damage (MediaMarkt at 52, Recital 146 GDPR, and Natsionalna agentsia za prihodite at 37 and 69). The circumstances in which the controller may claim to be exempt from civil liability under Article 82 GDPR are ‘strictly limited’ to those in which the controller is able to demonstrate that the damage is not attributable to it (Natsionalna agentsia za prihodite at 70). It is explicitly for the controller to rebut this presumption of fault (Krankenversicherung Nordrhein at 94 and alsoNatsionalna agentsia za prihodite at 69 and 70). This allocation of the burden of proof to the controller ensures that the effectiveness of the right to compensation (Article  82 GDPR)  is maintained ( MediaMarktSaturn at 42).

Questions remain over what type of defence Article 82(3) is and how it relates more widely to the concept of non-material damages. For example, if liability (the link between the controller’s fault and the damage) is presupposed, does this mean that the causal link (between the infringement and the damage) is presupposed as well? Is Article 82(3) GDPR, therefore, a defence against causation or a separate general defence against liability? Moreover, does this presumption of fault also mean that intent or negligence should become a rebuttable presumption when deciding on an infringement? These are questions that will inevitably arise before the ECJ in the future. 

Compensation

Article 82(1) GDPR has a compensatory instead of punitive function (MediaMarktSaturn at 48). Compensation is limited to monetary compensation and should only fully compensate for the damage suffered by the infringement of the GDPR (Krankenversicherung Nordrhein at 84 to 87, Österreichische Post at 58 and MediaMarktSaturn at 54). It is because of this compensatory function that national courts should not look at the controller’s behaviour when quantifying non-material damages. The compensation will not be affected by the degree of the controller’s responsibility, and it does not matter whether there was intent or negligence from the side of the controller (Krankenversicherung Nordrhein at 86, 87, and 102 and MediaMarktSaturn at 48).

Final compensation must be ‘full and effective’ (Recital 146 to the GDPR). This means that national rules must enable the claiming of compensation (Österreichische Post at 56). Nonetheless, it is for national courts to determine the exact amount of pecuniary damages in accordance with their national law (Krankenversicherung Nordrhein at 83 and 101), as long as the internal rules of the Member State follow the principles of equivalence and effectiveness of EU law (MediaMarktSaturn at 53).

Damages under the GDPR are conceptually autonomous and therefore ‘special national’ interpretations, except for the amount of the compensation, should not occur (MediaMarkt at 59). In general, the divergence or unity of GDPR damages in comparison with national law conceptions of damages will require a more detailed discussion than is possible within this blogpost.

A coherent vision

Having briefly analysed the cases above, there seems to be a coherent line of argumentation behind the non-material damages cases under Article 82 GDPR. The rulings do not radically diverge from each other, and the concepts developed are re-used, cross-referenced, and built upon. As more preliminary references arrive and non-material damages develop further, the Court could even begin to send some questions back to national courts under Article 99 (Reply by Reasoned Order) of the Rules of Procedure of the Court.This is where the question referred is identical to a question on which the court has already ruled or where the answer to such a question may be clearly deduced from existing case law.

A practical point to mention is that the definition of non-material damages is likely to affect also class action suits and collective redress. A broad interpretation of non-material damages could lead to data breaches becoming exorbitantly expensive for controllers, to the point that they may no longer want to operate in Europe. Instead of restricting the concept of damages, a solution would be to avoid the creation of an impossible threshold for controllers and processors to prove that they have complied with Articles of the GDPR. It is perhaps for this reason that the Court has so far been reasonable with its thresholds and decided, for example, that unauthorised disclosure of personal data to third parties is not sufficient in itself to hold that Articles 24 and 32 GDPR have been infringed by the controller (MediaMarktSaturn at 40).

Material and non-material damages are well defined concepts within national law, and so conflicts will inevitably occur between national systems and the GDPR. It is important that the ECJ maintain its coherent vision of non-material damages to create a uniform application of the GDPR and therefore, protect the effectiveness of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union.

The Corporate Sustainability Due Diligence Directive at risk

In December 2023, following a lengthy Trilogue, a political agreement was reached regarding the Corporate Sustainability Due Diligence Directive (CSDDD); the first EU economy-wide mandatory due diligence legislative measure. The Directive aims to promote sustainable corporate conduct across global value chains, which include the full range of activities involved in the creation of a product or service. While the CSDDD is not a panacea, it is expected to foster a level playing field and improve corporate sustainability. However, a last-minute announcement from the internally divided German government to abstain from voting in the European Council has put the Directive’s future at risk.

Despite earlier endorsement, on the 1^st of February 2024, Germany suddenly withdrew its support for the CSDDD due to the opposition of the FDP, the liberal government coalition party. Lukas Köhler, FDP deputy head in German Parliament, stated that the FDP cannot support the Directive as its obligations would overburden companies. Subsequently, other EU Member States, such as Italy, followed Germany’s example and decided to abstain from voting, or to vote against approval. The Council vote which was initially planned on 9 February had to be postponed since the required qualified majority would not be reached. On 28 February, once again, due to lack of support, it was decided to postpone the vote on the approval of the Directive. In the meantime, the Belgian Presidency of the Council, reportedly, proposed a new comprise text of the Directive hoping to convince Member States to vote in favour. The revised version would have included a downsized personal scope of application and softened provisions on civil liability. However, on 8 March, the Council vote has again been postponed. While time is running out ahead of the European elections, the Directive has been set on the agenda of the Coreper I meeting on 13 March.

This blog post argues that the failure to approve the CSDDD by the Council under the guise of protecting companies is counterproductive and represents a missed opportunity in mitigating climate change. First, the post looks at the CSDDD from the perspective of European businesses. Then, it connects the urgent societal challenge of climate change to the EU Directive awaiting approval by the Council.

European companies embrace harmonisation

Abstaining from voting, and, thus, de facto making approval impossible, is not in the interest of European companies. Indeed, the CSDDD would serve the companies’ interests by seeking to harmonise due diligence legislation within the EU internal market. Pursuant to its dual legal basis (Art. 50 and 114 TFEU), the Directive aims to harmonise legislation to ensure a level playing field within the EU internal market and avoid distortions of competition. It is for this reason that European businesses urge the EU Member States to formally adopt the CSDDD. In a joint statement, large German companies argue that putting the CSDDD at risk will create legal uncertainty. In their view, the Directive is the ‘only chance’ for an EU-wide level playing field with fair competitive conditions that will create legal certainty. Not only big companies embrace the CSDDD; the Italian Confederation of Craft Trades (CNA) representing small and medium-sized enterprises has, for example, expressed its support to the CSDDD as it will ensure a level playing field and avoid unfair competition with non-EU companies.

The fears of these companies regarding an unlevel playing field and legal uncertainty appear to be well-founded. Disparities between national due diligence legislation result in legal fragmentation which can lead to distortions of competition. Most notably, Germany and France have enacted legislation containing due diligence requirements. The legislative measures significantly differ in personal scope, material scope and regulatory approach. For instance, the German act applies to companies employing more than 1000 employees, whereas the French actonly applies to companies employing more than 5000 employees. Moreover, under the French act climate change should be addressed in carrying out due diligence, while the German act does not cover climate change issues at all. Considering just these two examples of legislation, it becomes apparent that the risk of legal fragmentation should be taken seriously.

The Commission convincingly argues in the proposal for the CSDDD that these disparities between national legislation are likely to lead to distortions of competition within the internal market. Companies that are active in certain EU-jurisdictions with no or less stringent due diligence legislation will have a competitive advantage. Furthermore, legal fragmentation creates a significant burden to companies as compliance with different national legislation requires diverging measures and policy per jurisdiction. Against this background, it should be noted that rejection of the CSDDD could even lead to further legal fragmentation. National legislative proposals, such as a Dutch proposal, that were put on hold, awaiting the CSDDD, could be rehabilitated. Indeed, one could argue that not the CSDDD’s requirements, but the lack of harmonisation will overburden European companies.

Alongside the harmonising effects of the CSDDD within the EU, the Directive’s requirements align with international standards on due diligence. Since their adoption in 2011, the UN Guiding Principles on Business and Human Rights(UNGPs) and OECD Guidelines for Multinational Enterprises are internationally broadly recognised soft law documents that pursue corporate sustainability through encouraging due diligence regarding human rights and the environment. The approval of the CSDDD would strengthen these influential international standards, which have been endorsed by the EU since 2011. According to the UN High Commissioner for Human Rights, the EU would show historic global leadership. Additionally, companies that already pursue to comply with these international due diligence standards will be rewarded for their efforts in carrying out business activities responsibly. Unsurprisingly, a large and wide-ranged group of European businesses called for an ambitious CSDDD aligning with the UNGPs and OECD Guidelines for Multinational Enterprises.

Corporate sustainability legislation for a green EU economy

Building upon the existing international due diligence standards, the CSDDD, inter alia, seeks to advance the greening of the EU economy. Arising from the EU sustainable corporate governance initiative, the CSDDD is a proposal for corporate sustainability legislation, crucial in steering towards a green and climate-neutral EU economy by 2050 as required by the European Climate Law. Additional mitigating efforts are indeed necessary to address the urgent challenges posed by climate change. Last year, the International Panel on Climate Change (IPCC) established that human activities had already caused a global temperature rise of 1.1°C by 2020 in comparison to pre-industrial levels. Moreover, it revealed that current global mitigation efforts are insufficient to limit global warming to 1.5°C as envisioned by the Paris Agreement. Similarly, the European Environmental Agency has concluded that current EU-efforts will not suffice to achieve the climate change mitigation goals codified by the European Climate Law. According to the IPCC, resilient climate policy will require ‘large and sometimes disruptive changes in economic structures’.

Since the CSDDD is based on existing soft law, it does not seem to be that disruptive, yet it will target the right actors with substantive obligations. Addressing the private sector is necessary as large companies are currently and historically have been the main contributors to climate change. The 2017 Carbon Majors Report showed that just 100 companies are responsible to 71 per cent of all global greenhouse gas emissions since 1988. Regulation of sustainable corporate conduct has come a long way. Prior to the European Green Deal, the EU predominantly aimed to enhance corporate sustainability through supporting and promoting voluntary corporate social responsibility (CSR). However, open-ended CSR initiatives and non-legally binding international due diligence standards leave a regulatory gap and do not suffice in effectively pursuing sustainable corporate conduct (see, e.g. the study for the Commission on supply chain due diligence).

The CSDDD partly seizes the opportunity to bridge this regulatory gap. The cautiously drafted Directive, as negotiated in the political agreement, contributes to the EU’s climate change mitigation objectives rather half-heartedly and does not seem to fulfil the Directive’s potential. In truth, the CSDDD’s text has been watered down significantly. Both the Commission’s proposal and the European Parliament’s draft report were less cautiously drafted and would have been more effective in mitigating climate change. In this context, the political agreement’s personal scope of application is fairly narrow. According to the political agreement, the Directive applies to EU companies with over 500 employees and a net worldwide turnover of at least EUR 150 million, and to non-EU companies with a net EU turnover of at least EUR 300 million. As a result, the revenue threshold for non-EU companies has, for example, been doubled compared to the Commission proposal. Additionally, the political agreement fails to designate any high-risk business sectors with lower employee base and revenue thresholds. Although the current text does not fulfil the Directive’s potential, adoption would still be a crucial step into the right direction. The companies concerned are required to comply with two main substantive obligations.

Firstly, the due diligence obligation of Article 4 of the Directive requires companies to address adverse impacts of their business activities to specific human rights and environmental norms. Rather surprisingly, the political agreement fails to refer to any directly climate-related rights and norms. Noteworthy, the European Parliament was keen on directly addressing climate change through the due diligence obligation. Although not specified, the reason for not directly including adverse climate impacts could be that this due diligence obligation would, by some, be regarded as too far-reaching. However, as it is increasingly accepted that climate change harms the realisation of human rights and environmental norms (see, e.g. UN General Assembly Resolution 76/300 and the Dutch Supreme Court’s decision in the Urgenda case), adverse climate impacts can (possibly) be considered as adverse human rights or environmental impacts. This would mean that companies must either way address the adverse impacts of business activities to the climate.

Secondly, the other main obligation does directly refer to climate change. Article 15 lays down the obligation to draw up a climate transition plan. Reinforcing the reporting obligation of the Corporate Sustainability Reporting Directive (CSRD), the CSDDD would require large companies to adopt and put into effect a plan that is in line with the European Climate Law. Companies falling within the personal scope of the Directive would be obliged to reconsider their business strategy and implement measures, through a best-efforts approach, to play their part in reaching climate-neutrality by 2050.

The way forward

It is to be hoped that the Council will eventually formally approve the proposed Directive. The CSDDD is not only about holding companies accountable, but also about fostering a level playing field and ensuring fair competition within the EU internal market. The support for the CSDDD from European businesses underscores its importance in creating legal certainty and eliminating distortions of competition that arise from disparities in national legislation. Furthermore, in light of the urgent need to address climate change and the transition to a sustainable economy, the Directive represents a crucial step forward. Efforts of the Belgian Presidency in the Council must be efficacious to regain earlier-existing support which was present at the time of reaching the political agreement in December 2023. By voting in favour of the CSDDD, EU Member States would, at last, prioritise the long-term interests of European companies, society and the planet.