CJEU Provides Further Clarity on GDPR Right of Compensation in Relation to Identity Theft

Written by Kieran Harte

On 20 June 2024, the Court of Justice of the European Union (CJEU), in two joined cases C‑182/22 and C‑189/22, Scalable Capital, and following a request for a preliminary ruling, provided some further clarification concerning compensation for non-material damage under Article 82(1) of the EU General Data Protection Regulation (GDPR) arising from the theft of personal data by unknown third parties. The decision has effectively raised the bar for claiming non-material damages in respect of “identity theft”, in that it requires proof of actual misuse of the data by a third party.

Background

The case related to two complainants in Germany who sought to recover damages for non-material loss as a result of the theft of their personal data stored on a trading application managed by Scalable Capital. Scalable Capital maintained that the personal data had not been used fraudulently.

The Amtsgericht München (local court in Munich) referred a number of questions to the CJEU for guidance regarding the appropriate level of compensation, whether mere loss of control over personal data was actionable where there was no evidence of subsequent exploitation, and whether gaining possession of the personal data by third parties constituted “identity theft”.

CJEU Decision

The court found that Article 82(1) of the GDPR should be interpreted as fulfilling a compensatory function (i.e. not punitive) that allows the damage suffered to be compensated in full. Furthermore, the severity and the possible intentional nature of the infringement of the GDPR are not required to be considered for the purposes of compensation. The court also found that the damage caused by a personal data breach is not, by its nature, less significant than a physical injury. It held that it is for the national courts to apply the domestic criteria for determining the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are observed. Moreover, a national court may, where that damage is not serious, compensate for it by awarding minimal compensation to the data subject, provided that it compensates in full the damage suffered. Finally, in order to qualify for compensation, the identity of a person affected by a theft of personal data must have actually been misused by a third party. However, compensation for non-material damage caused by the theft of personal data cannot be limited to cases where it is demonstrated that the data theft subsequently gave rise to identity theft or fraud.

The decision has confirmed previous CJEU decisions to the effect that a data subject will only be entitled to compensation for loss of control or theft of their data under the regulation if there has been an infringement of GDPR, that infringement caused him or her damage, and there was a causal link between the infringement and the damage (see the judgment in Österreichische Post). However, it also appears to indicate that there is a low threshold for recovering compensation generally for non-material damage, and that a data subject may obtain compensation for an infringement of GDPR resulting in loss of control or theft of their data (irrespective of whether it has been misused and constitutes “identity theft”), so long as the data subject can demonstrate that said loss of control or theft caused them some form of non-material damage (for example, distress or upset), and the damage was caused by an infringement of the GDPR.
