Analysis: CJEU decision raises the bar for GDPR compensation claims for identity theft

Matheson partners Davinia Brennan, Anne-Marie Bohan, Carlo Salizzo, Sarah Jayne Hannah and Michael Byrne consider a recent EU court ruling on GDPR compensation claims for “identity theft”.

The Court of Justice of the European Union (CJEU) in joined cases C‑182/22 and C‑189/22, Scalable Capital, has provided some further clarification regarding compensation for non-material damage under Article 82(1) of the GDPR as a result of the theft by third parties of personal data. The decision reflects a high threshold for claiming non-material damages in respect of “identity theft”.

According to the CJEU, compensation for non-material damage based on an allegation of “identity theft” requires that a third party has actually misused the identity of a person whose personal data has been compromised. The CJEU held that the theft of personal data does not, in itself, constitute compensable “identity theft”.

However, the CJEU further ruled that compensation for non-material damage cannot be limited to cases where the theft of one’s data subsequently gave rise to “identity theft”.

Rather, a data subject is entitled to compensation for any loss of control or theft of their data (whether or not it is subsequently misused and constitutes “identity theft”), under Article 82(1) GDPR, if the three conditions laid down in that provision apply, namely the personal data is processed in breach of the GDPR, damage is suffered by the data subject, and there is a causal link between that unlawful processing and that damage (as per the CJEU decision in the Austrian Post case).

Facts

The complainants were two data subjects based in Germany who sought to recover damages for non-material loss following the theft of their personal data from a trading platform operated by the defendant, Scalable Capital.

Whilst the data had unquestionably been unlawfully accessed and exfiltrated, at no stage was any evidence produced to indicate that the bad actors had actually used the exfiltrated data for any purpose (fraudulent or otherwise).

The complaints, which were commenced before the Munich courts, were referred to the CJEU for guidance as to whether the mere loss of control over personal data may be actionable by data subjects in circumstances in which there are no further consequences or exploitation of those data.

In particular, the Munich court sought guidance as to whether the simple expropriation of data by third parties amounts to “identity theft or fraud”, for the purposes of the GDPR, and whether proving the existence of such identity theft or fraud is a prerequisite to data subjects having a private remedy against a data controller.

Scalable Capital argued that Article 82 GDPR only gives rise to a right to compensation for damages that “individuals actually suffer”, rather than the hypothetical damages pleaded by the plaintiffs.

CJEU decision

The right to compensation under Article 82 GDPR fulfils a compensatory not a punitive function

The CJEU found that Article 82(1) GDPR must be interpreted as meaning that the right to compensation fulfils an exclusively compensatory not a punitive function, allowing only for compensation of the actual damage suffered as a result of a GDPR infringement.

The CJEU held that the severity and the possible intentional nature of the infringement of the GDPR by the controller should not be taken into account by the courts for the purposes of determining the compensation to be awarded.

The CJEU further ruled that Article 82(1) GDPR must be interpreted as meaning that, when determining the amount of damages due in respect of the right to compensation for non-material damage, it is appropriate to consider that such damage caused by a personal data breach is not, by its nature, less significant than physical injury.

In that regard, the CJEU noted that the GDPR does not contain any provision intended to define the rules on the assessment of the damages to which a data subject may be entitled under Article 82, where an infringement of the GDPR has caused him or her harm.

Therefore, in the absence of rules of EU law governing the matter, it is for the legal system of each member state to prescribe the criteria for determining the extent of the compensation payable in that context, subject to compliance with the principles of equivalence and effectiveness.

The CJEU also ruled that where damage is established, a national court may, where that damage is not serious, award minimal compensation to the data subject, provided that that compensation is such as to compensate in full for the damage suffered.

Compensation for identity theft requires proof of actual misuse by a third party

The CJEU noted that the concept of identity theft is not expressly defined within the GDPR. However, “identity theft or fraud” are referred to in recital 75 GDPR as forming part of a non-exhaustive list of the consequences of processing personal data liable to cause physical, material or non-material damage.

In recital 85 GDPR, “identity theft or fraud” are again referred to together in a list of physical, material or non-material damage that may be caused by a personal data breach.

The different language versions of recitals 75 and 85 of the GDPR refer to the terms “identity theft”, “identity fraud”, “abuse of identity”, “misuse of identity”, without distinction. Consequently, the concepts of “identity theft” and “identity fraud” are interchangeable and no distinction can be drawn between them.

The CJEU confirmed that the concept of “identity theft”, in order to give rise to a right to compensation, implies that the identity of a person affected by a theft of personal data has actually been misused by a third party.

Compensation for non-material damage is not limited to cases of identity theft or fraud

However, the CJEU further noted that among the various concepts set out in the lists in recitals 75 and 85 of the GDPR, “loss of control” or the inability “to exercise control” over personal data are distinguished from “identity theft or fraud”.

The CJEU accordingly found that access to and the taking of control over those data, which could be likened to a theft of those data, are not, in themselves, comparable to “identity theft or fraud”. In other words, the theft of personal data does not, in itself, constitute identity theft or fraud.

In that regard, the CJEU held that “compensation for non-material damage caused by the theft of personal data…cannot be limited to cases where it is shown that that data theft subsequently gave rise to identity theft or fraud”.

Rather, the theft of a data subject’s personal data gives rise to a right to compensation for non-material damage suffered, under Article 82(1) GDPR, if the three conditions laid down in that provision apply, namely processing of personal data carried out in breach of the provisions of the GDPR, damage suffered by the data subject, and a causal link between that unlawful processing and that damage.

Comment

On the one hand, the decision raises the bar for data subjects to successfully recover compensation for non-material loss suffered as a result of “identity theft”, in that it requires proof of actual misuse of the data by a third party.

However, on the other hand, the decision confirms previous CJEU decisions which indicate that the bar for recovering compensation generally for non-material damage is relatively low, and a data subject may recover compensation for the loss of control or theft of their data (irrespective of whether it has been misused and constitutes “identity theft” or “identity fraud”), as long as the data subject can show that such loss of control or theft causes them some form of non-material damage (such as distress or upset), and that such damage resulted from an organisation’s breach of the GDPR.
