Court of Justice of the European Union: yes to compensation for damage caused by the theft of personal data from an app

On June 20, 2024, the Court of Justice of the European Union (CJEU) issued a significant decision on the right to compensation for damage caused by a breach of the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR).

The decision arose from requests for a preliminary ruling submitted by the Court of Munich (Amtsgericht München) in two disputes brought by two individuals (JU and SO) against the company Scalable Capital GmbH.

At the center of the decision was the interpretation of the notions of “identity theft” and “non-material damage” used in the GDPR.

The case: data stolen from a trading app

The case originated from the actions brought by JU and SO, who had each opened an online account on a trading app operated by Scalable Capital GmbH.

In 2020, hackers of unknown identity gained access to the applicants' personal data and to details of their investment portfolios. The applicants complained of the theft of their personal data and, before the Munich Court, claimed compensation from the company, as data controller, for the non-material damage suffered.

The preliminary question: does the theft of personal data amount to “identity theft”?

The question referred by the German judges to the CJEU is of central significance. First, it was necessary to establish whether the conduct of the hackers falls within the notion of “identity theft or fraud” referred to in recitals 75 and 85 of Regulation (EU) 2016/679 (GDPR).

In other words, the Court was asked to clarify whether the mere fact that the perpetrators hold data that make the data subject identifiable amounts to identity theft, or whether identity theft occurs only where the offender has actually assumed the identity of the person concerned, impersonating them in some way.

Secondly, in order to assess the consequences of identity theft, the Court of Munich also asked the CJEU to set out the conditions and criteria for quantifying non-material damage. The right to compensation is provided for in Article 82 of the GDPR, but the definition and extent of non-material damage are not clearly defined, leaving room for many interpretations.

The decision of the Court

The CJEU took the opportunity to clarify several crucial aspects of compensation for non-material damage, examining in depth what is to be regarded as “identity theft” under the EU Regulation.

In fact, the GDPR does not define this notion either; it is mentioned in recitals 75 and 85, which list the risks to the rights and freedoms of natural persons arising from the processing of personal data, as well as the physical, material or non-material damage that a personal data breach can cause.

The Court also confirms that the terms “identity theft” and “identity fraud” are interchangeable and that no distinction can be drawn between them, but, in its view, both imply an intention to assume the identity of a person whose data have previously been stolen.

As a consequence, a hacker's mere access to, or acquisition of control over, personal data, as happened in the case under examination, certainly constitutes data theft but is not sufficient to constitute identity theft or fraud.

On this point, the Court concludes that the theft of personal data does not, in itself, constitute identity theft or fraud.

Nevertheless, the Court continues, this does not mean that the mere theft of data cannot give rise to a right to compensation for the non-material damage suffered: that right is not limited to cases where it is shown that the stolen data were subsequently used for actual identity fraud, but must be guaranteed whenever these three conditions are met:

  1. processing of personal data in breach of the GDPR
  2. damage suffered by the individual
  3. a causal link between the unlawful processing and the damage suffered.

In this regard, the Court confirmed that the compensation provided for in Article 82 of the GDPR has an exclusively compensatory function. This means that the monetary compensation must make it possible to compensate in full the damage caused by the infringement of the Regulation, and it does not serve a punitive or deterrent function.

Moreover, the severity and the possibly intentional nature of the infringement must not influence the amount of compensation for non-material damage. That amount must be determined solely on the basis of the actual damage suffered by the data subject, so as to guarantee “full and effective” compensation, bearing in mind that such damage must not be regarded, by its nature, as less significant than personal injury.

Implications of the decision: a strengthening of protection

This decision offers an important clarification of the concept of identity theft in the context of the GDPR, broadening the protection of data subjects' rights and highlighting the importance of adopting appropriate measures to ensure compliance with the EU Regulation.

The decision will not only have a significant impact on companies' data management policies, encouraging them to strengthen their security measures, but also marks an important victory for individual rights in the digital era.

On the one hand, companies and organizations responsible for processing will be more aware of the risk of having to compensate non-material damage even in cases of data theft where the stolen data have not actually been used to misappropriate someone's identity. On the other hand, the decision confirmed that the right to compensation for non-material damage is an essential component of the GDPR, establishing that any infringement entails an obligation to compensate the actual damage suffered, regardless of the intention behind or the severity of the infringement, thereby strengthening the protection of European citizens' personal data.

In conclusion, the decision of the Court of Justice of the European Union of June 20, 2024 is likely to represent an important precedent for future lawsuits concerning the protection of personal data processed through online applications.

At the same time, European citizens will feel better protected, knowing that the protection of their data extends to the theft of the data itself and not only, or not necessarily, to the theft of their identity.


Teresa Franza