EU advocate general Collins has reiterated that individuals’ right to claim compensation for harm caused by GDPR breaches requires proof of “actual damage suffered” as a result of the breach, and “clear and precise evidence” of such damage – mere hypothetical harms or discomfort are insufficient. The advocate general also found that unauthorised access to data does not amount to “identity theft” as that term is used in the GDPR.
The right for individuals to claim compensation for data breaches has long been a controversial and uncertain aspect of the GDPR – see our previous blogs here, here, here, and here for example.
The present case (C-182/22 and 189/22) arose from a data breach that caused an individual’s personal data, including his name, date of birth, and a copy of his identity card, to be accessed by an unknown third party. Although there was no evidence that the third party had harmed the claimant by using the stolen data for identity fraud or similar purposes, the claimant alleged that the unauthorised access to his data caused him emotional distress and amounted to “identity theft”, therefore entitling him to compensation.
Applying the court’s ruling in the Österreichische Post case (see our blog on that case here), the advocate general noted that GDPR compensation must reflect “actual damage suffered” as a result of the relevant GDPR infringement, and that there must be “clear and precise” evidence of the damage suffered. Merely possible or hypothetical damage, or mere disquiet that a breach has occurred, is insufficient. As a result, the advocate general concluded that the claimant only had a right to compensation if he could prove that he had suffered actual damage and could prove that the damage was caused by a GDPR infringement.
The advocate general went on to note that unauthorised access to personal data does not by itself amount to “identity theft” – a term used in the GDPR as an example of a harm that individuals should be compensated for. Instead, the term “identity theft” in the GDPR is used interchangeably with “identity fraud” – that is, it involves some active attempt to use the data to assume another person’s identity. The fact that an unauthorised party has received access to data may enable that party to commit identity theft or fraud, but it is not of itself identity theft or fraud.
What happens next?
The advocate general’s opinion is influential on, but not binding on, the CJEU, which will issue a final ruling on the case in the coming months. This case is only one of a raft of cases currently before the CJEU that are set to examine damages under the GDPR (see for example C-687/21 and C-741/21). The topic of defining non-material damages is also of increasing importance as EU member states continue their transposition of the Representative Actions Directive.
* * *
Covington’s Data Privacy and Cybersecurity Practice regularly advises on European privacy laws, including data breaches, cyber incidents, and litigation at the European Court of Justice. If you have any questions about the implications of this ruling for your business, please let us know.
(This blog post was written with the contributions of Alberto Vogel.)