Ducks overlooking outside scenery on bridge.
  1. Home >
  2. Snapshots >
  3. Data protection >
  4. >
  5. EU Advocate General’s opinion on data subjects’ rights to compensation for non-material damage under the GDPR

SHARE:

EU Advocate General’s opinion on data subjects’ rights to compensation for non-material damage under the GDPR

Published on 11 December 2023

The question

Does the theft of an individuals sensitive personal data by a wrongdoer give rise to compensation for non-material damage under Article 82 EU General Data Protection Regulation (GDPR), if the wrongdoer has not used, or taken steps to use, the sensitive personal data for any purpose?

The key takeaway

The opinion handed down by EU Advocate General (AG) Michael Collins states that, under GDPR, the possession of personal data by a wrongdoer, without any steps being taken by the wrongdoer to use the personal data to impersonate a data subject, does not constitute identity theft”. However, the opinion provides that the theft of a data subjects sensitive personal data may give rise to a right to compensation under Article 82 GDPR where: (i) there is proof that GDPR has been infringed, (ii) actual damage has been suffered by the data subject, and (iii) there is a causal link between the GDPR infringement and the damage the data subject has suffered.

The background

On 26 October 2023, the AG published its opinion on the Court of Justice of the European Unions (CJEU) website. The opinion, which the judges of the CJEU will consider before making a final decision, concerns the cases of JU v Scalable Capital GmbH (Case C-182/22) and SO v Scalable Capital GmbH (Case C-189/22).

These cases relate to claims by data subjects for the pain and suffering (ie non-material damage) which they claim they suffered following the theft of their sensitive personal data by unknown wrongdoers from a trading application managed by Scalable Capital. As such, the local court in Munich sought the CJEUs guidance on: (i) the interpretation of the concept of non-material damage under Article 82 GDPR, and (ii) what constitutes identity theft under Recital 75, GDPR.

The development

In relation to the interpretation of the concept of non-material damage under Article 82 GDPR, the AGs opinion concurs with the preliminary ruling of the CJEU in UI v Österreichische Post AG (see our Summer Snapshot here). As such, the AG has reiterated that to receive an award of compensation for non-material damage under Article 82 GDPR, a data subject must demonstrate that: (i) they have suffered damage, (ii) there has been an infringement of the GDPR, and (iii) the infringement is linked to the damage the data subject suffered.

In relation to what constitutes identity theft under Recital 75 GDPR, the AGs opinion provides that the GDPR does not explicitly define the concept of “identity theft. However, the AGs opinion also states that a systematic interpretation of Recital 75 supports the view that “identity theft occurs where a wrongdoer misuses a data subjects personal data in order to feign that data subjects identity. As such, the opportunity for a wrongdoer to use certain personal data to impersonate a data subject in the future, without any intention or steps being taken to do so, does not constitute identity theft because it only presents an abstract possibility that damage might occur in the future.

Given the above, the AG has opined that, where the points under UI v Österreichische Post AG can be demonstrated by a data subject (as detailed above), a data subject will be entitled to compensation for non-material damage under Article 82 GDPR.

Therefore, an award of compensation for non-material damage under Article 82 GDPR is predicated on whether a data subject can demonstrate that an infringement of the GDPR has occurred, and that the data subject actually suffered damage due to that infringement. As such, this will come down to the particular facts of the case in question.

Why is this important?

While the opinion of the AG is not binding on the CJEU, or applicable to the UK, it will be considered by the judges in the CJEU before they make a final decision in these two cases. As such, it provides organisations with a useful example of what the courts could require a data subject to prove in order to ground a claim for non-material damages under Article 82 GDPR.

Further, once a final decision in these cases is made by the CJEU, the decision will represent a persuasive authority and is likely to inform how the UK courts, and the Information Commissioners Office (ICO) will respond to similar compensation claims by UK data subjects.

Any practical tips?

While the AGs opinion is not binding in the UK, UK organisations should still consider tracking the progress of cases concerning claims by data subjects for non-material damages under Article 82 GDPR. These cases provide a feel for how the UK courts (and the ICO) may respond to similar claims against their UK controllers – and in turn help assess potential exposure to the ever-present threat of class actions by aggrieved data subjects.

Winter 2023