CJEU - Joined Cases C‑182/22 and C‑189/22 - Scalable Capital
| CJEU - Joined Cases C‑182/22 and C‑189/22 Scalable Capital | |
|---|---|
 | |
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 82(1) GDPR |
| Decided: | 20.06.2024 |
| Parties: | |
| Case Number/Name: | Joined Cases C‑182/22 and C‑189/22 Scalable Capital |
| European Case Law Identifier: | ECLI:EU:C:2024:531 |
| Reference from: | |
| Language: | 24 EU Languages |
| Original Source: | Judgement |
| Initial Contributor: | nzm |
The CJEU found that, among other things, the damage caused by a personal data breach is not, by its nature, less significant than a physical injury and that in the specific case of identity theft, the personal data must have been actually
English Summary
Facts
Scalable capital (‘controller’) managed a trading application in which the data subject opened accounts and entered personal data to do so. In 2020, their personal data were seized by third parties whose identity remains unknown. According to the controller, those data had not been used fraudulently. The data subjects brought an action before the Amtsgericht München (Local Court, Munich, Germany) seeking compensation for the non-material damage which they claimed to have suffered as a result of the theft of their personal data. The court stayed the proceedings and decided to refer the following questions to the CJEU: 1. Does the right to compensation under Article 82(1) GDPR, including the determination of the amount of the compensation, have a purely compensatory function, and in some cases a satisfactory function? 2. Does the right to compensation also have an individual satisfaction function – understood as the private interest of the injured party in seeing the behaviour that caused the damage penalised? When determining the compensation, is additional weight attributed to only deliberate or grossly negligent data protection infringements? 3. Is the compensation for non-material damages to be determined on the basis of a structural order of precedence which attributes less weight to the detrimental effects of a data infringement than to the detrimental and painful effects associated with a physical injury? 4. Can a national court only award minimal compensation in the light on the non-serious nature of the damage? 5. Does identity theft under recital 75 GDPR require the offender to have actually assumed the identity of the data subject, meaning to have somehow impersonated that person, or does the mere possession of such data constitute identity theft?
Holding
On the first and second questions First, the CJEU pointed out that it has already held that Article 82 GDPR fulfils a function that is compensatory and not punitive. Accordingly, the right to compensation, in particular in the case of non-material damage, fulfils an exclusively compensatory function, in that financial compensation based on that provision must allow the damage actually suffered as a result of the infringement of the GDPR to be compensated in full. Second, the controller’s liability under Article 82 GDPR is subject to fault on the part of the controller, which is presupposed, unless it proves that it is not in any way responsible for the event giving rise to the damage. Article 82 also does not require that the severity of that fault is taken into consideration when setting the amount of the compensation allocated for non-material damages under that provision. However, the amount must be fixed in a way to compensate in full for the damage actually suffered as a result of the infringement. Therefore, the CJEU found that the severity and possible intentional nature of the infringement of the GDPR does not have to be taken into account for the purposes of compensation for damage under Article 82(1) GDPR.
On the third question The CJEU noted that the GDPR does not contain any provision intended to define the rules on the assessment of the damages to which a data subject may be entitled under Article 82 GDPR, and thereof, where an infringement of the GDPR has caused them harm. In the absence of EU law on this matter, the legal system of each Member State is to prescribe the criteria for determining the compensation payable in that context, subject to compliance with the principles of equivalence and effectiveness. The CJEU noted that financial compensation under Article 82(1) GDPR must be regarded as ‘full and effective’ if it allows the damage actually suffered to be compensated in full. The Court explained that recitals 75 and 85 GDPR set out various circumstances that could be classified as a ‘physical, material or non-material damage’ without establishing a hierarchy between them. The CJEU also indicated that the recitals do not indicate that harm resulting from a data breach is, by its very nature, less significant than physical injury. Therefore, the CJEU considered that when determining the amount of damages due in respect of the right to compensation for non-material damage, it is appropriate to consider that such damage caused by a personal data breach is not, by its nature, less significant than a physical injury.
On the fourth question The CJEU recalled that it follows from settled case-law that the person seeking compensation for non-material damage under Article 82(1) GDPR must not only establish the infringement of the GDPR, but also that the infringement caused them damage, which cannot be presumed merely on the basis that the infringement took place. The CJEU also held that Article 82(1) GDPR does not require that the damage alleged by the data subject must reach a ‘de minimis threshold’ in order to give rise to a right to compensation. However, this does not preclude national courts from awarding compensation of a small amount provided that such compensation fully offsets that damage. Therefore, the CJEU held that where a damage is established, a national court may, where that damage is not serious, compensate for it by awarding minimal compensation to the data subject, provided that the compensation is such as to compensate in full for the damage suffered.
On the fifth question The CJEU pointed out that the concept of identity theft is not expressly defined within the GDPR. However, identity theft or fraud are referred to in recital 75 GDPR, as part of a non-exhaustive list of the consequences of processing personal data liable to cause physical, material or non-material damage, and in recital 85 GDPR; as part of a list of physical, material and non-material damage that may be cause by a data breach. The Court also noted that the Advocate General observed in his opinion that in different languages; recitals 75 and 85 GDPR refer to the terms ‘identity theft’, ‘identity fraud’, ‘abuse of identity’, ‘misuse of identity’, ‘misappropriation of identity’ and ‘usurpation of identity without distinction. Thus, the CJEU held that the concepts of identity theft and identity fraud are interchangeable and no distinction can be drawn between them. The Advocate General also stated that the ‘loss of control’ or the ‘inability ‘to exercise control’ over personal data are distinguished from identity ‘theft’ or ‘fraud’. The CJEU confirmed this approach and held that the theft of personal data does not, in itself, constitute identity theft or fraud. However, the CJEU specified that the compensation for non-material damage caused by the theft of personal data cannot be limited to cases where there was identity theft or fraud. Indeed, the theft of personal data can give rise to a right to compensation under Article 82(1) GDPR if the three cumulative conditions are met. Therefore, the CJEU concluded that in order to give rise to compensation, the concept of identity theft implies that the identity of the data subject has actually been misused by a third party. However, compensation for non-material damage caused by a theft of personal data is not limited to cases where that data theft gave rise to identity theft or fraud.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
