CJEU - C‑182/22 and C‑189/22 - Scalable Capital (Joined Cases)
CJEU - Joined Cases C‑182/22 and C‑189/22 Scalable Capital | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 82(1) GDPR |
Decided: | 20.06.2024 |
Parties: | |
Case Number/Name: | Joined Cases C‑182/22 and C‑189/22 Scalable Capital |
European Case Law Identifier: | ECLI:EU:C:2024:531 |
Reference from: | |
Language: | 24 EU Languages |
Original Source: | Judgement |
Initial Contributor: | nzm |
The CJEU found that the damage caused by a personal data breach is not, by its nature, less significant than a physical injury. Moreover, for an event to qualify as identity theft the personal data must have been actually misused by a third party.
English Summary
Facts
Scalable Capital (‘controller’) managed a trading application in which the data subjects opened accounts and entered personal data to do so. In 2020, their personal data were seized by third parties whose identity remains unknown. According to the controller, those data had not been used fraudulently.
The data subjects brought an action before the Amtsgericht München (Local Court, Munich, Germany) seeking compensation for the non-material damage which they claimed to have suffered as a result of the theft of their personal data. The court stayed the proceedings and decided to refer the following questions to the CJEU:
- Does the right to compensation under Article 82(1) GDPR, including the determination of the amount of the compensation, have a purely compensatory function, and in some cases a satisfactory function?
- Does the right to compensation also have an individual satisfaction function – understood as the private interest of the injured party in seeing the behaviour that caused the damage penalised? When determining the compensation, is additional weight attributed to only deliberate or grossly negligent data protection infringements?
- Is the compensation for non-material damages to be determined on the basis of a structural order of precedence which attributes less weight to the detrimental effects of a data infringement than to the detrimental and painful effects associated with a physical injury?
- Can a national court only award minimal compensation in the light of the non-serious nature of the damage?
- Does identity theft under recital 75 GDPR require the offender to have actually assumed the identity of the data subject, meaning to have somehow impersonated that person, or does the mere possession of such data constitute identity theft?
Holding
On the first and second questions
First, the CJEU pointed out that it has already held that Article 82 GDPR fulfills a function that is compensatory and not punitive (§22 of the Judgement; see also CJEU, 4 May 2023, Österreichische Post, C-300/21). Accordingly, the right to compensation, in particular in the case of non-material damage, fulfills an exclusively compensatory function, in that financial compensation based on that provision must allow the damage actually suffered as a result of the infringement of the GDPR to be compensated in full (§23 of the Judgement).
Second, the controller’s liability under Article 82 GDPR is subject to fault on the part of the controller, which is presupposed, unless the controller proves that it is not in any way responsible for the event giving rise to the damage. Article 82 GDPR also does not require that the severity of that fault be taken into consideration when setting the amount of the compensation allocated for non-material damages under that provision (§28 of the Judgement). However, the amount must be fixed in such a way as to compensate in full for the damage actually suffered as a result of the infringement (§29 of the Judgement).
Therefore, the CJEU found that the severity and possible intentional nature of the infringement of the GDPR does not have to be taken into account for the purposes of compensation for damage under Article 82(1) GDPR (§30 of the Judgement).
On the third question
The CJEU noted that the GDPR does not contain any provision defining the rules for assessing the damages payable under Article 82 GDPR where an infringement of the GDPR has caused the data subject harm. In the absence of EU law on this matter, the legal system of each Member State is to prescribe the criteria for determining the compensation payable in that context, subject to compliance with the principles of equivalence and effectiveness (§33 of the Judgement).
The CJEU noted that financial compensation under Article 82(1) GDPR must be regarded as ‘full and effective’ if it allows the damage actually suffered to be compensated in full (§35 of the Judgement). The CJEU explained that recitals 75 and 85 GDPR set out various circumstances that could be classified as a ‘physical, material or non-material damage’ without establishing a hierarchy between them (§37 of the Judgement). The CJEU also observed that the recitals do not indicate that harm resulting from a data breach is, by its very nature, less significant than physical injury (§38 of the Judgement).
Therefore, the CJEU considered that damages caused by a personal data breach are not, by their nature, less significant than damages caused by a physical injury (§39 of the Judgement).
On the fourth question
The CJEU recalled that it follows from settled case-law that the person seeking compensation for non-material damage under Article 82(1) GDPR must not only establish the infringement of the GDPR, but also that the infringement caused them damage, which cannot be presumed merely on the basis that the infringement took place (§§41 and 42 of the Judgement; see also CJEU, 4 May 2023, Österreichische Post, C-300/21).
The CJEU also held that Article 82(1) GDPR does not require that the damage alleged by the data subject must reach a ‘de minimis threshold’ in order to give rise to a right to compensation. However, this does not preclude national courts from awarding compensation of a small amount provided that such compensation fully offsets that damage (§44 of the Judgement).
Therefore, the CJEU held that where a damage is established, a national court may, where that damage is not serious, compensate for it by awarding minimal compensation to the data subject, provided that the compensation is such as to compensate in full for the damage suffered (§46 of the Judgement).
On the fifth question
The CJEU pointed out that the concept of identity theft is not expressly defined within the GDPR. However, identity theft or fraud are referred to in recital 75 GDPR as part of a non-exhaustive list of the consequences of processing personal data liable to cause physical, material or non-material damage, and in recital 85 GDPR as part of a list of physical, material and non-material damage that may be caused by a data breach (§54 of the Judgement).
The CJEU also noted that the Advocate General observed in his opinion that in different languages, recitals 75 and 85 GDPR refer to the terms ‘identity theft’, ‘identity fraud’, ‘abuse of identity’, ‘misuse of identity’, ‘misappropriation of identity’ and ‘usurpation of identity’ without distinction. Thus, the CJEU held that the concepts of identity theft and identity fraud are interchangeable and no distinction can be drawn between them (§55 of the Judgement).
The Advocate General also stated that the ‘loss of control’ or the ‘inability to exercise control’ over personal data are distinguished from identity ‘theft’ or ‘fraud’. The CJEU confirmed this approach and held that the theft of personal data does not, in itself, constitute identity theft or fraud (§56 of the Judgement).
However, the CJEU specified that the compensation for non-material damage caused by the theft of personal data cannot be limited to cases where there was identity theft or fraud. Indeed, the theft of personal data can give rise to a right to compensation under Article 82(1) GDPR if the three cumulative conditions are met: (1) the existence of a violation of the GDPR, (2) the existence of a damage which has been suffered and (3) a causal link between the damage and the infringement.
Therefore, the CJEU concluded that in order to give rise to compensation, the concept of identity theft implies that the identity of the data subject has actually been misused by a third party. However, compensation for non-material damage caused by a theft of personal data is not limited to cases where that data theft gave rise to identity theft or fraud (§58 of the Judgement).