by Kristof Van Quathem and Aleksander Aleksiev
EU advocate general Collins has reiterated that individuals’ right to claim compensation for harm caused by GDPR breaches requires proof of “actual damage suffered” as a result of the breach, and “clear and precise evidence” of such damage – mere hypothetical harms or discomfort are insufficient. The advocate general also found that unauthorised access to data does not amount to “identity theft” as that term is used in the GDPR.
The right for individuals to claim compensation for data breaches has long been a controversial and uncertain aspect of the GDPR – see our previous blogs here, here, here, and here for example.
The present case (C-182/22 and 189/22) arose from a data breach that caused an individual’s personal data, including his name, date of birth, and a copy of his identity card, to be accessed by an unknown third party. Although there was no evidence that the third party had harmed the claimant by using the stolen data for identity fraud or similar purposes, the claimant alleged that the unauthorised access to his data caused him emotional distress and amounted to “identity theft”, therefore entitling him to compensation.
Applying the court’s ruling in the Österreichische Post case (see our blog on that case here), the advocate general noted that GDPR compensation must reflect “actual damage suffered” by the relevant GDPR infringement, and that there must be “clear and precise” evidence of the damage suffered. Merely possible or hypothetical damage, or mere disquiet that a breach has occurred, is insufficient. As a result, the advocate general concluded that the claimant only had a right to compensation if he could prove that he had suffered actual damage and could prove that the damage was caused by a GDPR infringement.
The advocate general went on to note that unauthorised access to personal data does not by itself amount to “identity theft” – a term used in the GDPR as an example of a harm that individuals should be compensated for. Instead, the term “identity theft” in the GDPR is used interchangeably with “identity fraud” – that is, it involves some active attempt to use the data to assume another person’s identity. The fact that an unauthorised party has received access to data may enable that party to commit identity theft or fraud, but it is not of itself identity theft or fraud.
What happens next?
The advocate general’s opinion is influential, but not binding on, the CJEU which will issue a final ruling on the case in the coming months. And this case is only one of a raft of cases currently before the CJEU which are set to examine damages under the GDPR (see for example C-687/21 and C-741/21). The topic of defining non-material damages is also of increasing importance as EU member states continue their transposition of the Representative Actions Directive.
Kristof Van Quathem is Of Counsel and Aleksander Aleksiev is an Associate at Covington & Burling LLP. This post originally appeared on the firm’s blog.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).