In a recent opinion (in joined cases C-182/22 and C-189/22) delivered by Advocate General Collins before the Court of Justice of the European Union ("CJEU"), the Advocate General found that individuals have a right to compensation under Article 82 GDPR where their personal data is stolen, even where there is no evidence of actual exploitation of the data by a third party.
The Opinion follows the decision of the CJEU in Oesterreichische Post (case C-300/21) (previously discussed here), in which the CJEU held that the right to compensation applies where a complainant can show:
i. that there has been a breach of the GDPR;
ii. that the complainant has suffered material or non-material damage; and
iii. that the damage was caused by the breach.
The claimant is not required to meet any threshold of seriousness to bring their claim. As such, even a relatively minor breach of the GDPR that results in very limited damage may give rise to a right to compensation, provided the damage can be causally linked to the breach.
Overview of Complaint and Referral to CJEU
The complainants were two data subjects who sought to recover damages for non-material loss following the theft of their personal data from a trading platform operated by the defendant, Scalable Capital. Whilst the data had unquestionably been unlawfully accessed and exfiltrated, at no stage was any evidence produced to indicate that the bad actors had actually used the exfiltrated data for any purpose (fraudulent or otherwise).
The complaints, which were commenced before the Munich courts, were referred to the CJEU for guidance as to whether the mere loss of control over personal data may be actionable by data subjects in circumstances in which there are no further consequences or exploitation of those data. In particular, the Munich court sought guidance as to whether the simple expropriation of data by third parties amounts to 'identity theft or fraud' for the purposes of the GDPR, and whether proving the existence of such theft or fraud is a prerequisite to data subjects having a private remedy against a data controller. Scalable Capital argued that Article 82 GDPR only gives rise to a right to compensation for damage that 'individuals actually suffer', rather than the hypothetical damage pleaded by the complainants.
The CJEU was effectively tasked with determining whether the right to compensation can only be relied on where a data subject can actually demonstrate misuse of their data by way of identity theft or similar.
Opinion of Advocate General Collins
Examining the matter, Advocate General Collins made a number of key observations as to the nature of Article 82 GDPR. AG Collins noted that the right to compensation under Article 82 GDPR requires that the data subjects demonstrate: (i) that there has been an infringement of the GDPR; (ii) that there has been actual damage suffered (whether material or non-material) by the data subject; and (iii) that there is a causal link between that infringement of the GDPR and the resultant damage.
Turning to the recitals of the GDPR, AG Collins examined the references in recitals 75 and 85 to 'identity theft'. He noted that, in both instances, identity theft and fraud were identified as potential risks and consequences arising from a failure to properly protect personal data. However, he found that this does not restrict the right to compensation to circumstances in which actual identity theft or fraud can be proven as a result of the breach.
Advocate General Collins further reiterated (as per the Oesterreichische Post case) that there is no de minimis threshold of seriousness for a breach of the GDPR to give rise to compensation. However, actual damage (rather than potential damage, hypothetical damage, or mere disquiet) must have occurred. Advocate General Collins noted that the text of the GDPR contains no precise definition of 'identity theft and fraud'. As such, demonstrating that actual identity theft and / or fraud has occurred is not a prerequisite to a data subject exercising their right to compensation. The mere loss of control of data may, in its own right, give rise to a claim for non-material loss (provided a causal link to damage can be shown). He concluded that the right to compensation would have to be assessed on a case-by-case basis, examining each breach and the resultant damage on its merits.
Impact of Opinion
Whilst the CJEU is not bound to follow the opinion of Advocate General Collins, the Court often aligns its judgments with the opinions delivered by the Advocates General. As such, organisations, and in particular organisations that are the target of cyberattacks or data theft, should carefully consider the impact of this opinion on both their potential liability and their obligations to ensure that data subjects retain control over their personal data.
If followed by the CJEU, this would be a notable departure from the position under English law, which does not allow for the recovery of damages in cases of de minimis data breaches, as set out in Lloyd v Google [2021] UKSC 50. The UK Supreme Court specifically held that mere loss of control is insufficient to give rise to a right to compensation on the part of data subjects, and that claimants must show damage that is caused by, but distinct from, the alleged breach of data protection law.
Whilst the Irish position historically aligned with the position under English law, the decision in Oesterreichische Post effectively allowed for recovery of damages that, previously, may have been irrecoverable. It is notable that, in a subsequent decision last July before the Dublin Circuit Court (previously discussed here), an award of €2,000 was made to an employee who alleged misuse of his personal data by his employer. However, most other compensation claims for non-material loss under the GDPR have been stayed pending the resolution of further preliminary references to the CJEU on the scope of the right to compensation under Article 82 GDPR.