DATA PROTECTION
EU Court of Justice: in the event of theft of personal data (even if not unlawfully used), the parties - private or public - who hold the data must also pay compensation.
Scalable Capital, a company under German law, operated a 'trading app' in which the plaintiffs had opened an account. To that end, the latter saved certain personal data to their respective accounts, in particular their name, date of birth, postal address, email address and a digital copy of their identity card, and then paid a sum of several thousand euros to open those accounts.
The personal data as well as the data relating to the applicants' securities portfolio were then stolen by third parties whose identity remained unknown. Furthermore, it was not established whether or not the aforementioned personal data had been subject to fraudulent use.
Against this background, the applicants brought an action before the Amtsgericht München (District Court, Munich, Germany), the referring court, seeking compensation for the intangible damage they claimed to have suffered as a result of the theft of their personal data.
The EU Court of Justice provided new criteria for the interpretation and application of Article 82 of the GDPR on damages, confirming first of all that the right to compensation under that provision has an exclusively compensatory function and that monetary compensation based on that provision must allow full compensation for the damage suffered.
The Court also clarifies that, for the purposes of a right to compensation for immaterial damage within the meaning of Article 82 of the GDPR, the concept of 'identity theft' implies that the identity of a person affected by the theft of personal data is actually usurped by a third party. However, compensation for immaterial damage caused by the theft of personal data cannot be limited to cases where it is proven that such a data theft subsequently resulted in identity theft or usurpation. Therefore, the theft of data that has not yet been used to actually usurp the data subject's identity is also compensable.
On the basis of the principles provided by the EU Court, moreover, not only the perpetrators of the data theft are obliged to pay compensation, but also the private or public entities that suffered the data breach and exfiltration, and this widening of the range of entities obliged to pay implies strong financial impacts. While it is true that the Court recalls that an order to pay compensation must not take on a punitive or exemplary character, it is equally true that, in determining the amount due by way of compensation for immaterial damage, the damage caused by a personal data breach is, by its very nature, no less serious than a personal injury.