EU advocate general Collins has reiterated that individuals’ right to claim compensation for harm caused by GDPR breaches requires proof of “actual damage suffered” as a result of the breach, and “clear and precise evidence” of such damage – mere hypothetical harms or discomfort are insufficient. The advocate general also found that unauthorised access to data does not amount to “identity theft” as that term is used in the GDPR.

The right for individuals to claim compensation for data breaches has long been a controversial and uncertain aspect of the GDPR – see our previous blogs here, here, here, and here for example.

The present case (C-182/22 and 189/22) arose from a data breach that caused an individual’s personal data, including his name, date of birth, and a copy of his identity card, to be accessed by an unknown third party. Although there was no evidence that the third party had harmed the claimant by using the stolen data for identity fraud or similar purposes, the claimant alleged that the unauthorised access to his data caused him emotional distress and amounted to “identity theft”, therefore entitling him to compensation.

Applying the court’s ruling in the Österreichische Post case (see our blog on that case here), the advocate general noted that GDPR compensation must reflect “actual damage suffered” by the relevant GDPR infringement, and that there must be “clear and precise” evidence of the damage suffered. Merely possible or hypothetical damage, or mere disquiet that a breach has occurred, is insufficient. As a result, the advocate general concluded that the claimant only had a right to compensation if he could prove that he had suffered actual damage and could prove that the damage was caused by a GDPR infringement.  

The advocate general went on to note that unauthorised access to personal data does not by itself amount to “identity theft” – a term used in the GDPR as an example of a harm that individuals should be compensated for. Instead, the term “identity theft” in the GDPR is used interchagably with “identity fraud” – that is, it involves some active attempt to use the data to assume another person’s identity. The fact that an unauthorised party has received access to data may enable that party to commit identity theft or fraud, but it is not of itself identity theft or fraud.

What happens next?

The advocate general’s opinion is influential, but not binding on, the CJEU which will issue a final ruling on the case in the coming months. And this case is only one of a raft of cases currently before the CJEU which are set to examine damages under the GDPR (see for example C-687/21 and C-741/21). The topic of defining non-material damages is also of increasing importance as EU member states continue their transposition of the Representative Actions Directive.

*                             *                             *

Covington’s Data Privacy and Cybersecurity Practice regularly advises on European privacy laws, including data breaches, cyber incidents, and litigation at the European Court of Justice.  If you have any questions about the implications of this ruling for your business, please let us know.

(This blog post was written with the contributions of Alberto Vogel.)

Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Photo of Aleksander Aleksiev Aleksander Aleksiev

Aleksander advises clients on legal problems associated with data protection, cybersecurity, and new technologies. He holds degrees in both law and computer engineering which he combines to provide advice that is both legally sound and technologically pragmatic.

Aleksander has advised companies, governments, and…

Aleksander advises clients on legal problems associated with data protection, cybersecurity, and new technologies. He holds degrees in both law and computer engineering which he combines to provide advice that is both legally sound and technologically pragmatic.

Aleksander has advised companies, governments, and charitable organizations on a range of technology law issues including data breach response, compliance with privacy and cybersecurity laws, and IT contract negotiations. In addition to his experience advising on European law, Aleksander is Australian-qualified and has significant experience advising clients in the Asia-Pacific – particularly on Australian and Hong Kong law.