Provisional text
OPINION OF ADVOCATE GENERAL
COLLINS
delivered on 26 October 2023 (1)
Joined Cases C‑182/22 and C‑189/22
JU (C‑182/22)
SO (C‑189/22)
v
Scalable Capital GmbH
(Request for a preliminary ruling from the Amtsgericht München (Local Court, Munich, Germany))
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 82(1) – Right to compensation for damage caused by data processing that infringes that regulation – Non-material damage – Theft of data – Identity theft or fraud)
I. Introduction
1. In two largely identical actions brought by JU against Scalable Capital GmbH (‘Scalable Capital’) (Case C‑182/22) and SO against Scalable Capital (Case C‑189/22), the plaintiffs claim compensation for non-material damage for alleged pain and suffering caused by what the referring court describes as the theft (2) by unknown third parties of their personal data stored on a trading application managed by Scalable Capital. The third parties have not, to date, used the data for fraudulent or other purposes. The Amtsgericht München (Local Court, Munich, Germany) seeks the Court’s guidance as to the interpretation of the concept of non-material damage in Article 82 of Regulation (EU) 2016/679 (3) and the conditions under which compensation for such damage is available. It asks, in particular, whether the theft of that data constitutes ‘identity theft’ to which recital 75 of the GDPR refers.
II. Legal framework – European Union law
2. Recital 75 of the GDPR is in the following terms:
‘The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; …’
3. Recital 85 of the GDPR states:
‘A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. …’
4. Recital 146 of the GDPR is formulated as follows:
‘The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. … The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. … Data subjects should receive full and effective compensation for the damage they have suffered. …’
5. Under Article 82 of the GDPR, entitled ‘Right to compensation and liability’:
‘1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
…’
III. The disputes in the main proceedings and the questions referred for a preliminary ruling
6. JU and SO opened investment accounts on a trading application managed by Scalable Capital. In order to verify their identities, they each recorded personal data in the application, including their names, dates of birth, postal and email addresses and digital copies of their identity cards. (4) It is undisputed that unknown offenders stole that data.
7. The Amtsgericht München (Local Court, Munich) considers that the stolen data are relatively sensitive and finds that JU and SO are entitled to compensation under Article 82 of the GDPR. Considering that the amount of compensation to be awarded to JU and SO depends on the interpretation of Article 82 of the GDPR, it decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Is Article 82 of the [GDPR] to be interpreted as meaning that the right to compensation, including the determination of the amount of that compensation, does not have a punitive character, in particular, that it has no general or specific dissuasive function, but a purely compensatory function and, in some instances, a satisfaction function?
(2.a) Is the right to compensation for non-material damage to be determined on the basis that it also has an individual satisfaction function – understood here to mean the private interest of the injured party in seeing the behaviour that caused the damage penalised – or does it have only a compensatory function – understood here to mean the function of compensating for the detrimental effects suffered?
(2.b.1) If it is to be assumed that the right to compensation for non-material damage has both a compensatory and a satisfaction function: is it to be determined on the basis that the compensatory function has structural precedence over the satisfaction function or, at least, that the relationship between the two is that of the rule and the exception? Does that mean that it can have a satisfaction function only when the infringement is deliberate or a result of gross negligence?
(2.b.2) If the right to compensation for non-material damage does not have a satisfaction function: when determining that compensation, is additional weight attributed only to deliberate or grossly negligent data protection infringements deemed to be contributory factors?
(3) Is the compensation for non-material damage to be determined on the basis of a structural order of precedence or, at least, a rule-exception relationship, which attributes less weight to the detrimental effects of a data infringement than to the detrimental and painful effects associated with a physical injury?
(4) Assuming that damage has been sustained, can a national court award only minimal compensation, which may be perceived by the injured party or generally as merely symbolic, in the light of the non-serious nature of the damage?
(5) Are the consequences of the compensation for non-material damage to be assessed on the basis that identity theft within the meaning of recital 75 of the [GDPR] requires an offender to have actually assumed the identity of the person concerned, that is to say to have somehow impersonated that person, or does the mere fact that offenders have gained possession of data that identify the person concerned constitute such identity theft?’
IV. The procedure before the Court
8. By decision of 19 April 2022, the President of the Court of Justice joined Cases C‑182/22 and C‑189/22 for the purposes of the written and oral procedure and the judgment.
9. On 1 June 2022, the President of the Court rejected Scalable Capital’s request to anonymise the present proceedings pursuant to Article 95(2) of the Rules of Procedure of the Court of Justice.
10. SO, Scalable Capital, Ireland and the European Commission submitted written observations.
11. I shall first address the objections that have been taken to the admissibility of the questions referred before advising the Court, on foot of its request, as to how it should reply to the fifth question.
V. Assessment
A. Admissibility
12. According to Scalable Capital, the loss of control over personal data, without further consequences for the individual concerned, does not give rise to non-material damage within the meaning of Article 82(1) of the GDPR. The text, general scheme and purpose of Article 82 of the GDPR do not support the existence of a presumption that such damage materialises as a consequence of such loss of control. The referring court thus erred when it made the assumption that JU and SO had suffered non-material damage. The requests for a preliminary ruling are, accordingly, irrelevant to the resolution of the actions before the referring court and are thus inadmissible.
13. The Commission considers that the relevance of the fifth question to the resolution of the actions before the referring court is unclear. The referring court merely refers to the parties’ divergent interpretations of the law and observes that ‘identity theft occurs only when illegally obtained data is used for the purposes of feigning the identity of the person concerned’. Nor does the fifth question ask the Court to interpret a specific provision of the GDPR.
14. In accordance with the Court’s settled case-law, questions on the interpretation of EU law referred by a national court enjoy a presumption of relevance. The Court may refuse to rule on such questions only where it is quite obvious that the interpretation of EU law sought is unrelated to the actual facts of the main action or its object, where the problem is hypothetical, or where the Court does not have before it the factual or legal material necessary to give a useful answer to the questions asked of it. (5)
15. Scalable Capital’s objection to the admissibility of all of the questions referred is grounded upon its interpretation of Article 82 of the GDPR, the right to compensation and the alleged absence of non-material damage. The questions referred concern the right of data subjects to compensation under Article 82 of the GDPR. Establishing the existence of damage is a necessary prerequisite in order to obtain such compensation. (6) Scalable Capital’s objection to the admissibility of the requests for a preliminary ruling thus goes to the substance of the issues that they raise. Of their nature, arguments that go to the substance of the issues raised in a request for a preliminary ruling cannot affect the admissibility of that request. (7)
16. As for the Commission’s objection to the admissibility of the fifth question, it is not obvious that that question either bears no relation to the actions before the referring court or that it is hypothetical. The referring court is seised of actions for compensation pursuant to the GDPR. The parties do not agree whether the theft of personal data constitutes the identity theft to which recital 75 of the GDPR refers or whether for identity theft to occur ‘an offender must have actually assumed the identity of the persons concerned’. (8) While the referring court’s observations on its fifth question are succinct, the requests for a preliminary ruling disclose that that question is linked to the other four questions it asked about the concept of non-material damage and the right to compensation pursuant to Article 82 of the GDPR.
17. I accordingly advise that the Court reject the various objections taken to the admissibility of the questions put by the Amtsgericht München (Local Court, Munich).
B. Substance
1. The parties’ observations
18. According to SO, recital 85 of the GDPR makes a clear distinction between identity theft and identity fraud. Identity theft presupposes that the offender may misuse a person’s identity by misleading others as to that identity. Identity fraud may be committed following identity theft. It follows that identity theft does not require the actual misuse of a person’s identity. The nature and the extent of the data stolen in the instant case gives rise to a presumption that identity theft occurred, generating a right to compensation under that heading.
19. Scalable Capital submits that identity theft occurs where a person misuses an individual’s personal data with a view to ‘feigning’ that individual’s identity. The theft of certain data may lead to or facilitate identity theft but does not itself amount to identity theft. A systematic interpretation of recital 75 of the GDPR provides support for that approach as the other examples in that provision indicate that the opportunity to make use of certain personal data does not constitute identity theft. The aim of Article 82 of the GDPR is to afford compensation for damage that individuals actually suffer. An extensive interpretation of the concept of identity theft runs counter to that aim since it would ground an action in damages upon the abstract possibility that damage might occur in the future.
20. Ireland submits that identity theft refers to circumstances where a party actually assumes the identity of the person whose data has been misappropriated. For identity theft to happen it is thus insufficient that a party be in possession of data that identifies a person. Compensation for non-material damage under Article 82 of the GDPR is, in any event, to be assessed by reference to the merits of each individual case.
21. The Commission observes that the GDPR does not define identity theft. Recitals 75 and 85 of the GDPR refer to identity theft as an example of the processing of personal data that is likely to cause physical, material or non-material damage. According to the Commission, the identity theft to which those recitals refer is the illegal acquisition of data for the purpose of ‘feigning the identity’ of the person concerned. (9) To prove identity theft, the offender’s intention to pass him- or herself off as the person concerned must be established by reference to concrete actions or acts preparatory thereto. Since it is settled case-law that damage must be ‘actual and certain’ (10), the simple possession of data identifying the person concerned, without any steps being taken to pass oneself off as that person, does not constitute identity theft.
2. Analysis
22. The referring court’s fifth question seeks to ascertain whether the simple theft of a data subject’s sensitive personal data (11) by an unknown offender constitutes identity theft, thereby giving rise to a right to compensation, or whether for it to occur the offender must in fact assume the data subject’s identity or take steps for that purpose. That question is asked in the context of a finding that unknown offenders stole certain of JU’s and SO’s sensitive personal data from Scalable Capital’s trading application. Although no further (mis)use of the data appears to have occurred, since the identity of the offenders is unknown and they remain unapprehended, it is not possible to exclude such future (mis)use.
23. Article 82 of the GDPR confirms in broad (12) terms the right of any data subject who has suffered ‘material or non-material damage’ due to an infringement of the GDPR to compensation and apportions liability between controller(s) and/or processor(s). That provision identifies neither the specific nature, nor the form, of such damage. The GDPR does not refer to the laws of the Member States to define the meaning and scope of the term ‘non-material damage’. (13) That term therefore falls to be treated as an autonomous concept of EU law and interpreted in a uniform manner in all Member States. (14)
24. Compensation under Article 82 of the GDPR is payable upon proof of an infringement of the GDPR, ‘actual damage suffered’ and a causal link between that infringement and that damage. (15) The GDPR does not provide for a system of strict liability. (16) The compensatory nature of the regime that Article 82(1) of the GDPR inaugurated also excludes the award of punitive damages. (17) Such compensation must be full and effective, thereby requiring ‘damage actually suffered as a result of the infringement of [the GDPR] to be compensated in its entirety’. (18) The non-material damage the data subject sustained need not attain a certain degree of seriousness. (19) While there is no de minimis threshold with respect to the level of non-material damage, there must be clear and precise evidence that the data subject suffered such damage. Potential or hypothetical damage, (20) or mere disquiet relating to the theft of one’s personal data, is insufficient.
25. Article 82(3) of the GDPR exempts a controller or processor from liability ‘if it proves that it is not in any way responsible for the event giving rise to the damage’. The Court has not had occasion to examine Article 82(3) of the GDPR in detail. A literal interpretation of that provision appears to envisage that any (contributory) negligence or lapse on the part of the controller or processor suffices to exclude the application of the exemption. In addition, the burden of proof (21) this provision imposes on controller(s) or processor(s) seeking to avail of the exemption may require the implementation of continuing measures aimed at the prevention of data breaches. (22)
26. Theft of a data subject’s personal data gives rise to a right to compensation for non-material damage under Article 82(1) of the GDPR where the three conditions laid down in the judgment in Österreichische Post (23) are met. By recital 7 of the GDPR, ‘natural persons should have control of their own personal data’. Data subjects being ‘prevented from exercising control over their personal data’ (24) or natural persons losing ‘control over their personal data’ (25) can give rise to non-material damage. It is in that context that the referring court enquires as to whether the theft of personal data constitutes identity theft.
27. The operative provisions of the GDPR neither refer to nor define identity theft. Recitals 75 and 85 of the GDPR simply refer to ‘identity theft or fraud’. Recital 75 gives ‘identity theft or fraud’ as one of a non-exhaustive list of examples (26) of risk to natural persons’ exercise of their rights and freedoms due to the processing of their personal data. Recital 85 of the GDPR similarly refers to ‘identity theft or fraud’ as an example (27) of damage due to a failure to address a personal data breach in an appropriate and timely manner. (28)
28. A number of recitals (29) and provisions (30) in other EU legislation refer to terms such as ‘identity theft’, (31) ‘identity fraud’ and ‘identity theft or fraud’. (32) I have not found any provision of EU legislation that defines those terms. (33) The EU legislature thus refers to those terms for illustrative purposes. (34)
29. This is also evident from a consideration of the different language versions of those terms in recitals 75 and 85 of the GDPR. While the German (Identitätsdiebstahl oder -betrug), English (identity theft or fraud), Estonian (identiteedivargust või -pettust), Irish (goid aitheantais nó calaois aitheantais), Lithuanian (būti pavogta ar suklastota tapatybė), Dutch (identiteitsdiefstal of -fraude), Polish (kradzieżą tożsamości lub oszustwem dotyczącym tożsamości), Romanian (furt sau fraudă a identității) and Slovak (krádeži totožnosti alebo podvodu) language versions are largely similar, other language versions diverge therefrom to varying degrees: Czech (krádeži či zneužití identity), French (vol ou une usurpation d’identité), Greek (κατάχρηση ή υποκλοπή ταυτότητας), Portuguese (usurpação ou roubo da identidade), Italian (furto o usurpazione d’identità) and Spanish (usurpación de identidad o fraude). The various language versions of the pertinent recitals of the GDPR indicate that the terms identity theft, identity fraud, abuse of identity, misuse of identity, misappropriation of identity and usurpation of identity overlap and may be considered, at least to some extent, as interchangeable. It follows that recitals 75 and 85 of the GDPR do not draw a clear distinction between identity theft and identity fraud, contrary to SO’s contentions as set out in point 18 of the present Opinion.
30. Recitals 75 and 85 of the GDPR distinguish between the example of ‘loss of control’ or being prevented from ‘exercising control’ over personal data and the example of ‘identity theft or fraud’. As a consequence, the theft of personal data (35) alone does not constitute identity theft even if that theft may lead to future (mis)use of that data. Identity theft requires an additional action or step with detrimental effects for the data subject that go beyond the theft of personal data. (36) A person who steals a data subject’s personal data must (mis)use or take concrete steps to (mis)use them for unlawful purposes without that person’s consent. (37) Such action typically involves fraud or some other form of deceit and is generally carried out for financial or other gain or in order to harm the data subject or his or her entourage. (38)
31. It follows from the foregoing that while the theft of personal data does not constitute identity theft or fraud, that theft may give rise to non-material damage and a right to compensation pursuant to Article 82(1) of the GDPR. (39) Proof of non-material damage may be easier to establish where a data subject is found to have been a victim of identity theft or fraud as a result of the theft of his or her personal data. (40) A right to compensation for non-material damage pursuant to Article 82(1) of the GDPR for the theft of personal data does not, however, depend on the existence of identity theft or fraud. (41) Non-material damage and the right to compensation pursuant to Article 82(1) of the GDPR is to be assessed on a case-by-case basis, taking all relevant circumstances into account.
VI. Conclusion
32. In the light of the foregoing considerations, I propose that the Court answer the fifth question referred by the Amtsgericht München (Local Court, Munich, Germany) as follows.
Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
must be interpreted as meaning that the theft by an unknown offender of a data subject’s sensitive personal data may give rise to a right to compensation for non-material damage upon proof of an infringement of the General Data Protection Regulation, actual damage suffered and a causal link between the damage and that infringement. The award of such compensation does not require the offender to assume the data subject’s identity, nor does the possession of data that identifies the data subject itself constitute identity theft.