Language of document : ECLI:EU:T:2023:247

Provisional text

OPINION OF ADVOCATE GENERAL

COLLINS

delivered on 26 October 2023(1)

Joined Cases C‑182/22 and C‑189/22

JU (C‑182/22)

SO (C‑189/22)

v

Scalable Capital GmbH

(Request for a preliminary ruling from the Amtsgericht München (Local Court, Munich, Germany))

(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 82(1) – Right to compensation for damage caused by data processing that infringes that regulation – Non-material damage – Theft of data – Identity theft or fraud)


I.      Introduction

1.        In two largely identical actions brought by JU against Scalable Capital GmbH (‘Scalable Capital’) (Case C‑182/22) and SO against Scalable Capital (Case C‑189/22), the plaintiffs claim compensation for non-material damage for alleged pain and suffering caused by what the referring court describes as the theft (2) by unknown third parties of their personal data stored on a trading application managed by Scalable Capital. The third parties have not, to date, used the data for fraudulent or other purposes. The Amtsgericht München (Local Court, Munich, Germany) seeks the Court’s guidance as to the interpretation of the concept of non-material damage in Article 82 of Regulation (EU) 2016/679 (3) and the conditions under which compensation for such damage is available. It asks, in particular, whether the theft of that data constitutes ‘identity theft’ to which recital 75 of the GDPR refers.

II.    Legal framework – European Union law

2.        Recital 75 of the GDPR is in the following terms:

‘The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; …’

3.        Recital 85 of the GDPR states:

‘A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. …’

4.        Recital 146 of the GDPR is formulated as follows:

‘The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. … The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. … Data subjects should receive full and effective compensation for the damage they have suffered. …’

5.        Under Article 82 of the GDPR, entitled ‘Right to compensation and liability’:

‘1.      Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

2.      Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

3.      A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

…’

III. The disputes in the main proceedings and the questions referred for a preliminary ruling

6.        JU and SO opened investment accounts on a trading application managed by Scalable Capital. In order to verify their identities, they each recorded personal data in the application, including their names, dates of birth, postal and email addresses and digital copies of their identity cards. (4) It is undisputed that unknown offenders stole that data.

7.        The Amtsgericht München (Local Court, Munich) considers that the stolen data are relatively sensitive and finds that JU and SO are entitled to compensation under Article 82 of the GDPR. Considering that the amount of compensation to be awarded to JU and SO depends on the interpretation of Article 82 of the GDPR, it decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      Is Article 82 of the [GDPR] to be interpreted as meaning that the right to compensation, including the determination of the amount of that compensation, does not have a punitive character, in particular, that it has no general or specific dissuasive function, but a purely compensatory function and, in some instances, a satisfaction function?

(2.a)      Is the right to compensation for non-material damage to be determined on the basis that it also has an individual satisfaction function – understood here to mean the private interest of the injured party in seeing the behaviour that caused the damage penalised – or does it have only a compensatory function – understood here to mean the function of compensating for the detrimental effects suffered?

(2.b.1)      If it is to be assumed that the right to compensation for non-material damage has both a compensatory and a satisfaction function: is it to be determined on the basis that the compensatory function has structural precedence over the satisfaction function or, at least, that the relationship between the two is that of the rule and the exception? Does that mean that it can have a satisfaction function only when the infringement is deliberate or a result of gross negligence?

(2.b.2)      If the right to compensation for non-material damage does not have a satisfaction function: when determining that compensation, is additional weight attributed only to deliberate or grossly negligent data protection infringements deemed to be contributory factors?

(3)      Is the compensation for non-material damage to be determined on the basis of a structural order of precedence or, at least, a rule-exception relationship, which attributes less weight to the detrimental effects of a data infringement than to the detrimental and painful effects associated with a physical injury?

(4)      Assuming that damage has been sustained, can a national court award only minimal compensation, which may be perceived by the injured party or generally as merely symbolic, in the light of the non-serious nature of the damage?

(5)      Are the consequences of the compensation for non-material damage to be assessed on the basis that identity theft within the meaning of recital 75 of the [GDPR] requires an offender to have actually assumed the identity of the person concerned, that is to say to have somehow impersonated that person, or does the mere fact that offenders have gained possession of data that identify the person concerned constitute such identity theft?’

IV.    The procedure before the Court

8.        By decision of 19 April 2022, the President of the Court of Justice joined Cases C‑182/22 and C‑189/22 for the purposes of the written and oral procedure and the judgment.

9.        On 1 June 2022, the President of the Court rejected Scalable Capital’s request to anonymise the present proceedings pursuant to Article 95(2) of the Rules of Procedure of the Court of Justice.

10.      SO, Scalable Capital, Ireland and the European Commission submitted written observations.

11.      I shall first address the objections that have been taken to the admissibility of the questions referred before advising the Court, on foot of its request, as to how it should reply to the fifth question.

V.      Assessment

A.      Admissibility

12.      According to Scalable Capital, the loss of control over personal data, without further consequences for the individual concerned, does not give rise to non-material damage within the meaning of Article 82(1) of the GDPR. The text, general scheme and purpose of Article 82 of the GDPR do not support the existence of a presumption that such damage materialises as a consequence of such loss of control. The referring court thus erred when it made the assumption that JU and SO had suffered non-material damage. The requests for a preliminary ruling are, accordingly, irrelevant to the resolution of the actions before the referring court and are thus inadmissible.

13.      The Commission considers that the relevance of the fifth question to the resolution of the actions before the referring court is unclear. The referring court merely refers to the parties’ divergent interpretations of the law and observes that ‘identity theft occurs only when illegally obtained data is used for the purposes of feigning the identity of the person concerned’. Nor does the fifth question ask the Court to interpret a specific provision of the GDPR.

14.      In accordance with the Court’s settled case-law, questions on the interpretation of EU law referred by a national court enjoy a presumption of relevance. The Court may refuse to rule on such questions only where it is quite obvious that the interpretation of EU law sought is unrelated to the actual facts of the main action or its object, where the problem is hypothetical, or where the Court does not have before it the factual or legal material necessary to give a useful answer to the questions asked of it. (5)

15.      Scalable Capital’s objection to the admissibility of all of the questions referred is grounded upon its interpretation of Article 82 of the GDPR, the right to compensation and the alleged absence of non-material damage. The questions referred concern the right of data subjects to compensation under Article 82 of the GDPR. Establishing the existence of damage is a necessary prerequisite in order to obtain such compensation. (6) Scalable Capital’s objection to the admissibility of the requests for a preliminary ruling thus goes to the substance of the issues that they raise. Of their nature, arguments that go to the substance of the issues raised in a request for a preliminary ruling cannot affect the admissibility of that request. (7)

16.      As for the Commission’s objection to the admissibility of the fifth question, it is not obvious that that question either bears no relation to the actions before the referring court or that it is hypothetical. The referring court is seised of actions for compensation pursuant to the GDPR. The parties do not agree whether the theft of personal data constitutes the identity theft to which recital 75 of the GDPR refers or whether for identity theft to occur ‘an offender must have actually assumed the identity of the persons concerned’. (8) While the referring court’s observations on its fifth question are succinct, the requests for a preliminary ruling disclose that that question is linked to the other four questions it asked about the concept of non-material damage and the right to compensation pursuant to Article 82 of the GDPR.

17.      I accordingly advise that the Court reject the various objections taken to the admissibility of the questions put by the Amtsgericht München (Local Court, Munich).

B.      Substance

1.      The parties’ observations

18.      According to SO, recital 85 of the GDPR makes a clear distinction between identity theft and identity fraud. Identity theft presupposes that the offender may misuse a person’s identity by misleading others as to that identity. Identity fraud may be committed following identity theft. It follows that identity theft does not require the actual misuse of a person’s identity. The nature and the extent of the data stolen in the instant case gives rise to a presumption that identity theft occurred, generating a right to compensation under that heading.

19.      Scalable Capital submits that identity theft occurs where a person misuses an individual’s personal data with a view to ‘feigning’ that individual’s identity. The theft of certain data may lead to or facilitate identity theft but does not itself amount to identity theft. A systematic interpretation of recital 75 of the GDPR provides support for that approach as the other examples in that provision indicate that the opportunity to make use of certain personal data does not constitute identity theft. The aim of Article 82 of the GDPR is to afford compensation for damage that individuals actually suffer. An extensive interpretation of the concept of identity theft runs counter to that aim since it would ground an action in damages upon the abstract possibility that damage might occur in the future.

20.      Ireland submits that identity theft refers to circumstances where a party actually assumes the identity of the person whose data has been misappropriated. For identity theft to happen it is thus insufficient that a party be in possession of data that identifies a person. Compensation for non-material damage under Article 82 of the GDPR is, in any event, to be assessed by reference to the merits of each individual case.

21.      The Commission observes that the GDPR does not define identity theft. Recitals 75 and 85 of the GDPR refer to identity theft as an example of the processing of personal data that is likely to cause physical, material or non-material damage. According to the Commission, the identity theft to which those recitals refer is the illegal acquisition of data for the purpose of ‘feigning the identity’ of the person concerned. (9) To prove identity theft, the offender’s intention to pass him- or herself off as the person concerned must be established by reference to concrete actions or acts preparatory thereto. Since it is settled case-law that damage must be ‘actual and certain’ (10), the simple possession of data identifying the person concerned, without any steps being taken to pass oneself off as that person, does not constitute identity theft.

2.      Analysis

22.      The referring court’s fifth question seeks to ascertain whether the simple theft of a data subject’s sensitive personal data (11) by an unknown offender constitutes identity theft, thereby giving rise to a right to compensation, or whether for it to occur the offender must in fact assume the data subject’s identity or take steps for that purpose. That question is asked in the context of a finding that unknown offenders stole certain of JU’s and SO’s sensitive personal data from Scalable Capital’s trading application. Although no further (mis)use of the data appears to have occurred, since the identity of the offenders is unknown and they remain unapprehended, it is not possible to exclude such future (mis)use.

23.      Article 82 of the GDPR confirms in broad (12) terms the right of any data subject who has suffered ‘material or non-material damage’ due to an infringement of the GDPR to compensation and apportions liability between controller(s) and/or processor(s). That provision identifies neither the specific nature, nor the form, of such damage. The GDPR does not refer to the laws of the Member States to define the meaning and scope of the term ‘non-material damage’. (13) That term therefore falls to be treated as an autonomous concept of EU law and interpreted in a uniform manner in all Member States. (14)

24.      Compensation under Article 82 of the GDPR is payable upon proof of an infringement of the GDPR, ‘actual damage suffered’ and a causal link between that infringement and that damage. (15) The GDPR does not provide for a system of strict liability. (16) The compensatory nature of the regime that Article 82(1) of the GDPR inaugurated also excludes the award of punitive damages. (17) Such compensation must be full and effective, thereby requiring ‘damage actually suffered as a result of the infringement of [the GDPR] to be compensated in its entirety’. (18) The non-material damage the data subject sustained need not attain a certain degree of seriousness. (19) While there is no de minimis threshold with respect to the level of non-material damage, there must be clear and precise evidence that the data subject suffered such damage. Potential or hypothetical damage, (20) or mere disquiet relating to the theft of one’s personal data, is insufficient.

25.      Article 82(3) of the GDPR exempts a controller or processor from liability ‘if it proves that it is not in any way responsible for the event giving rise to the damage’. The Court has not had occasion to examine Article 82(3) of the GDPR in detail. A literal interpretation of that provision appears to envisage that any (contributory) negligence or lapse on the part of the controller or processor suffices to exclude the application of the exemption. In addition, the burden of proof (21) this provision imposes on controller(s) or processor(s) seeking to avail of the exemption may require the implementation of continuing measures aimed at the prevention of data breaches. (22)

26.      Theft of a data subject’s personal data gives rise to a right to compensation for non-material damage under Article 82(1) of the GDPR where the three conditions laid down in the judgment in Österreichische Post (23) are met. By recital 7 of the GDPR, ‘natural persons should have control of their own personal data’. Data subjects being ‘prevented from exercising control over their personal data’ (24) or natural persons losing ‘control over their personal data’ (25) can give rise to non-material damage. It is in that context that the referring court enquires as to whether the theft of personal data constitutes identity theft.

27.      The operative provisions of the GDPR neither refer to nor define identity theft. Recitals 75 and 85 of the GDPR simply refer to ‘identity theft or fraud’. Recital 75 gives ‘identity theft or fraud’ as one of a non-exhaustive list of examples (26) of risk to natural persons’ exercise of their rights and freedoms due to the processing of their personal data. Recital 85 of the GDPR similarly refers to ‘identity theft or fraud’ as an example (27) of damage due to a failure to address a personal data breach in an appropriate and timely manner. (28)

28.      A number of recitals (29) and provisions (30) in other EU legislation refer to terms such as ‘identity theft’, (31) ‘identity fraud’ and ‘identity theft or fraud’. (32) I have not found any provision of EU legislation that defines those terms. (33) The EU legislature thus refers to those terms for illustrative purposes. (34)

29.      This is also evident from a consideration of the different language versions of those terms in recitals 75 and 85 of the GDPR. While the German (Identitätsdiebstahl oder -betrug), English (identity theft or fraud), Estonian (identiteedivargust või -pettust), Irish (goid aitheantais nó calaois aitheantais), Lithuanian (būti pavogta ar suklastota tapatybė), Dutch (identiteitsdiefstal of -fraude), Polish (kradzieżą tożsamości lub oszustwem dotyczącym tożsamości), Romanian (furt sau fraudă a identității) and Slovak (krádeži totožnosti alebo podvodu) language versions are largely similar, other language versions diverge therefrom to varying degrees: Czech (krádeži či zneužití identity), French (vol ou une usurpation d’identité), Greek (κατάχρηση ή υποκλοπή ταυτότητας), Portuguese (usurpação ou roubo da identidade), Italian (furto o usurpazione d’identità) and Spanish (usurpación de identidad o fraude). The various language versions of the pertinent recitals of the GDPR indicate that the terms identity theft, identity fraud, abuse of identity, misuse of identity, misappropriation of identity and usurpation of identity overlap and may be considered, at least to some extent, as interchangeable. It follows that recitals 75 and 85 of the GDPR do not draw a clear distinction between identity theft and identity fraud, contrary to SO’s contentions as set out in point 18 of the present Opinion.

30.      Recitals 75 and 85 of the GDPR distinguish between the example of ‘loss of control’ or being prevented from ‘exercising control’ over personal data and the example of ‘identity theft or fraud’. As a consequence, the theft of personal data (35) alone does not constitute identity theft even if that theft may lead to future (mis)use of that data. Identity theft requires an additional action or step with detrimental effects for the data subject that go beyond the theft of personal data. (36) A person who steals a data subject’s personal data must (mis)use or take concrete steps to (mis)use them for unlawful purposes without that person’s consent. (37) Such action typically involves fraud or some other form of deceit and is generally carried out for financial or other gain or in order to harm the data subject or his or her entourage. (38)

31.      It follows from the foregoing that while the theft of personal data does not constitute identity theft or fraud, that theft may give rise to non-material damage and a right to compensation pursuant to Article 82(1) of the GDPR. (39) Proof of non-material damage may be easier to establish where a data subject is found to have been a victim of identity theft or fraud as a result of the theft of his or her personal data. (40) A right to compensation for non-material damage pursuant to Article 82(1) of the GDPR for the theft of personal data does not, however, depend on the existence of identity theft or fraud. (41) Non-material damage and the right to compensation pursuant to Article 82(1) of the GDPR is to be assessed on a case-by-case basis, taking all relevant circumstances into account.

VI.    Conclusion

32.      In the light of the foregoing considerations, I propose that the Court answer the fifth question referred by the Amtsgericht München (Local Court, Munich, Germany) as follows.

Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that the theft by an unknown offender of a data subject’s sensitive personal data may give rise to a right to compensation for non-material damage upon proof of an infringement of the General Data Protection Regulation, actual damage suffered and a causal link between the damage and that infringement. The award of such compensation does not require the offender to assume the data subject’s identity, nor does the possession of data that identifies the data subject itself constitute identity theft.


1      Original language: English.


2      The referring court does not furnish a precise legal qualification of the offenders’ actions under national law. The term ‘theft’ is broad and may include the misappropriation of data by third parties.


3      Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’).


4      The orders for reference also state that ‘since the investment account was managed by a robo[t] advisor, the defendant’s attitude to risk was not apparent from the trading’.


5      See, to that effect, judgment of 2 September 2021, OTP Jelzálogbank and Others (C‑932/19, EU:C:2021:673, paragraph 26 and the case-law cited).


6      The Court has interpreted Article 82 of the GDPR to the effect that the existence of ‘damage’ which has been ‘suffered’ is one of three conditions that must be met in order to obtain compensation thereunder. An infringement of the GDPR does not, of itself, give rise to a right to compensation. Judgment of 4 May 2023, Österreichische Post (Non-material damage resulting from unlawful processing of data) (C‑300/21, EU:C:2023:370, paragraphs 32 and 42) (‘the judgment in Österreichische Post’).


7      See, by analogy, judgment of 12 December 2019, Slovenské elektrárne (C‑376/18, EU:C:2019:1068, paragraph 29).


8      See text of the fifth question of the referring court.


9      See European Data Protection Board, Guidelines 01/2021 on Examples regarding Personal Data Breach Notification – Adopted on 14 December 2021 – Version 2.0, available at https://edpb_guidelines_012021_pdbnotification_adopted_en.pdf (europa.eu) (‘the 2021 guidelines’).


10      Judgment of 4 April 2017, Ombudsman v Staelen (C‑337/15 P, EU:C:2017:256, paragraphs 91 to 95 and 127 to 131).


11      Point (1) of Article 4 of the GDPR provides that ‘personal data’ ‘means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.


12      See recital 146 of the GDPR.


13      The Court has not defined the concept of ‘non-material damage’ in the context of Article 82 of the GDPR. I agree with Advocate General Pitruzzella that upset or displeasure at the fact that one’s data has been ‘hacked’ does not suffice. To succeed in such a claim the data subject must demonstrate that the fear of misuse of his or her data caused him or her ‘emotional damage’. See the Opinion of Advocate General Pitruzzella in Natsionalna agentsia za prihodite (C‑340/21, EU:C:2023:353, points 81 to 83).


14      Judgment in Österreichische Post, paragraph 30.


15      See Article 82(2) of the GDPR and the judgment in Österreichische Post, paragraphs 32 and 50.


16      Judgment in Österreichische Post, paragraphs 33 and 34. See also Opinion of Advocate General Pitruzzella in Natsionalna agentsia za prihodite (C‑340/21, EU:C:2023:353, point 61).


17      Judgment in Österreichische Post, paragraph 58. See also Opinions of Advocate General Campos Sánchez-Bordona in Österreichische Post (Non-material damage resulting from unlawful processing of data) (C‑300/21, EU:C:2022:756, points 27 to 55), and of Advocate General Pitruzzella in Natsionalna agentsia za prihodite (C‑340/21, EU:C:2023:353, point 74).


18      Judgment in Österreichische Post, paragraph 58.


19      Judgment in Österreichische Post, paragraphs 31 to 33, 51 and 58. See also recital 146 of the GDPR. See, by contrast, Opinions of Advocate General Campos Sánchez-Bordona in Österreichische Post (Non-material damage resulting from unlawful processing of data) (C‑300/21, EU:C:2022:756, point 105), and of Advocate General Pitruzzella in Natsionalna agentsia za prihodite (C‑340/21, EU:C:2023:353, point 78).


20      To that effect, see judgment in Österreichische Post, paragraph 37.


21      It seems that in order to come within the scope of the exemption, controller(s) and/or processor(s) may be required to prove a negative.


22      Advocate General Pitruzzella considers that, in order to avoid liability pursuant to Article 82 of the GDPR, controllers of systems of public or private entities that hold a large amount of personal data must put in place appropriate measures to deal, in particular, with external attacks: see his Opinion in Natsionalna agentsia za prihodite (C‑340/21, EU:C:2023:353, points 65 to 67). Such proactive measures may be onerous and costly. Article 82 of the GDPR itself imposes a very high duty of care on controllers and processors.


23      See paragraphs 32 and 50 of that judgment. See also point 24 of and footnote 6 to the present Opinion.


24      Recital 75 of the GDPR.


25      Recital 85 of the GDPR.


26      This is clear from the use of the terms ‘may’, ‘could’ and ‘in particular’ in that recital.


27      This is clear from the use of the terms ‘may’ and ‘such as’ in that recital. See, by analogy, judgment of 22 December 2008, Wallentin-Hermann (C‑549/07, EU:C:2008:771, paragraph 22).


28      Point (12) of Article 4 of the GDPR defines ‘personal data breach’ as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.


29      Recitals facilitate the interpretation and comprehension of EU legislation by indicating, inter alia, the objectives it pursues and the context in which it was adopted. They assist in ascertaining the meaning of ambiguous legislative provisions. Recitals cannot be used to interpret a provision contra legem. Judgment of 19 November 1998, Nilsson and Others (C‑162/97, EU:C:1998:554, paragraph 54).


30      See, for example, Article 86(e) of 2013/490/EU, Council and Commission Decision of 22 July 2013 on the conclusion of the Stabilisation and Association Agreement between the European Communities and their Member States, of the one part, and the Republic of Serbia, of the other part (OJ 2013 L 278, p. 14), and Article 2(2)(b) and Articles 21 and 25 of Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA (OJ 2019 L 135, p. 27).


31      Recital 14 of Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ 2013 L 218, p. 8) states that ‘setting up effective measures against identity theft and other identity-related offences constitutes another important element of an integrated approach against cybercrime’. By recital 31 of Directive (EU) 2019/713 of the European Parliament and of the Council of 17 April 2019 on combating fraud and counterfeiting of non-cash means of payment and replacing Council Framework Decision 2001/413/JHA (OJ 2019 L 123, p. 18), ‘fraud and counterfeiting of non-cash means of payment can result in serious economic and non-economic consequences for its victims. Where such fraud involves, for example, identity theft, its consequences are often aggravated because of reputational and professional damage, damage to an individual’s credit rating and serious emotional harm’. Recital 33 of that directive states that ‘Member States should adopt measures of assistance and support to such victims which build on the measures required by that Directive but respond more directly to the specific needs of victims of fraud related to identity theft’.


32      The terms ‘identity theft or fraud’ are used, without definition, in recitals of other EU legislation. See, for example, recital 46 of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ 2018 L 295, p. 39), and recitals 51 and 61 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ 2016 L 119, p. 89).


33      Annex II to Commission Regulation (EU) 2018/1798 of 21 November 2018 implementing Regulation (EC) No 808/2004 of the European Parliament and of the Council concerning Community statistics on the information society for the reference year 2019 (OJ 2018 L 296, p. 2) contains a number of examples of or references to identity theft. These include ‘somebody stealing respondent’s personal data and impersonating him/her, such as shopping under respondent’s name’ as an example of ‘online identity theft’.


34      See, by contrast, Article 226-4-1 of the Code pénal français (French Criminal Code) (amended by LOI n°2020-936 du 30 juillet 2020 (Law No 2020-936 of 30 July 2020) – Article 19), which provides: ‘Stealing the identity of another person or making use of one or more items of data of any kind whereby that person can be identified in order to disturb his or her peace of mind or that of others, or to damage his or her honour or reputation, shall be punishable by one year’s imprisonment and a fine of EUR 15 000. The same penalties shall apply when the offence is committed on an online public communication network. When committed by the victim’s spouse or cohabitee, or by a partner bound to the victim by a pacte civil de solidarité (civil partnership), such acts shall be punishable by two years’ imprisonment and a fine of EUR 30 000.’ 18 U.S. Code § 1028A(a)(1) establishes the US Federal crime of aggravated identity theft. It provides that ‘whoever, during and in relation to any felony violation enumerated in subsection (c), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 2 years’. See also 18 U.S. Code § 1028(a)(7), which establishes the US Federal crime of identity theft.


35      And the resulting loss of control over the stolen personal data.


36      Identity theft requires the offender to misrepresent the data subject by, for example, impersonating the data subject or by passing him- or herself off as the data subject.


37      Contrary to SO’s contentions as set out in point 18 of the present Opinion, in the absence of any (mis)use of stolen data or of taking concrete steps for that purpose, the nature and the extent of that data do not give rise to a presumption of identity theft.


38      For examples of identity theft, see European Union Agency for Cybersecurity, Identity theft – ENISA Threat Landscape – From January 2019 to April 2020, available at https://www.enisa.europa.eu/publications/enisa-threat-landscape-2020-identity-theft; Section 7.1 of the 2021 guidelines, available at edpb_guidelines_012021_pdbnotification_adopted_en.pdf (europa.eu); and European Data Protection Board, Guidelines 01/2022 on data subject rights – Right of access – Version 1.0 – Adopted on 18 January 2022, paragraph 105, available at https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf.


39      Where the three conditions described in point 24 of the present Opinion are met.


40      In his Opinion in Österreichische Post (Non-material damage resulting from unlawful processing of data) (C‑300/21, EU:C:2022:756, points 98 and 99), Advocate General Campos Sánchez-Bordona indicated that the examples of risk or damage in recitals 75 and 85 of the GDPR may be ‘significant’ or of a ‘more serious nature’. In practice, the presence of identity theft or fraud will assist in establishing the existence of damage.


41      This flows from the fact that ‘identity theft or fraud’ in recitals 75 and 85 of the GDPR appears alongside other examples of risk or damage such as ‘discrimination’, ‘financial loss’ and ‘damage to reputation’.