
Freshfields TQ

Technology quotient - the ability of an individual, team or organization to harness the power of technology


Data Privacy Litigation: theft of sensitive personal data not sufficient for GDPR non-material damages

Data privacy litigation landscape 

Non-material damages claims based on (alleged) violations of the General Data Protection Regulation (GDPR) are increasingly being brought before courts across the European Union, including Germany. A common feature of these proceedings is that plaintiffs typically do not plead any specific impairment as a result of the alleged GDPR violation, but rather seek to rely on the mere fact that their personal data has been compromised and they have “lost control” over it or suffered “identity theft”. As reported in our October 2022 blog post, we advise and represent a number of clients in such cases. One of them – a leading investment platform – is involved in the Court of Justice of the European Union (CJEU) proceedings in which AG Collins has now delivered his opinion, requiring plaintiffs to prove specific impairments (joined cases C‑182/22 and C‑189/22).

Background to AG Collins' opinion

Before we discuss AG Collins' opinion in the preliminary ruling proceedings, it is important to note a previous ruling by the CJEU that laid the groundwork for understanding GDPR non-material damages claims. In its preliminary ruling of 4 May 2023 in the Austrian Post case (C-300/21; see our earlier blog post), the CJEU rejected an extensive reading of Article 82 GDPR and pointed out that in addition to a GDPR breach, the data subject must prove that they have suffered actual causal damage and that “negative consequences” of an infringement of the GDPR do not constitute non-material damage per se. However, the CJEU did not unequivocally rule on whether a mere “loss of control” constitutes compensable non-material damage under Article 82 GDPR. Nor did it comment on the concept of “identity theft”.

On 26 October 2023, building on the Austrian Post ruling by the CJEU, AG Collins delivered his opinion on the interpretation of “non-material damage” as a prerequisite of compensation claims and provided clarity on the above issues of mere “loss of control” and “identity theft”. The opinion was delivered in preliminary proceedings initiated by the Munich District Court, which had to decide on non-material damages claims by two individuals whose personal data had been compromised in the course of cyber-attacks on our client in 2020. The Munich District Court was keen to find out whether the mere fact that a third party has gained possession of those individuals’ data constitutes “identity theft” within the meaning of recital 75 GDPR. 

AG Collins significantly restricts assertion of non-material damages in GDPR claims

AG Collins’ opinion is in line with the observations we filed with the CJEU on behalf of our client. AG Collins begins by echoing the CJEU’s ruling in the Austrian Post case, ie that Article 82 GDPR non-material damages require a GDPR breach, damage and a causal link. He also confirmed that the damages claim is only compensatory in nature, ie the award of punitive damages is not covered by Article 82 GDPR. As to the procedural standard of proof, the data subject must provide “clear and precise evidence” that they have suffered causal damage.

In the context of a “loss of control” over personal data (which AG Collins equates with “data theft”), AG Collins clearly stressed that such a “loss of control” does not constitute non-material damage per se and clarified that 

  • potential or hypothetical damage and disquiet relating to the theft of one’s personal data, and
  • the mere upset or displeasure at the fact that one’s data has been hacked 

do not suffice either.

Consistent with the above, AG Collins rebutted the notion that the theft of data as such (even if it can lead to future misuse of that data) constitutes “identity theft” and establishes a right to compensation. For such “identity theft” to be assumed, the third party “must (mis)use or take concrete steps to (mis)use [the stolen data] for unlawful purposes”. Finally, AG Collins emphasised that “the nature and the extent of that data do not give rise to a presumption of identity theft”.

Concluding, AG Collins found that

  • “the theft […] of a data subject’s sensitive personal data may give rise to a right to compensation for non-material damage upon proof of an infringement of the [GDPR], actual damage suffered and a causal link between the damage and that infringement” and
  • “[t]he award of such compensation does not require the offender to assume the data subject’s identity, nor does the possession of data that identifies the data subject itself constitute identity theft”.

Outlook

AG Collins’ opinion has strong potential to significantly weaken the prospects of success of data privacy mass claims based on the assertion that the plaintiff’s data has been compromised. AG Collins clearly pointed out that the theft of sensitive personal data does not constitute non-material damage per se. It needs to be emphasised that, in AG Collins’ view, damage is to be denied even if sensitive data is affected. AG Collins’ opinion also means that plaintiffs’ attempts to substantiate (alleged) non-material damage by mere recourse to other descriptions of data theft (such as loss of control, identity theft, fear of future damage, displeasure over a data incident) will fail.

Although AG Collins’ opinion is not binding on the CJEU, it is indicative of the direction in which the CJEU may rule in these proceedings. In particular, AG Collins’ views align closely with the approach recently advocated by the CJEU in the Austrian Post case. Following the CJEU’s ruling in the Austrian Post case, even more German courts have begun to take the notion of “non-material” damage as a separate prerequisite of compensation claims seriously. It can be expected that AG Collins’ opinion, which clearly comes down against an extensive interpretation of Article 82 GDPR, will strengthen this trend. In order to succeed in claiming compensation under Article 82 GDPR, plaintiffs will need to present concrete evidence of causal damage, rather than merely relying on the fact that a data breach has occurred.
