Data Protection Insider, Issue 115

Data Protection Insider, Issue 115 - DPI 10

– CJEU Rules on Compensation and Damages in Scalable Capital 

On 20th June, the CJEU delivered its judgment in the Scalable Capital case. As to the facts of the case, the applicants in the main proceedings provided their personal data in the course of an investment on a trading platform maintained by Scalable Investment. Following a hack of the platform, their personal data were stolen and they requested compensation under Article 82 GDPR. The perpetrators of the hack are unknown and, at the material time, no damage had been established as a result of the leak – e.g. a misuse of the investors’ identity. The local courts were uncertain as to whether the theft of personal data constitutes identity theft and as what compensation the concerned individuals are entitled to under the GDPR. In this regard, the following questions were considered by the CJEU:

  • Does Article 82(1 GDPR mean ‘the right to compensation laid down in that provision fulfils a compensatory function’ or does it also fulfil ‘a punitive function intended, inter alia, to satisfy the individual interests of the data subject’?
  • Does Article 82(1) mean ‘the severity and possible intentional nature of the infringement’ be considered when calculating compensation’?
  • Does Article 82(1) mean ‘that, when determining the amount of damages…for non-material damage, it is appropriate to consider that…damage caused by a personal data breach is…less significant than physical injury?’
  • Does Article 82(1) mean, ‘a national court may, where…damage is not serious’, award only minimal compensation ‘which could be perceived as symbolic’?
  • ‘Are the consequences of…compensation for non-material damage to be assessed on the basis that identity theft’ according to recital 75 requires ‘an offender to have…assumed the identity of the person…, or does the…fact that offenders have gained possession of’ relevant data constitute identity theft?

In this regard, the Court, in a brief judgment, concluded:

  • Article 82(1) means ‘the right to compensation…in that provision fulfils an exclusively compensatory function’.
  • Article 82(1) does not require ‘that the severity and the possible intentional nature of the infringement…be taken into account for the purposes of compensation’.
  • Article 82(1) means ‘that, when determining the amount of damages…for non-material damage, it is appropriate to consider that such damage caused by a personal data breach is not, by its nature, less significant than physical injury’.
  • Article 82(1) means ‘that, where damage is established, a national court may, where that damage is not serious, compensate for it by awarding minimal compensation to the data subject, provided that that compensation is such as to compensate in full for the damage suffered’.
  • Article 82(1), in light of recitals 75 and 85, means ‘identity theft…implies…the identity of a person affected by a theft of personal data has actually been misused by a third party. However, compensation for non-material damage caused by the theft of personal data, under that provision, cannot be limited to cases where it is shown that that data theft subsequently gave rise to identify theft or fraud’.

This is, despite its brevity, an interesting case, and well worth a read. We found the discussions of the relationship between physical and non-material damage, and the idea of symbolic compensation under the GDPR, particularly interesting. We also found ourselves asking questions as to the methods the Court uses in interpreting the legal status and content of recitals in the context of the GDPR.

 

– CJEU Rules on Compensation and Damages in AT and BT v. PS GbR and Others

On 20th June, the Court delivered its verdict in the case of AT and BT v. PS GbR and Others. The case concerned clients of a tax consultancy firm, the applicants, whose tax return, including a range of personal data, was sent to their old address. This happened despite the fact that they had registered a change of address with the company. Unfortunately, the tenants now at the old address opened the letter containing the tax return by accident, and passed it on to others to be returned to the applicants. The applicants assert that, when they finally received the letter containing the tax return, certain documents seemed to be missing. Unfortunately, it seems it is not possible to determine ‘which documents were initially enclosed in that envelope or to determine the extent to which the new occupants of the former address of the applicants…had or had not become aware of the contents of that envelope’. The plaintiffs thus brought an action for damages, before the national Courts, against the tax consultancy under Article 82(1) of the GDPR. In this regard, the CJEU considered the following questions:

  • Does Article 82(1) GDPR mean an infringement, in itself, is ‘sufficient to give rise to a right to compensation’, or must the data subject ‘establish the existence of damage, of a certain degree of seriousness, caused by that infringement’?
  • Does Article 82(1) mean ‘a person’s fear that his or her personal data have, as a result of an infringement…been disclosed to third parties’, whilst this may not be provable, ‘is sufficient to give rise to a right to compensation for non-material damage’?
  • Does Article 82(1) mean that, ‘to determine the amount of damages due as compensation…, it is necessary, first, that the criteria for setting the amount of administrative fines laid down in Article 83…be applied mutatis mutandis and, second,…a dissuasive function be conferred on that right to compensation’?
  • Does Article 82(1) mean that, ‘to determine the amount of damages due as compensation…, account must be taken of simultaneous infringements of national provisions relating to the protection of personal data but not intended to specify the rules of’ the GDPR?

In this regard, the Court decided that:

  • Article 82(1) means an infringement ‘is not, in itself, sufficient to give rise to a right to compensation…. The data subject must also establish the existence of damage caused by that infringement, without, however, that damage having to reach a certain degree of seriousness’.
  • Article 82(1) means ‘a person’s fear that his or her personal data have…been disclosed to third parties…is sufficient to give rise to a right to compensation, provided that that fear, with its negative consequences, is duly proven’.
  • Article 82(1) means ‘that, in order to determine the amount of damages due as compensation…it is not necessary…to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in Article 83’ or ‘to confer on that right to compensation a dissuasive function’.
  • Article 82(1) means that, ‘to determine the amount of damages due as compensation…it is not necessary to take account of simultaneous infringements of national provisions which relate to the protection of personal data but which are not intended to specify the rules’ of the GDPR.

Whilst many of the issues dealt with in the case have been already clarified elsewhere, the case is nevertheless worth reading. There are, in this regard, a number of interesting considerations engaged in by the Court, including regarding the concept of ‘fear’ and the need to prove its existence to found a compensation claim.

 

– ECtHR: North Macedonia Did Not Protect Personal Data against Private Heating Company –

On 25th June, the ECtHR ruled that North Macedonia did not protect the data of an individual against misuse by a private heating company in Vlaisavlevikj v. North Macedonia. As to the facts of the case, the applicant was never a user of the services of a certain private heating company and had never provided them with their personal data. Nevertheless, the applicant was receiving invoices from the heating company and his complaints about the misuse of his data, including with the domestic courts, were not successful. He complained that ‘the domestic authorities had failed to protect him against the unlawful collection and use of his personal data, in violation of Article 8 of the Convention’. The Court ruled that the processing of the personal data of the applicant constituted an interference with the applicant’s Article 8 rights and that the case raises the question of whether North Macedonia fulfilled its positive obligations. The Court observed that, whereas the domestic courts ruled that the applicant did not have to pay the bills sent by the heating company, they did not examine the data protection aspects of the complaint: ‘the Court cannot but conclude that the domestic courts never actually examined the core of the applicant’s claim because of the lack of a comprehensive examination of the question whether, in the absence of a contractual or any other legal relationship between the applicant and the heat supplier, the continued retention and use of the applicant’s data corresponded to that legitimate aim.’ Thus, the Court concluded that there was a violation of Article 8 ECHR.

 

– ECtHR: Armenia Illegally Disclosed the Identity of an Applicant in Legal Proceedings –

On 18th June, the ECtHR ruled that Armenia breached the applicant’s privacy rights by publishing her name and address and full judicial decisions concerning her claim for damages after suffering sexual abuse in A.P. v Armenia. As to the facts of the case, the applicant in the main proceedings suffered from ‘a mild intellectual disability from birth’. She claimed to have been sexually harassed by a teacher (A.G.) when she was 14 years old. With the help of her mother, she initiated proceedings against A.G., claiming damages. As concerns the Article 8 ECHR part of the complaint with the ECtHR, the applicant claimed that ‘the publication on Datalex (including her full name and address) concerning her civil claim for damages’ breached her right to private life. The Court ruled that the publication of the information did constitute an interference with the applicant’s right to private life, also because, in the individual case, all the disclosed information could be easily added up in order to show that the applicant had a disability and was subject to sexual abuse in a small Armenian village where conservative traditions prevail. As to the justification of the interference, the Court noted that the domestic courts and the Government could not indicate any legal basis for the interference. Thus, it concluded that the interference was ‘not in accordance with the law’.

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply