GDPR: more CJEU decisions on compensation for non-material damage

Two CJEU decisions in June cover very similar ground to last year's decisions in Austrian Post and VB v Natsionalna agentsia za prihodite.  Both these new decisions involved claims for compensation for non-material damage where no actual mis-use of personal data had been demonstrated.  Judging by the regular flow of decisions from the CJEU in this area, it is an aspect of GDPR which national courts find challenging.  

In the first case a trading application operated by Scalable Capital had been hacked and personal data of account holders taken.  The CJEU re-affirmed that the purpose of Article 82 is compensatory and not punitive, and that the criteria for assessing the compensation due should be determined by the legal system of each Member State, provided that this enables the data subject to be compensated in full.  It also held that damage caused by a personal data breach is not, by its nature, less significant than physical injury, but that it is possible for a national court to award only minimal compensation if the damage is not serious, again provided that the compensation is such as to compensate in full for the damage suffered.   The CJEU was also asked to clarify the concept of “identity theft”, as that term is used in recitals 75 and 85 as an example of a type of damage.  It confirmed that mere theft of personal data does not constitute identity theft, but emphasised that compensation cannot be limited to cases where the data theft subsequently gave rise to identity theft.  Data theft itself may be sufficient if the three conditions identified by it in Austrian Post are met.   

The second decision involved a tax return, which included information relating to disabilities and religious affiliation, being sent to the wrong address.  The applicants were essentially seeking compensation in respect of a loss of control over their personal data, without being able to establish the extent to which third parties actually became aware of such data.  The CJEU confirmed that the fear experienced by a data subject with regard to a possible mis-use of his or her personal data is capable of constituting “non-material damage”, referring back to its decision in VB v Natsionalna agentsia za prihodite.  In that case it had said the national court “must verify that the fear can be regarded as well founded”.  In this more recent decision it says that the data subject must show that they have suffered actual damage: “a mere allegation of fear, with no proven negative consequences” cannot give rise to compensation.