Opinion of Advocate General Collins delivered on 26 October 2023.

• Jurisdiction: European Union
• ECLI: ECLI:EU:C:2023:820
• Date: 26 October 2023
• Celex Number: 62022CC0182
• Court: Court of Justice (European Union)

Provisional text

OPINION OF ADVOCATE GENERAL

COLLINS

delivered on 26 October 2023(1)

Joined Cases C‑182/22 and C‑189/22

JU (C‑182/22)

SO (C‑189/22)

v

Scalable Capital GmbH

(Request for a preliminary ruling from the Amtsgericht München, (Local Court, Munich, Germany))

(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 82(1) – Right to compensation for damage caused by data processing that infringes that regulation – Non-material damage – Theft of data – Identity theft or fraud)

I. Introduction

1. In two largely identical actions brought by JU against Scalable Capital GmbH (‘Scalable Capital’) (Case C‑182/22) and SO against Scalable Capital (Case C‑189/22), the plaintiffs claim compensation for non-material damage for alleged pain and suffering caused by what the referring court describes as the theft (2) by unknown third parties of their personal data stored on a trading application managed by Scalable Capital. The third parties have not, to date, used the data for fraudulent or other purposes. The Amtsgericht München (Local Court, Munich, Germany) seeks the Court’s guidance as to the interpretation of the concept of non-material damage in Article 82 of Regulation (EU) 2016/679 (3) and the conditions under which compensation for such damage is available. It asks, in particular, whether the theft of that data constitutes ‘identity theft’ to which recital 75 of the GDPR refers.

II. Legal framework – European Union law

2. Recital 75 of the GDPR is in the following terms:

‘The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; …’

3. Recital 85 of the GDPR states:

‘A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. …’

4. Recital 146 of the GDPR is formulated as follows:

‘The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. … The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. … Data subjects should receive full and effective compensation for the damage they have suffered. …’

5. Under Article 82 of the GDPR, entitled ‘Right to compensation and liability’:

‘1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

…’

III. The disputes in the main proceedings and the questions referred for a preliminary ruling

6. JU and SO opened investment accounts on a trading application managed by Scalable Capital. In order to verify their identities, they each recorded personal data in the application, including their names, dates of birth, postal and email addresses and digital copies of their identity cards. (4) It is undisputed that unknown offenders stole that data.

7. The Amtsgericht München (Local Court, Munich) considers that the stolen data are relatively sensitive and finds that JU and SO are entitled to compensation under Article 82 of the GDPR. Considering that the amount of compensation to be awarded to JU and SO depends on the interpretation of Article 82 of the GDPR, it decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1) Is Article 82 of the [GDPR] to be interpreted as meaning that the right to compensation, including the determination of the amount of that compensation, does not have a punitive character, in particular, that it has no general or specific dissuasive function, but a purely compensatory function and, in some instances, a satisfaction function?

(2.a) Is the right to compensation for non-material damage to be determined on the basis that it also has an individual satisfaction function – understood here to mean the private interest of the injured party in seeing the behaviour that caused the damage penalised – or does it have only a compensatory function – understood here to mean the function of compensating for the detrimental effects suffered?

(2.b.1) If it is to be assumed that the right to compensation for non-material damage has both a compensatory and a satisfaction function: is it to be determined on the basis that the compensatory function has structural precedence over the satisfaction function or, at least, that the relationship between the two is that of the rule and the exception? Does that mean that it can have a satisfaction function only when the infringement is deliberate or a result of gross negligence?

(2.b.2) If the right to compensation for non-material damage does not have a satisfaction function: when determining that compensation, is additional weight attributed only to deliberate or grossly negligent data protection infringements deemed to be contributory factors?

(3) Is the compensation for non-material damage to be determined on the basis of a structural order of precedence or, at least, a rule-exception relationship, which attributes less weight to the detrimental effects of a data infringement than to the detrimental and painful effects associated with a physical injury?

(4) Assuming that damage has been sustained, can a national court award only minimal compensation, which may be perceived by the injured party or generally as merely symbolic, in the light of the non-serious nature of the damage?

(5) Are the consequences of the compensation for non-material damage to be assessed on the basis that identity theft within the meaning of recital 75 of the [GDPR] requires an offender to have actually assumed the identity of the person concerned, that is to say to have somehow impersonated that person, or does the mere fact that offenders have gained possession of data that identify the person concerned constitute such identity theft?’

IV. The procedure before the Court

8. By decision of 19 April 2022, the President of the Court of Justice joined Cases C‑182/22 and C‑189/22 for the purposes of the written and oral procedure and the judgment.

9. On 1 June 2022, the President of the Court rejected Scalable Capital’s request to anonymise the present proceedings pursuant to Article 95(2) of the Rules of Procedure of the Court of Justice.

10. SO, Scalable Capital, Ireland and the European Commission submitted written observations.

11. I shall first address the objections that have been taken to the admissibility of the questions referred before advising the Court, on foot of its request, as to how it should reply to the fifth question.

V. Assessment

A. Admissibility

12. According to Scalable Capital, the loss of control over personal data, without further consequences for the individual concerned, does not give rise to non-material damage within the meaning of Article 82(1) of the GDPR. The text, general scheme and purpose of Article 82 of the GDPR do not support the existence of a presumption that such damage materialises as a consequence of such loss of control. The referring court thus erred when it made the assumption that JU and SO had suffered non-material damage. The requests for a preliminary ruling are, accordingly, irrelevant to the resolution of the actions before the referring court and are thus inadmissible.

13. The Commission considers that the relevance of the fifth question to the resolution of the actions before the referring court is unclear. The referring court merely refers to the parties’ divergent interpretations of the law and observes that ‘identity theft occurs only when illegally obtained data is used for the purposes of feigning the identity of the person concerned’. Nor does the fifth question ask the Court to interpret a specific provision of the GDPR.

14. In accordance with the Court’s settled case-law, questions on the interpretation of EU law referred by a national court enjoy a presumption of relevance. The Court may refuse to rule on such questions only where it is quite obvious that the interpretation of EU law sought is unrelated to the actual facts of the main action or its object, where the problem is hypothetical, or where the Court does not have before it the factual or legal material necessary to give a useful answer to the questions asked of it. (5)

15. Scalable Capital’s objection to the admissibility of...