On 20 June 2024, the CJEU ruled on two joint cases against Scalable Capital (Scalable), a financial trading app.
The applicants in the proceedings had accounts with Scalable and entered personal data into their profiles, including name, date of birth, address, email address and digital copies of identity documentation. In a data breach, the applicants’ data was seized by a third party but not (apparently) used fraudulently.
The applicants sought damages in relation to the theft of their personal data. The issue was referred to the CJEU given the difference in approaches taken by the German courts to damages in this type of case.
The court held that:
- Damages under Article 82 GDPR are compensatory rather than punitive in nature.
- The severity and intentional nature of the infringement must not be taken into account when determining the amount to be awarded.
- There is no hierarchy of damages, non-material damage is not by its nature less significant than physical injury.
- Where a person succeeds in showing that an infringement has caused them damage, there is no de minimis threshold, but a court can award a small amount of damages if this is sufficient to compensate the claimant.
- The concept of identity theft involves the misuse of data by the thief, but this does not mean that where there is theft of personal data without identity theft there can be no compensation.
These cases follow on from a lot of activity in the UK and EU in relation to the issue of damages in individuals’ claims for compensation and looking at the issue of differing approaches in the German courts, this case does seem to exemplify the concerns raised in the multi-stakeholder report on the GDPR about the differences in approach taken to the interpretation of the GDPR.
The judgment can be found here.
