ECJ ruling: When is there a right to compensation for data theft?

As of: 20.06.2024 17:09

Under what circumstances can those affected claim damages if their personal data has been misused? The European Court of Justice has ruled on this again today.

Hacker attacks and data theft have increased significantly in recent years. According to the Federal Office for Information Security, many companies are not well enough positioned to stand up to cyber criminals. It happens again and again that companies do not protect their customers’ personal data sufficiently.

If criminals siphon off data or if it reaches unauthorized recipients, those affected can generally demand compensation. This is governed by the European General Data Protection Regulation. In two rulings today, the European Court of Justice (ECJ) in Luxembourg has again defined criteria under which those affected can claim compensation.

Complaints from investors

In one of the two cases, two investors who had used a so-called trading app from a Munich asset manager had filed a lawsuit. Unknown third parties had gained access to their data. They then sued the app provider for damages at the Munich District Court. According to the district court, tens of thousands of people were affected by the loss of data.

Since the two investors’ claims for damages are based on EU law and the European Court of Justice is responsible for interpreting this law, the district court asked the ECJ to clarify various legal questions – for example, what is important when a national court has to determine the amount of damages.

Incorrectly sent tax returns

In the other case, a tax consultancy firm had accidentally sent tax returns from two clients to the wrong addresses, namely to their old addresses – even though both had informed the firm of the new address. The mail was opened by the new residents of the old address. The clients then sued the firm for damages before the Wesel District Court, claiming that it had violated the EU General Data Protection Regulation.

The district court was unable to determine whether the new residents had actually looked at the tax documents and data. It therefore wanted to know from the ECJ, among other things, whether it was sufficient for a claim for damages if there was a fear that data would be viewed by unauthorized persons.

ECJ: Damages even where there is only a risk of misuse

The ECJ has decided that, where a claim is justified, the sole purpose is to compensate for the damage caused. Only this compensation may be taken into account when determining the amount. In previous decisions, the ECJ had already ruled that the purpose of compensation is not to have a deterrent effect on future violations. In its most recent ruling, the ECJ formulated a certain rule of thumb: the smaller the damage, the less money an affected person can claim.

What strengthens the position of those affected: according to the rulings of the ECJ, it is not necessary that the data has actually been misused, for example by criminals emptying accounts using bank details. Even the justified fear that the data could be misused can lead to a claim for damages. The ECJ has now reaffirmed this. In accordance with these criteria from Luxembourg, the Munich and Wesel district courts must now decide on the plaintiffs’ claims for damages.

Sums awarded are relatively low

Since the General Data Protection Regulation came into force, there have been a number of court decisions on the subject of compensation in Germany alone. The decisions show that the amount of compensation set by the courts is clearly limited. “In most cases, they are now in the three-digit range, i.e. several hundred euros,” said Reemt Matthiesen, a lawyer at the CMS Hasche Sigle law firm and an expert in data protection law. In far fewer cases do German courts award plaintiffs four-figure sums.

In contrast, the fines imposed by the supervisory authorities on companies to punish violations of the EU General Data Protection Regulation are considerably higher. According to lawyer Matthiesen, it is not uncommon for the fines to be in the five-figure range or higher.

Case numbers: C-590/22, C-182/22, C-189/22
