An EU advocate general (AG) has re-emphasised that individuals seeking compensation for violations under the EU General Data Protection Regulation (GDPR) must provide proof of "actual damage suffered" as a result of the breach, along with "clear and precise evidence" of such damage. Hypothetical harms or discomfort are not sufficient. Additionally, the advocate general found that unauthorised access to data does not qualify as "identity theft" under the GDPR.
The case in question (C-182/22 and 189/22) involved a data breach that resulted in an unknown third party accessing an individual's personal data, including their name, date of birth, and a copy of their identity card. Despite no evidence of harm caused by the breach, the individual claimed emotional distress and "identity theft" and sought compensation.
While the AG’s opinion is influential, it is not legally binding. The Court of Justice of the European Union (CJEU) is expected to issue a final ruling in the coming months.
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread. The main contributor is listed in the top left-hand corner, just beneath the article title.
The Privacy Newsfeed monitors over 300 global publications, of which more than 4,350 summary articles have been posted to the online archive dating back to the beginning of 2020. A weekly roundup is available by email every Friday.
