A German Court has ordered pain and suffering damages as a result of a data breach, the first decision of its kind in Europe.

According to the judgment, Scalable Capital has to pay the plaintiff, represented by consumer organization EuGD Europäische Gesellschaft für Datenschutz mbH, € 2,500 in damages for non-material damage because he was affected by the Scalable data leak. The plaintiff from southern Germany is one of the 33,200 Scalable Capital customers whose e-mail addresses, copies of ID cards, photos and account numbers ended up on the Darknet between April and October 2020 as a result of a data leak.

While it is possible to sue for such damages in some US states, to my knowledge, no such award has been made in the US either. Most data breach lawsuits are filed for negligence, breach of contract, breach of warranty, breach of fiduciary duty, false advertising and unfair or deceptive trade practices.

Recently, in the Ramirez case, the U.S. Supreme Court held that Article III standing requires a concrete injury even in the context of a statutory violation. And in Spokeo, the court said that it is not enough to allege a bare procedural violation, divorced from any concrete harm.