The Advocate General of the Court of Justice of the EU, in his October 26, 2023 Opinion on the two joined cases C182/22 and C189/22, requested the Court to interpret the GDPR broadly and more favorably for data subjects in data breach matters.
Specifically, the case concerned a data theft from a trading company.
In the opinion of the Advocate General, all data subjects would be entitled to claim intangible damages from the company that suffered the cyberattack with exfiltration of personal data, even if the data had not yet been used. Indeed, it would not be necessary to wait for an identity theft, being a data theft sufficient.