Legal measures in the EU to prosecute carders under the GDPR

For educational purposes, I will provide a more detailed answer about the legal measures in the European Union (EU) to prosecute carders under the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), focusing on the legal framework, enforcement mechanisms, interactions with other laws, case examples, and current trends. The answer will be structured for clarity, with an emphasis on educational value, including clarification of terms, procedures, and context. I will also note that carders (those who steal and misuse credit or debit card data) commit acts that fall under the GDPR, as card data is considered personal data if it allows for the identification of an individual.

1. Context: Who are carders and how does the GDPR apply to their activities?

Carders are cybercriminals who steal, buy, sell, or use bank card data (card number, expiration date, CVV code, cardholder name) to conduct fraudulent transactions, purchase goods, withdraw funds, or resell the data on the black market (e.g., the dark web). Their activities include:
  • Data theft: Through phishing, skimmers, database hacking, malware (e.g. keyloggers).
  • Data use: Online purchases, cash withdrawals, transfers.
  • Selling data: On forums such as darknet marketplaces.

The GDPR applies because card data, especially when combined with name, address, or other identifiers, is considered personal data (Article 4(1) of the GDPR). Even partial data (e.g., just a card number) may fall under the GDPR if it poses a risk to the rights and freedoms of an individual (CJEU decision C-582/14, 2016). A violation of the GDPR occurs when data is processed:
  • Without legal basis (Article 6);
  • Without observing safety principles (Article 32);
  • Causing damage to data subjects (Article 82).

The GDPR is not a primary tool for criminal prosecution (that is the task of national laws and Directive 2013/40/EU on cyber-attacks), but it does provide powerful administrative measures to punish violators, including companies that failed to protect data, leading to leaks exploited by carders.

2. GDPR-Related Carding Violations

Carders and their affiliates (such as platforms that have breached data) may be in violation of the following provisions of the GDPR:
  1. Unlawful processing of personal data (Article 6):
    • Carders process card data (collection, storage, transfer, use) without the consent of the data subject, legitimate interest, or other legal basis.
    • Example: Purchasing stolen data from darknet forums is processing without a lawful basis.
  2. Violation of safety principles (Article 32):
    • Companies storing card data (banks, online stores) are required to implement technical and organizational measures (e.g. encryption, two-factor authentication).
    • If data is leaked due to weak security (for example, software vulnerabilities), it is a breach.
    • Example: A company's database was hacked due to a lack of security patches.
  3. Data breach (Articles 33–34):
    • In the event of a data breach (for example, theft of a database containing card numbers), companies are required to notify data protection authorities (DPAs) within 72 hours and, where necessary, data subjects.
    • Carders often exploit such leaks, and companies are held liable for failure to comply with notification requirements.
  4. Liability of data controllers and processors (Articles 24–28):
    • Controllers (those who determine the purposes and means of data processing, such as a bank) and processors (those who process data on behalf of the data subject, such as payment systems) are responsible for data protection.
    • Example: If a payment platform does not encrypt card data and carders steal it, the platform is in violation of the GDPR.
  5. Transfer of data outside the EU (Articles 44–50):
    • Carders often transfer data to jurisdictions outside the EU (e.g. darknet servers in third countries), which violates cross-border transfer rules.
    • Companies that allowed such transfers due to weak security are also liable.

3. Prosecution measures under the GDPR

Data Protection Authorities (DPAs) in each EU country (e.g., the CNIL in France, the ICO in the UK, and the DPC in Ireland) are responsible for enforcing the GDPR. For cross-border cases (e.g., carding through international forums), a "one-stop-shop" mechanism (Article 56) is in place, where the lead DPA coordinates the investigation with other authorities through the European Data Protection Board (EDPB). Measures include:

3.1. Administrative fines (Article 83)

  • Amount of fines:
    • Up to €20 million or 4% of global annual turnover (for serious violations, such as illegal processing or lack of security measures).
    • Up to €10 million or 2% of turnover (for less serious violations, such as failure to comply with notification procedures).
  • Calculation criteria:
    • Intention or negligence.
    • The scale of damage (number of victims, volume of data).
    • Cooperation with DPA.
    • Previous violations.
  • Examples of cases related to carding:
    • British Airways (2018): Data of 400,000 customers, including card numbers, was leaked due to a vulnerability in the web application. The ICO imposed a fine of £20 million (~€22 million, reduced due to COVID-19).
    • Marriott (2019): Breach of 339 million guest records, including payment details. Fine: £18.4 million.
    • Ticketmaster (2018): Breach of 9.4 million customer records, including card details. ICO fine: £1.25 million.
    • According to the Enforcement Tracker (2024), in 2023–2024, 18% of GDPR fines are related to financial data breaches, including carding.

3.2. Corrective measures (Article 58)

  • DPAs can:
    • Issue a cease-and-desist order (e.g., prohibit the platform from processing payments until the vulnerabilities are fixed).
    • Impose a temporary or permanent ban on data transfer.
    • Require a security audit or certification.
  • Example: In the Equifax case (2017) (although pre-GDPR, a similar approach was taken), the ICO ordered the company to implement encryption and patch vulnerabilities after a leak of the data of 147 million customers, including card data.

3.3. Compensation to victims (Article 82)

  • Data subjects (cardholders) have the right to compensation for:
    • Material damage: Financial losses from fraudulent transactions.
    • Non-material damage: Stress, fear, or anxiety from a data breach.
  • Key judicial clarification (CJEU, C-300/21, 2023): It is sufficient to prove a risk of misuse of data (e.g. fear that carders use the data) to claim compensation, without the need to prove actual damage.
  • Examples:
    • In the Bulgarian NAP case (2023), hundreds of citizens filed lawsuits following a leak of tax service data, including financial information. The average compensation awarded was €100–€500 per person.
    • In Germany (2024), victims of carding filed a class action lawsuit against an online store after 50,000 card data records were leaked.

3.4. Investigations and cooperation (Articles 57–59)

  • Process:
    • DPAs conduct investigations (inspections, document requests, interrogations).
    • For cross-border cases, the EDPB coordinates action through a cooperation mechanism (Article 60).
    • In 2025, the EDPB introduced new procedural rules to speed up investigations (Regulation (EU) 2024/1689).
  • Example: In the Meta case (2023), the Irish DPA imposed a fine of €1.2 billion for the illegal transfer of data to the US, including financial data, which could be used by carders.

3.5. Criminal consequences

  • The GDPR does not provide for criminal sanctions, but carding falls under national laws and Directive 2013/40/EU on cybercrime.
    • Penalties: Up to 5–7 years in prison for illegal access to systems, data theft, or fraud (varies by country).
    • Example: In 2025, Europol added a carding suspect to the EU Most Wanted list for running an international network selling stolen card data.
  • DPAs forward data to the police or Europol if they detect signs of a criminal offence.

4. Specifics of applying the GDPR to carding

  1. Card data as personal data:
    • Card number + name/address = identifiable data (Article 4 of the GDPR).
    • Even anonymised data (e.g. just a card number) may fall under the GDPR if it creates a risk to the data subject (UK tribunal decision, 2022).
    • The CJEU (C-184/20, 2022) clarified that data are considered personal if they can be linked to an individual through "reasonable efforts".
  2. Combination with PCI DSS:
    • The PCI DSS (Payment Card Industry Data Security Standard) requires companies (banks, retailers) to protect card data.
    • A PCI DSS violation (such as a lack of encryption) increases liability under the GDPR because it demonstrates non-compliance with Article 32.
    • Example: In the Target case (2013) (although this was in the US, a similar approach applied), a leak of 40 million cards resulted in fines for weak security, which in the EU would have been reinforced by the GDPR.
  3. The cross-border nature of carding:
    • Carders often operate through servers outside the EU, which complicates enforcement.
    • The GDPR (Article 3) applies to any controllers/processors processing the data of EU residents, even if they are outside the EU.
    • The EDPB actively cooperates with international bodies (such as Interpol) to combat darknet forums.
  4. The role of banks and payment systems:
    • Banks are required to implement PSD2 (Directive 2015/2366/EU), including Strong Client Authentication (SCA).
    • Data breaches due to non-compliance with PSD2 increase liability under GDPR.
    • Example: In 2024, a bank in Poland received a €2 million fine for leaking the data of 10,000 cards due to weak SCA.

5. Trends and statistics (2023–2025)

  • Rising fines: According to the Enforcement Tracker (2024), total GDPR fines exceeded €5.88 billion, of which ~20% are related to financial data breaches.
  • Focus on Eastern Europe: 24% of fines over €10,000 are in Poland, Romania, and Bulgaria, where carding remains a problem due to vulnerabilities in local systems.
  • New enforcement rules: In 2025, updated procedural rules (Regulation (EU) 2024/1689) came into force, speeding up cross-border investigations.
  • GDPR reform proposals: Amendments to combat financial scams, including simplified data exchange between banks and DPAs, are being discussed in 2025.
  • Class action lawsuits on the rise: In Germany and the Netherlands, victims of carding are increasingly filing class actions under Article 82.

6. Examples of real cases

  1. British Airways (2018):
    • Data leak of 400,000 customers due to a vulnerability in a web application (Magecart attack, often used by carders).
    • Violation: lack of security measures (Article 32).
    • Fine: £20 million (ICO, 2020, reduced due to pandemic).
    • Lesson: Companies must implement protection against script attacks.
  2. Marriott (2019):
    • Data of 339 million guests, including payment cards, was exposed due to weak security in Starwood's legacy systems.
    • Violation: Failure to comply with Article 32 and lack of due diligence during the merger.
    • Fine: £18.4 million.
  3. Bulgarian NAP (2019–2023):
    • Data leak of 6 million citizens, including financial data.
    • Hundreds of lawsuits from victims for non-material damages (fear of data misuse).
    • Fine: 2.6 million leva (~1.3 million euros).
  4. Europol and carding (2025):
    • An operation to shut down a darknet forum selling data from 10 million cards.
    • DPAs passed on data to Europol, leading to arrests in 5 EU countries.

7. Recommendations for protection against carding

  • For companies:
    • Implement encryption, tokenization of card data, PCI DSS.
    • Conduct regular penetration testing.
    • Notify DPAs and customers of breaches within 72 hours.
  • For citizens:
    • Monitor banking transactions.
    • Use two-factor authentication.
    • File complaints to the DPA or take action under Article 82 in the event of a data breach.
  • For law enforcement:
    • Cooperate with Europol and Interpol for cross-border prosecution.
    • Use GDPR investigation data for criminal cases.

8. Conclusion

The GDPR plays a key role in the fight against carding, providing tools for administrative penalties against companies that have caused data breaches and protecting the rights of victims. Key measures include large fines, corrective orders, and compensation for victims. However, for individual carders, the primary prosecution is through criminal law and international cooperation (Europol, Interpol). The combination of the GDPR with PCI DSS and PSD2 strengthens financial data protection, and new regulations for 2025 will expedite investigations. For educational purposes, it's important to understand that the GDPR isn't just about fines; it's also about creating a culture of data security, which reduces opportunities for carders.

Sources:
  • Text of GDPR (Regulation (EU) 2016/679).
  • Enforcement Tracker (enforcementtracker.com, data as of 2024).
  • EDPB reports (edpb.europa.eu).
  • Decisions of the CJEU (C-582/14, C-300/21, C-184/20).
  • Directive 2013/40/EU on cybercrime.
  • Europol News (europol.europa.eu, 2025).
 
Here is a detailed, comprehensive comment on the legal measures within the European Union to prosecute carders, elaborating on the intricate relationship between data protection law, criminal law, and judicial cooperation.

The Legal Framework for Prosecuting Carders in the European Union: A Multi-Layered Approach

The prosecution of "carders"—individuals involved in the trafficking and fraudulent use of stolen payment card data—within the European Union is a complex process that relies on a sophisticated, multi-layered legal architecture. A common misconception is that the General Data Protection Regulation (GDPR) itself serves as a direct criminal statute against such actors. This is not the case. Instead, a nuanced division of labor exists where the GDPR establishes the foundational liability and triggers investigative processes, while dedicated criminal law instruments at the EU and national levels provide the actual basis for prosecution.

This analysis breaks down the legal measures into four interconnected pillars:
  1. The GDPR: The Trigger for Accountability and Investigation
  2. Substantive Criminal Law: The Direct Tools for Prosecution
  3. Cross-Border Cooperation: The Engine of Enforcement
  4. Preventive and Sector-Specific Measures

Pillar 1: The GDPR (Regulation (EU) 2016/679): The Trigger for Accountability and Investigation

While the GDPR does not criminally prosecute carders, its role is indispensable and operates on two primary fronts: holding data controllers accountable and defining the criminal act.

a) Defining the Incident and Creating Liability:
The very act of a carder exfiltrating payment card data constitutes a "personal data breach" under Article 4(12) GDPR, defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." Payment card data (Primary Account Number + cardholder name + CVV code) unequivocally qualifies as personal data.

This definition triggers strict legal obligations for the breached organization (the data controller):
  • Breach Notification (Article 33): The controller must notify the relevant national Data Protection Authority (DPA) within 72 hours of becoming aware of the breach.
  • Communication to Data Subjects (Article 34): If the breach is likely to result in a high risk to individuals' rights and freedoms, the controller must also inform the affected individuals without undue delay.

b) Administrative Enforcement Against Negligent Organizations:
The GDPR empowers DPAs to investigate the breached organization. The key question is whether the organization implemented "appropriate technical and organisational measures" (Article 32) to ensure a level of security appropriate to the risk. Failure to do so—such as using weak encryption, failing to patch known vulnerabilities, or having poor access controls—renders the organization liable.

The consequences are severe administrative measures:
  • Corrective Powers (Article 58): DPAs can order the controller to comply with data subjects' requests, mandate specific improvements to security infrastructure, or impose a temporary or definitive ban on processing.
  • Administrative Fines (Article 83): The GDPR's famous two-tier penalty system can be invoked. For infringements of the basic principles for processing, including security, fines can go up to €20 million or 4% of the company's total global annual turnover, whichever is higher. This creates a powerful financial incentive for companies to fortify their defenses against carders.

c) The Investigative Bridge to Criminal Law:
A GDPR investigation is not conducted in a vacuum. The evidence gathered by a DPA—forensic reports, logs showing the attack vector, the scope of data exfiltrated—is invaluable for criminal investigators. While DPAs are not police forces, they have legal channels to share this information with law enforcement authorities (such as Europol or national cybercrime units) under specific legal frameworks like the Law Enforcement Directive (LED), providing the crucial link from a regulatory breach to a criminal prosecution.

Pillar 2: Substantive Criminal Law: The Direct Tools for Prosecution

The actual criminal charges brought against a carder are based on national laws that have been harmonized by EU directives. There is no single "EU Criminal Code," but member states are required to criminalize certain behaviors.

a) The Core Instrument: Directive 2013/40/EU on Attacks against Information Systems
This directive is the cornerstone for prosecuting the cyber-enabled aspects of carding. It mandates that member states criminalize the following acts, which directly describe a carder's activities:
  • Illegal Access to Information Systems (Article 3): The intentional access without right to the whole or any part of an information system (i.e., hacking into a server).
  • Illegal System Interference (Article 5): The intentional serious hindering or interruption of the functioning of an information system (e.g., a DDoS attack used as a distraction).
  • Illegal Data Interference (Article 6): The intentional deletion, damaging, deterioration, alteration, suppression, or rendering inaccessible of computer data on an information system. The act of copying and exfiltrating payment card data without authorization falls squarely under this offense.
  • Illegal Interception (Article 4): The intentional interception without right of non-public transmissions of data to, from, or within an information system.

The directive requires that these offenses be punishable by effective, proportionate, and dissuasive criminal penalties, including a maximum term of imprisonment of at least two years for the more serious offenses, and at least five years for aggravating circumstances (e.g., large-scale attacks, involvement of a criminal organization).

b) Broader Criminal Law Frameworks:
Carding is rarely just a "computer crime." It is part of a broader criminal enterprise. Therefore, carders are often prosecuted under a combination of laws for:
  • Computer-Related Fraud: Using stolen card data to make unauthorized purchases or withdrawals.
  • Identity Theft: Assuming the identity of the cardholder.
  • Participation in a Criminal Organization: If they are part of a larger carding ring.
  • Money Laundering: For processing the proceeds of their fraudulent activities.

These charges are typically brought under national criminal codes, which have also been influenced by other EU instruments, such as the Directive on the fight against fraud to the Union's financial interests by means of criminal law (PIF Directive).

Pillar 3: Cross-Border Cooperation: The Engine of Enforcement

Carding is inherently transnational. The attacker, the victim, the hosting server, and the cashing-out operation may all be in different member states. Effective prosecution is impossible without robust cooperation.

a) Europol and the European Cybercrime Centre (EC3):
Europol serves as the central hub for operational information sharing and analytical support. Its EC3 unit provides specialized expertise to national law enforcement agencies, facilitates joint investigation teams (JITs), and maintains databases and forensic capabilities crucial for tracking sophisticated carding rings across borders.

b) Eurojust:
This agency facilitates judicial cooperation. When a carding case involves investigations and prosecutions in multiple member states, Eurojust helps coordinate, align strategies, and resolve legal conflicts (e.g., which jurisdiction should prosecute first).

c) The European Investigation Order (EIO) - Directive 2014/41/EU:
This instrument allows a judicial authority in one member state to directly request and obtain evidence from another member state. For example, German prosecutors can use an EIO to compel an Irish service provider to hand over server logs related to a carding operation.

d) The Upcoming e-Evidence Regulation:
To further streamline this process, the new e-Evidence package will establish direct channels for law enforcement to obtain electronic evidence (subscriber information, access to data, etc.) from service providers in other member states, significantly speeding up investigations that are often time-critical.

Pillar 4: Preventive and Sector-Specific Measures

Beyond prosecution, the EU employs measures to make the carders' trade less profitable and more difficult.

a) The Payment Services Directive (PSD2):
PSD2 mandates Strong Customer Authentication (SCA) for electronic payments. This requires multi-factor authentication (typically something you know [password], something you have [phone], and something you are [fingerprint]), creating a formidable barrier for carders attempting to use stolen card data for online transactions.

b) The Network and Information Security (NIS2) Directive:
While GDPR focuses on data protection, NIS2 focuses on the security of essential and important entities (like energy, transport, banking, and digital infrastructure). It imposes baseline security and incident reporting requirements, strengthening the overall cybersecurity resilience of the EU's critical economic sectors against attacks that could lead to mass card data theft.

Conclusion: The Integrated Prosecution Pathway

In practice, these pillars work in concert. The pathway to prosecuting a carder often follows this integrated model:
  1. A carding ring breaches a French e-commerce website, stealing 100,000 payment card records. This is a personal data breach under GDPR.
  2. The French company reports the breach to the CNIL (the French DPA). The CNIL investigates and finds security failures, leading to a multi-million euro administrative fine against the company.
  3. The CNIL's technical investigation identifies the attackers' methods and infrastructure. This evidence is shared with the French National Gendarmerie's Cybercrime Unit under legal protocols.
  4. The French authorities, using national laws that implement Directive 2013/40/EU, open a criminal case for "illegal data interference" and "computer-related fraud."
  5. Investigation reveals the carders are operating from Poland and Bulgaria. French authorities use Europol's EC3 for analytical support and create a Joint Investigation Team facilitated by Eurojust.
  6. European Investigation Orders are issued to secure evidence from cloud providers in a third member state.
  7. Simultaneously, the PSD2's SCA requirement has rendered a large portion of the stolen card data useless for online purchases in the EU, drastically reducing the carders' profit margin.
  8. After a coordinated takedown, the individuals are arrested and face trial in French and Polish courts under their respective national criminal laws for the cyber offenses harmonized by EU directives.

Therefore, prosecuting a carder in the EU is not a matter of applying a single law but of navigating a cohesive, if complex, ecosystem where data protection law sets the stage, criminal law delivers the blow, and deep institutional cooperation makes it all possible.
 