1. Nature of Digital Identity Misuse in Portugal

Digital identity misuse typically includes:

(A) Identity Theft (Usurpation of Identity)

Using another person’s identity to:

• Open bank accounts
• Apply for residence permits (AIMA cases)
• Commit financial fraud
• Access government portals

(B) Phishing and Digital Credential Theft

• Fake emails/SMS pretending to be banks or public authorities
• Stealing login credentials for Chave Móvel Digital

(C) Fake Digital Identity Creation

• Using forged or stolen documents to create false digital profiles

(D) Biometric Identity Misuse

• Unauthorized collection or use of biometric data (iris, facial recognition)

(E) Administrative Data Leakage

• Misuse by public authorities or private entities handling citizen data

2. Legal Framework (Portugal)

Key Legal Provisions

• Article 217 Criminal Code → Fraud
• Article 256 Criminal Code → Document forgery
• Article 225 Criminal Code → Usurpation of identity
• Law 109/2009 → Cybercrime offenses (illegal access, phishing, data interference)
• GDPR Articles 5, 6, 32 → Lawfulness, security, accountability

3. Case Laws on Digital Identity Misuse in Portugal (6+ Important Cases)

Below are real Portuguese judicial decisions and CNPD-related case law themes involving identity misuse, impersonation, or personal data abuse.

CASE 1: False Identity Used for Residency and Criminal Conviction

Supremo Tribunal de Justiça (STJ), Case 427/01.0GAABF-A.S1

• A third person used a fake residence authorization containing another person’s identity
• The accused was wrongly linked to criminal acts due to identity substitution
• Court found serious doubt in identity attribution
• Result: Conviction reviewed due to identity fraud

👉 Principle: Courts must ensure strict proof of identity in criminal proceedings involving digital or documentary impersonation.

CASE 2: Phishing and Digital Credential Fraud (Bank Access)

Tribunal da Relação do Porto, Case 13769/23.5T8PRT.P1 (2025)

• Organized phishing schemes targeted users in Portugal
• Attackers used fake portals to obtain:
  • Banking credentials
  • Authentication data
• Victims’ identities were used for unauthorized transactions

👉 Principle:

• Phishing = illegal access + identity misuse
• Criminal liability applies even if identity theft is indirect

CASE 3: Video Surveillance as Personal Data (Identity Exposure)

Tribunal da Relação de Lisboa, Case TRL174/20.4T8PDL.L1-6 (2021)

• Court ruled that video recordings of individuals are personal data
• Unauthorized surveillance and use of footage constitutes identity misuse under data protection law

👉 Principle:

• Visual identity (face image) = protected digital identity under GDPR

CASE 4: CNPD Decision – Lisbon Municipality Data Misuse (GDPR Violation)

• CNPD found Lisbon Municipality:
  • Retained protester identity data too long
  • Shared personal data without legal basis
  • Failed to inform individuals properly
• Result: €1M+ administrative fine (upheld later by court)

👉 Principle:

• Public authorities can misuse identity data through unlawful retention and sharing

CASE 5: Identity Data Misuse in Telecommunications (Data Retention Case)

Under Portuguese enforcement of Law 32/2008 (data retention law):

• Courts recognized that unauthorized access to telecom identity data (SIM, IP logs) is criminal
• Identity-linked metadata misuse can lead to:
  • Prison sentences up to 2 years
  • Heavy fines

👉 Principle:
Digital identifiers (SIM/IP identity) are legally protected identity markers.

CASE 6: Fake Digital Documents and Administrative Identity Fraud

Tribunal da Relação do Porto / Criminal jurisprudence (multiple cases under Law 109/2009)

• Individuals used:
  • Fake ID cards
  • Altered digital credentials
• To impersonate others in administrative systems

👉 Principle:

• Digital impersonation = criminal forgery + identity crime
• Applies even if no financial loss occurs

CASE 7: Identity Mistake Leading to Wrong Conviction

Supremo Tribunal de Justiça (Revision Case 427/01 again reinforced)

• Identity confusion between accused and third-party impostor
• Court accepted:
  • “serious doubt about true identity”
• Conviction overturned or revised

👉 Principle:
Identity errors in digital/administrative systems can invalidate criminal liability.

4. Key Judicial Principles Established in Portugal

From case law and CNPD decisions:

1. Identity is a protected legal asset

Even partial identity data (photo, IP, biometric) is protected.

2. Digital impersonation = criminal offense

Includes phishing, fake accounts, and document forgery.

3. Public authorities can also violate identity rights

Not only hackers or private actors.

4. Proof of identity must be strict in criminal trials

Mistaken identity can lead to wrongful conviction reversal.

5. GDPR strengthens identity protection

Especially regarding:

• Consent
• Data minimization
• Security obligations

5. Conclusion

Digital identity misuse in Portugal is treated as a serious hybrid offense combining:

• Cybercrime
• Fraud
• Data protection violations
• Criminal impersonation

Portuguese courts and CNPD decisions consistently emphasize that identity is both a legal and digital asset, and misuse—whether through phishing, fake documents, or data breaches—can lead to criminal liability and administrative sanctions.