Under the GDPR, data subjects may claim compensation if they suffered damage because the controller infringed its obligations under the GDPR. Does a data theft by cybercriminals mean that the controller has not adopted appropriate data security measures and has therefore failed to comply with its data protection obligations? Can the data subject claim compensation if the only damage suffered is the fear that personal data was misused? The Court of Justice of the European Union answered these questions in a recent decision, which is analysed in this short article.
Facts
In 2019, the media revealed that the IT system of the Bulgarian authority NAP had been hacked and that personal data contained in the IT system had been published on the internet. More than 6 million persons were affected by the data breach.
The appellant sued the NAP for compensation, claiming that the fear that her personal data, leaked in the data breach, might be misused (she might be blackmailed, assaulted or even kidnapped) constitutes non-material damage.
The first instance court dismissed the appellant's action. The court held that the appellant had failed to prove that the NAP had not adopted appropriate security measures, and that the appellant had not suffered any non-material damage.
The appellant appealed against this decision, and the Supreme Administrative Court referred the case to the CJEU in Luxembourg to clarify the provisions of the GDPR as regards the adequacy of data security measures and the conditions of compensation, including the concept of non-material damage.
The adequacy of data security measures
First, the CJEU established that, under the GDPR, unauthorised access to or disclosure of personal data by a third party is not in itself sufficient to conclude that the data security measures adopted by the controller were not appropriate. The EU legislator only expects controllers to mitigate the risks of personal data breaches; there is no indication in the text of the GDPR that it would be possible to eliminate them.
According to the Luxembourg court, national courts shall assess the appropriateness of data security measures in two stages. First, it is necessary to identify the risks of a data breach and their consequences for the rights and freedoms of natural persons. Secondly, it shall be ascertained whether the implemented data security measures are appropriate to the identified risks, considering the state of the art, the costs of implementation and the parameters of the processing.
Further, the CJEU clarified that, as regards the appropriateness of the data security measures, the burden of proof lies with the controller.
The conditions of compensation
When it comes to the conditions of the compensation to be paid based on the GDPR, the Luxembourg judges shed light on two important questions.
The CJEU recalled that a controller may only be exempted from paying compensation if it is able to demonstrate that the damage is not attributable to it. In the Court's view, if the personal data breach has been committed by cybercriminals (and therefore by a third party), the infringement of the GDPR cannot be attributed to the controller unless it failed to comply with its obligations laid down by the GDPR, specifically the obligation to adopt appropriate data security measures.
In addition, the Luxembourg court interpreted the concept of damage under the GDPR. According to the Court, the wording of the GDPR makes it clear that the EU legislature intended that concept to include the mere 'loss of control' over personal data, even if there had been no misuse of the data to the detriment of the affected data subjects. Thus, the fear experienced by a data subject with regard to the possible misuse of his or her personal data by third parties as a result of an infringement of the GDPR is capable, in itself, of constituting non-material damage.
Conclusion
To briefly analyse the decision: on the one hand, controllers may welcome the CJEU's approach to the appropriateness of data security measures, namely that even in the event of a data breach, controllers may prove that the adopted data security measures were appropriate. On the other hand, it seems to be a rather high standard of liability that data subjects can claim damages for the mere fear of their data being misused without suffering actual damage.
By Anita Vereb, Attorney-at-law, SmartLegal Schmidt & Partners