The basis of the decision
On 5 July 2019, it was reported that there was an unauthorized access to the information system of the Bulgarian National Agency for Revenue “NAP”. Subsequently, the personal data contained in this system was published on the internet by the hackers. More than six million people were affected. Hundreds of them sued the NAP for compensation for the non-material damage that allegedly resulted from the disclosure of the data. It was unclear whether and under what conditions those affected were entitled to compensation in such cases and was therefore referred to the European Court of Justice for a preliminary ruling.
It was asked whether the finding of a personal data breach would allow the conclusion that the measures taken by the data controller were not “appropriate” and and which rules of proof apply for controllers with regard to the suitability of the protective measures applied.
In addition, it was asked whether the sole fear of a person that their personal data could be misused in the future could constitute”damage” within the meaning of art. 82 sec. 1 GDPR.
Suitability of the measures and burden of proof
The European Court of Justice rejects a general assumption that the security measures were unsuitable or inadequate if unauthorized access (e.g. a cyberattack) was successful. This means that courts must make an individual assessment of the controller’s security measures.
Due to the principle of accountability formulated in the GDPR, the controller of personal data bears the burden of proof that the security measures it took were suitable to ensure adequate data protection. Consequently, the controller can only exempt itself from liability by proving that it is not responsible for the damage in any way.
When does a liability for damages arise?
In general, damage can be caused by the data subject’s fear that the data could be misused. There is no trivial threshold for the claim under art. 82 sec. 1 GDPR. With reference to another European Court of Justice ruling (“Österreichische Post”, C- 300/21), it is again pointed out that data subjects must prove the existence of the aforementioned damage within the meaning of art. 82 GDPR.
Implications for companies and the law practice
The rulings may lead to stricter assessment of data protection violations and an increased number of lawsuits for non-material damages. Fines and warnings from consumer protection associations may also be imposed. Therefore, this should be an opportunity for companies to implement and review adequate security measures. Above all, an appropriate level of protection of personal data should always be guaranteed and, if necessary, it should also be proven that the company is not responsible for the breach in any way.