The European Court of Justice (CJEU) likely anticipated a wave of GDPR-related referrals. Few such matters receive as much attention from the public and lawyers as questions on GDPR damages.
Earlier this year, the CJEU decided in a landmark case C-300/21 that an award of non-material damages in accordance with Art 82 GDPR requires an infringement of the GDPR, damage suffered by the data subject, and a causal link between the unlawful processing and the damage (see also EU: CJEU lowers threshold for GDPR damages).
Up next is the case of a data subject worried about possible, but by no means certain or probable, future events after a hacker attack.
Four years ago…
The Bulgarian National Revenue Agency Natsionalna agentsia za prihodite ("NAP") informed Bulgarian and foreign nationals via the media of an unauthorised access to its information system. The NAP was hacked and various tax and social security information was published online. The incident affected the personal data of 6,074,140 data subjects, including 4,104,786 Bulgarian citizens and foreign nationals, and 1,959,598 deceased individuals. Plaintiffs across Bulgaria saw an opportunity and claimed compensation of non-material damages due to alleged harm suffered.
The lower Bulgarian Court Administatibven sad Sofia-grad dismissed a specific claim arguing that the NAP failed to implement the necessary technical and organisational measures required by the GDPR, which led to the security leak causing worry and fears. The plaintiff claimed compensation of non-material damages in the amount of BGN 1,000 (approx. EUR 511). The main grounds for dismissal of the claim in the first-instance decision were that
- being hacked was not sufficient to presume that the necessary technical and organisational measures were not appropriate;
- the plaintiff bears the burden of proof that appropriate technical and organisational measures were not implemented by the NAP or were implemented inappropriately, so that this contributed to the unauthorised access and disclosure of the personal data;
- the emotional discomfort caused by the news of the unauthorised access to the NAP's files does not constitute actual damage within the meaning of the law;
- the public disclosure of the unauthorised access to the NAP's database has not affected the plaintiff's life, self-esteem, self-worth, work, relationships with loved ones or health;
- the emotional discomfort experienced by the plaintiff is not a result of the NAP's behaviour.
Upon the applicant's appeal, the Supreme Administrative Court, Varhofen administrativen sad, referred several questions to the CJEU. Among others, the Bulgarian Court asked the CJEU whether
- being hacked is sufficient to presume that the necessary technical and organisational measures were not appropriate;
- the controller bears the burden of proof that appropriate technical and organisational measures were implemented;
- a hacking attack exempts entities from liability; and
- worries, fears and anxieties suffered with regard to a possible misuse of personal data in the future may constitute non-material damage.
Being hacked does not automatically equate to a violation of the GDPR's obligations
Unsurprisingly, in the opinion of Advocate General Giovanni Pitruzzella, it would be illogical to assume that the EU legislator intended to impose obligations on the controller, making it impossible to demonstrate that the controller had correctly fulfilled its obligations under the GDPR. Therefore, a data breach alone does not show that the controller had failed to implement appropriate technical and organisational measures. Nevertheless, the burden of proving the appropriateness of the measures implemented and assessed by national courts lies not with the data subject, which must show harm suffered, causation and an infringement of the GDPR, but the controller. The admissible methods of proof and inquiry, such as expert reports, are subject to national procedural law.
Money, money, money – is worrying about the future enough?
When it comes to damages, Advocate General Pitruzzella believes that a hacker attack does not automatically exempt a controller from liability. Thankfully, in his view the GDPR does not provide for strict liability, where the element of fault is entirely disregarded. Rather, a controller could provide exonerating evidence and, to this end, must demonstrate that it was not responsible for the breach caused. The Advocate General is clear that it should not simply suffice that a third party was able to access the data subject's personal data without authorisation. In practice, this would mean that a controller would have to prove that it was not acting negligently and facilitated the hacker attack by not having appropriate data security measures in place.
With respect to non-material damages, which are becoming quite popular across Europe, the Advocate General predictably opted for a broad interpretation – also see C-300/21 EU: CJEU lowers threshold for GDPR damages for the CJEU's judgment subsequent to Advocate General Pitruzella's Opinion. Nonetheless, the Advocate General explains that a plaintiff's subjective perception, changeable and dependent on character and personal elements, will not be decisive, but actual inconvenience to the data subject's physical and psychological sphere or its relationships will be required, i.e. actual and emotional damage. The national courts would then assess and verify the actual and emotional damage case by case.
The Advocate General's opinion is not binding for the CJEU. Notably, the CJEU has deviated from Advocate General Manuel Campos Sánchez-Bordona's Opinion on the question of whether a threshold of seriousness is required to award compensation for non-material damages for GDPR infringements (C-300/21). The opinion has been criticised for placing the burden of proof of appropriate technical and organisational measures having been implemented on the controller. It remains to be seen what the CJEU will make of it.
Nevertheless, potential defendants faced with non-material damages claims do not need to panic. We shall see whether judges will be convinced by plaintiffs' arguments that they are worried about possible future implications because personal data has been compromised. Copy & paste claims might fail, however, and a plaintiff willingly sharing data for raffles, ad-free surfing or numerous online shops might struggle to explain in court why they are more worried about contact data being accessed by a hacker and not by the 30 or 50 online shops around the world – also in non-Member States – that they are registered with.
It is definitely a good time to double-check the implementation of appropriate technical and organisational measures. From a pre-litigation perspective, it is highly recommended to record any checks, protocols and updates to data security, correspondence with and suitability of privacy officers and engagement of third parties. In the worst-case scenario, this information may prove to be essential evidence in court proceedings, also to rely on the exemption from liability.
One EUR 500 claim may not seem like much at first glance, but the Collective Redress Directive could be a gamechanger. So far, the Directive has not been implemented in every Member State (see Class Action Info Corner). Neither Austria, a country where data protection disputes have been going strong in recent years, nor Bulgaria have implemented the Directive yet. Once implemented, however, it could easily become a tool for so-called Qualified Entities to confront companies with high-value claims on behalf of consumers.
By Sara Khalil, Counsel, and Marin Demirev, Counsel, Schoenherr