On April 27, 2023, the Advocate General published it’s Opinion in Case C-340/21 regarding the compensation that can be awarded for non-material damage arising from liability and presumed fault on the part of the data controller.

In order to be exempt from liability, a data controller must demonstrate that it is not in any way responsible for the event giving rise to the damage. Fear of a possible misuse of the personal data in the future can constitute non-material damage. This will give rise to a right to compensation only if it is actual and certain emotional damage and not simply trouble or inconvenience for the data subject.

The Opinion of the Advocate General states that the data controller is obliged to implement appropriate technical and organizational measures to ensure that processing of personal data is performed in accordance with the General Data Protection Regulation (‘GDPR’).

The most important points of the Opinion are that that:

  • The occurrence of a personal data breach is not sufficient in itself to conclude that the technical and organizational measures implemented by the data controller were not ‘appropriate’ to ensure data protection. The data controller’s decision is subject to possible judicial review of compliance but the data controller must consider the ‘state of the art’ to what is reasonably possible at the time of implementation as well as the implementation costs. The assessment of appropriateness of the measures will be based on a balancing exercise between the interests of the data subject and the economic interests and technological capacity of the controller, in compliance with the general principle of proportionality;
  • The burden of proving that the measures are appropriate is on the data controller and not the data subject;
  • The fact that the infringement has been committed by a third party does not in itself constitute a ground for exempting the data controller. In order to be exempted from liability, the data controller must demonstrate, to a high standard of proof, that it is not in any way responsible for the event giving rise to the damage;
  • Detriment consisting in the fear of a potential misuse of one’s personal data in the future, the existence of which the data subject has demonstrated, may constitute non-material damage giving rise to a right to compensation, provided that it is a matter of actual and certain emotional damage and not simply trouble or inconvenience.

While the Advocate General’s Opinion is not binding on the Court of Justice of the European Union (‘CJEU’), the Opinion provides an independent legal solution to the CJEU which can be considered by the judges when deliberating the case. The outcome of Case C340/21 is a development that will be closely monitored.

Does your organization have a question about data breaches or how to respond to data subjects regarding data breaches? Contact us, the Experts in Data Privacy, at info@dpoconsultancy.nl for more information.