The Court of Justice of the European Union (“CJEU”) has ruled that the fear of a data subject over the possible misuse of their personal data from a data breach is regarded as non-material damage and can lead to financial compensation from the data controller.

Facts:

The Bulgarian Tax Authority – the data controller – suffered a data breach and as a result, more than 6 million data subjects’ personal data was leaked online. The complainant was one of the 6 million data subjects affected.

The complainant instituted legal proceedings against the data controller under Article 82 General Data Protection Regulation (“GDPR”). Part of her claim included approximately €510 as compensation for the non-material damage resulting from the data breach. She argued that the data controller had caused the damage due to their failure to implement adequate technical and organizational measures in breach of Articles 5, 24 and 32 GDPR. Her non-material damage was the fear that her personal data might be misused in the future and that she could be threatened as a consequence.

Her claims were dismissed: the court held that the data controller had not caused the data breach, as it was caused by the actions of third parties, and that the complainant had failed to prove that the data controller had failed to implement security measures. Furthermore, the court was of the opinion that the complainant had not suffered any non-material damage as her fear was only hypothetical.

The complainant appealed this decision and various questions were referred to the CJEU by the appellate court.

Finding:

The CJEU held that the burden of proof for proving that technical and organizational measures are adequate lies with the data controller and therefore granted the complainant damages for the data breach.

The fact that a third party breaches a data controller does not automatically mean that the technical and organizational measures of the data controller were inadequate. The CJEU further held that Articles 24 and 32 GDPR merely require the data controller to implement technical and organizational measures in order to avoid any personal data breach, if at all possible. It cannot be inferred from the language of the GDPR that a breach is sufficient to conclude that the measures were not appropriate, without allowing the data controller to argue otherwise.

The appropriateness of technical and organizational measures, and of any expert reports regarding them, must be assessed by the national courts. This assessment takes place in two stages: first, the court must identify the risks of a breach and the potential consequences of those risks; second, the court must determine whether the data controller’s technical and organizational measures are appropriate to those risks. The substance of the technical and organizational measures must be examined in light of the criteria set out in Article 32 GDPR, and the investigation must not be confined to how the data controller aimed to comply with Article 32 GDPR.

The interpretation of non-material damage and compensation relied upon by the CJEU is supported by the Österreichische Post AG case, where the CJEU stated that the concept of damage has to be interpreted broadly. The national courts must ensure that the fear over the misuse of personal data is not unfounded and that it is related to the specific circumstances at issue for the data subject.

Does your organization have questions about appropriate technical and organizational measures? Contact us, the Experts in Data Privacy at info@dpoconsultancy.nl for assistance.