The decision of the CJEU on damages deriving from a data breach may increase the risk of class actions connected to privacy-related violations.
The Court of Justice of the European Union recently ruled in Case C-340/21 on the conditions for compensation for intangible harm resulting from the publication of personal data on the internet following a hacker attack, constituting a personal data breach under EU Regulation 679/2016. According to the CJEU, the fear of potential misuse of personal data by third parties that a data subject experiences following a data breach can, in itself, constitute compensable “intangible harm.” In fact, according to the Court, the data controller cannot be relieved of its obligation under Article 82 of the GDPR to compensate for the damage suffered by the data subject merely because such damage results from an unauthorized disclosure of personal data, or from unauthorized access to such data, by “third parties” such as cybercriminals.
The case and the preliminary questions raised by the national court
The case originates from an unauthorized access to the computer system of the Bulgarian equivalent of the Internal Revenue Agency. The Agency is responsible, notably, for the identification, safeguarding and recovery of public debts and consequently processes, as a data controller, a considerable amount of personal data relating to Bulgarian and non-Bulgarian taxpayers.
Following the aforementioned cyber attack, a full-fledged data breach involving the publication on the Internet of personal data relating to millions of data subjects, many of them took action against the Agency, seeking compensation for the intangible damage allegedly resulting from the fear of potential misuse of their personal data.
The Bulgarian Supreme Administrative Court referred several preliminary questions to the Court regarding the interpretation of the GDPR, forwarding a request for a preliminary ruling under Article 267 of the Treaty on the Functioning of the European Union. The Bulgarian court asked for clarifications regarding the conditions for compensation for intangible damage invoked by a person whose personal data, held by a public agency, was subject to publication on the Internet as a result of an attack by cybercriminals.
In support of her claim for compensation, the plaintiff alleged that she had suffered intangible harm resulting from a personal data breach, within the meaning of Article 4(12) of the GDPR, more specifically, a breach of security that was allegedly caused by the Agency’s breach of its obligations under, in particular, Article 5(1)(f), as well as Articles 24 and 32 of the Regulation. In essence, the intangible harm complained of by the plaintiff would consist of the fear that her personal data that were published without her consent would be misused in the future or that she would be subjected to blackmail, assault, or even kidnapping.
Since the Administrativen sad Sofia-grad (Sofia City Administrative Court) had dismissed the appellant’s appeal in the main proceedings, the appellant had appealed this decision in cassation to the Varhoven administrativen sad (Supreme Administrative Court, Bulgaria), the referring court in the present case.
The CJEU’s principles of law on compensation for data breach damages
The principles of law developed by the CJEU in answering the preliminary questions raised by the Bulgarian Supreme Administrative Court on the conditions for compensation for intangible damage can be summarized as follows:
- The data controller cannot be exempted from its obligation to compensate for the damage suffered by the data subject, pursuant to Article 82 of the GDPR, merely because such damage results from unauthorized disclosure of personal data or unauthorized access to such data by “third parties” such as cybercriminals; rather, the data controller must prove that the event that caused the damage in question is in no way attributable to it;
- For the purpose of assessing the adequacy of the security measures that the data controller has implemented under Article 32 of the GDPR, a court-ordered expert report cannot be a systematically necessary and sufficient means of proof;
- The fear of potential misuse of one’s personal data by third parties that a person experiences as a result of a GDPR breach may, in itself, constitute “intangible harm;”
- The CJEU had already clarified that Article 82(1) of the GDPR also applies to “intangible damage,” which encompasses a situation such as the one considered by the referring court, in which the data subject, in order to obtain compensation on the basis of this provision, invokes his or her fear that his or her personal data will be subject to future misuse by third parties as a result of the breach of the Regulation that occurred.
According to the Court, this literal interpretation is supported by a number of additional indicators, such as:
- Recital 146 of the GDPR, which specifically addresses the right to compensation provided for in Article 82(1) and states that “[t]he concept of harm should be interpreted broadly in the light of the case law of the Court of Justice so as to fully reflect the objectives” of the Regulation. Accordingly, an interpretation of “intangible harm” that excludes situations in which the data subject affected by a breach alleges a fear that his or her personal data will be misused in the future would not correspond to the broad conception of this notion intended by the Union legislature; and
- Recital 85 of the GDPR, which indicates that “[a]ny personal data breach may, if not addressed in an appropriate and timely manner, cause physical, material or immaterial harm to natural persons, such as loss of control over personal data concerning them or limitation of their rights, discrimination, identity theft or usurpation, financial loss, (…) or any other significant economic or social harm.” From this illustrative list, it appears that the Union legislature intended these notions to include, in particular, the mere “loss of control” over one’s data as a result of a GDPR breach, even where no misuse of the data in question has actually occurred to the data subject’s detriment.
In any case, it is important to note that, according to the CJEU, the mere unauthorized disclosure of personal data or unauthorized access to such data is not in itself sufficient for the courts to infer that the security measures taken by the data controller were inadequate. In fact, according to the CJEU, it remains for the courts to examine the adequacy of those measures in concreto, taking into account the risks associated with the processing and assessing whether the nature, content and implementation of those measures are appropriate to those risks. The burden of proving that the security measures taken were adequate, however, rests on the data controller.
Why this ruling creates a greater risk of a privacy related class action consequential to a data breach
Because the preliminary reference procedure allows the courts of the Member States, in the context of a dispute before them, to refer questions to the Court on the interpretation of Union law or the validity of a Union act, the CJEU does not resolve the national dispute itself: it is up to the national court (in this case, the Bulgarian courts) to decide the case in accordance with the principles of law laid down by the CJEU.
This decision is nonetheless particularly important for companies to which the GDPR applies, because the CJEU’s ruling will equally bind other national courts before which a similar question is raised, and it may increase the risk of class actions that have so far not materialized precisely because of the difficulty of proving damage resulting from data breaches. This ruling could be a turning point in that regard.
Therefore, given the potential costs of a class action, companies will need to invest time and resources in data breach prevention and in the security of their data processing activities, as well as to handle any requests received from data subjects with the utmost care and attention.
In any case, it will be interesting to observe how the principles of law expressed by the CJEU can be reconciled with the well-established position of the Supreme Court of Cassation, according to which, also in the field of data breaches, damage is compensable only if it meets the requirements of “seriousness of the damage” and “seriousness of the injury.” On that view, the damage is not identified with the mere injury to the interest protected by the legal system, but with the consequences of that injury, which may then also be proven through presumptions for the purposes of a class action.