In a recent ruling, the Court of Justice of the European Union (“CJEU”) has spoken for the first time on the interpretation of Article 32 of the GDPR and the obligation to take adequate security measures in the context of a data breach.
The CJEU concluded that the occurrence of a data breach, in the form of unauthorized disclosure of or access to personal data, is not in itself sufficient to find that the technical and organizational measures implemented by the data controller are not “adequate” within the meaning of Articles 24 and 32 of the GDPR.
The CJEU case on data breach under privacy rules
The case originates from a request for a preliminary ruling made by a Bulgarian court, in the context of a dispute established between a citizen of Bulgarian nationality and the NAP, an authority attached to the Bulgarian Ministry of Finance.
Following a hacker attack that had affected the computer system of the NAP, the personal data of more than 6 million people, including those of the plaintiff, had been published on the Internet. The plaintiff had then sued the NAP, claiming compensation for the damages suffered and alleging a breach of the security obligations placed on the NAP as the data controller.
The appellate court then decided to refer the matter to the CJEU in order to clarify, among others, the following questions:
- Whether the finding of a personal data breach can automatically indicate the inadequacy of the measures taken, in accordance with Articles 24 and 32 of the GDPR; and
- What should be the object and scope of judicial review when examining the adequacy of the technical and organizational measures taken by the data controller under Article 32.
The CJEU’s interpretation of the inadequacy of security measures resulting in a data breach
After analyzing the facts of the case, the CJEU ruled as follows:
On the first issue, the CJEU points out that a combined reading of Articles 24 and 32 of the GDPR shows that this regulation establishes a risk management regime and that it in no way claims to eliminate the risks of a personal data breach.
The adequacy of the security measures must therefore be assessed on the basis of the factual circumstances, by examining whether those measures were implemented taking into account the various criteria set forth in the aforementioned articles, the data protection requirements specifically inherent in the processing at issue, and the risks induced by that processing. On this basis, the Court concludes that Articles 24 and 32 of the GDPR must be interpreted to mean that the mere occurrence of a data breach is not sufficient to consider that the technical and organizational measures implemented by the data controller in question are inadequate.
On the second question, the CJEU holds that, under Article 32, the adequacy of technical and organizational measures must be assessed in two steps: (i) first, by concretely assessing, ex ante, the likelihood of the risks induced by the processing and their degree of severity; and (ii) second, by verifying whether the measures implemented by the data controller are appropriate to those risks, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing. Thus, national courts must assess the appropriateness of the technical and organizational measures implemented by the data controller in concrete terms, taking into account the risks associated with the processing in question and assessing whether the nature, content and implementation of those measures are appropriate to those risks.
The relevance of the ruling for privacy authorities
The findings of the judgment have important consequences not only for national courts, but also for the data protection authorities, which are first called upon to examine personal data breaches notified to them.
Applying the same principles expressed by the CJEU by analogy, when assessing a data breach the data protection authorities will also have to carry out a specific analysis of the content of the security measures, the way they have been applied and their practical effects, based on the evidence available to them and the circumstances of the specific case. Conversely, where an authority challenges the suitability and effectiveness of the security measures, it will be required to provide specific and detailed reasons to support that challenge.
On a similar topic you might be interested in the following article: “Higher risks of a class action for a privacy related data breach following CJEU's ruling”.