On December 14, 2023, the Court of Justice of the European Union ("CJEU") delivered a landmark judgment, following the request of a preliminary ruling, in the case of VB v. Natsionalna agentsia za prihodite (C 340/21) whereby the Court examined, among other aspects, liability and non-material damage under the EU General Data Protection Regulation ("GDPR").

Background

A cyber-attack committed against the Bulgarian National Revenue Agency (the "Agency") resulted in a data breach affecting over 6 million Bulgarian citizens and foreign nationals. The breach prompted legal actions from several hundred affected individuals, including the main appellant in the proceedings, who sought compensation from the Agency claiming non-material damages incurred due to the fear of the possible misuse and potential harm that could arise as a result of the unauthorized disclosure of their personal data.

The Supreme Administrative Court of Bulgaria raised several questions to the CJEU for a preliminary ruling, aiming to seek clarification on the following points:

  1. Whether the unauthorised disclosure of personal data inherently indicates insufficient technical and organisational measures implemented by the controller;
  2. The scope of judicial review for the adequacy of technical and organisational measures under article 32 GDPR;
  3. Who bears the burden of proving that the technical and organisational measures adopted by the controller are appropriate, and whether an expert's report constitutes necessary and sufficient means of proof;
  4. Whether the controller is liable for the unauthorised disclosure of, or access to, personal data, resulting from third party actions;
  5. Whether the fear suffered by a data subject regarding the possible misuse of personal data in the future, falls within the scope of non-material damage.

Court Considerations

In response to the initial query, the CJEU determined that articles 24 and 32 of the GDPR merely require the controller to implement technical and organisational measures, designed to prevent, to the extent possible, any breach of personal data. The evaluation of such technical measures should be assessed on a case-by-case basis, taking into account the appropriateness of such measures in relation to the nature, scope, context and purpose of the processing, as well as the potential risks to the rights and freedoms of individuals. Thus, the Court held that the aforementioned articles cannot be interpreted as creating a presumption that the unauthorised disclosure or unauthorised access to personal data by a third party inherently indicates inadequacy or inappropriateness of the controller's adopted measures. Instead, the controller should be given the opportunity to demonstrate that the technical and organisational measures adopted align with the provisions of the GDPR.

Referring to the second point brought by the referring court, the CJEU asserted that the adequacy of the technical and organisational measures implemented by the controller should be evaluated by the national courts in a concrete manner. Article 32(1) and (2) requires a two-step assessment of the organisational and technical measures adopted by the controller which initially involves identifying the risks associated with potential data breaches caused by the processing concerned and their potential impact on the rights and freedoms of data subjects and secondly, determining whether the measures implemented by the controller are suitable for mitigating these identified risks. The CJEU acknowledged the controller's discretion in selecting the appropriate technical and organisational measures to establish a security level commensurate with the risk. Nevertheless, the CJEU emphasised that it is the responsibility of the national court to scrutinize the assessment adopted by the controller to ascertain the appropriateness of the adopted measures in ensuring a high level of security.

Regarding the third query, the CJEU held that it is the controller's responsibility to take all necessary measures to ensure the implementation of appropriate security to safeguard against unauthorised or unlawful processing of personal data, as well as accidental loss, destruction or damage. The Court established that, in an action for damages pursuant to article 82 of the GDPR, the burden of proof rests with the controller to show that the processing of personal data adheres to the requisite security standards. In the second segment of the third question posed, the CJEU clarified that the GDPR does not establish rules relating to the admission and the probative value of evidence, including expert reports, in action for damages. This determination is left to the discretion of national courts of each member state, allowing them to define specific rules relating to the types of evidence required to assess the appropriateness of such measures. Therefore, the CJEU asserted that an expert's report cannot be deemed to be a universally necessary and sufficient means of proof for evaluating the adequacy of measures adopted by the controller.

When addressing the fourth question posed by the referring court, the CJEU clarified that the controller initially bears the responsibility of remedying any damage resulting from a GDPR infringement related to the processing. Additionally, the controller can only be relieved of liability if he can substantiate that he is in no way responsible for the event giving rise to the damage. The circumstances that permit a controller to be exempt from liability are strictly confined to cases where the controller can prove non-involvement in the occurrence of the damage. In this specific instance, as the personal data breach was perpetrated by cybercriminals, the infringement cannot be attributed to the controller unless the controller facilitated the breach by failing to adhere to its obligations under the GDPR. Thus, a controller is exempt from liability when demonstrating the absence of a causal link between the potential breach of its data protection obligations and the harm endured by natural persons.

Lastly, the CJEU highlights that the fear experienced by individuals regarding the potential misuse of their personal data by third parties, may, in itself, be considered to be non-material damage. The Court emphasized that the existence of 'damage' suffered is a prerequisite for the entitlement to compensation. However, it is the data subject affected by the infringement who must demonstrate that the adverse consequences experienced qualify as non-material damage. Additionally, when an individual seeking compensation bases their claim on the apprehension that their personal data might be misused in the future, it is the national court overseeing the case that must assess whether the expressed concern is well-founded in light of the specific circumstances at hand.

This article was first published in The Malta Independent on 06/03/2024.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.