Clifford Chance

Talking Tech

Court of Justice of the European Union on GDPR & Cybercrime

Cyber Security | Data Privacy | 15 December 2023

On 14 December 2023, the Court of Justice of the European Union (CJEU) published its preliminary ruling in Case C-340/21 involving the Bulgarian National Revenue Agency (NAP), which suffered a cyberattack leading to the unauthorized disclosure of personal data.

In July 2019, a cyberattack on the NAP's IT system was reported, resulting in the online publication of personal data of more than six million individuals. The NAP is tasked with identifying, securing, and recovering public debts and as such acts as a controller of personal data. The report of the cyberattack led to legal claims against the NAP, with several hundred individuals seeking compensation for non-material damage due to the fear of potential misuse of their data.

Following this, the Bulgarian Supreme Administrative Court referred five questions to the CJEU for a preliminary ruling, all concerning the interpretation of the General Data Protection Regulation (GDPR). The questions sought to clarify the conditions under which compensation for non-material damage can be awarded to a data subject whose personal data, held by a controller, are published on the internet as a result of a cyberattack.

FEAR OF POSSIBLE MISUSE MAY CONSTITUTE NON-MATERIAL DAMAGE

The most interesting answer provided by the CJEU concerns the fear of possible misuse. The CJEU ruled that the fear experienced by a data subject that their personal data might be misused can, in itself, constitute 'non-material damage'. The ruling attaches two important limitations to this finding:

  • a person concerned by an infringement of the GDPR which has negative consequences for them is required to demonstrate that those consequences constitute non-material damage; and
  • where a person claiming compensation on that basis relies on the fear that their personal data will be misused in the future because of the infringement, the relevant national court must verify that the fear can be regarded as well founded, in the specific circumstances at issue and with regard to the data subject.

Nevertheless, the ruling does increase the risk for controllers (and processors) of facing damage claims from data subjects. Ultimately, it could open the floodgates to numerous damage claims and subsequent litigation in the aftermath of cyberattacks.

OTHER KEY CLARIFICATIONS BY THE CJEU

Courts cannot infer that the technical and organisational measures implemented by the controller were not 'appropriate' (within the meaning of the GDPR) solely because personal data were disclosed or accessed without authorisation. The appropriateness of those measures must be assessed by national courts in a concrete manner.

  • The CJEU emphasised in its ruling that the GDPR requires technical and organisational measures intended to avoid, in so far as at all possible, any personal data breach. The appropriateness of the measures taken by the controller must be assessed against various criteria and the specific risks associated with the processing (taking into account their likelihood and severity). The controller has some discretion in determining the appropriate measures, but the national court must verify that the measures chosen are suitable for ensuring the required level of security.

The controller bears the burden of proving that the protective measures it implemented were appropriate, and an expert's report cannot be a systematically necessary and sufficient means of proof.

  • The CJEU held that the GDPR's principle of accountability is to be interpreted as meaning that, in an action for damages, the controller bears the burden of proving that the security measures implemented by it are appropriate pursuant to the GDPR.
  • The CJEU stated that it is for the national legal system of each Member State to establish procedural rules, including as to the required kinds of evidence, subject to compliance with the principles of equivalence and effectiveness. However, an expert's report cannot be considered a systematically necessary and sufficient means of proof. The court must carry out an objective assessment of the appropriateness of the measures, and the use of an expert's report may be superfluous depending on the other evidence available.

If a 'third party' (e.g., a cybercriminal) is responsible for the unauthorised disclosure of or access to personal data, the controller may still be held liable and required to compensate the data subjects for the damage, unless it can prove that it is in no way responsible for the event giving rise to the damage.

  • According to the CJEU, a controller cannot be exempt from its obligation to compensate for damage solely because the damage resulted from the unauthorised actions of a third party. The controller (or processor) must prove that it is in no way responsible for the event that led to the damage. Where a personal data breach has been committed by cybercriminals, the controller can only be held liable if it has failed to comply with an obligation under the GDPR and thereby made the infringement possible. The controller will not be liable if it can prove either that it has not breached the GDPR or that there is no causal link between its possible breach and the damage suffered by the individual.

INITIAL CONCLUSION

The ruling may have significant implications for controllers (and processors, who are also directly responsible for compliance with the GDPR's security requirements) and for the interpretation of the GDPR. The CJEU's finding that the fear of potential misuse of personal data can constitute 'non-material damage' could lead to an increase in damage claims from data subjects following cyberattacks. However, the ruling also clarifies that controllers can only be held liable for such breaches if they have failed to comply with their GDPR obligations, and that they retain the right to prove they are not responsible for the event leading to the damage. The ruling further stresses the need for a concrete assessment of the appropriateness of the technical and organisational measures implemented by controllers and highlights the central role of national courts in carrying out that assessment. Going forward, a key challenge for controllers will be to prove convincingly, with documented evidence rather than assertion, that their protective measures were adequate.