MISUSE OF PERSONAL DATA AND LIABILITY FOR COMPENSATION OF NON MATERIAL DAMAGE

Addressing the nexus between the General Data Protection Regulation (GDPR) and compensation claims, this recent judgment of the Court of Justice of the European Union (CJEU) examines the consequences of a personal data breach and the conditions under which affected data subjects may claim compensation for it.

Background

In 2019, media reports revealed a breach of the IT system of the Bulgarian National Revenue Agency (NAP), which exposed the personal data of more than 6 million individuals. A data subject subsequently sought compensation from NAP, arguing that her fear that the leaked data might be misused, for example for blackmail, assault or kidnapping, in itself constituted non-material damage.

Initial Proceedings

The first instance court dismissed the claim, holding that the plaintiff had neither shown that NAP's security measures were inadequate nor demonstrated any non-material damage.

Appeal to CJEU

The appellant challenged that decision before the Supreme Administrative Court, which referred the case to the CJEU. The referral sought clarification of the GDPR provisions on the adequacy of data security measures and on the conditions for compensation claims, including the meaning of non-material damage.

Evaluation of Data Security Measures

The CJEU held that unauthorised access to or disclosure of personal data by a third party does not, in itself, show that the security measures implemented by the controller were inadequate. The legislator expects controllers to mitigate, not eliminate, the risks associated with personal data breaches. National courts must assess the appropriateness of the security measures in two stages: first, identify the risks the breach posed to the data subjects; second, evaluate whether the measures actually implemented were appropriate to those risks, having regard to the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing. Crucially, the burden of proving that the measures were appropriate lies with the controller, not with the data subject.

Compensation Criteria

The CJEU underscored that a controller is exempted from liability for compensation only if it proves that it is not in any way responsible for the event giving rise to the damage. Where a personal data breach is carried out by cybercriminals (a third party), the controller's liability therefore depends on whether it complied with its obligations under the GDPR, in particular the obligation to implement appropriate security measures.

Interpretation of Damage

In interpreting the concept of damage under the GDPR, the CJEU explained that the legislator intended it to cover the mere "loss of control" over personal data, even in the absence of any actual misuse. Consequently, the fear experienced by a data subject, as a result of a GDPR infringement, that her personal data may be misused by third parties can in itself constitute non-material damage giving rise to compensation, provided the national court finds that fear to be well founded in the specific circumstances.

Conclusion

In summary, controllers may take some comfort from the CJEU's position on the adequacy of security measures: a breach does not automatically establish a failure, and a controller that can document appropriate, risk-based measures may still avoid liability. On the other hand, the recognition that data subjects may claim damages based solely on a well-founded fear of potential misuse, without any actual harm having occurred, raises significant legal considerations and widens the exposure that follows a breach.