Update Data Protection No. 163
ECJ rules on liability and compensation in the event of cyberattacks
In its judgment of 14 December 2023 (Case C-340/21), the European Court of Justice ("ECJ") answered various highly relevant questions regarding the adequacy of technical and organisational measures in the context of a cyberattack, the distribution of the burden of proof when assessing the appropriateness of technical and organisational measures, the possible exculpation of the controller in the event of cyberattacks and the question of whether a data subject's fear that their personal data may be misused already gives rise to a right to compensation for non-material damage.
A. Facts of the case
In July 2019, a cyberattack resulted in unauthorised access to the information system of the Bulgarian authority "Natsionalna agentsia za prihodite" ("NAP"), the National Revenue Agency. Tax and social security data of millions of people were published on the Internet. A large number of individuals, including the appellant in the main proceedings, therefore brought an action.
At first instance, the appellant claimed that NAP had breached its duty as a controller to process personal data in such a way that appropriate security standards were guaranteed. NAP had failed to implement appropriate technical and organisational measures in accordance with Articles 24 and 32 of the General Data Protection Regulation ("GDPR"). She claimed that she had suffered non-material damage consisting of worries and fears of future misuse of her personal data.
NAP countered that there was no causal link between the unauthorised access and the alleged non-material damage. It had implemented all information security measures that complied with the applicable international data protection regulations.
The court dismissed the action at first instance, holding that the publication of the data was not attributable to NAP, that the burden of proof for the appropriateness of the measures taken lay with the plaintiff and that no non-material damage had been suffered. The plaintiff appealed against this decision in cassation to the Supreme Administrative Court of Bulgaria. As the various first-instance proceedings brought by affected individuals had reached divergent conclusions on NAP's liability for damages, the Supreme Administrative Court stayed the proceedings and referred several questions on the claim for non-material damages to the ECJ for a preliminary ruling.
B. The decision of the ECJ
The ECJ ruled as follows:
I. Personal data breach does not automatically mean that the measures were inappropriate
The ECJ ruled that in the event of unauthorised disclosure of or access to data, the mere fact that such an incident occurred is not sufficient to establish that the measures taken to protect the data were inappropriate. Rather, the appropriateness of the technical and organisational measures must be assessed in the specific case. The reference in Art. 32 GDPR to a "level of security appropriate to the risk" alone demonstrates that the regulatory regime of the GDPR aims for a risk management system and does not require that the risk of personal data breaches be completely eliminated. This is supported by systematic and teleological considerations in the interpretation of Art. 24 and Art. 32 GDPR. The principle of accountability under Art. 5 para. 2 GDPR requires the controller to be able to prove that the technical and organisational measures taken are appropriate for fulfilling the obligations under Art. 24 and Art. 32 GDPR. However, this obligation would make no sense if the controller were in any event obliged to prevent every impairment of data. This is also supported by recital 83 of the GDPR, which states that "the controller [...] should evaluate the risks inherent in the processing and implement measures to mitigate those risks". Risks must therefore be mitigated, but they cannot be eliminated completely.
In this respect, the ECJ follows the opinion of the Advocate General, who referred to the discretion available to the controller with regard to the measures to be taken. The court held that although the measures must take account of the "state of the art", measures that are adequate at a certain point in time can still be circumvented by cyber criminals. It is therefore illogical to impose an obligation on the controller to prevent every possible personal data breach. Art. 32 para. 1 GDPR also includes the costs of implementation among the factors to be considered when deciding which measures to take, which in itself shows that not every conceivable measure must be taken. Rather, a balance must be struck between what is technically and economically feasible on the one hand, and the data subject's interest in the highest possible level of protection on the other.
II. Scope of judicial review of the legality of technical and organisational measures
Furthermore, the referring court wanted to know what the subject-matter and scope of the judicial review of legality should be when assessing whether the measures taken by the controller were appropriate.
The Advocate General had taken the view that the court seised must carry out a review that extends to a concrete analysis of the content of the measures, the way in which they are implemented and their practical effect.
The ECJ comes to the same conclusion. When assessing the appropriateness of the measures taken in accordance with Art. 32 GDPR, a court must carry out a substantive examination based on all of the criteria set out in that provision, the circumstances of the individual case and the evidence available to the court. A merely formal check of whether the controller has addressed its obligations is not enough. The review must examine all the specific measures taken, the way in which they are applied in practice and their actual effect on the level of security.
III. Controller bears the burden of proving that the security measures implemented by it are appropriate
The ECJ also ruled that the controller bears the burden of proof for the appropriateness of the technical and organisational measures taken in the context of a claim for damages under Art. 82 GDPR.
This follows from the principle of accountability under Art. 5 para. 2 GDPR, according to which the controller is responsible for compliance with the principles relating to processing under Art. 5 para. 1 GDPR and must be able to demonstrate compliance with them. In particular, the controller must observe the principle of integrity and confidentiality under Art. 5 para. 1 lit. f GDPR, which obliges controllers to process data in such a way that appropriate security is ensured by technical and organisational measures, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. In line with the objectives of the GDPR, the general principle that the controller bears the burden of proof for the appropriate security of processing follows from an overall consideration of Art. 5 para. 2, Art. 24 para. 1 and Art. 32 para. 1 GDPR. The level of protection provided for by the GDPR depends on the measures to be taken by the controller. Furthermore, the claim for damages under Art. 82 para. 1 GDPR would be deprived of a significant part of its effectiveness if the burden of proof lay with the data subject, who in practice has no insight into the controller's security measures.
IV. Does a cyberattack lead to an exemption from liability under Art. 82 para. 3 GDPR?
The ECJ rejected a blanket exemption from liability for the controller under Art. 82 para. 3 GDPR in the event of a cyberattack. Under Art. 82 para. 3 GDPR, a controller is exempt from liability for damages if it can exculpate itself. To do so, it must prove that it is not in any way responsible for the event giving rise to the damage.
According to the ECJ, this is not automatically the case in the event of a cyberattack. The mere fact that a third party initiated the infringement of the GDPR is not sufficient for exculpation; the controller must specifically prove that it is not in any way responsible for the infringement. This is evident from the fact that the phrase "in any way" was explicitly added during the legislative process. If the personal data breach is the result of a cyberattack by a third party within the meaning of Art. 4 No. 10 GDPR, the infringement can nevertheless be attributed to the controller if the controller made it possible by failing to comply with its obligations under the GDPR. The exemption from liability under Art. 82 para. 3 GDPR therefore applies only if the controller can prove that there is no causal link whatsoever between any breach of its obligations and the damage suffered by the natural person.
V. Fear of misuse of personal data by third parties following a GDPR infringement may constitute non-material damage
The ECJ made important statements on non-material damages in the event of breaches of the GDPR. According to the ECJ, the mere fact that a data subject fears that their personal data will be misused by third parties as a result of a GDPR infringement can constitute non-material damage.
In this regard, the ECJ first recalls its previous case law on Art. 82 para. 1 GDPR, according to which a claim for damages requires the cumulative existence of damage, a GDPR infringement and a causal link between the infringement and the damage. Referring to its recent case law, it reiterates that non-material damage is not subject to a threshold of seriousness. Furthermore, the wording of Art. 82 para. 1 GDPR leaves open whether an asserted non-material damage must relate to a misuse of the data by third parties that has already occurred at the time the claim is asserted, or whether it may relate to the fear that such misuse could occur in the future. Non-material damage can therefore, in principle, consist of a data subject's fear that their data will be misused by third parties in the future as a result of the GDPR infringement. This is also supported by the recitals of the GDPR: recital 146 states that the concept of damage must be interpreted broadly, and recital 85 shows that the legislator intended the concept of damage to include the mere loss of control over one's personal data as a result of a GDPR infringement.
Nevertheless, according to the ECJ, the data subject must prove that the consequences suffered constitute non-material damage within the meaning of Art. 82 GDPR. In particular, a court seised must carefully examine whether the fear of future misuse of the data subject's data can be considered justified in the specific circumstances and with regard to the data subject.
C. Conclusion
With this decision, the ECJ not only answered the question of the appropriateness of technical and organisational measures, but also made important statements regarding the scope of non-material damage and the burden of proof.
The ECJ's clarification that the mere occurrence of a data leak does not automatically mean that the controller's technical and organisational data security measures were inappropriate is to be welcomed. It is the logical consequence of the risk-based approach of Art. 32 GDPR, which expressly lists the costs of implementation among the factors to be considered when selecting measures. In times of increasingly frequent and highly professional cyberattacks on IT infrastructures, it is economically and practically impossible to prevent every attack in advance.
The ECJ's comments on the burden of proof in proceedings for damages under Art. 82 GDPR and a possible exculpation under Art. 82 para. 3 GDPR are noteworthy. The ECJ has expressly clarified that the burden of proof for the appropriateness of technical and organisational measures lies with the controller. In addition, controllers cannot exculpate themselves from liability merely by arguing that the breach was caused by cyberattacks by third parties.
Nevertheless, the burden of proof for non-material damage lies with the data subject. With reference to Case C-300/21, the ECJ confirms the requirement to prove non-material damage and requires courts to examine whether the asserted fear is justified in the particular case. This gives controllers the necessary room to defend themselves against unsubstantiated claims for damages that do not demonstrate any concrete damage.
The judgment is likely to have a significant impact on legal practice. Consumer and employment lawyers will rely on the comments on non-material damage to pursue claims. Companies are therefore once again advised to ensure that they have a robust, state-of-the-art IT security structure and appropriate data protection and IT security management, so that the question of damage does not arise in the first place and, if it does, the controller can discharge its burden of proof. Since it is the controller that must prove the appropriateness of its measures, and since courts must examine not only which measures were chosen but also how they were applied and what effect they had, documentation of the risk assessment, of the measures actually implemented and of their effectiveness in practice will be decisive in any litigation.