DOES THE FEAR OF MISUSE OF PERSONAL DATA GIVE RISE TO A COMPENSATION?
18 January 2024
Under the GDPR, data subjects may claim compensation if they have suffered damage because the controller infringed its obligations under the GDPR. Does a data theft by cybercriminals mean that the controller failed to adopt appropriate data security measures and therefore failed to comply with its data protection obligations? Can a data subject claim compensation if the only damage suffered is the fear that his or her personal data may be misused? The Court of Justice of the European Union answered these questions in a recent decision, which is analysed in this short article.
Facts
In 2019, the media revealed that the IT system of the Bulgarian National Revenue Agency (NAP) had been hacked and that personal data stored in the IT system had been published on the internet. More than 6 million persons were affected by the data breach.
The appellant sued the NAP for compensation, claiming that the fear that her personal data, leaked as a result of the data breach, might be misused (she might be blackmailed, assaulted or even kidnapped) constitutes non-material damage.
The first instance court dismissed the appellant's action. The court held that the appellant had failed to prove that the NAP had not adopted appropriate security measures, and further that the appellant had not suffered any non-material damage.
The appellant appealed against this decision, and the Supreme Administrative Court referred the case to the CJEU in Luxembourg to clarify the provisions of the GDPR as regards the adequacy of data security measures and the conditions for compensation, including the concept of non-material damage.
The adequacy of data security measures
First, the CJEU established that, under the GDPR, unauthorised access to or disclosure of personal data by a third party is not in itself sufficient to conclude that the data security measures adopted by the controller were not appropriate. The EU legislator expects controllers to mitigate the risks of personal data breaches; there is no indication in the text of the GDPR that those risks could be eliminated altogether.
According to the Luxembourg court, national courts shall assess the appropriateness of data security measures in two stages. First, it is necessary to identify the risks of a data breach and their consequences for the rights and freedoms of natural persons. Secondly, it shall be ascertained whether the implemented data security measures are appropriate to the identified risks, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing.
Further, the CJEU clarified that, as regards the appropriateness of the data security measures, the burden of proof lies with the controller.
The conditions of compensation
When it comes to the conditions for compensation under the GDPR, the Luxembourg judges shed light on two important questions.
The CJEU recalled that a controller may only be exempted from paying compensation if it is able to demonstrate that the damage is in no way attributable to it. In the Court's view, if the personal data breach was committed by cybercriminals (that is, by a third party), the infringement of the GDPR cannot be attributed to the controller unless the controller failed to comply with its obligations under the GDPR, specifically the obligation to adopt appropriate data security measures.
In addition, the Luxembourg court interpreted the concept of damage under the GDPR. According to the Court, it is clear from the wording of the GDPR that the EU legislature intended that concept to include the mere 'loss of control' over personal data, even where the data has not been misused to the detriment of the affected data subjects. Thus, the fear experienced by a data subject with regard to the possible misuse of his or her personal data by third parties as a result of an infringement of the GDPR is capable, in itself, of constituting non-material damage.
Conclusion
In brief, on the one hand controllers may welcome the CJEU's position on the appropriateness of data security measures, namely that even where a data breach has occurred, controllers may still prove that the data security measures they adopted were appropriate. On the other hand, it sets a rather high standard of liability that data subjects can claim damages for the mere fear of their data being misused without having suffered actual damage.
In this article we analysed decision C‑340/21 of the CJEU.