ECJ C‑340/21: Adequate data security (concept and burden of proof); liability for breaches

In its judgment in Case C‑340/21 of December 14, 2023, the ECJ answered questions referred by the Supreme Administrative Court of Bulgaria in connection with a cyberattack on a Bulgarian authority.

The background was a cyberattack on the authority in which personal data was published on the Internet without authorization. This apparently affected more than 6 million people, a few hundred of whom actually claimed compensation for immaterial damage. The damage consisted of the fear that the published personal data could be misused, or that those affected could be blackmailed, attacked or kidnapped.

The ECJ answers the questions referred in this context as follows. Overall, it follows that in the event of a cyberattack:

  • it must be examined whether the attack was made possible by a lack of data security;
  • the court must specifically examine the risks (ex ante) and the appropriateness of the measures taken, if necessary with the assistance of an expert opinion;
  • if the measures were inadequate and the attack was causally enabled as a result, the controller may also be liable for non-material damage;
  • this damage may consist of the fear that the data could be misused in the future.

In detail:

  • Art. 24 and 32 GDPR are to be interpreted in such a way that an unauthorized disclosure of data by third parties does not in itself establish that the controller's security measures were not "appropriate". This follows from the fact that Art. 32 GDPR only requires "a level of protection appropriate to the risk" and
    […] shows that the GDPR introduces a risk management system and in no way claims that it eliminates the risk of personal data breaches.
  • When a body such as a court examines the appropriateness of the security measures, it must proceed in two stages: first it must determine the risks, and then it must check whether the TOMs (technical and organisational measures) are appropriate. The controller has a certain scope for decision-making.
  • However, a court must still be able to evaluate the controller's assessment. To do this, it must carry out a "material examination of these measures", through a

    specific examination of both the nature and content of the measures taken by the controller, the manner in which those measures were applied and their practical impact on the level of security that the controller had to ensure in view of the risks presented by that processing

  • The burden of proof for appropriateness, however, lies with the controller:

    It is clear from the wording of Art. 5(2), Art. 24(1) and Art. 32(1) GDPR that the burden of proof that personal data are processed in a manner that ensures appropriate security of those data […] lies with the controller […]. These three articles thus formulate a generally applicable rule which, in the absence of indications to the contrary in the GDPR, must also be applied in the context of an action for damages based on Art. 82 GDPR.

  • When a court assesses the appropriateness of security measures, it may take an expert opinion into account. The evidentiary procedure is subject to the law of the Member State; Union law only requires that the national procedural rules for matters governed by Union law are not less favourable than those for similar matters governed by national law (principle of equivalence), and that they do not render the exercise of rights under Union law practically impossible or excessively difficult (principle of effectiveness). A court may of course consult an expert opinion, but such an opinion is not to be regarded as a generally necessary and sufficient means of proof.
  • A claim for damages presupposes that damage has occurred, that it was causally caused by a breach of the GDPR in connection with the processing, and that the controller does not prove that it is not responsible for the damage.
  • In the event of a cyberattack, the breach of the GDPR can only be attributed to the controller if the controller enabled the breach in violation of the GDPR. The controller can, or rather must, therefore prove that there was no breach of the GDPR or that the breach was not causal for the damage. The mere fact that third parties carried out an attack, however, is not sufficient.
  • Immaterial damage may lie not only in the misuse of personal data, but also in the fear that the data could be misused in the future, because the

    The exemplary list of "damage" that data subjects may suffer shows that the Union legislator intended the term "damage" to include, in particular, the mere "loss of control" over their own data as a result of a breach of the GDPR, even if no misuse of the data in question to the detriment of these individuals has actually taken place.

  • If a data subject alleges non-material damage, he or she must prove it. If they claim to fear that their data may be misused in the future, it must be examined whether this fear "can be regarded as justified under the given special circumstances and with regard to the person concerned".