In its judgment in Case C‑340/21 of December 14, 2023, the ECJ answered questions referred by the Supreme Administrative Court of Bulgaria in connection with a cyberattack on a Bulgarian authority.
The background was a cyberattack on the authority in which personal data were published on the Internet without authorization. This apparently affected more than 6 million people, a few hundred of whom actually brought claims for compensation for non-material damage. The damage consisted of the fear that the published personal data could be misused or that those affected could be blackmailed, attacked or kidnapped.
The ECJ answered the questions referred in this context as follows. In summary, in the event of a cyberattack:
- it must be examined whether the attack was made possible by a lack of data security;
- the court must specifically examine the risks (ex ante) and the appropriateness of the measures taken, if necessary with the assistance of an expert opinion;
- if the measures were inadequate and the attack was causally enabled as a result, the controller may also be liable for non-material damage;
- this damage may consist of the fear that data could be misused in the future.
In detail:
- Art. 24 and 32 GDPR are to be interpreted as meaning that an unauthorized disclosure of data by third parties does not in itself establish that the controller’s security measures were not “appropriate”. This follows from the fact that Art. 32 GDPR only requires “a level of protection appropriate to the risk” and
[…] shows that the GDPR introduces a risk management system and in no way claims that it eliminates the risk of personal data breaches.
- When a body such as a court examines the appropriateness of the security measures, it must proceed in two stages: first it must identify the risks, and then it must check whether the technical and organisational measures (TOMs) are appropriate. The controller has a certain margin of discretion here.
- However, a court must still be able to review the controller’s assessment. To do this, it must carry out a “substantive examination of these measures”, through a
specific examination of both the nature and content of the measures taken by the controller, the manner in which those measures were applied and their practical impact on the level of security that the controller had to ensure in view of the risks presented by that processing
- The burden of proof for appropriateness, however, lies with the controller:
It is clear from the wording of Art. 5(2), Art. 24(1) and Art. 32(1) GDPR that the burden of proof that personal data are processed in a manner that ensures appropriate security of those data […] lies with the controller […]. These three articles thus formulate a generally applicable rule which, in the absence of indications to the contrary in the GDPR, must also be applied in the context of an action for damages based on Art. 82 GDPR.
- When a court assesses the appropriateness of security measures, it may take an expert opinion into account. The taking of evidence is governed by the law of the Member State; Union law only requires that the national procedural rules for matters governed by Union law are not less favorable than those for similar matters governed by national law (principle of equivalence), and that they do not render the exercise of rights under Union law practically impossible or excessively difficult (principle of effectiveness). An expert opinion may of course be consulted, but it is not to be regarded as generally necessary and sufficient.
- A claim for damages presupposes that damage has occurred, that it was causally caused by a breach of the GDPR in connection with the processing, and that the controller does not prove that it is not responsible for the damage.
- In the event of a cyberattack, the breach of the GDPR can only be attributed to the controller if the controller enabled the breach in violation of the GDPR. The controller can and must therefore prove that there was no breach of the GDPR or that the breach was not causal for the damage. The mere fact that third parties carried out an attack is not sufficient for this.
- Non-material damage may lie not only in the misuse of personal data, but also in the fear that data could be misused in the future, because the
exemplary list of “damage” that data subjects may suffer shows that the Union legislator intended the term “damage” to include, in particular, the mere “loss of control” over their own data as a result of a breach of the GDPR, even if no misuse of the data in question to the detriment of these individuals has actually taken place.
- If a data subject alleges non-material damage, he or she must prove it. If they claim to fear that their data may be misused in the future, it must be examined whether this fear “can be regarded as justified under the given specific circumstances and with regard to the data subject”.