In the run-up to Christmas 2023, the Court of Justice of the European Union ("CJEU") delivered three noteworthy judgments (in cases C-340/21, C-456/22 and C-667/21), which further clarify the scope of an individual's right to recover compensation under Article 82 GDPR for non-material damage suffered as a result of a GDPR infringement.

The judgments follow the approach taken by the CJEU in the Austrian Post case (C-300/21) (previously discussed here). In that case, the CJEU found that three cumulative conditions apply in order to recover compensation under Article 82 GDPR, namely: (i) a GDPR infringement; (ii) damage; and (iii) a causal link between the two. In addition, the CJEU ruled that Article 82 GDPR prohibits any national law or rule requiring non-material damage suffered to reach a minimum threshold of seriousness in order to confer a right to compensation.

The latest judgments further confirm, amongst other things, that:

  • Fear of misuse of personal data, even in the absence of actual misuse, can constitute "non-material damage" under Article 82 GDPR, subject to verification by the national court dealing with the case that the alleged damage is well-founded in the specific circumstances at issue and with regard to the data subject.
  • A personal data breach does not automatically mean that a controller or processor has inappropriate security measures in place in violation of Article 32 GDPR. The courts must assess the appropriateness of those measures in a concrete manner.
  • It is for the controller or processor to prove that the security measures implemented were appropriate.
  • A controller or processor is presumed to be liable for the damage, unless it can prove that it was not responsible for the event giving rise to the damage.
  • A data subject concerned by a GDPR infringement which has negative consequences for him or her bears the burden of proving that those consequences constitute "non-material damage" within the meaning of Article 82 GDPR.
  • Compensation payable under Article 82 GDPR should be purely compensatory and not punitive in nature.

Case 1: C-340/21 – VB v Natsionalna agentsia za prihodite

Background

In this case, the Bulgarian tax authority (the "NAP") suffered a cyberattack, leading to personal data relating to about 6 million people being exfiltrated and published on the internet. Several hundred data subjects, including the complainant in the main proceedings, brought actions against the NAP seeking compensation for non-material damage allegedly suffered as a result of the unauthorised disclosure of their data.

The complainant sought approximately €510 in damages on the basis of Article 82 GDPR and local Bulgarian law. She claimed compensation on the grounds that she suffered non-material damage as a result of the NAP's failure to fulfil its security obligations under, inter alia, Articles 5(1)(f), 24 and 32 GDPR. There was no evidence that the personal data of the complainant had been misused by those who had exfiltrated the data. The non-material damage claimed consisted of fear that her personal data, having been published online without her consent, might be misused in the future, or that she might be blackmailed, assaulted or even kidnapped.

The Bulgarian Supreme Administrative Court referred a number of questions on the interpretation of the GDPR to the CJEU.

CJEU Decision

The questions referred to the CJEU, and its answers to them, were as follows:

1. Adequacy of security measures: If a controller or processor ("controller") experiences a data breach, does this mean that the controller has failed to meet its data security obligations under the GDPR?

No. Articles 24 and 32 GDPR must be interpreted as meaning that unauthorised access to, or disclosure of, personal data by a third party (such as via a cyberattack) is not sufficient per se for the controller to be found to have implemented inappropriate technical and organisational measures. The CJEU found that the EU legislator's intent was "to 'mitigate' the risks of personal data breaches, without claiming that it would be possible to eliminate them".

The appropriateness of the technical and organisational measures implemented by the controller under Article 32 GDPR must be assessed in each case by the national courts "in a concrete manner, by taking into account the risks associated with the processing concerned and by assessing whether the nature, content and implementation of those measures are appropriate to those risks".

2. Burden of Proof: Does the controller have to prove that security measures were appropriate, or does the complainant have to prove that the security measures were not appropriate?

The principle of accountability set out in Article 5(2), and given expression in Article 24 GDPR, must be interpreted as meaning that in an action for damages under Article 82 GDPR, the controller in question bears the burden of proving the security measures implemented by it were appropriate pursuant to Article 32 GDPR.

In order to assess the appropriateness of the security measures implemented by the controller under Article 32 GDPR, an expert's report cannot constitute a systematically necessary and sufficient means of proof.

3. Liability for breaches by third parties: Is Article 82(3) GDPR to be interpreted as meaning that a hacking attack by a third party constitutes an event for which the controller is not in any way responsible and which entitles it to exemption from liability?

A controller cannot be exempt from its obligation to pay compensation for damage suffered by a data subject under Article 82 GDPR solely because that damage resulted from an unauthorised disclosure of, or access to, personal data by a third party. Rather, a controller will not be liable for compensation only if it can prove that it is in no way responsible for the event that gave rise to the damage concerned.

4. Non-material damage: Is Article 82 GDPR to be interpreted as meaning that in a case such as the present one, involving unauthorised access to, and disclosure of personal data by means of a hacking attack, the worries, fears and anxieties suffered by the data subject with regard to possible misuse of personal data fall per se within the concept of 'non-material damage', which is to be interpreted broadly, and entitle him or her to compensation for damage where such misuse has not been established, and/or the data subject has not suffered any further harm?

Article 82 GDPR, and recitals 85 and 146 GDPR, must be interpreted as meaning that the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of a GDPR infringement is capable, in itself, of constituting "non-material damage". The CJEU noted that Recital 146 states that the concept of damage must be interpreted broadly. Recital 85 further shows that the legislator intended the concept of damage to include the mere loss of control over one's personal data due to a GDPR infringement.

However, the CJEU held that a person concerned by an infringement of the GDPR is required to demonstrate that the negative consequences for him or her of the breach constitute "non-material damage" under Article 82 GDPR. The CJEU stated that this finding in respect of burden of proof for "non-material damage" is in line with the Austrian Post decision (para 50 thereof). The CJEU further held that, in each case, "the national court seised must verify that the fear can be regarded as well-founded in the specific circumstances at issue, and with regard to the data subject".

Case 2: C-456/22 – VX and AT v Gemeinde Ummendorf

Background

In this case, two German data subjects sought compensation for non-material damage suffered as a result of the unauthorised publication of an agenda for a council meeting on the council's website, which contained their personal data, in particular their full names and home addresses. The council argued that a de minimis threshold of damage must be shown in order to recover compensation, including proof of a noticeable disadvantage and an objectively comprehensible impairment of their personal interests.

The referring German court considered that the data subjects' mere loss of control over their personal data was not sufficient to constitute "non-material damage" under Article 82 GDPR. The referring court considered that a de minimis threshold must be exceeded, and that was not the case here, in circumstances where the data subjects had lost control over their data only for a short period of time.

CJEU Decision

Following its earlier decision in the Austrian Post case, the CJEU held that only three cumulative conditions need to be met in order to recover compensation, and that Article 82 GDPR precludes any national law or practice from imposing a de minimis threshold of damage in order for that damage to be capable of compensation.

The CJEU noted that this interpretation is supported by Recital 146 GDPR which states that the concept of damage should be interpreted broadly in light of CJEU case-law, and in a manner which fully reflects the objectives of the GDPR.

The CJEU stated that making compensation for non-material damage subject to a certain threshold of seriousness would risk undermining the coherence of the rules established by the GDPR, since the graduation of such a threshold, on which the possibility of obtaining compensation would depend, would be liable to fluctuate according to the assessment of the courts dealing with the matter.

However, in line with the Austrian Post case, and case C-340/21 (discussed above), the CJEU found that a person concerned by a GDPR infringement which has negative consequences for him or her, bears the burden of demonstrating that those consequences constitute "non-material damage" within the meaning of Article 82 GDPR.

Case 3: C-667/21 – Krankenversicherung Nordrhein

Background

This case concerned the processing of an incapacitated employee's personal data, including health data, by the medical service provider ("MDK") of a health insurance fund in Germany. Under applicable law, MDK draws up reports on the capacity of individuals insured by the health insurance fund to work. These may include reports concerning the health of MDK's own employees. After becoming aware of the fact that a report concerning himself had been prepared, an employee of MDK sought compensation under Article 82 GDPR.

The CJEU was asked to determine a number of questions, including whether the right to compensation under Article 82 GDPR fulfils a dissuasive or punitive function in addition to a compensatory function; whether the degree of seriousness of the fault should be taken into account by the court in assessing the amount of compensation awarded; and who bears the burden of proving fault for the damage caused to the data subject.

CJEU Decision

The CJEU confirmed that the nature of the compensation owed to the data subject under Article 82 GDPR is purely compensatory, and not dissuasive or punitive. Recital 146 GDPR states that "data subjects should receive full and effective compensation for the damage they have suffered". The CJEU found that compensation awarded under Article 82 GDPR must be considered to be "full and effective" if it allows full compensation for the damage actually suffered as a result of the GDPR infringement. In contrast, the CJEU noted that Articles 83 and 84 GDPR have essentially a punitive purpose, as they respectively allow for the imposition of administrative fines and other sanctions.

Since the right to compensation under Article 82 GDPR does not fulfil a dissuasive or punitive function, the degree of seriousness of the controller or processor's fault for having caused the damage cannot influence the amount of damages awarded under this provision.

The CJEU further ruled that the GDPR establishes a system of fault-based liability in which the controller or processor's fault is presumed, unless it proves that it is not in any way responsible for the event giving rise to the damage. Accordingly, the burden of proof in respect of liability for fault rests on the controller or processor, rather than on the person who has suffered damage.

Comment

These three judgments by the CJEU contain important statements regarding the scope of non-material damage, in particular in regard to who bears the burden of proof in proceedings for damages under Article 82 GDPR. It is clear from these cases that the burden of proof is on the controller in respect of proving compliance with its obligations under the GDPR and that it is not responsible for the event giving rise to the damage, whilst the burden of proof is on the data subject in respect of showing that he/she has suffered "non-material damage" within the meaning of Article 82. The national courts will have to consider in each case whether the damage claimed by the data subject is well-founded in the specific circumstances at issue. Accordingly, controllers should have the opportunity to defend themselves against any unsubstantiated claims for damages.

The judgments may lead to an increase in non-material damages claims under the GDPR, to the extent that they confirm the right to recover compensation even for minor non-material damage by excluding any de minimis threshold of damage. However, it is noteworthy that, in the only Irish written court decision to date awarding non-material damages, Judge John O'Connor of the Circuit Court noted that even where non-material damage can be proved and is not trivial, damages will probably be modest (discussed further here).

In order to mitigate the risk of infringing the GDPR and being exposed to compensation claims from affected data subjects, it is vital that organisations invest in robust security measures, taking account of the risk profile of the data being processed. Organisations should also ensure they have appropriate data breach response procedures in place, enabling them to quickly implement any necessary remedial measures to address any data breach or cyberattack that occurs and to mitigate its possible adverse effects.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.