On 14 December 2023, the Court of Justice of the European Union (CJEU) issued a landmark ruling in the case of VB v. Natsionalna agentsia za prihodite (C‑340/21), placing a spotlight on the concept of non-material damage under Article 82 of the EU General Data Protection Regulation (GDPR) and specifically addressing the pivotal issue of the adequacy of technical and organisational measures (TOMs) in the context of a data breach.

Background

The case involved a cyber-attack against the Bulgarian National Revenue Agency, resulting in a data breach affecting over six million individuals. One affected individual sought compensation, claiming non-material damage due to the fear that their personal data, published without consent, might be misused in the future or lead to potential harm.

Key questions

The Supreme Administrative Court of Bulgaria referred several questions to the CJEU for a preliminary ruling, seeking clarity on various aspects, including:

  1. Whether a data breach automatically presumes inadequate TOMs by the data controller.
  2. What should be the scope of judicial review for the adequacy of TOMs under Article 32 GDPR.
  3. Who bears the burden of proof regarding the adequacy of the TOMs.
  4. What is the controller's liability in cases where the breach resulted from third-party actions.
  5. Whether the fear of potential misuse of personal data constitutes non-material damage under Article 82 GDPR.

Holding

The Advocate General opined that the burden of proof lies with the data controller to demonstrate the adequacy of TOMs. The CJEU's ruling affirmed this stance and provided key insights:

  1. A data breach does not automatically imply inadequate TOMs. The GDPR focuses on risk mitigation rather than complete elimination, requiring a concrete assessment of implemented measures in light of associated risks.
  2. National courts must assess TOMs in a two-stage process: identifying risks and potential consequences, followed by evaluating the adequacy of the controller's measures.
  3. The burden of proving TOM adequacy rests with the data controller, aligning with the principles of accountability outlined in Articles 5(2), 24(1), and 32(1) GDPR.
  4. Controller liability persists even if a breach results from third-party actions, with the controller required to demonstrate the absence of fault on their part.
  5. The fear of potential misuse of personal data qualifies as non-material damage, entitling the data subject to compensation under Article 82 GDPR.

Implications and conclusion

This ruling, combined with earlier decisions, establishes a comprehensive framework for assessing liability and damages in GDPR cases. It emphasises the need for controllers to demonstrate the adequacy of their security measures and acknowledges the validity of claims based on the fear of potential misuse. This precedent is likely to impact future data protection cases, potentially opening avenues for class action lawsuits in response to data breaches. In the face of evolving cyber threats, organisations handling personal data should take note of these developments and ensure robust security measures to mitigate risks and protect individuals' rights under the GDPR.

The CJEU's judgment can be found here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.