1. Introduction

This short article examines how liability and the obligation to take security measures are interpreted under the General Data Protection Regulation (GDPR) and under the Europol Regulation, through two recent cases that test those legal waters. Using VB v Natsionalna agentsia za prihodite, decided on 14 December 2023, I look at the GDPR's approach to data security, which rests on a "best effort" standard and accepts the inherent limits of securing digital data. I then contrast this with the stance the CJEU took in the Kočner case, decided on 5 March 2024, which points towards a more stringent "result obligation" for the security obligation under the Europol Regulation.

2. Best Effort for Security under the GDPR: VB v Natsionalna agentsia za prihodite

The case of VB v Natsionalna agentsia za prihodite arose from a large data breach at the Bulgarian National Revenue Agency, in which the personal data of over 6 million individuals was published online. A complainant sought compensation for GDPR violations, claiming about €510 for non-material damage. She argued that the agency's failure to implement sufficient technical and organisational measures (TOMs), as required by Articles 5(1)(f), 24 and 32 of the GDPR, had led to the breach, and based her claim on her fear of future misuse of her data and the threats that might follow. The Administrative Court of Sofia City dismissed the case: it attributed the breach to the actions of third parties, found no evidence that the agency had failed to secure the data, and held that the complainant had suffered no actual non-material damage, treating her fears as hypothetical. On appeal, the Supreme Administrative Court of Bulgaria referred several questions to the CJEU: whether a data breach in itself shows that the TOMs were inadequate; how far courts may review the appropriateness of TOMs; who bears the burden of proving that the TOMs were adequate; whether a controller can be exempted from liability where the breach was caused by third parties; and whether the anxiety caused by a hack can amount to non-material damage that must be compensated under Articles 82(1) and (2) GDPR.

The CJEU examined these questions in terms of the controller's duty to prevent unauthorised disclosure of personal data and its liability for the resulting damage. It held that unauthorised disclosure of, or access to, personal data by a third party does not in itself show that the TOMs implemented by the controller were inappropriate under Articles 24 and 32 of the GDPR. Instead, the appropriateness of those measures must be assessed concretely by the national courts, in the light of the specific risks associated with the processing concerned.

That assessment involves examining the nature, content and implementation of the measures and asking whether they are suited to mitigating the risks identified. The CJEU added that an expert report on the appropriateness of security measures is neither systematically necessary nor, on its own, sufficient as evidence: national courts must assess the adequacy of the measures themselves, on the basis of all the evidence before them.

In an action for damages under Article 82 of the GDPR, the controller bears the burden of proving that the security measures it implemented were appropriate. This follows from the accountability principle, which requires controllers to be able to demonstrate compliance with their GDPR obligations, including the security of personal data. Nor can the controller escape its obligation to compensate damage resulting from unauthorised disclosure of, or access to, personal data merely because a third party was involved: under Article 82(3) it must prove that it is in no way responsible for the event giving rise to the damage.

The case clarifies the nature of the security obligation under the GDPR, distinguishing a "best effort" obligation from a "result obligation". Articles 24 and 32 do not require controllers to eliminate the risk of a personal data breach altogether. They require "appropriate technical and organisational measures" that ensure a level of security appropriate to the risk, which is a best effort obligation rather than a result obligation. In practice this means assessing the risks of the processing and adopting measures to mitigate them, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing. Whether the measures were appropriate is therefore not judged solely on the outcome (whether or not a breach occurred) but on the effort made to protect the data. This reflects the practical reality that no security system is infallible and that breaches can occur despite best efforts to prevent them.

3. Result Obligation for Security of Personal Data under the Europol Regulation: Marián Kočner v Europol Case

Kočner v Europol concerns a claim for compensation under Article 50 of the Europol Regulation. The appellant argued that Europol should be held liable for the non-contractual damage he suffered when personal data extracted from mobile telephones was made available on the internet and reproduced in the Slovak press. According to him, the disclosure harmed his honour and professional reputation and infringed his right to respect for his private and family life and his communications, guaranteed by Article 7 of the Charter of Fundamental Rights of the European Union (the Charter).

Three elements underpin Europol's non-contractual liability under Article 50(1) of Regulation (EU) 2016/794 (the Europol Regulation), read with Article 340 of the Treaty on the Functioning of the European Union (TFEU): unlawful conduct (here, unlawful data processing), actual damage, and a causal link between the two.

On the first element, the appellant contended that the damage resulted from unlawful data processing, relying on Europol's security obligations under Article 28 of the Europol Regulation. Europol replied that there was no evidence that the leak originated from it and that, in any event, a leak would not automatically give rise to non-contractual liability. The CJEU restated that Europol's liability requires a sufficiently serious breach of a rule of EU law intended to confer rights on individuals. It found that the disclosure of personal data to unauthorised persons was such a breach: the rules protecting against unlawful processing confer rights on individuals and leave the entities concerned no discretion as to whether to comply with them.

On the second element (actual damage), the appellant alleged that the disclosure of his personal data, including intimate conversations, infringed his rights and harmed his family relationships, causing non-material damage. The Court stressed that, for the EU to incur liability, the claimant must show actual and certain damage and that it arose from the breach of EU law.

On the third element (causal link), the appellant had to establish a sufficiently direct causal link between the alleged breach of EU law (the unlawful data processing) and the damage suffered. The Court found that the public availability of his private conversations did infringe his rights and cause non-material damage, and that this harm was directly linked to the unlawful processing.

The dispute over the security obligation turns on how Europol's duties under Article 28 of the Europol Regulation are characterised. The publication of the intimate conversations in the press implies a failure to protect personal data, which raises the question whether Europol must actually ensure the security of the data (a "result obligation") or need only make its best effort to protect it without guaranteeing the outcome (a "best effort obligation"). The distinction matters because, if the security obligation is one of result, any breach constitutes a failure to meet the required standard regardless of the effort made to prevent it. That reading sets a considerably higher standard of accountability for Europol: it is responsible for preventing any unauthorised disclosure of personal data, and the obligation becomes stringent and unequivocal. It also undercuts Europol's argument that it had implemented appropriate TOMs, since the leak itself would count as a failure to fulfil the security obligation, whatever was done to prevent it. Correspondingly, the claimant's burden is lighter: he need not identify the origin of the breach, only the fact of the unauthorised disclosure and its impact on his rights.

This approach is consistent with the broader aim of EU law to protect personal data and individual rights, and with the joint and several liability that Article 50(1) establishes between Europol and the Member State concerned: individuals can seek redress for a breach without first having to apportion fault among the entities involved. On this reading, the breach itself, leading to the unauthorised disclosure of personal data, is enough to engage Europol's liability under the Europol Regulation, without the affected individual having to prove that Europol was directly responsible for it.

4. Conclusion

The contrasting readings of liability and obligation in the GDPR and Europol Regulation cases illustrate the difficult balance between protecting individual rights and acknowledging the practical limits of data security. VB v Natsionalna agentsia za prihodite confirms a "best effort" approach to security under the GDPR, recognising that security measures cannot guarantee an outcome. The Europol Regulation, as read in Kočner, appears to impose a more stringent "result obligation". This divergence calls for a careful, instrument-by-instrument reading of EU data protection law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.