DATA PROTECTION
Unlawful access to personal data by third parties leads to liability for presumed fault on the part of the controller and may give rise to non-material damage for which compensation can be awarded.
In order to be exempt from liability, a controller must demonstrate that it is not in any way responsible for the event giving rise to the damage. Fear of a possible misuse of the data in the future can constitute non-material damage which gives rise to a right to compensation only if it is actual and certain emotional damage and not simply trouble or inconvenience.
On 15 July 2019, the Bulgarian media spread the news that there had been unauthorised access to the information system of the National Revenue Agency, Bulgaria (‘the NAP’) and that various items of tax and social security information regarding millions of persons had been published on the internet. Many persons, including V.B., brought proceedings against the NAP for compensation for non-material damage in the form of worry and fear that their personal data would be misused in the future. According to V.B., the NAP had infringed national rules, as well as the obligation to process personal data as controller in a manner that ensures appropriate security. The court of first instance dismissed the application, taking the view that the dissemination of the data was not attributable to the agency, that the burden of proof as to whether the measures implemented were appropriate was on V.B., and that non-material damage was not eligible for compensation. Hearing the case on appeal, the Supreme Administrative Court referred a number of questions to the Court for a preliminary hearing regarding the interpretation of the General Data Protection Regulation with a view to defining the conditions for awarding compensation for non-material damage to a person whose personal data, held by a public agency, was published on the internet following a hacking attack.
In the Opinion given today, Advocate General Giovanni Pitruzzella states at the outset that the controller is obliged to implement appropriate technical and organisational measures to ensure that processing of personal data is performed in accordance with the Regulation. Whether such measures are ‘appropriate’ must be determined taking into account the nature, scope, context and purposes of processing as well as the likelihood and severity of the risks for the rights and freedoms of natural persons, assessed on a case-by-case basis.
In the first place, the Advocate General states that the occurrence of a ‘personal data breach’ is not sufficient in itself to conclude that the technical and organisational measures implemented by the controller were not ‘appropriate’ to ensure data protection. When choosing measures, the controller must take into account a number of factors, including the ‘state of the art’, which limits the technological level of measures to be implemented to what is reasonably possible at the time of implementation, and also the implementation costs.
The controller’s decision is subject to possible judicial review of compliance. The assessment of the appropriateness of those measures must be based on a balancing exercise between the interests of the data subject and the economic interests and technological capacity of the controller, in compliance with the general principle of proportionality.
In the second place, the Advocate General states that, when verifying whether the measures are appropriate, the national court must carry out a review which extends to a specific analysis of the content of those measures and the manner in which they were applied, as well as of their practical effects. Judicial review must therefore take into account all the factors set out in the regulation. Among those, the adoption of codes of conduct or certification systems may constitute a relevant criterion of assessment for the purposes of discharging the burden of proof, it being specified that the controller has the burden of proving that it actually implemented the measures provided for in the code of conduct, while certification constitutes in itself proof that the processing is carried out in compliance with the Regulation. Since those measures must be reviewed and updated where necessary, the court must also assess that that has been done.
In the third place, the Advocate General states that the burden of proving that the measures are appropriate is on the controller. In accordance with the principle of procedural autonomy, it is for the national legal order of each Member State to determine the admissible methods of proof and their probative value, including the measures of inquiry.
In the fourth place, the fact that the infringement of that regulation was committed by a third party does not in itself constitute a ground for exempting the controller. In order to be exempted from liability, the controller must demonstrate, to a high standard of proof, that it is not in any way responsible for the event giving rise to the damage. The unlawful processing of personal data has, in fact, the nature of aggravated liability for presumed fault, which gives rise to the possibility for the controller to provide exonerating evidence.
Lastly, according to the Advocate General, detriment consisting in the fear of a potential misuse of one’s personal data in the future, the existence of which the data subject has demonstrated, may constitute non-material damage giving rise to a right to compensation, provided that it is a matter of actual and certain emotional damage and not simply trouble and inconvenience.
(Source: EU Court of Justice Press Release 67/2023 - Ownership of contents: EU Court of Justice)