The issue of data protection is becoming increasingly important in light of the growing number of cyberattacks and data breaches. In this context, the European Court of Justice (CJEU) has ruled on the conditions under which individuals affected by a hacking incident can claim compensation. The judges set out key requirements for those responsible, particularly regarding the design and implementation of technical and organisational measures (judgment of 14 December 2023, Case No. C-340/21).
Background and legal context
At the heart of the decision was a case from Bulgaria, in which the tax authority became the target of a hacker attack that led to the personal data of over six million individuals being published online.
According to the General Data Protection Regulation (GDPR), data controllers are required to take measures to protect personal data against unauthorised access. These measures must reflect the state of the art and be appropriate to ensure a level of security commensurate with the risk involved (Art. 32 GDPR). A breach of these obligations may give rise to claims for compensation if a specific harm can be demonstrated.
In the present case, hundreds of affected individuals filed claims, including the claimant in the main proceedings, seeking compensation for non-material damage caused by the fear of potential misuse of their data. The claim was initially rejected, as the Bulgarian tax authority argued that it had implemented appropriate security measures, thereby excluding liability. The appellate court referred the matter to the CJEU, which then addressed the interpretation of Art. 82 GDPR in relation to possible compensation claims for breaches of Art. 32 GDPR. The court also clarified questions concerning the burden of proof.
Key findings of the judgment
Appropriateness of measures
An unauthorised disclosure of, or unauthorised access to, personal data by third parties alone is not sufficient to conclude that the technical and organisational measures implemented by the controller responsible for the processing were inadequate within the meaning of Art. 24 and 32 of the GDPR.
Rather, the assessment must be carried out in accordance with the criteria laid down by the GDPR. These include, in particular, the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons.
The protective measures taken must, however, as a rule comply with the state of the art.
Burden of proof and documentation of evidence
The controller must be able to demonstrate that the measures were adequate and complied with the state of the art, which results in a reversal of the burden of proof.
The CJEU clarified that an expert opinion is not mandatory to prove the appropriateness of the technical and organisational measures. Other forms of evidence, such as independent security audits or internal controls, may suffice to assess their adequacy.
Courts are required to consider all available evidence and must not rely solely on expert reports when evaluating the suitability of security measures.
Requirements for legal standing
The CJEU held that the mere anxiety about potential misuse of data following unauthorised disclosure to third parties can be recognised as non-material damage. A proven instance of actual misuse by third parties is not strictly necessary.
However, in order to claim compensation, data subjects must be able to demonstrate an objective impairment of their emotional or psychological well-being.
There must also be a causal link between the breach and the damage suffered. Mere awareness of a hacking incident and one’s own involvement, typically learned through the notification obligation under Art. 34 GDPR, is not sufficient to establish legal standing.
Implications of the reversal of the burden of proof
According to the general principle of burden of proof, each party is responsible for proving the facts relevant to asserting their legal claims. The aforementioned reversal of the burden of proof therefore has significant consequences for data controllers.
They are obliged to demonstrate that they implemented all necessary technical and organisational measures to effectively prevent or mitigate cyberattacks.
This proof requires careful documentation and regular review of the protective measures to ensure their continued relevance and effectiveness.
In addition, certifications such as an information security management system (ISMS) in accordance with ISO 27001 may be used to substantiate the effectiveness of the measures. However, the certification must specifically cover the area affected by the data breach.
The measures taken and their appropriateness are then subject to full judicial review. As a result, controllers must be prepared to defend the protective measures they have implemented in court.
If they are unable to prove that all necessary precautions were taken, they risk liability for data protection breaches, which may lead to compensation claims.
This ruling imposes a clear obligation on businesses not only to define their protective measures initially but also to regularly review and document them. The controller must be able to demonstrate the appropriateness of these measures at any time.
In addition to the nature, purpose, and scope of the processing, the evidence must always address the state of the art, the cost of implementation, and the varying likelihood and severity of the risk to the rights and freedoms of natural persons.
In short, what is required is nothing less than a risk management approach for individual processing operations.
Conclusion
The CJEU ruling may encourage individuals affected by disclosed data protection violations to increasingly assert claims against controllers. This is because even the fear of potential data misuse is recognised as a basis for non-material compensation. However, the detailed case-by-case assessment required by the CJEU regarding proof of damage and causality is likely to prevent such claims from being widely successful.
Nevertheless, controllers would be well advised to ensure that their technical and organisational measures meet current requirements and are regularly reviewed. A form of risk management can be implemented as part of the documented processing activities. This can also include the evaluation of case-specific measures and their appropriateness.