BAC (Bulgaria) - 2606/2021
The Bulgarian Supreme Administrative Court stayed the proceedings in an appeal by the National Revenue Agency (NRA), pending the resolution of case C-340/2021 at the CJEU. In the previous instance, the NRA was found to have violated Articles 24 and 32 GDPR in relation to a data breach affecting more than 5,000,000 Bulgarians. The mere fact that personal data was disclosed,
The mere fact personal and financial data was disclosed, published online, and became a potential object of uncontrolled (in terms of time, place, and volume) violation, determined the occurrence of non-pecuniary damages to the Complainant, a Bulgarian citizen, one of the many whose personal data has been leaked during the breach.
Ruling in the course of court proceedings under Administrative Case 2606 of 2021, dated 13 July 2021 The Supreme Administrative Court of the Republic of Bulgaria (SAC) stayed the proceedings in an appeal by the National Revenue Agency (NRA) of Bulgaria, until the end of the proceedings under case C-340/2021 of the Court of Justice of the European Union. In the previous instance, NRA was found responsible for violating Articles 24 and 32 of the GDPR by not fulfilling its obligations and ensuring an appropriate level of security, which led to a massive data breach in July 2019. It was found that the mere fact personal and financial data have been disclosed, published online, and became a potential object of uncontrolled (in terms of time, place, and volume) violation, determined the occurrence of non-pecuniary damages to the Complainant, a Bulgarian citizen, one of the many whose personal data has been leaked during the breach.
English Summary
Facts
On 15 July 2019, a massive data breach of the National Revenue Agency (NRA) of Bulgaria was revealed. The person responsible for the breach sent an email to major Bulgarian media outlets, detailing the scope of the attack. NRA became aware of the breach on the same date, while the exact date of the breach remained unknown. During the day, media announced leaked data amounted to 57 folders with .csv files detailing the names and national identification numbers of more than 5,000,000 Bulgarian citizens, as well as records on revenues, tax and social security payments, debts, online betting data and company activities dating back as early as 2007, and as recently as June 2019.
NRA notified the personal data breach to the Bulgarian Commission for Personal Data Protection (CPDP), which is the competent supervisory authority in accordance with Article 55 of the GDPR, on 16 July 2019 and to the Prosecutor's Office of Sofia City on 17 July 2019. Again, on 17 July 2019, NRA requested an all-round audit of its information systems by an independent external organization. NRA also developed a special application through which any Bulgarian citizen could check whether their personal data had been compromised.
In a follow-up investigation, CPDP found that personal data of a total of 6,074,140 data subjects was breached, including data for 4,104,786 living Bulgarian and foreign citizens and 1,959,598 dead. The compromised data included names, national identification numbers, addresses, phone numbers, e-mail addresses, data retrieved from annual financial data declared by individuals including reports on paid incomes, insurance declarations, health insurance contributions, data for issued acts of administrative violation, data on payments of taxes and insurance liabilities through [company], data on requested and refunded VAT paid abroad. On 22 August 2019, CPDP issued NRA an order under Article 58(2)(d) supra Article 57(1)(a) and Article 83(2)(a), (c), (d), (f) and (g) of the GDPR for undertaking suitable technical and organizational measures for personal data protection. On 28 August 2019, CPDP served NRA with a decision imposing an administrative penalty for violating Article 32(1)(b) of the GDPR.
On 16 September 2019 a complaint was filed with the Administrative Court of Sofia City (ACSC) against NRA for non-pecuniary damages caused by unlawful inaction of NRA to fulfil its obligations under Articles 24 and 32 of the GDPR which led to the personal data breach, as per Article 4(12) of the GDPR, including with regards to the complainant’s personal data. On 11 August 2019, after initiating a series of checks starting from 26 July 2019, the complainant learned that his personal data has been breached via the NRA application (this fact was not disputed by NRA). The exact type of breached data, such as national identification number, name, nationality, permanent and temporary address, ID data, bank account, and data submitted by organizers of online gambling (bet to a particular online game, size of the bet, data of the bet), was announced and made known to the complainant during the court proceedings.
Since financial data is protected by law and access to it is strictly regulated and could take place only after a ruling of a court under certain limited hypotheses, ACSC noted NRA should not be considered as a data controller, but a body entrusted with the creation, processing and protection of tax and insurance information regarding the obligated subjects, thus being legally protected information with regulated access. ACSC concluded the requirements for the processing of personal data by NRA, given the nature and volume of the information stored, should have been significantly higher than the requirements for the processing of personal data, which did not constitute legally protected information. ACSC found facts for unlawful inaction of NRA, in its capacity as a data controller, under Article 24 and 32 of the GDPR, which led to a breach of the security of personal data under Article 4(12) of the GDPR, and no proof that NRA has fulfilled its obligations in that sense and have not been able to ensure an appropriate level of security.
ACSC found that the allegations of the complainant for NRA’s noncompliance with the data breach notification mechanism under Article 67 of the Bulgarian Personal Data Protection Act (PDPA), supra Article 33 of the GDPR, and violation of the requirement for communicating the personal data breach to the data subjects under Article 66 of the PDPA, supra Article 34 of the GDPR, are incorrect.
Despite the only witness with regards to the non-pecuniary damages is a member of the complainant’s inner circle, ACSC credited that only such a person could have witnessed the psychological and emotional state of the complainant and found the complainant's concerns and fears for misuse of his personal data are justified and realistic. Also, ACSC found that the mere fact personal and financial data have been breached, published online, and became a potential object of uncontrolled (in terms of time, place, and volume) violation, determined the occurrence of non-pecuniary damages to the data subject. However, ACSC found the amount of damaged claimed, being BGN 1,000, was unjustified and lowered the award to BGN 500; with interest due only by the date of filing the claim for damages.
In the present case before the Supreme Administrative Court of the Republic of Bulgaria (SAC), NRA appealed the decision of ACSC. It argued that the court’s decision was incorrect due to violation of substantive law, significant violations of the rules of court proceedings and unfoundedness; with cassation grounds for annulment within the meaning of Article 209 (2) and (3) of the Administrative Procedure Code. An annulment of the court decision was requested.
Holding
SAC found that the cassation appeal was admissible, but after proceeding on the merits of the dispute, procedural obstacles arose for SAC’s consideration on the merits.
At present, there is a pending case C-340/21 before the Court of Justice of the European Union (CJEU), initiated by a request for a preliminary ruling under Article 267 TFEU on the interpretation of recitals 74, 85 and 146, point 12 of Article 4 and Articles 5(2), 24, 32 and 82 of Regulation 2016/679. The request is made by SAC with reference to an Administrative Case 1037 of 2021.
Questions referred for a preliminary ruling include:
(1) Are Articles 24 and 32 of Regulation (EU) 2016/679 to be interpreted as meaning that unauthorised disclosure of, or access to, personal data within the meaning of point 12 of Article 4 of Regulation (EU) 2016/679 by persons who are not employees of the controller’s administration and are not subject to its control is sufficient for the presumption that the technical and organisational measures implemented are not appropriate?
(2) If the first question is answered in the negative, what should be the subject matter and scope of the judicial review of legality in the examination as to whether the technical and organisational measures implemented by the controller are appropriate pursuant to Article 32 of Regulation (EU) 2016/679?
(3) If the first question is answered in the negative, is the principle of accountability under Article 5(2) and Article 24 of Regulation (EU) 2016/679, read in conjunction with Recital 74 thereof, to be interpreted as meaning that, in legal proceedings under Article 82(1) of Regulation (EU) 2016/679, the controller bears the burden of proving that the technical and organisational measures implemented are appropriate pursuant to Article 32 of that regulation? Can the obtaining of an expert’s report be regarded as a necessary and sufficient means of proof to establish whether the technical and organisational measures implemented by the controller were appropriate in a case such as the present one, where the unauthorised access to, and disclosure of, personal data are the result of a ‘hacking attack’?
(4) Is Article 82(3) of Regulation (EU) 2016/679 to be interpreted as meaning that unauthorised disclosure of, or access to, personal data within the meaning of Article 4(12) of Regulation (EU) 2016/679 by means of, as in the present case, a ‘hacking attack’ by persons who are not employees of the controller’s administration and are not subject to its control constitutes an event for which the controller is not in any way responsible and which entitles it to exemption from liability?
(5) Is Article 82(1) and (2) of Regulation (EU) 2016/679, read in conjunction with Recitals 85 and 146 thereof, to be interpreted as meaning that, in a case such as the present one, involving a personal data breach consisting in unauthorized access to, and dissemination of, personal data by means of a ‘hacking attack’, the worries, fears and anxieties suffered by the data subject with regard to a possible misuse of personal data in the future fall per se within the concept of non-material damage, which is to be interpreted broadly, and entitle him or her to compensation for damage where such misuse has not been established and/or the data subject has not suffered any further harm?
SAC considered these questions asked relevant to the present case and considered the court obliged to comply with the interpretation by the CJEU once given and binding for all national courts. Thus, SAC found the only procedural way to ensure the correct application of Community law was to stay the proceedings until the end of the proceedings under case C-340/2021 of the Court of Justice of the European Union.
Comment
Interestingly, there are a number of recent decisions where the Supreme Administrative Court of the Republic of Bulgaria stayed proceedings for exactly the same reasons. This is a common practice of the Bulgarian courts and could be seen with regards to a number of cases/topics throughout recent years.
In cases where there was a ruling despite the existing pending case C-340/21 before the Court of Justice of the European Union, the Court found unjustified motives of the first instance and ruled on the merits of the dispute.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Bulgarian original. Please refer to the Bulgarian original for more details.