CJEU - C‑340/21 - Natsionalna agentsia za prihodite

From GDPRhub
CJEU - C‑340/21 Natsionalna agentsia za prihodite
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 5 GDPR
Article 24 GDPR
Article 32 GDPR
Article 82 GDPR
Decided: 14.12.2023
Parties:
Case Number/Name: C‑340/21 Natsionalna agentsia za prihodite
European Case Law Identifier: ECLI:EU:C:2023:986
Reference from:
Language: 24 EU Languages
Original Source: AG Opinion
Judgement
Initial Contributor: sh

The CJEU ruled that the fear of a data subject over the possible misuse of their data from a data breach counts as a non-material damage and can lead to financial compensation from the controller. The burden of proof is on the controller to prove that appropriate measures were adopted against the cyberattack.

English Summary

Advocate General Opinion

With its first question, the referring court asked whether the fact that a GDPR violation effectively occurred automatically entails that the controller did not comply with its obligations to implement appropriate measures under Articles 24 and 32 GDPR. According to the Advocate General, appropriate measures shall be in line with the state of the art. However, this cannot guarantee that in exceptional situations they will always be effective. In addition, Article 32(1) GDPR specifically mentions that the controller may take into account the “cost of implementations” that a certain security measure entails.

With its second question, the Supreme Administrative Court sought to ascertain what kind of test a judicial authority should perform when assessing the suitability of the measures adopted by the controller. The Advocate General stressed that judicial scrutiny cannot be limited to the mere existence of measures in place.

The third question concerned how to allocate the burden of proof concerning the suitability of the security measures. In the Advocate General’s Opinion, it is the controller who has to bear such a burden. The data subject, in the context of an action pursuant to Article 82 GDPR, must prove a GDPR infringement, the existence of a damage and a causal link between those two elements. However, placing the burden of proof concerning the suitability of the measures on the data subject would make such an action almost impossible to bring in practice.

With the fourth question, the referring court asked whether the fact that the data breach occurred because of third parties’ actions entails that the controller is no longer liable under Article 82(3) GDPR. The Advocate General categorically excluded this interpretation, highlighting that a controller ceases to be liable only when it shows the lack of fault on its side.

The fifth question concerned the notion of non-material damage. In particular, the court asked whether the data subject’s concern that their data may be misused as a consequence of a data breach is sufficient to give rise to non-material damage pursuant to Article 82 GDPR. According to the Advocate General’s Opinion, even if the notion of damage should be interpreted broadly, Article 82 GDPR implies a distinction between damage, including non-material damage, and other situations which are merely annoying for the data subject. Only the former confers on the data subject a right to compensation. It is not necessary that the data breach led to further use (or misuse) of personal data. Indeed, the loss of control over personal data may already be sufficient to substantiate non-material damage. However, the data subject must be able to objectively prove the existence of a damage that occurred to them. What a judge must avoid, by contrast, is a test based exclusively on the data subject's subjective representation of their emotional state.

Facts

The Bulgarian Tax Agency (the controller) suffered a data breach. As a result, more than 6 million people's personal data was leaked online, including that of the complainant.

The complainant sued the controller in the Administrative Court Sofia on the basis of Article 82 GDPR. She requested around €510 as compensation for the non-material damage[1] resulting from the breach. She argued that the controller had caused the damage because it had failed to implement adequate Technical and Organisational Measures (TOMs), in breach of Articles 5(1)(f), 24 and 32 GDPR. Her non-material damage was the fear that her personal data might be misused in the future and that she could be threatened as a consequence.

The Administrative Court Sofia dismissed the action. Firstly, the controller had not caused the breach, because the breach had resulted from the actions of third parties. Secondly, the complainant had not proved that the controller had failed to implement security measures. Lastly, in the court's opinion the complainant had not suffered an actual non-material damage: since her fear was only hypothetical, she could not be granted compensation.

The complainant appealed this decision before the Supreme Administrative Court Bulgaria, who referred the case to the CJEU with the following questions:

1) Do Articles 24 and 32 GDPR mean that a data breach, as defined by Article 4(12) GDPR, is sufficient to presume that the TOMs implemented by the controller are insufficient?

2) If the first question is answered in the negative, what should the scope of the court's judicial review be when assessing whether the TOMs are appropriate under Article 32 GDPR?

3) If the first question is answered in the negative, is the burden on the controller to prove that the implemented TOMs are appropriate under Article 32 GDPR?

4) Does Article 82(3) GDPR allow the controller to be exempt from liability for damages if the data breach as defined by 4(12) GDPR was caused by third parties outside of the controller's control?

5) Does Article 82(1) and (2) GDPR allow the anxiety caused by a hacking attack to constitute a non-material damage and entitle the complainant to damages even though they have not suffered further harm?

Holding

The CJEU decided that the burden of proving that TOMs are adequate lies with the data controller, and it granted the complainant damages for the data breach.

On the notion of technical and organisational measures under Articles 24 and 32:

On the first question, the fact that a third party breached a controller does not automatically mean the TOMs of the controller were inadequate. Article 24 GDPR imposes on the controller a general obligation to implement appropriate TOMs to ensure that processing is carried out in accordance with the GDPR and that this can be demonstrated. Article 32 GDPR also requires the controller to implement a "level of security appropriate to the risk." The language of Article 32 demonstrates that the GDPR's goal is only to establish a risk management system, not to eliminate the risk of personal data breaches. Thus, Articles 24 and 32 GDPR merely require the controller to implement TOMs intended to avoid any personal data breach as far as possible. It cannot be inferred from this language that a breach is sufficient to conclude that the measures were not appropriate, without even allowing the controller to argue otherwise. This is particularly significant because Article 24 GDPR expressly states that the controller must be able to demonstrate that the measures implemented comply with the regulation, a possibility that would be lost if an irrebuttable presumption were accepted.

On the second question, the court decided that the appropriateness of TOMs must be assessed by national courts. Such an interpretation is capable of ensuring the protection of personal data and the right to an effective judicial remedy against the controller under Article 79(1) GDPR. Having said that, Article 32(1) and (2) GDPR make it clear that national courts must assess the appropriateness of TOMs in two stages. First, the court must identify the risks of a breach and the potential consequences of those risks. Second, the court must determine whether the controller's TOMs are appropriate to the risks. A national court cannot confine itself to investigating how the controller aimed to comply with Article 32 but rather needs to examine the substance of the TOMs in light of the criteria set out in Article 32 GDPR.

On the third question, the court split it into two parts. First, does the principle of accountability under Articles 5(2) and 24 GDPR mean that the burden of proof is on the controller to prove the adequacy of its TOMs in the context of damages? Second, does an expert's report constitute sufficient proof that the TOMs were adequate? The court determined that the controller bears the burden of proving the adequacy of TOMs, particularly in the context of damages under Article 82 GDPR. The wording of Articles 5(2), 24(1) and 32(1) GDPR makes this clear. Furthermore, if the burden of proof for the appropriateness of those measures fell on the data subjects, the right to compensation provided for in Article 82(1) GDPR would lose its effectiveness, as the data subject would never be able to prove such a point. In terms of expert reports, the court determined that they are neither necessary nor sufficient proof. It is for the Member States to determine the types of evidence that make it possible to assess the appropriateness of TOMs, subject to compliance with the principles of equivalence and effectiveness.[2] If the court were to decide that an expert report was automatically 'sufficient', it would undermine this flexibility.

On the notion of damages:

On the fourth question, the court decided that Article 82(3) GDPR means that the controller cannot be exempt from liability for damages just because the damage was caused by third parties (a third party meaning anyone not authorised to process the data). The wording of Article 82(2) GDPR and Recital 146 make it clear that the controller is responsible for compensating damage caused by processing that infringes the GDPR. To be exempt, the controller must demonstrate that the act that caused the damage was not attributable to it. This is supported by the fact that Article 82(3) GDPR states that the controller can only be exempt if it can demonstrate that it is not 'in any way' responsible for the event giving rise to the damage. As a result, the circumstances in which the controller may claim to be exempt from liability under Article 82 GDPR must be strictly limited to those in which the controller can demonstrate that there is no causal link between its possible breach of the GDPR and the damage suffered by the natural person.

On the fifth question, the court decided that Article 82(1) GDPR covers the fear of the potential misuse of personal data that a data subject feels as a result of a breach. This fear is therefore sufficient to give rise to non-material damage and compensation. The wording of Article 82(1) GDPR is broad and does not require the non-material damage to be linked to an actual misuse of the data at the date of compensation. This interpretation is supported by CJEU - C-300/21 - Österreichische Post AG, where the court stated that the concept of damage has to be interpreted broadly. Lastly, Recital 85 lists the mere loss of control over personal data among the consequences of a data breach, suggesting that this alone is enough to allow for damages. The national court must ensure, however, that the fear over the misuse of the data is not unfounded and that it relates to the specific circumstances at issue for the data subject.

Comment

This case, especially when combined with CJEU - C-300/21 - Österreichische Post AG, which determines that there is no minimum threshold for non-material damage, will likely open the gateway for class action lawsuits.


  1. The GDPR gives you a right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law. This includes both “material damage” (e.g. you have lost money) or “non-material damage” (e.g. you have suffered distress).
  2. See, by analogy, judgments of 21 June 2022, Ligue des droits humains, C‑817/19, EU:C:2022:491, paragraph 297, and of 4 May 2023, Österreichische Post (Non-material damage in connection with the processing of personal data), C‑300/21, EU:C:2023:370, paragraph 54.