CJEU - C‑340/21 - Natsionalna agentsia za prihodite

CJEU - C‑340/21 Natsionalna agentsia za prihodite
Court:	CJEU
Jurisdiction:	European Union
Relevant Law:	Article 5 GDPR Article 24 GDPR Article 32 GDPR Article 82 GDPR
Decided:	14.12.2023
Parties:
Case Number/Name:	C‑340/21 Natsionalna agentsia za prihodite
European Case Law Identifier:	ECLI:EU:C:2023:986
Reference from:
Language:	24 EU Languages
Original Source:	AG Opinion Judgement
Initial Contributor:	sh

The CJEU ruled that the fear of a data subject over the possible misuse of their data from a data breach counts as non-material damages and can lead to financial compensation from the controller. The burden of proof is on the controller to prove that appropriate measures were adopted against the cyberattack.

English Summary

Facts

The Bulgarian Tax Agency (the controller) suffered a data breach. As a result, more than 6 million people's personal data was leaked online, including that of the complainant.

The complainant sued the controller in the Aministrative Court Sofia under the basis of Article 82 GDPR. She requested around €510 as compensation for the non-material damage^[1] resulting from the breach. She argued that the controller had caused the damage because they had failed to implement adequate Technical and Organisational Measures (TOMs) in breach of Article 5(1)(f) , 24 and 32 GDPR. Her non-material damage was the fear that her personal data, might be misused in the future and that she could be threatened as a consequence.

The Administrative Court Sofia dismissed the action. Firstly, the controller had not caused the breach because the breach had resulted from the actions of third parties. Secondly, the complainant had not proved that the controller had failed to implement security measures. Laslty, in the courts opinion the complainant had not suffered an actual non-material damage, since her fear was only hypothetical she could not be granted compensation.

The complainant appealed this decision before the Supreme Administrative Court Bulgaria, who reffered the case to the CJEU with the following questions:

1) Do Articles 24 and 32 GDPR mean that a data breach, as defined by Article 4(12) GDPR by third parties, sufficient to pressume that the TOMs implemented by the controller are insufficient?

2) If the first question is answered in the negative, what should the scope of the court's judicial review into whether the TOMs are approproate under Article 32 GDPR be?

3) If the first question is answered in the negative, is the burden on the controller to prove that the implemented TOMs are appropriate under Article 32 GDPR?

4) Does Article 82(3) GDPR allow the controller to be exempt from liability for damages if the data breach as defined by 4(12) GDPR was caused by third parties outside of the controller's control?

5) Does Article 82(1) and (2) GDPR allow the anxiety caused by a hacking attack to constitute a non-material damage and entitle the complainant to damages even though they have not suffered further harm?

Holding

The CJEU decided that the burden of proof over proving that TOMs are adequate lie with the data controller and granted the complainant damages for the data breach.

On the notion of technical and secure measures under Article 24 and 32:

On the first question, the fact that a third party breached a controller does not automatically mean the TOMs of the controller were inadequate. Article 24 of the GDPR imposes on the controller a general obligation to implement appropriate TOMs to ensure that processing is carried out in accordance with the GDPR and that this can be demonstrated. Article 32 also requires the controller to implement a "level of security appropriate to the risk." The language of Article 32 demonstrates that the GDPR's goal is only to establish a risk management system, not to eliminate the risks of personal data breaches. Thus, Articles 24 and 32 of the GDPR imply that the GDPR merely requires the controller to implement TOMs in order to avoid any personal data breach, if at all possible. It cannot be inferred from this language that a breach is sufficient to conclude that the measures were not appropriate, without even allowing the controller to argue otherwise. This is particularly significant because Article 24 of the GDPR expressly states that the controller must be able to demonstrate that the measures implemented comply with the regulation, a possibility that would be lost if an irrebuttable presumption were accepted.

On the second question, the court decided that the appropriateness of TOMs must be assessed by national courts. Such an interpretation is capable of ensuring the protection of personal data and the right to an effective judicial remedy against the controller under Article 79(1) GDPR. Having said this, Article 32(1) and (2) GDPR make clear that the appropriateness of TOMs must be assessed by national courts in two stages. First, the court must identify the risks of a breach and their possible consequences. Second, the court must ascertain whether the TOMs implemented by the controller are appropriate to those risks. A national court cannot confine itself to investigating how the controller aimed to comply with Article 32 but rather needs to examine the substance of the TOMs in light of the the criteria set out in Article 32.

On the third question, the burden of proof for proving TOMs is on the controller. Especially in the context of damages under Article 82.

On the notion of damages:

4) Article 83(2) means that the controller cannot be exempt from liability for damages just because the damage was caused by third parties (hackers). To be excempt the controller must prove that the act which caused the damage is in no way attributable to it.

5) Article 82(1) includes the fear of the potential misuse of personal data that a data subject feels as a result of a breach. This constitutes “moral damage” and is sufficient to give rise to non-material damages.

Comment

This case will likely open the gateway for class action law suits. It sets an

Further Resources

Share blogs or news articles here!