The Court of Justice of the European Union (“CJEU”), in its ruling in Case C-340/21, “VB v Natsionalna agentsia za prihodite”, has held that the fear of potential misuse of personal data can in itself amount to non-material damage.
The Bulgarian National Revenue Agency (“NAP”) is responsible for identifying, securing and recovering public debts, and acts as a controller of personal data in that capacity. In 2019, media outlets reported a breach of the NAP IT system: following the cyberattack, the personal data of millions of data subjects had been published on the internet. Numerous individuals subsequently brought proceedings against the NAP, seeking compensation for non-material damage arising from the anxiety that their data might be misused.
The Bulgarian Supreme Administrative Court then referred several questions to the CJEU on the interpretation of the GDPR. In particular, it asked under what conditions compensation for non-material damage may be granted to an individual whose personal data, held by a public agency, were published on the internet following a cybercriminal attack.
The CJEU held that the unauthorised disclosure of, or access to, personal data by a third party is not in itself sufficient to conclude that the technical and organisational measures implemented by the data controller were not appropriate. Whether those measures were appropriate is a matter for the national courts to assess in a concrete manner, having regard to the risks associated with the processing.
The CJEU further explained that the burden of proving that the protective measures were appropriate lies with the data controller, which must be able to demonstrate that the measures it implemented were in fact appropriate.
The CJEU also held that where the unauthorised disclosure or access is the work of a third party, such as cybercriminals, the data controller is not thereby exempted from liability: it remains liable to compensate the affected data subjects unless it proves that it is in no way responsible for the event giving rise to the damage.
Finally, and most significantly, the CJEU ruled that the fear experienced by a data subject that their personal data may be misused by third parties as a result of a GDPR infringement can in itself constitute ‘non-material damage’.
The concept of ‘non-material damage’ has arisen in earlier CJEU case-law, although not in the context of cyberattacks. In Case C-131/12, “Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González”, the CJEU ruled that individuals have the right, under certain conditions, to request the removal of certain personal information from search engine results, and that failure to comply could give rise to claims for non-material damage. In Case C-40/17, “Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV”, the concept of non-material damage was considered once more. That case concerned the responsibility of website operators embedding social media plugins for obtaining user consent, and the CJEU clarified aspects of joint controllership and of liability for non-material damage in cases of non-compliance with data protection rules.
For more information or assistance please contact Dr Ian Gauci and Dr Terence Cassar.