DOES THE FEAR OF MISUSE OF PERSONAL DATA GIVE RISE TO A COMPENSATION?
18 January 2024
Under the GDPR, data subjects may claim compensation if they suffered damage because the controller infringed its obligations under the GDPR. Does a data theft by cybercriminals mean that the controller has not adopted appropriate data security measures and has therefore failed to comply with its data protection obligations? Can a data subject claim compensation if the only damage suffered is the fear that personal data may be misused? The Court of Justice of the European Union answered these questions in a recent decision, which is analysed in this short article.
Facts
In 2019, the media revealed that the IT system of the Bulgarian authority NAP had been hacked and that personal data contained in the IT system had been published on the internet. More than 6 million persons were affected by the data breach.
The appellant sued the NAP for compensation, claiming that the fear that her personal data, leaked because of the data breach, might be misused (she might be blackmailed, assaulted or even kidnapped) constitutes non-material damage.
The first instance court dismissed the appellant's action. The court held that the appellant had failed to prove that the NAP had not adopted appropriate security measures and, further, that the appellant had not suffered any non-material damage.
The appellant appealed against this decision, and the Supreme Administrative Court referred the case to the CJEU in Luxembourg to clarify the provisions of the GDPR as regards the adequacy of data security measures and the conditions of compensation, including the concept of non-material damage.
The adequacy of data security measures
First, the CJEU established that, under the GDPR, unauthorised access to or disclosure of personal data by a third party is not in itself sufficient to conclude that the data security measures adopted by the controller were not appropriate. The EU legislator only expects controllers to mitigate the risks of personal data breaches; there is no indication in the text of the GDPR that those risks could be eliminated entirely.
According to the Luxembourg court, national courts must assess the appropriateness of data security measures in two stages. First, it is necessary to identify the risks of a data breach and their consequences for the rights and freedoms of natural persons. Secondly, it must be ascertained whether the implemented data security measures are appropriate to the identified risks, considering the state of the art, the costs of implementation and the parameters of the processing.
Further, the CJEU clarified that, in relation to the appropriateness of the data security measures, the burden of proof lies with the controller.
The conditions of compensation
When it comes to the conditions of the compensation to be paid based on the GDPR, the Luxembourg judges shed light on two important questions.
The CJEU recalled that a controller may only be exempted from paying compensation if it is able to demonstrate that the damage is not attributable to it. In the Court’s view, if the personal data breach has been committed by cybercriminals (that is, a third party), the infringement of the GDPR cannot be attributed to the controller unless the controller failed to comply with its obligations under the GDPR, specifically the obligation to adopt appropriate data security measures.
In addition, the Luxembourg court interpreted the concept of damage under the GDPR. According to the Court, the wording of the GDPR makes it clear that the EU legislature intended that concept to include the mere ‘loss of control’ over personal data, even where there has been no misuse of the data to the detriment of the affected data subjects. Thus, the fear experienced by a data subject with regard to the possible misuse of his or her personal data by third parties as a result of an infringement of the GDPR is capable, in itself, of constituting non-material damage.
Conclusion
Briefly analysing the decision, on the one hand controllers may welcome the CJEU’s position regarding the appropriateness of data security measures, namely that even in the event of a data breach, controllers may prove that the adopted data security measures were appropriate. On the other hand, it sets a rather high standard of liability that data subjects can claim damages for the mere fear of their data being misused, without having suffered any actual damage.
In this article we analysed decision C‑340/21 of the CJEU.