by Laura Fannin , Denise O’Shaughnessy March-08-2024 in Commercial & Business, Competition Law, Data Protection, Insolvency & Restructuring
On 14 December 2023, the Court of Justice of the European Union (“CJEU”) issued judgment in VB v. Natsionalna agentsia za prihodite (C-340/21) and held that the fear of misuse of one’s data after a data breach can constitute non-material damage. The Court considered the rules regarding burden of proof under the GDPR and non-material damage pursuant to article 82 of the GDPR.
Background
The Bulgarian National Revenue Agency (the “Agency”) suffered a cyber attack causing personal data of millions of data subjects to be published on-line. Some of the impacted data subjects brought actions against the Agency, as the data controller of their personal data, claiming compensation for non-material damage under article 82 of the GDPR caused by the fear that their data may be misused.
The Bulgarian Supreme Administrative Court referred several questions to the CJEU.
Decision
The CJEU held that the mere fact that a personal data breach occurred does not mean that the Agency did not implement appropriate technical and organizational measures to comply with Articles 24 and 32 of the GDPR. Controllers or Processors “should evaluate the risks inherent in the processing and implement measures to mitigate those risks”. National courts should undertake an adequacy test and assess the measures implemented “in a concrete manner, by taking into account the risks associated with the processing concerned and by assessing whether the nature, content and implementation of those measures are appropriate to those risks.”
The CJEU noted that the fact that an infringement results from the behaviour of a third-party does not exempt the data controller of liability. A controller may be required to compensate data subjects who have suffered damage, unless it can prove that it is in no way responsible.
The burden of proving that the implemented technical and organizational measures are appropriate lies with the controller.
The CJEU stated " fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of that regulation is capable, in itself, of constituting ‘non-material damage’. Article 82 of the GDPR provides that any person who suffered material or non-material damage shall have the right to receive compensation from the controller or processor for the damage suffered. The CJEU did note that the national court should “verify that that fear can be regarded as well founded, in the specific circumstances at issue and with regard to the data subject.”
Comment
This decision is a landmark decision that is likely to lead to increased claims for non-material damages and stricter assessment by national courts. Data controllers and processors should ensure they continuously review their data protection policies and associated agreements, utilise robust technical and organisational measures that adequately address security risks and clearly document and record all such measures to facilitate any possible assessment.
For further information or advice on how the judgement impacts upon your organisation, please contact Laura Fannin and Denise O’Shaughnessy.
Back to Full NewsShare this article:
About the Authors
Laura Fannin
Laura is a partner in the Commercial & Business team at Hayes solicitors. Laura advises clients on a diverse range of corporate and commercial matters and regulatory requirements. She is an experienced adviser on terms and conditions of sale and purchase, IT issues, data protection, product liability, advertising and promotions, intellectual property and a wide range of commercial agreements.
Denise O’Shaughnessy
Denise is an associate solicitor in the Commercial and Business team at Hayes solicitors. She advises clients on a variety of commercial and business law matters including drafting, negotiation and review of commercial contracts and advising companies and state bodies in relation to their data protection obligations under the General Data Protection Regulation.