Analysis: GDPR Article 82 – The CJEU gathers pace clarifying data breach compensation
Increasing jurisprudence from the Court of Justice of the European Union is shedding light on Article 82 of the GDPR, write Mark D Finan BL and R. Caroline McGrath BL.
Following the delivery of its first judgment concerning article 82 GDPR in May 2023 in Case C-300/21 UI v. Österreichische Post, the final weeks of 2023 and early weeks of 2024 have seen a considerable increase in momentum of the journey towards clarity in the interpretation of article 82.
The CJEU has delivered a further four judgments in this regard in December 2023 and January 2024.
Judgment 1: Cyberattack Data Breach Liability
Case C-340/21 VB v. Natsionalna agentsia za prihodite
This case relates to a reference made by the Bulgarian Supreme Administrative Court in proceedings where VB, a natural person, sought compensation from Natsionalna agentsia za prihodite (NAP), the National Revenue Agency in Bulgaria, for non-material damage arising from alleged breaches of the GDPR by the NAP in its role as a data controller.
The incident giving rise to the proceedings arose due to a cyberattack on the NAP IT systems which led to the publication of personal data of more than six million data subjects on the internet. VB claimed that she had suffered non-material damage in the form of fear that her personal data would be misused in the future or that she would be blackmailed, assaulted or even kidnapped as a result of the unauthorised publication of her personal data.
The NAP argued that VB had not sought information from it as to the precise personal data which had been disclosed. It sought to rely on documentation which it argued showed it had taken all necessary measures prior to the breach to prevent its occurrence and to limit the effects of the breach once it had occurred. The NAP claimed that there was no causal link between the alleged non-material damage asserted by VB and the breach. Finally, it argued that it could not be liable for the malicious actions of persons who were not its employees causing harm.
The first instance court dismissed the claim of VB holding that the data breach was committed by third parties, that VB had failed to establish that the NAP had not adopted appropriate security measures and that VB had not suffered non-material damage giving her a right to compensation.
VB appealed this decision to the Bulgarian Supreme Administrative Court which stayed the proceedings pending receipt of a preliminary ruling from the CJEU in respect of five specific questions.
The first question posed sought confirmation as to whether articles 24 and 32 GDPR meant that unauthorised access to personal data held by a data controller by persons who are not employees of the data controller gave rise to a presumption that the technical and organisational measures adopted by the controller were not appropriate.
If this was not the case, the CJEU was asked to specify the subject matter and scope of the judicial review of legality in the examination as to whether the technical and organisational measures implemented by the controller were appropriate.
Thirdly, the CJEU was asked to clarify whether the principle of accountability required by articles 5 and 24 GDPR means that the burden of proving that organisational and technical measures were appropriate in proceedings pursuant to article 82 rests with the data controller.
The fourth question posed asks whether a data controller can be exempt from liability for damage caused by way of a hacking attack by third parties who are not subject to the control of the data processor.
Finally, the CJEU was asked to clarify if the worries, fears and anxiety suffered by a data subject about potential future misuse of their personal data following a data breach fall within the concept of non-material damage giving rise to an entitlement to compensation.
In answering the first question, the CJEU had regard to the wording used in articles 24 and 32 GDPR which requires data controllers to adopt technical and organisational measures intended to avoid, in so far as it is possible, a data breach. Thus, unauthorised disclosure of personal data or access to personal data by third parties cannot give rise to a presumption that the data controller has not adopted appropriate organisational and technical measures.
The answer to the second question clarifies that the assessment of whether technical and organisational measures are appropriate is a two-stage exercise. First, article 32 requires the risks arising from a personal data breach caused by the particular processing concerned to be assessed taking account of the likelihood and severity of the risks. Secondly, the measures adopted by the controller must be examined to determine if they are appropriate to the risks concerned, taking account of the state of the art, the costs of implementation, the nature, scope, context and purposes of the data processing. A court completing this assessment must do so in a concrete manner, taking into account the risks associated with the processing concerned and whether the nature, content and implementation of the technical and organisational measures are appropriate to those risks.
The CJEU confirmed in answering the third question that data controllers bear the burden of proving that the technical and organisational measures they have adopted are appropriate in an action pursuant to article 82. The court acknowledged that expert reports might form part of the evidence employed, but such reports are not a systemically necessary and sufficient means of proof — it is for the national legal order of Member States, subject to the principles of equivalence and effectiveness, to establish the procedural rules for safeguarding the article 82 rights of data subjects.
In the fourth question, the CJEU had regard to recital 146 when it determined that article 82(3) allows a data controller to be exempt from liability to pay compensation for damage caused by a data breach only where the controller proves that it is in no way responsible for the event giving rise to the data breach.
Finally, in respect of non-material damage, the CJEU reiterated the position expressed in Case C-300/21 that article 82 requires the existence of damage in addition to the existence of an infringement of the GDPR and a causal link between the damage and infringement. Further, the court re-affirmed that there can be no de minimis requirement for non-material damage in order for such damage to give rise to a right to compensation. The CJEU again referred to recital 146, which provides that damage should be broadly interpreted, and also to recital 85, which posits that loss of control over personal data may constitute damage. In light of this, the court held that fear over possible future misuse of personal data may amount to non-material damage, but the court assessing the claim must verify that such fear can be regarded as well-founded in the specific circumstances of the data breach and data subject concerned.
Judgment 2: Thresholds of Non-Material Damage
Case C-456/22 VX, AT -v- Gemeinde Ummendorf
This case involved a reference from the Regional Court in Ravensburg, Germany in proceedings where two data subjects sought compensation for non-material damage arising from the publication of their personal data (their names) by the Municipality of Ummendorf without their consent on the internet as part of an agenda for a meeting of the municipal council. The personal data remained available online from 19 June 2020 to 22 June 2020 only.
The referring court was satisfied that there had been a breach of the GDPR, but considered that the mere loss of control over the personal data was not sufficient to constitute non-material damage within the meaning of article 82. The court thus posed the question whether the concept of non-material damage in article 82 requires a noticeable disadvantage and an objectively comprehensible impairment of personal interests of the data subject, or put another way, whether a de minimis threshold of non-material damage exists.
In giving its decision, the court referred to its decisions in Case C-300/21 and Case C-340/21, where it had already stated that article 82 precludes the imposition of national rules which require that damage suffered by a data subject has reached a certain degree of seriousness. As a consequence, article 82 does not allow the imposition of conditions such as the tangible nature of the damage or the objective nature of the infringement.
However, notwithstanding the absence of any de minimis threshold, a data subject alleging non-material damage is required to demonstrate that the infringement of the GDPR has had negative consequences which constitute non-material damage. The mere infringement of a provision of the GDPR is not, by itself, sufficient to confer a right to compensation.
Judgment 3: Health Data Processing and Compensation
Case C-667/21 ZQ -v- Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts
The facts in this case relate to the processing of personal data concerning health by a public body tasked with carrying out medical reports relating to incapacity for work of persons insured by compulsory sickness funds.
ZQ was an employee of the public body, but was also the subject of such a medical report following a period of medical incapacity to work. ZQ sought, and was sent by one of his colleagues, a copy of the expert report retained by the public body. ZQ alleged that sensitive personal data relating to his health had been unlawfully processed by the public body, his employer, and sought €20,000 compensation for damage. ZQ asserted that the medical report should have been carried out by another medical service provider in order to prevent his colleagues having access to data concerning his health, and that the security measures surrounding the archiving of his report were inadequate and in breach of data protection laws. The court of first instance dismissed ZQ’s claim.
On appeal to the High Labour Court, Düsseldorf, that court referred a number of questions to the CJEU. The court posed a number of questions relating to the interpretation of article 9 relating to processing of special categories of data including health data. These questions are outside the scope of this article and are not addressed at this time. In respect of article 82, the referring court sought confirmation as to whether article 82 has a preventative nature which must be taken into account in the assessment of non-material damage, and whether the degree of seriousness of the fault of the data controller or processor affects the assessment of compensation for non-material damage.
The CJEU held that the function of article 82 of the GDPR is a compensatory one and it does not have a deterrent or punitive function. Article 82 provides a right to compensation which must make it possible to compensate a data subject in full for damage actually suffered as a result of an infringement of the GDPR.
In respect of the question as to whether the degree of seriousness of fault of the controller or processor is relevant to the assessment of compensation, the CJEU again confirmed that a data controller is presumed to have participated in processing which constitutes an infringement of the GDPR, and the controller bears the burden of establishing the contrary (Case C-340/21). The CJEU recognises that it is for the national courts to apply domestic rules relating to the assessment of pecuniary compensation subject to the principles of equivalence and effectiveness. Article 82 does not require that the level of seriousness of an infringement is taken into account when assessing the quantum of compensation, but rather, requires that the amount of compensation is sufficient to compensate in full for the damage actually suffered.
Judgment 4: Negligence in Data Handling and Compensation
Case C-687/21 BL -v- MediaMarktSaturn Hagen-Iserlohn GmbH, formerly Saturn Electro-Handelsgesellschaft mbH
In this case, the applicant in the main proceedings purchased a household electrical item from the defendant company financed by way of a loan agreement with the defendant. In the course of the transaction, the loan documents which contained the applicant’s personal data were mistakenly provided by an employee of the defendant to another customer.
The error was noticed expediently by the defendant’s employee and the documentation was retrieved within thirty minutes. The defendant company offered compensation to the applicant by way of free delivery of the appliance to the applicant’s home. The applicant considered this compensation was inadequate and commenced proceedings seeking compensation for non-material damage pursuant to the GDPR.
The defendant argued there had been no infringement of the GDPR, and that for an infringement to occur, it must reach a threshold level of seriousness which was not reached on the facts. Further, it asserted that the applicant had not suffered any damage since the applicant had not established or even alleged that the third party had misused the applicant’s personal data. The Amtsgericht Hagen (Local Court, Hagen) stayed the proceedings and referred seven questions to the CJEU.
The referring court first questioned the validity of article 82 in circumstances where the article appeared to the referring court to lack detail as to its legal effects in the event compensation for non-material damage was ordered.
The court sought clarification on whether a claimant must establish both an infringement of the GDPR and damage, particularly non-material damage.
Thirdly, the court questioned whether the erroneous provision of printed documents containing the personal data of the claimant amounted to an infringement of GDPR.
The fourth question asked whether the fact of the negligent handover of documents was an infringement given the obligations of a data controller to implement appropriate security measures.
Fifthly, the court asked whether non-material damage in the form of fear of a future risk could be established where it appeared that the unauthorised third party was unaware of the contents of the personal data prior to its return.
The sixth question returns to the question of the relevance of the severity of the infringement in circumstances where the referring court had determined the controller could have adopted more secure procedures. Finally, the court was again requested to determine the purpose of compensation for non-material damage.
The first question was deemed inadmissible as the referring court did not provide any specific information to allow the question to be determined.
Relying on its decisions in Case C-300/21, Case C-340/21, Case C-456/22 and Case C-667/21, the court reiterated that a claimant must establish an infringement of the GDPR and that he suffered material or non-material damage which is causally linked to the infringement.
The court addressed the third and fourth questions together. Following its decision in Case C-340/21, the court reiterated that an assessment of the appropriateness of technical and organisational measures must be carried out in a concrete manner having regard to the factors outlined in articles 24 and 32 and the particular data processing concerned. The accidental disclosure of data is not, by itself, sufficient for the court to determine that appropriate technical and organisational measures were not in place.
The answer to the fifth question mirrors the position adopted by the court in its previous decisions. Fear about possible future misuse of personal data may constitute non-material damage, but it is for the applicant to prove such damage. A purely hypothetical risk of unspecified future damage does not give rise to a right to compensation.
The sixth and seventh questions were answered by the court in similar terms as in Case C-667/21. The severity of the infringement by a controller does not have to be taken account of in assessing damages which have a compensatory and not a punitive function.
Six key messages
In light of the increasing jurisprudence from the CJEU on the interpretation of article 82 of the GDPR, the following principles can be distilled:
- The right to compensation for damages for breach of the GDPR requires a claimant to establish an infringement of the GDPR, that he has suffered damage, and that there is a causal link between the infringement and the damage suffered.
- The fact of an infringement of the GDPR gives rise to a presumption that the technical and organisational measures adopted by the controller / processor were insufficient. This presumption can be rebutted by a data controller.
- The concept of damage is to be broadly interpreted. There is no de minimis threshold.
- Non-material damage may include a loss of control over personal data or fear about potential future misuse, but such damage must be proven by a claimant.
- The damages regime provided by article 82 serves a compensatory function only and does not have a punitive or deterrent function.
- The concept of damage must be given an autonomous interpretation across all Member States, but it is for individual Member States to establish the procedural rules to determine liability.
Mark D Finan BL and R. Caroline McGrath BL are practising barristers. This article first appeared on the Law Library website.