Advocate General at the CJEU: Concerning the appropriateness of technical and organisational measures and compensation for non-material damages in the event of a hacker attack

Advocate General at the Court of Justice of the European Union (CJEU), Giovanni Pitruzzella, published his opinion in case C-340/21 on 27 April 2023 regarding the conditions for compensation for non-material damages and the burden of proof for the appropriateness of technical and organisational measures (TOMs) under Art. 32 GDPR in connection with a hacker attack.

The proceedings are of considerable practical relevance for data protection and IT security, and the CJEU's forthcoming decision will shape how controllers and processors implement their TOMs.

Background

The starting point of the case was a hacker attack, in the course of which unauthorized access to the information system of the National Revenue Agency (NAP) of Bulgaria took place and, as a result, tax and social security data of millions of people were published on the Internet. Several people then sued the NAP for compensation for non-material damage.

The Supreme Administrative Court of Bulgaria referred several questions to the CJEU. Of particular importance is the question of whether, in the case of a proven personal data breach, the worries, fears and anxieties suffered by the data subject about a possible future misuse of personal data are by themselves covered by the broadly interpreted concept of non-material damage, if such misuse has not yet taken place and/or no further damage has been caused to the data subject. Furthermore, questions on the appropriateness of TOMs, their judicial review and the burden of proof were submitted to the CJEU.

Questions referred and opinion of the Advocate General

The following questions were referred to the CJEU, on which the Advocate General expressed the views set out below.

1. Are TOMs considered inappropriate if unauthorized disclosure / access to personal data by third parties has taken place?

Key message: The violation of the protection of personal data does not lead to the TOMs being considered inappropriate per se.

  • The controller has a margin of discretion in the selection of the TOMs. However, it must take into account the factors specified in Art. 24 and Art. 32 GDPR when making the selection (including the processing purposes and the severity of the risks for the data subjects).
  • The appropriateness of the measures is subject to possible judicial review.
  • According to Art. 32 GDPR, the controller must consider the state of the art. Thus, only those technical measures can be required from the controller that correspond to the state of the art at the time of implementation of the TOMs and are reasonably implementable, whereby a balancing must take place between the prevention of danger, the current state of the art (which also includes the current state of science, technology and research) and the implementation costs for the controller.
  • Even appropriate measures can still be circumvented by cybercriminals, according to the Advocate General. In this regard, he correctly refers to Art. 32 (1) (c) GDPR, according to which the TOMs to be implemented must also include measures for the timely recovery of personal data after physical or technical incidents. This provision would not have been necessary if a personal data breach always had to be prevented. Therefore, it cannot be the intention of the legislator that the controller must completely prevent every personal data breach. Rather, it must be sufficient for the controller to prove that it has properly fulfilled the obligations imposed on it.
  • The assessment of the appropriateness is carried out within the framework of a balancing exercise, in which the interests of the data subjects in a high level of protection on the one hand and the economic interests and technical capacity of the controller on the other are to be taken into account.


2. What should be the scope of the judicial review of the TOMs with regard to their appropriateness under Art. 32 GDPR?

Key message: The national court must conduct a review that covers the specific analysis and content of the TOMs, as well as the manner in which they were applied and their practical effects.

  • The GDPR does not lay down binding provisions for determining the TOMs that the controller must implement.
  • The court does not review whether the controller has formally provided for specific TOMs, but rather the manner of implementation, their effects, and compliance with the requirements set forth in Articles 24 and 32 of the GDPR, based on the available evidence and the circumstances of the specific case.


3. Does the controller bear the burden of proof that the TOMs are appropriate pursuant to Art. 32 GDPR? Is it sufficient to obtain an expert’s report if the unauthorized access/disclosure is the result of a hacker attack?

Key message: The controller must prove that the TOMs implemented were appropriate in accordance with Art. 32 GDPR.

  • The controller bears the burden of proof that the technical and organizational measures it took were appropriate, because in practice the data subject will not be able to prove that the TOMs implemented by the controller were inappropriate. However, the data subject continues to bear the burden of proof for the infringement, the resulting damage and the causal connection between the two.
  • With regard to the obtaining of an expert’s report, the Advocate General refers to the Member State rules, as the GDPR does not lay down any rules on the determination of admissible evidence and its probative value.


4. Does the fact that the unauthorized access/disclosure is made by a third party by means of a hacker attack exclude the liability of the controller?

Key message: The fact that the infringement was committed by a third party does not exempt the controller from liability. To exclude liability, it must rather prove that it is not responsible for the infringement in any way.

  • Art. 82 (3) GDPR grants the controller the possibility of exemption from liability if it proves (to a high standard of proof) that it is not in any way responsible for the event giving rise to the damage. To this end, it must prove that it has done everything possible to restore the availability of and access to the data in a timely manner.
  • A cyber-attack does not in itself give rise to an exemption from liability, as it may be the result of negligence on the part of the controller (e.g. inappropriate TOMs); moreover, an exemption from liability for external attacks would weaken the rights of data subjects and is incompatible with the protective objective pursued by the GDPR.


5. Are the worries, fears and anxieties suffered by the data subject about a potential misuse of his or her personal data sufficient to justify a claim for non-material damages?

Key message: Only if the data subject proves that he or she has individually suffered actual and certain emotional damage can the mere fear of potential future misuse of his or her personal data constitute non-material damage.

  • The damage resulting from the fear of possible future misuse of personal data following a hacker attack may constitute non-material damage, provided the data subject has proven that this damage exists.
  • In the opinion of the Advocate General, however, not all non-material damage, regardless of how serious it is, is eligible for compensation. Ultimately, the line is drawn between mere upset (non-compensable) and genuine non-material damage (compensable). The fact that misuse has not yet occurred, but is only possible, may be sufficient to constitute non-material damage.
  • To this end, however, the data subject must demonstrate that the mere fear has already specifically caused him or her actual and certain emotional damage and must produce precise evidence of the facts leading to this. In the opinion of the Advocate General, it is decisive for this that it is not a matter of a mere subjective and changeable perception, but rather the objectification of a demonstrable impairment of the physical or psychological sphere or the personal relationships of a person.


Outlook and recommendations

The CJEU has not yet reached a final decision in this proceeding. Although the Advocate General's submissions are not binding, experience shows that the CJEU often follows the Advocate General's findings.

In future, two points will be of great practical relevance. On the one hand, it remains to be seen which form of evidence from data subjects national courts will consider sufficient to assume compensable non-material damage. On the other hand, with regard to the TOMs to be implemented pursuant to Art. 24 and Art. 32 GDPR, the Advocate General's clarification that a personal data breach does not per se indicate the inappropriateness of the TOMs is a positive aspect for controllers. Nevertheless, the burden of proof for the appropriateness lies with the controller, so that corresponding evidence is of elementary importance.

We recommend that companies keep complete records of the TOMs implemented and, in particular, of the assessment of the appropriateness of these measures, and that, in the event of data protection incidents, they immediately initiate the necessary measures and document them in an audit-proof manner in order to exclude the liability risk.

Lawyer, Associate
Alexander Weiss
