Data Breach: the EU Court of Justice affirms the refundability of a non-pecuniary damage

On December 14 2023, the EU Court delivered a preliminarily judgement on case C-340/21 upon request of the Bulgarian Supreme Court, stating that the infringement of the principles established by the GDPR entails the compensation for the damages, also non-material ones, suffered by the interested party.

Therefore, in case of data breach, the controller of the processing must compensate data subjects for non-pecuniary damages if they fail to prove to have taken all suitable security measures to prevent the cyber-attack.

The case

In 2019, after an cyber-attack to the Bulgarian National Revenue Agency’s (NAP) IT system, the personal data of around 6 million people were unlawfully disclosed on the internet. After learning about the news, some data subject interested by the violation brought an action for compensation against the NAP, asking for the compensation of the non-material damage resulted from the disclosure of their personal data.

The damage turned out to be the fear that the personal data disclosed without consent could be object of other misuses, such as blackmail, aggression or even abduction. To support this request, the applicants stated that the cyber-attack was caused by the inadequacy of the IT security measure that NAP, as data controller, would have had the obligation to implement.

The Bulgarian Agency defended itself by showing the documentation aimed at demonstrating the adoption of all measures necessary to prevent the access to data contained in its system and, after the attack, to have promptly taken action to limit the effects of the breach and to reassure the citizens. Moreover, according to NAP, there was not causality between the non-material damage complained and the data breach, given that NAP itself was victim of the attack accomplished by hackers.

Reference for a preliminary ruling to the CJEU

The first decision, favorable to NAP, was followed by an appeal to the Supreme Administrative Court of Bulgaria, in which the Bulgarian Judges decided to stay the proceeding and refer the question to the CJEU.

In particular, the national judges asked the European Union Court of Justice to clarify whether the fact of having suffered a cyber attack is sufficient in itself to consider that the technical and organization measures implemented by the data controller were not “appropriate”.

Moreover, the court was asked if, on the basis of art. 82 of the GDPR, the fear of a person that a possible misuse of personal data can occur following a data breach can constitute a compensable “non-material damage”.

The principles stated by the CJEU

Having examined the question in light of the principles established by the GDPR, the Court excluded that the mere fact of having suffered a non-authorized access to personal data is sufficient to consider not “appropriate” the technical and organization measures implemented by the data controller.

In this regard, the Court recalled that the national courts must assess concretely the effectiveness of technical and organizational measures implemented by the data controller, taking into consideration the risks connected to its processing and evaluating if the nature, content and the implementation of such measures are appropriate in relation to those risks.

With reference to the compensable damage, the Court stated that, in the context of a request for compensation based on the infringement of the GDPR, the data controller must be able to demonstrate the appropriateness of the implemented security measures and can be exonerated by its obligation to compensate the damage to the interested party only if he or she is able to demonstrate that the cause of the damage at issue cannot be attributable to it. Therefore, suffering a cyberattack by third parties is not sufficient to exempt the responsibility of the data controller.

Lastly, for what concerns the possibility to compensate the non-material damage the interested data subject, the Court recognized that, pursuant to art. 82 of GDPR “the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of that regulation is capable, in itself, of constituting ‘non-material damage’ within the meaning of that provision”.

Ilaria Feriti