GDPR cyber liability and compensation rights clarified by EU court

Cyber risk expert David McIlwaine of Pinsent Masons said the judgment issued by the Court of Justice of the EU (CJEU) is a welcome clarification of the General Data Protection Regulation’s (GDPR’s) rules around data security.

A core principle of the GDPR provides that personal data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

Both controllers and processors also face specific requirements under Articles 24 and 28 of the GDPR respectively in relation to data security, focused on the implementation “appropriate technical and organisational measures”, while Article 32 further specifies that controllers and processors take “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”, taking into account the technology available and costs of implementing the measures, among other factors.

A court in Bulgaria asked the CJEU whether it can be presumed that controllers have failed to have implemented ‘appropriate’ data security measures if there is unauthorised disclosure of, or access to, personal data who are not employees nor subject to their control. The CJEU ruled, however, that personal data breaches to third parties in such circumstances “are not sufficient, in themselves, for it to be held that the technical and organisational measures implemented by the controller in question were not ‘appropriate’”.

McIlwaine said the ruling was welcome in the context of the heightened cyber risk organisations face.

“It is welcome news to receive clarification that just because an organisation suffers a cyber incident, this does not mean per se that it is in breach of the legislation,” McIlwaine said. “Instead, an assessment will need to be taken as to whether the controller used ‘appropriate technical and organisational measures’ to protect the personal data, as required under the GDPR. The case also highlights that the burden of proof falls to the controller to show that the necessary measures were in place.”

“The ruling is important in today’s society where cyber attacks are increasingly common. While the fact that an organisation has been attacked may be less newsworthy than it once was, the way an organisation responds to such an attack matters – both from a regulatory and reputation perspective. Their response will be closely monitored by the market, which places an onus on organisations having a robust and regularly-tested cyber incident response plan to hand to call upon should such an incident occur,” he said.

In its ruling, the CJEU also provided further clarification of the circumstances in which individuals may be eligible for compensation in the event their personal data is compromised in a cyber incident.

Under the GDPR, individuals are eligible for compensation where they have suffered material or non-material damage as a consequence of an organisation’s breach of the legislation. While the concept of ‘material’ damage is generally understood to refer to financial loss, there have been a number of cases brought before the courts – including the CJEU – in recent times seeking to clarify the concept of ‘non-material’ damage.

In its latest judgment on the issue, the CJEU ruled that the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of the GDPR is capable, in itself, of constituting ‘non-material damage’.

Amsterdam-based Wouter Seinen of Pinsent Masons, who specialises in data-related dispute resolution, said: “The CJEU has built on its earlier decisions on liability for non-material damages and considers that the fear for future misuse of a certain data subjects’ personal data can – in theory – constitute ‘non-material damage’. However, it is important to note that it is for the national courts to verify whether ‘that fear can be regarded as well founded, in the specific circumstances at issue and with regard to the data subject’.”

“In taking this approach, the CJEU has steered away from specifying when non-material damage applies by default, highlighting the importance of individual, case-by-case assessment of the whether the claimant has indeed suffered non-material damage. This is in line with the Amsterdam court decision in the TikTok matter, where it – on the same grounds – held that such damages cannot be assessed in class-action proceedings,” he said.

While the CJEU’s ruling only applies to the interpretation of the EU GDPR, the UK GDPR contains substantially the same provisions.