On data security and data breaches
What is required for data security under the GDPR
TL;DR
This newsletter is about a 2023 case on data security under the GDPR. It looks at what is required of data controllers in this regard, the extent of their liability for data breaches and what data subjects can claim compensation for in the context of a breach.
Here are the key takeaways. The judgment (Case C-340/21) arose from a July 2019 cyber attack on Bulgaria's National Revenue Agency (NAP), in which personal data held by NAP was accessed without authorisation and published on the internet, affecting over 6 million people. Several hundred of those affected sued NAP for non-material damage, and the CJEU was essentially asked to rule on the liability of a data controller under the GDPR for data breaches it may suffer. The Court made six principal findings:
The unauthorised disclosure of, or access to, personal data by a third party itself does not show that the data security measures implemented by a controller were not appropriate.
In the EU, national courts need to decide on the appropriateness of data security measures by assessing whether the nature, content and implementation of those measures are appropriate to the relevant risks.
The controller is ultimately responsible for proving that the data security measures it has implemented are appropriate.
In proving the appropriateness of data security measures, an expert's report does not constitute a systematically necessary and sufficient means of proof.
The controller cannot be exempt from its obligation to pay compensation for the damage suffered by a data subject solely because that damage is a result of unauthorised disclosure of, or access to, personal data by a third party.
The fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties due to an infringement of the GDPR is capable, in itself, of constituting 'non-material damage'.
Facts of the case
The case of VB v Natsionalna agentsia za prihodite involves the National Revenue Agency in Bulgaria (NAP), an authority attached to the Bulgarian Minister for Finance. Its responsibilities include securing and recovering debts.
In July 2019, the media reported NAP's IT systems had been compromised due to a cyber attack, resulting in unauthorised access to personal data that it held. That personal data had been published on the internet.
Over 6 million people were impacted by the data breach. Several hundred of those affected commenced proceedings against NAP before the Administrative Court in Sofia. They claimed compensation for the alleged non-material damage suffered as a result of the breach. In particular, the claimant argued that NAP had failed to fulfil its obligations under Articles 5(1)(f), 24 and 32 of the GDPR. The claimant contended that the non-material damage suffered consisted of "the fear that her personal data, having been published without her consent, might be misused in the future, or that she herself might be blackmailed, assaulted or even kidnapped."1
During proceedings, NAP presented documents showing that it had taken all necessary measures to prevent a breach of its IT system and to limit the effects of a breach. NAP also argued that there was no causal link between the alleged non-material damage and the breach it suffered. Additionally, NAP contended that since the cyber attack was not carried out by an employee, it could not be held liable for the consequences of the breach.
The case eventually reached the Court of Justice of the European Union (CJEU), which was essentially asked to rule on the liability of a data controller under the GDPR for data breaches it may suffer.
In its judgment, the Court made six principal findings:
The unauthorised disclosure of, or access to, personal data by a third party itself does not show that the data security measures implemented by a controller were not appropriate.
In the EU, national courts need to decide on the appropriateness of data security measures by assessing whether the nature, content and implementation of those measures are appropriate to the relevant risks.
The controller is ultimately responsible for proving that the data security measures it has implemented are appropriate.
In proving the appropriateness of data security measures, an expert's report does not constitute a systematically necessary and sufficient means of proof.
The controller cannot be exempt from its obligation to pay compensation for the damage suffered by a data subject solely because that damage is a result of unauthorised disclosure of, or access to, personal data by a third party.
The fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties due to an infringement of the GDPR is capable, in itself, of constituting 'non-material damage'.
Appropriateness of data security measures
Under the GDPR, a data controller has key data security obligations that it must abide by, including those under Articles 24 and 32.
Article 24 states that it is the controller's responsibility to implement appropriate measures to ensure, and to be able to demonstrate, compliance with the GDPR. In doing so it must take into account the nature, scope, context and purposes of the processing it carries out, as well as the risks to individuals.
More specifically, under Article 32, a controller (and any processor) must implement technical and organisational measures to ensure a level of security appropriate to the risks of the processing.
The key question for the CJEU was to determine when data security measures can be considered 'appropriate'.
On this, the Court firstly stated that the GDPR requires a risk-based approach to data security and does not require that the risk of personal data breaches be completely eliminated.2 Instead, the GDPR requires that controllers (and processors) implement measures designed to avoid data breaches taking into account the criteria prescribed in the legislation. Accordingly, "the GDPR cannot be understood as meaning that unauthorised disclosure of personal data or unauthorised access to such data by a third party are sufficient to conclude that the measures adopted by the controller concerned were not appropriate."3
Next, the CJEU stated that determining the appropriate measures must be done in two stages:4
The controller should identify all the risks of a data breach (including their likelihood and severity) and the potential consequences for the data subjects.
The controller should then identify measures that address those risks, taking into account the state of the art, costs and the nature, scope, context and purposes of the processing.
When national courts are themselves reviewing the appropriateness of the data security measures implemented by a controller, they should do so by analysing:5
The nature and content of the measures
The manner in which those measures were applied
The practical effect of the measures on the level of security that the controller was required to guarantee, having regard to the risks of the processing
Regarding the burden of proof of showing the appropriateness of data security measures, the Court stated that this ultimately rests on the controller. The reasoning was twofold:
Given the requirements of the GDPR, "controllers must be encouraged to do everything in their power to prevent the occurrence of processing operations that do not comply with that regulation."6
If the burden were on data subjects instead, their right to compensation under the GDPR would be weakened, which was not the intention of the EU legislature.7
And when it comes to expert reports, the CJEU held that such reports cannot be relied on "exclusively or automatically" by national courts as evidence of the effectiveness of data security measures. Otherwise, such courts would not be able to "carry out an objective assessment of the appropriateness of the measures concerned."8
Compensation for damage suffered
Under Articles 82.1 and 82.2, any person has a right to receive compensation from a controller or processor if:
The controller or processor infringed the GDPR
As a result of the infringement, the person suffered material or non-material damage
However, a controller may be exempt from such liability if it can prove that "it is not in any way responsible for the event giving rise to the damage."9
The CJEU held that this exemption applies only to circumstances "in which the controller is able to demonstrate that the damage is not attributable to it."10 Accordingly, in the case of a malicious cyber attack by a third party, such an event cannot be attributed to the controller "unless the controller has made that infringement possible by failing to comply with an obligation laid down in the GDPR."11
Therefore:
...in the event of a personal data breach by a third party, the controller may be exempt from liability, on the basis of Article 82(3) of the GDPR, by proving that there is no causal link between its possible breach of the data protection obligation and the damage suffered by the natural person.12
Meaning of 'non-material damage'
The GDPR itself does not define 'non-material damage' for the purposes of Article 82.1. Nevertheless, the CJEU interpreted the term in light of the wording and objectives of the legislation.
In doing so, the Court noted the following:
There is no requirement that the non-material damage suffered by the data subject reach "a certain degree of seriousness."13
The wording of Article 82.1 does not rule out the fear of a data subject that "his or her personal data will be misused by third parties as a result of the infringement of that regulation that has taken place."14
Recital (146) of the GDPR states that "the concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives" of the legislation.15
Recital (85) mentions loss of control of personal data as an example of the type of damage that could be suffered by a data subject as a result of a data breach.16
Nevertheless, national courts must be satisfied that the fear of the misuse of personal data is "well founded, in the specific circumstances at issue and with regard to the data subject."17
Thoughts on the case
This case is an important clarification of what is expected of data controllers under the GDPR when it comes to data security. Three practical points follow:
Controllers need to assess and document the security measures they have in place. They bear the burden of demonstrating that specific measures address specific risks, and a favourable report from an external expert will not, on its own, necessarily be enough to discharge that burden.
If controllers do not properly assess and document their security measures, it will be harder for them to show that they are not liable for the consequences of a cyber attack that causes a data breach. Cyber attacks can happen to any organisation, so having measures in place that address this specific risk is a must.
The Court acknowledged that the requirement is not to eliminate every possibility of a breach. But breaches do occur, so controllers need (tested) incident response procedures in place to mitigate their impact. A controller may not be responsible for the cyber attack itself, but it can be held responsible for exacerbating the damage if it has no plan to address such events when they occur.
Case C-340/21 VB v Natsionalna agentsia za prihodite (14 December 2023), para. 13.
Case C-340/21 VB v Natsionalna agentsia za prihodite (14 December 2023), para. 29.
Case C-340/21 VB v Natsionalna agentsia za prihodite (14 December 2023), para. 31.
Case C-340/21 VB v Natsionalna agentsia za prihodite (14 December 2023), para. 42.
Case C-340/21 VB v Natsionalna agentsia za prihodite (14 December 2023), para. 46.
Case C-340/21 VB v Natsionalna agentsia za prihodite (14 December 2023), para. 55.
Case C-340/21 VB v Natsionalna agentsia za prihodite (14 December 2023), para. 56.
Case C-340/21 VB v Natsionalna agentsia za prihodite (14 December 2023), para. 63.
GDPR, Article 82.3.
Case C-340/21 VB v Natsionalna agentsia za prihodite (14 December 2023), para. 70.
Case C-340/21 VB v Natsionalna agentsia za prihodite (14 December 2023), para. 71.
Case C-340/21 VB v Natsionalna agentsia za prihodite (14 December 2023), para. 72.
Case C-340/21 VB v Natsionalna agentsia za prihodite (14 December 2023), para. 78.
Case C-340/21 VB v Natsionalna agentsia za prihodite (14 December 2023), para. 80.
Case C-340/21 VB v Natsionalna agentsia za prihodite (14 December 2023), para. 81.
Case C-340/21 VB v Natsionalna agentsia za prihodite (14 December 2023), para. 82.
Case C-340/21 VB v Natsionalna agentsia za prihodite (14 December 2023), para. 85.