Cybercrime: the fear of a possible misuse of personal data is capable, in itself, of constituting non-material damage (ECJ)

According to the Judgment (14.12.2023) of the Court of Justice in Case C-340/21 (Natsionalna agentsia za prihodite), the fear of a possible misuse of personal data is capable, in itself, of constituting non-material damage.

The Bulgarian National Revenue Agency (the NAP) is attached to the Bulgarian Minister for Finance. In particular, it is responsible for identifying, securing and recovering public debts. In this context, it is a personal data controller. On 15 July 2019, the media reported an intrusion into the NAP IT system, revealing that, following that cyberattack, personal data concerning millions of persons had been published on the internet. Many individuals brought legal actions against the NAP for compensation for non-material damage caused by the fear that their data might be misused. 

The Bulgarian Supreme Administrative Court refers several questions to the Court of Justice for a preliminary ruling on the interpretation of the General Data Protection Regulation (GDPR) . It seeks clarification of the conditions for awarding compensation for non-material damage relied on by a data subject whose personal data, held by a public agency, were published on the internet following an attack from cybercriminals. 

In its judgment, the Court answers the questions referred as follows: 

  • In the event of unauthorised disclosure of personal data or unauthorised access to those data, courts cannot infer from this fact alone that the protective measures implemented by the controller were not appropriate. The courts must assess the appropriateness of those measures in a concrete manner. 
  • It is for the controller to prove that the protective measures implemented were appropriate. 
  • In the event that the unauthorised disclosure of personal data or unauthorised access to those data has been committed by a ‘third party’ (such as cybercriminals), the controller may be required to compensate the data subjects who have suffered damage, unless it can prove that it is in no way responsible for that damage. 
  • The fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of the GDPR is capable, in itself, of constituting ‘non-material damage’.

(curia.europa.eu/ photo: freepik.com)

Comments

Editorial

Editorial
George Kazoleas, Lawyer

Top Stories

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

The name Pablo Escobar may not be registered as an EU trade mark

Nepotism and favouritism in the legal profession

First judgment of the ECHR: Lawless v. Ireland

The Lawyer's right to refuse the defense of an accused person for ethical reasons

Gigantic fine for unfair practices imposed on Booking.com by the Competition Authority of Hungary

Fine of €175,000 on the Greek Ministry of Migration and Asylum for GDPR breaches