On December 14, 2023, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of VB v. Natsionalna agentsia za prihodite (C‑340/21), in which it clarified, among other things, the concept of non-material damage under Article 82 of the EU General Data Protection Regulation (“GDPR”) and the rules governing burden of proof under the GDPR.

Background

Following a cyber attack against the Bulgarian National Revenue Agency (the “Agency”), one of the more than six million affected individuals brought an action before the Administrative Court of Sofia claiming compensation. In support of that claim, the affected individual argued that they had suffered non-material damage as a result of a personal data breach caused by the Agency’s failure to fulfill its obligations under, inter alia, Articles 5(1)(f), 24 and 32 of the GDPR. The non-material damage claimed consisted of the fear that their personal data, having been published without their consent, might be misused in the future, or that they might be blackmailed, assaulted or even kidnapped.

The CJEU’s Ruling

In its judgment, the CJEU takes the view that the mere fact that a personal data breach occurred does not mean that the Agency did not implement appropriate technical and organizational measures to comply with Articles 24 and 32 of the GDPR. The EU legislator’s intent, as explained by the CJEU, was to “to ‘mitigate’ the risks of personal data breaches, without claiming that it would be possible to eliminate them.” National courts should assess the measures implemented “in a concrete manner, by taking into account the risks associated with the processing concerned and by assessing whether the nature, content and implementation of those measures are appropriate to those risks.”

That said, the CJEU further notes that the fact that an infringement results from the behavior of a third-party (cyber criminals) does not exempt the controller of liability and that, in the context of an action for compensation under Article 82 of the GDPR, the burden of proving that the implemented technical and organizational measures are appropriate falls on the controller and not on the individual.

Finally, building on its Österreichische Post judgment, the CJEU indicates that the fear experienced by individuals with regard to a possible misuse of their personal data by third parties as a result of an infringement of the GDPR may, in itself, constitute non-material damage. In this respect, the national court is required to verify that the fear can be regarded as well founded, in the specific circumstances at issue for the concerned individual. Read the judgement.