CJEU Clarifies Scope of Controller/Processor Liability for Data Breach
Executive Summary
The Court of Justice of the European Union (CJEU) recently issued a decision that helps to clarify the liability of data controllers and data processors under the GDPR. The key points of the decision include:
- Controllers and processors are not automatically liable for a breach of personal data caused by a third party;
- Guidance on how national courts should assess whether the technical and organizational measures implemented by a controller/processor are “appropriate”;
- An expert report is not a necessary and sufficient means of proving whether a controller’s security measures were appropriate;
- The well-founded fear of misuse of personal data following a breach can constitute recoverable non-material damage under the GDPR.
Our team discusses the specifics of this decision below.
Introduction
The CJEU, the highest court of the European Union, recently issued a decision[1] clarifying the scope of liability and the measure of possible damages for data controllers and data processors as a result of a personal data breach.
The issues arose from a cyberattack on the Bulgarian tax authority, which resulted in the disclosure of personal data of millions of persons. Several hundred of them, including the applicant, brought actions for compensation for non-material damage allegedly caused by the breach, basing their case on Article 82 of the GDPR. The Bulgarian Supreme Administrative Court referred five questions on the interpretation of the GDPR, in particular Articles 5, 24, 32 and 82, to the CJEU.
The CJEU's ruling has important implications for data controllers and processors, as it clarifies the scope of their obligations, the standard of proof required to demonstrate compliance, and the conditions for exemption from liability.
First Question
The first question posed to the CJEU was whether Articles 24 and 32 of the GDPR should be interpreted to mean that any disclosure of, or unauthorized access to, personal data (including by a third party through a cyberattack) is in itself sufficient to show that the controller did not have “appropriate” technical and organizational measures in place as required under the GDPR. This would mean, in essence, that controllers or processors would face a presumption of breach of the GDPR for any cyberattack which manages to access or exfiltrate personal data.
Noting that the GDPR specifically requires organizations to take into account the nature of the risks to the personal data they hold, the CJEU found that a breach, on its own, is “not sufficient” to establish liability, especially where the breach is caused by a third party. This is not to say that a controller or processor cannot be liable for a breach that results from a cyberattack, but rather that liability does not automatically follow. Instead, the court examining the incident must take into account the nature of the incident, the risks inherent to the processing and, fundamentally, the measures the controller or processor actually put in place to protect the data.
Second Question
The second question which the CJEU addressed was whether the “appropriateness of the technical and organizational measures implemented by the controller” should be determined by national courts “in a concrete manner” by considering, in particular, the risks associated with the processing of the personal data.
Looking to Article 32 of the GDPR, the CJEU determined that the appropriateness of such measures should be assessed in two steps. First, the risks of a personal data breach – and the potential harms to the “rights and freedoms of natural persons” – should be the foremost consideration and analyzed in a concrete manner that takes into account both the probability of those harms occurring and their severity should they result. Second, the identified risks must be compared against the technical and organizational measures actually implemented by the controller to determine whether those measures are “appropriate” to the risks. This analysis should consider:
- The state of the art;
- The costs of implementation; and
- The nature, scope, context, and purposes of the processing.
Taking all of this into account, the CJEU found that national courts must look to the actual implemented measures, not just the measures a controller intended or included in its policies.
Third Question
The third question posed to the CJEU was considered in two parts: 1) whether the burden of proof falls upon the controller to show that its implemented security measures were appropriate under Article 32 of the GDPR, and 2) whether, in analyzing the appropriateness of the security measures, an expert’s report “constitutes a necessary and sufficient” means of proof.
With regard to the first part, the CJEU held that, since the GDPR explicitly establishes a principle of accountability for the controller, where a data subject has brought an action for damages the burden of proof falls on the controller to show that the implemented security measures are appropriate. This is consistent with the rule that, in an action challenging the processing of personal data, the burden likewise falls on the controller or processor to prove that personal data are processed in a way that ensures their appropriate security.
With regard to the second part of the question, however, the CJEU found that an expert’s report is not a necessary and sufficient means of proof for showing whether a controller’s security measures were appropriate. Consistent with its analysis of the second question, the CJEU held that national courts should consider all the circumstances of a breach and remain free to weigh the evidence before them effectively. In some circumstances, an expert’s report may be superfluous in light of the other evidence presented in the case, and so systematically requiring such a report would not be an effective use of either the parties’ or the courts’ resources.
Fourth Question
The fourth question considered by the CJEU was whether a controller should be exempt from liability (that is, from the payment of compensation or damages) for harm caused to a data subject by a data breach simply because the damage is the result of actions by a “third party” rather than the controller itself.
The CJEU quickly dismissed this argument, refusing to recognize a wholesale exemption from the payment of compensation. Rather, the CJEU held that the controller, in order to avoid having to pay damages, must prove that it is in no way responsible for the event giving rise to the damage claimed. This includes, as above, a showing that the controller had implemented security measures appropriate to the personal data it held and processed.
Fifth Question
Finally, the CJEU addressed the question of whether the possibility of misuse of personal data as a result of a data breach is capable of giving rise to a “non-material damage” under Article 82 of the GDPR. That is, whether the mere risk of misuse (without showing an actual, physical or other material harm) is sufficient to confer standing on a data subject and give rise to recoverable damages.
In answering, the CJEU drew on the broader principles it has set out under European Union law: non-material damage, including fear of misuse, can form the basis of recoverable damages if proven. Such recovery is not unlimited, though. Rather, the data subject must “demonstrate that [the complained of] consequences constitute non-material damage,” and where “fear” of misuse is claimed, the national court must determine that such fear is “well founded.” Despite the difficulty of proving such damage, the CJEU does not deny that it can occur and be recoverable in an action – a position somewhat at odds with the treatment of similar questions in the United States.[2]
Conclusion
Though many of the principles set forth by the CJEU are not unexpected, and are largely consistent with existing principles within the European Union, the decision has important implications not only for data subjects hoping to bring actions for damages, but also for controllers’ responsibilities in protecting the personal data they collect. The CJEU’s decision highlights core principles which limit liability and ensure that controllers will not be held financially responsible to data subjects for third-party cyberattacks, provided they can satisfy the requirement of appropriate technical and organizational security. From a proactive perspective, the decision emphasizes the importance of ensuring that appropriate security measures are actually implemented, as these can provide a shield against liability. In addition, the decision clarifies the different burdens of proof in an action for damages resulting from a data breach: the burden on controllers to prove that their security measures were appropriate, and the burden on data subjects to prove the non-material damage of which they complain.
Given the ever rising (and increasingly severe) risk of cyberattacks, it is becoming apparent that proactive preparations are necessary not only to protect a company’s infrastructure, but also to reduce (and even prevent) the possibility of liability resulting from an almost inevitable data incident. If you or your company have any questions regarding your readiness, our team would be happy to assist.
[2] In particular, this contrasts with the principles of harm set forth by the United States Supreme Court in its TransUnion v. Ramirez decision, which our team has previously discussed here.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.