Regulations
15 February 2024

GDPR: Employers who get hacked could be held liable

A company that suffers a cyberattack may be required to compensate for the damage caused.

According to the Court of Justice of the European Union, the fact that a company was the victim of a cyberattack does not relieve it of its liability under the GDPR or of its obligation to compensate the resulting damage.

That damage may consist solely of the "fear" that the personal data concerned will be misused.

Context

Attackers breached an agency attached to the Bulgarian Minister of Finance and published the personal data of more than six million people online.

Following that disclosure, an individual brought an action against the agency before an administrative court, claiming compensation for non-material damage. The damage claimed consisted of the fear that his data would be misused.

The Bulgarian national court referred two questions to the Court of Justice of the European Union:

1. Can a data controller be required to compensate for damage when the data was disclosed by third parties only?

2. Does the fear of possible misuse of stolen data constitute non-material damage entailing a right to compensation?

CJEU decision

Regarding the first question, the Court rules that any data controller involved in processing is liable to pay compensation for damage caused by processing that infringes the GDPR.

The controller escapes that liability only if it proves that it is not in any way responsible for the event giving rise to the damage.

The fact that the data is disclosed to a third party does not relieve the data controller of its liability.

If the breach is committed by cybercriminals, i.e. third parties, the data controller remains liable where it made the breach possible by failing to comply with an obligation under the GDPR, typically the obligation to implement appropriate security measures. The burden of proving that the security measures in place were appropriate lies with the controller, so a controller must be able to demonstrate what measures it had implemented and why they were adequate for the risk.

Regarding the second question, any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to obtain compensation from the controller (Article 82 of the GDPR).

The concept of damage is interpreted broadly: the damage suffered does not need to be particularly serious.

An important point is that the damage may consist of the fear that personal data will be misused by third parties in the future. The European legislator expressly included the "loss of control" over one's own data in the concept of damage.

However, the Court points out that a person seeking compensation on this basis must show that the fear is well-founded in the specific circumstances, and must therefore prove the existence of non-material damage; mere reference to the breach is not enough.

What to remember

The fact that a third party disclosed the data does not relieve the data controller of its obligation to compensate the damage, unless the controller proves that it is not in any way responsible for the damage caused. That defence fails where the controller made the data breach possible by failing to comply with one of its obligations under the GDPR, and it is for the controller to prove that its security measures were appropriate.

The fear that one's data may be misused in the future may in itself constitute non-material damage. However, that fear must be shown to be well-founded.

Source: C.J.E.U., 14 December 2023, C-340/21, www.curia.be
