CJEU Rules That Fear May Constitute Damage Under the GDPR | Privacy & Information Security Law Blog

On December 14, 2023, the Court of Justice of the European Union ("CJEU") issued its judgment in the case of VB v. Natsionalna agentsia za prihodite (C-340/21), in which it clarified, among other things, the concept of non-material damage under Article 82 of the EU General Data Protection Regulation ("GDPR") and the rules governing burden of proof under the GDPR.

Background

Following a cyber attack against the Bulgarian National Revenue Agency (the "Agency"), one of the more than six million affected individuals brought an action before the Administrative Court of Sofia claiming compensation. In support of that claim, the affected individual argued that they had suffered non-material damage as a result of a personal data breach caused by the Agency's failure to fulfill its obligations under, inter alia, Articles 5(1)(f), 24 and 32 of the GDPR. The non-material damage claimed consisted of the fear that their personal data, having been published without their consent, might be misused in the future, or that they might be blackmailed, assaulted or even kidnapped.

The CJEU's Ruling

In its judgment, the CJEU takes the view that the mere fact that a personal data breach occurred does not mean that the Agency did not implement appropriate technical and organizational measures to comply with Articles 24 and 32 of the GDPR. The EU legislator's intent, as explained by the CJEU, was to mitigate the risks of personal data breaches without claiming that it would be possible to eliminate them. National courts should assess the measures implemented in a concrete manner, by taking into account the risks associated with the processing concerned and by assessing whether the nature, content and implementation of those measures are appropriate to those risks.

That said, the CJEU further notes that the fact that an infringement results from the behavior of a third party (cyber criminals) does not exempt the controller from liability, and that, in the context of an action for compensation under Article 82 of the GDPR, the burden of proving that the implemented technical and organizational measures are appropriate falls on the controller and not on the individual.

Finally, building on its Österreichische Post judgment, the CJEU indicates that the fear experienced by individuals with regard to a possible misuse of their personal data by third parties as a result of an infringement of the GDPR may, in itself, constitute non-material damage. In this respect, the national court is required to verify that the fear can be regarded as well founded in the specific circumstances at issue for the concerned individual.