On 27 April 2023, Advocate General Giovanni Pitruzella delivered his opinion in Case C-340/21 (not available in English) regarding a compensation claim for non-material damages (e.g., emotional distress) following the unlawful disclosure of personal data as a result of a cyberattack.
The claimant argued that:
- the controller of their personal data had failed to implement appropriate security measures to protect the personal data as required by under the EU’s GDPR;
- as a result, they had suffered non-material damage in the form of distress from worries and fears about possible misuses of their personal data; and
- consequently they, as the data subject, were entitled to claim compensation from the controller for non-material damage under Article 82 of the GDPR.
The Advocate General’s opinion considered those issues and included statements regarding the burden of proof and the extent of judicial review by national courts.
When can data subjects claim compensation for distress according to the opinion?
The GDPR requires controllers to take ‘appropriate’ technical and organisational security measures to protect personal data. According to the Advocate General, the occurrence of a personal data breach does not necessarily mean that the security measures implemented by the controller were inappropriate. When verifying whether the measures were appropriate, the national court must carry out a review that includes specific analysis of the content of those measures, the way they were applied, and their practical effects.
Regarding the allocation of the burden of proof in the context of claims for compensation under Article 82 GDPR, the Advocate General reiterates that a data subject must prove:
- a breach of the GDPR;
- the damage suffered because of that breach; and
- a causal link between the breach and the damage suffered.
The GDPR provides that a controller is exempt from liability if it proves that it is not ‘in any way’ responsible for the event giving rise to the damage. The Advocate General opined that the level of proof required by this exemption is high. According to the opinion, the burden of proving that the measures used to protect the data were appropriate to the standard required by the GDPR falls on the controller.
Regarding the question whether a court ordered expert opinion is an admissible method of proof, the Advocate General states that the GDPR does not set out rules defining admissible evidence and its probative value. In accordance with the principle of procedural autonomy, it is for each EU Member State to determine the admissible methods of proof and their probative value, including the measures of inquiry.
In the Advocate General’s view, a fear of possible future misuse of personal data, if proved by the date subject, may constitute recoverable non-material damage under the GDPR. However, the data subject must prove they have objectively suffered real and certain emotional harm, a circumstance which the national court must examine in each individual case. Mere annoyance and inconvenience do not suffice.
What are the key take aways?
The Advocate General's opinion indicates that:
- a personal data breach does not automatically give the data subject a right to compensation;
- a data subject claiming compensation must demonstrate an objectively quantifiable real and certain harm (eg a sufficient level of emotional harm); and
- data controllers bear a high burden of proof when seeking to defend such claims by proving that they implemented appropriate security measures and are not ‘in any way’ responsible for the event giving rise to the damage.
The Advocated General’s opinion is not binding on the EU’s Court of Justice and it remains to be seen whether the court will follow the opinion. Nevertheless, if the court follows the opinion, data controllers may face increased exposure to the risk of compensation claims under the EU’s GDPR after successful cyberattacks.
