Cyberattacks present a multi-faceted challenge for organisations around the world. Beyond the immediate burden of handling the attack itself, the aftermath can be of even greater concern. Not only do organisations have to deal with regulatory investigations by data protection authorities, but they are also increasingly facing the prospect of mass claims for damages under Article 82 GDPR.
In this context, the recent decision of the Court of Justice of the European Union (CJEU) in Case C-340/21 on 14 December 2023 addresses the key issues of (i) fear of the data subject as a potential basis for non-material damage and (ii) the burden of proof concerning the appropriateness of security measures implemented by the data controller.
Fear as a Basis for Non-Material Damage
The CJEU acknowledges that the fear experienced by a data subject that his or her personal data might be misused by threat actors may, in certain circumstances, be capable of constituting non-material damage under Article 82(1) GDPR. The wording “is capable of” implies that there are also circumstances in which fear does not amount to non-material damage. As a rule, the data subject bears the burden of proving the (non-material) damage claimed. In damage proceedings, it will be for the national court seised to verify, in light of the specific circumstances of the case, that the alleged fear is in fact well founded.
Burden of Proof and Appropriateness of Security Measures
The CJEU notes that the GDPR does not require data controllers to eliminate the risk of personal data breaches: their technical and organisational measures (TOMs) under Articles 24 and 32 GDPR must (only) be “appropriate” to the risk. Consequently, the mere fact that a hack or data breach occurred does not, by itself, mean that the data controller’s TOMs were inappropriate. However, in an action for damages under Article 82 GDPR, the burden of proving that the implemented security measures are appropriate within the meaning of Article 32 GDPR lies with the data controller. Again, it will be for the national court seised to examine, in concrete terms, the nature and content of the measures taken by the data controller and whether they were implemented with due diligence. In this respect, data controllers will likely benefit from the CJEU’s finding that they have “some discretion in determining the appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
Implications for Businesses
The recognition of ‘fear’ as a potential non-material damage means that businesses should be prepared for an increase in mass claims for GDPR damages following cyberattacks. In this context, the CJEU’s ruling highlights once again that it is essential to implement appropriate TOMs safeguarding data processing operations and to maintain reliable documentation capable of evidencing the appropriateness of those TOMs, i.e. not only the measures themselves but also the risk assessment on which they are based and how they were implemented. Such TOMs documentation is increasingly important not only in the context of investigations by data protection authorities, but also as a line of defence against court claims, given that the controller will have to prove appropriateness. For businesses, this ruling is a call to action to re-evaluate their data protection strategies, ensuring compliance and preparedness for cyberattacks, in particular with regard to internal documentation.