The misuse of personal data can result in claims for damages by those affected. But under what conditions can claims for damages be asserted, in particular for non-material damage? This has been controversial until now. A decision by the European Court of Justice now provides clarity.
Non-material damage in the event of breaches of the GDPR
Any person who has suffered material or non-material damage due to a breach of the GDPR is entitled to compensation from the controller or processor. But when does non-material damage exist and who must present and prove this?
The German courts have recently set high hurdles for those affected if they wish to claim non-material damages due to data protection violations.
For example, the OLG Stuttgart recently ruled in two proceedings (Ref. 4 U 17/23 and 4 U 20/23 ) dismissed claims for non-material damages against Meta (formerly Facebook) due to a data leak in 2018, as the mere loss of control did not constitute a non-material impairment. Other higher regional courts are also reluctant to award non-material damages, possibly also because they fear a gigantic wave of lawsuits from those affected.
Proceedings before the ECJ
A case from Bulgaria has now reached the ECJ on the issue of non-material damage. The starting point was the following facts:
The Bulgarian National Agency for Revenue (NAP), which is subordinate to the Bulgarian Minister of Finance, is entrusted, among other things, with the determination, securing and collection of public receivables. In this context, it is also responsible for the processing of personal data. In 2019, it was reported that the NAP’s IT system had been breached. As a result of the cyberattack, the personal data of millions of people was allegedly published on the internet. As a result, numerous people sued the NAP for compensation for the non-material damage they allegedly suffered due to fears of possible misuse of their data.
Misuse of personal data justifies damages
The judgment of the ECJ (Judgment of 14.12.2023 – Ref. C-340/21) now has it all.
The mere fact that a data subject fears that their personal data could be misused by third parties as a result of a breach of the GDPR may constitute “immaterial damage”.
The person responsible bears the burden of proof that the protective measures taken were appropriate.
In the event of unauthorized disclosure of or unauthorized access to personal data by “third parties” (such as cybercriminals), the controller may be liable to pay compensation to the persons who have suffered damage, unless it proves that it is not responsible for the damage in any respect
.
In the case of unauthorized disclosure of or access to personal data, the courts cannot infer from this fact alone that the protective measures taken by the data controller were not appropriate. The courts must specifically assess the suitability of these measures.
Conclusion
The ECJ rejects the strict view in German case law. The loss of control alone can constitute immaterial damage. Those responsible must also prove that the protective measures taken were suitable for protecting the data and that they were in no way responsible for damage if they want to avoid a claim.
The decision significantly increases the risk of those responsible being held liable for damages and is likely to lead to an increased number of lawsuits from those affected.
The hurdles previously erected by some higher regional courts, which made it difficult to claim non-material damages, have in any case been largely demolished with this ruling. It remains to be seen how the national courts will now deal with the requirements of the ECJ.
