In its decision C-687/21 of 25 January 2024, the CJEU held, among other things, that the mere concern that a person’s personal data could be misused after a data breach is not sufficient to establish non-material damage. Another important finding is that the controller can exonerate himself or herself by proving that, despite the breach, appropriate technical and organisational measures within the meaning of the GDPR were nonetheless in place.
Facts
In the main proceedings, an employee of an electrical retailer inadvertently handed over both the device ordered by the applicant and the associated purchase and credit agreement containing the applicant’s personal data to the wrong customer. The mistake was recognised immediately, and the employee of the electrical retailer obtained the return of the device and the documents. About half an hour after the erroneous handover to the wrong customer, the aforementioned items were handed to the applicant.
The applicant then brought an action before the Hagen Local Court seeking compensation for the non-material damage suffered. According to the applicant, this damage resulted from the error made by the employee of the electrical retailer and the resulting risk of losing control of his personal data. The applicant relied, among other things, on the provisions of the GDPR.
Decision of the CJEU
The Hagen Local Court then referred several questions to the CJEU for a preliminary ruling.
In its decision, the Court held that unauthorised disclosure of, or access to, personal data by ‘third parties’ is not in itself sufficient for it to be held that the technical and organisational measures implemented by the controller were not ‘appropriate’ within the meaning of Articles 24 and 32 GDPR. Rather, the competent court must also take into account all evidence provided by the controller to demonstrate the adequacy of the technical and organisational measures adopted by him or her to comply with his or her obligations under Articles 24 and 32 GDPR.
It can therefore be concluded from the CJEU’s decision that, within the framework of the reversed burden of proof, data controllers can exonerate themselves by proving that, despite the breach, appropriate technical and organisational measures were in place and that therefore no data protection breach has occurred.
Furthermore, the CJEU stated that, in principle, the data subject may suffer non-material damage within the meaning of Art 82 GDPR even in the event of a merely temporary loss of control over personal data.
However, the CJEU further held ‘[…] that it is for the applicant in an action for compensation under Article 82 of the GDPR to demonstrate the existence of such damage. In particular, a purely hypothetical risk of misuse by an unauthorised third party cannot give rise to compensation. This is so where no third party became aware of the personal data at issue.’
A purely hypothetical possibility of data misuse is therefore not sufficient to prove that the breach of the GDPR had negative consequences for the applicant.
Conclusion
With this decision, the CJEU therefore raises the requirements for asserting claims for damages and, de facto, thankfully sets a ‘de minimis threshold’ for such claims. A purely hypothetical risk of data misuse is thus not sufficient to assume non-material damage within the meaning of Art 82 GDPR. This can be of particular importance in practice, as it is often difficult to prove actual data misuse after a data leak, whereas non-material damage is regularly claimed based merely on the ‘fear’ that a misuse may happen. This, at least, will no longer be possible henceforward.
Link to the CJEU Decision:
https://curia.europa.eu/juris/document/document.jsf?text=&docid=282062&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1
Article provided by INPLP member: Árpád Geréd (MGLP Rechtsanwälte, Austria)
Co-Author: Tamara Thirring