GT News

Olga Králíčková | February 27, 2024

What level of injury caused by a breach of the GDPR is already actionable?

Two judgments of the Court of Justice of the European Union (“CJEU”) from mid-December last year dealt with preliminary questions from national courts in Bulgaria and Germany on the interpretation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”).

In the first case, the Bulgarian National Agency for Public Revenue (Nacionalna agencia za prichodite) was sued for collecting personal data in its role as controller for the purpose of identifying, securing and recovering public debts. As a result of a hacker attack, the data from its information system were made public. Of the roughly six million individuals affected, several hundred filed suit. One of them, the applicant in the referred case, claimed that, as a result of the publication of her data, she had suffered harm consisting in the fear that her personal data, published without her consent, would be misused in the future or that she herself would be subject to blackmail, attack or even kidnapping.

During the hearing of the case, the Bulgarian Court of Appeal referred several preliminary questions to the CJEU, which considered them and reached the following conclusions. With regard to the adequacy of the security of the data managed, it is first necessary to assess the possible risks involved and their severity. Only then can it be determined what measures are sufficient, also taking into account the state of the art, the cost of implementation, and the nature, scope, context and purposes of the specific processing. Significantly, the burden of proof as to the sufficiency and appropriateness of the security measures taken rests with the controller and not with the applicant. As to how the controller is to prove the appropriateness of these measures, the CJEU stated that it is for the national law of each Member State to lay down rules on the means of proof; expert evidence may not always be necessary, but may sometimes also not be sufficient, to prove that the controller has complied with the obligation. With regard to the controller’s liability for the damage caused, the CJEU stated that the controller can only be exonerated from liability if it proves that it is not in any way responsible for the event that led to the damage.

The final preliminary question raised by the Bulgarian Court of Appeal concerned the nature of the harm suffered. As mentioned above, the applicant already perceived harm in the fear of possible misuse of her personal data by third parties. The court therefore asked whether this fear alone could constitute non-material damage. The CJEU’s conclusion in this respect was very interesting: the GDPR’s illustrative list of examples of material or non-material damage includes the loss of control over one’s personal data, and this applies, as the CJEU concluded, even where there has been no actual misuse of the data in question to the detriment of the persons concerned.

The CJEU also ruled on the damage for which compensation can be claimed in the case of an action brought by two persons against the German municipality of Ummendorf. For three days the municipality published on its website the agenda of a meeting of the municipal council, in which the names of the plaintiffs were mentioned several times without their consent, together with a judgment giving their names and residential addresses. In this case, the German court asked the CJEU whether the concept of “non-material damage” under the GDPR is to be interpreted as requiring considerable damage and an objectively perceptible interference with personal interests, or whether a mere short-term loss of control over the data subject’s own data is sufficient. Here, the CJEU stressed that the GDPR does not refer to national legislation on this point, but itself states that “the interpretation of the concept of ‘harm’ should be broad and based on the case-law of the Court of Justice, taking full account of the objectives of the Regulation”. Compensation for damage cannot, therefore, be made conditional, by a national rule or practice, on the damage reaching a certain degree of seriousness. One of the objectives of the GDPR is to ensure a consistent and high level of protection of individuals in the European Union in relation to the processing of personal data; the interpretation of the concept of harm therefore cannot be left to the fragmented practice of national courts.

However, in both of its decisions, the CJEU emphasised that a breach of the GDPR does not in itself give rise to a claim for compensation. The persons affected by the infringement must still prove the nature and extent of the harm suffered, and that burden rests entirely on them.

For the harm caused by a breach of the GDPR to be actionable, the extent of the harm is not decisive, nor does it matter whether the harm stems from misuse of the personal data that has already occurred or from the data subject’s fear that such misuse may occur in the future. The only condition for claiming compensation is to prove that harm actually occurred.