Important CJEU ruling on Cyber attack damages

Even before the inception of the GDPR there has been lively argument over what damages are available for breach of data protection rights.

23 February 2024

Publication

Even before the inception of the GDPR there has been lively argument over what damages are available for breach of data protection rights, not least in the leading Vidal-Hall and Lloyd cases, both against Google.  In December 2023, the Court of Justice of the European Union issued a judgment that provides some important points of clarity on the issue, at least for those in the European Union.  For those of us in other jurisdictions, the judgment provides useful guidance which should be taken into account by courts considering the issue. 

The ruling in VB v. Natsionalna agentsia za prihodite (C‑340/21), delivered on 14 December 2023, concerned a cyber attack against the Bulgarian National Revenue Agency that affected around 6 million individuals, one of whom sued for non-financial damage suffered as a result of the attack (under Article 82 GDPR).  The individual argued that this damage took the form of fear of future misuse of their personal data, leading to possible blackmail, assault and kidnap.  The CJEU's ruling contained (amongst other things) the following three key elements: 

1. The judgment followed an earlier CJEU decision in May 2023, UI -v- Österreichische Post AG, which had determined that Article 82 GDPR does not give rise to an automatic right to damages for the mere infringement of an individual's data protection rights (echoing the UK Supreme Court's view in Lloyd -v- Google).  The VB judgment built on this earlier one by indicating that the fear experienced by the individual as to possible future misuse of their data may, in itself, constitute non-financial damage for which the individual could receive compensation.  Whether that fear is well founded in the particular circumstances is a question for the national court, and it is for the data subject to prove it. 

2. The fact that a data breach has occurred does not, by itself, lead to a presumption that the controller's security measures were inadequate (and therefore in breach of the GDPR).  The national court must carry out a substantive assessment of the security measures actually in place, and the controller is only liable if a failure to implement appropriate measures caused or contributed to the breach.  This is a helpful aspect of the ruling for controllers facing litigation as a result of a breach.  Many claims contain bare assertions that a single data breach means that the controller was negligent or had taken insufficient security measures, but of course this is often not the case.  However, the CJEU placed the burden of proving that the security measures were appropriate on the controller, not on the data subject. 

3. Less helpfully for data controllers, the CJEU confirmed that a controller is not automatically absolved from liability merely because a data breach was caused by a third party (here, cyber criminals).  Again, the key to avoiding liability is proving that the security measures in place were appropriate (or, if they were not, that the shortcomings did not cause or contribute to the breach). 

This ruling has far-reaching implications for both data controllers and data subjects.  For controllers, it provides a roadmap for minimising the risk of liability where a data breach arises from a cyber attack: design, implement and be able to evidence appropriate security measures.  For data subjects, it provides clearer boundaries as to what a credible claim for damages following a data breach looks like, and should dissuade the more speculative claims often brought.  Hopefully a ruling of similar clarity and breadth will come along in England & Wales in order to provide some direct precedent.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.