Cyberattack and GDPR: The implications of data misuse and moral prejudice

Fear of data misuse alone does not suffice to demonstrate that a data controller's protective measures are inadequate under Articles 24 and 32 of the GDPR.

Judges must assess these measures in a detailed and case-specific manner, taking into account the risks of the processing involved and evaluating whether the measures' nature, scope, and implementation are proportionate to those risks. This approach directly reflects the criteria set out in Article 32 of the GDPR.

Significantly, the Court offers insightful guidance on how national courts should evaluate damage claims under Article 82 of the GDPR.

Article 82, still underused, allows "any person who suffers material or non-material damage due to a GDPR violation" to bring a direct action against the controller and to obtain full compensation for the losses incurred.

In such cases, particularly those concerning data breaches, the burden falls on the data controller to prove that its security measures were adequate. A breach resulting from unauthorized disclosure, such as a cyberattack, does not automatically absolve the controller: it must demonstrate that the event causing the damage is not attributable to it.

The Court clarifies that expert evidence is neither always necessary nor always sufficient for this purpose; national courts retain discretion in evaluating the controller's proof.

However, the key aspect of the judgment lies in the Court's final stance. Traditionally, damage claims require the claimant to show actual harm suffered. As the Court ruled on May 4, 2023, this harm need not reach a specific threshold of severity.

Consequently, the Court determines that the mere fear that personal data may be misused following a GDPR breach can in itself constitute compensable non-material damage. This decision draws on Recital 146 of the Regulation, which advocates a broad interpretation of "damage."

National courts must nonetheless verify the damage claimed in light of the specific case and the individual affected.

This ruling should make it easier to obtain compensation for such damage by clarifying the admissibility of these claims.

This serves both as a reminder of, and an expansion to, the dual exposure data controllers face for negligence: a data breach can lead to fines from supervisory authorities as well as compensation claims in the civil courts.

Our IT Contracts, Data & Compliance Department is ready to assist with managing personal data in your business operations.

For inquiries, please feel free to reach out.