Compensation for moral damages suffered by a person whose personal data have been disclosed. Conditions to be met in the light of the Regulation (EU) 2016/679
Through this analysis, we intend to examine the conditions under which the data subject may claim compensation for non-material damage caused by the unlawful disclosure of his or her personal data, by reference to the provisions of Article 82 of Regulation (EU) 2016/679 and having regard to the conclusions of the Advocate General set out in Case C-340/21 – VB v Natsionalna agentsia za prihodite.
I. Data controller and processor – brief considerations on the concepts, roles, and responsibilities
The concepts of controller and processor have been established by the Directive 95/46/EC and remain essentially similar under the Regulation (EU) 2016/679, their definition being essential to determine the allocation of legal obligations under the Regulation to each.
In practice, due to the complexity and evolving nature of the business environment, there are situations where it is difficult to clearly determine the roles (i.e., controller/processor) that organizations assume towards each other, from the perspective of Regulation (EU) 2016/679, in the various contractual relationships concluded between them. Although the legal context may be relevant to the identification of the controller, the factual elements are decisive. Determining which party is a controller and which party is a processor is crucial to assigning the primary responsibility and liability of each towards data subjects in case of a breach of the GDPR.
According to Regulation (EU) 2016/679, a data controller is the natural or legal person, public authority, agency, or any other body that alone or jointly with others determines the purposes and means of the processing of personal data. In other words, the data controller is the main decision-maker regarding personal data and is primarily responsible for compliance with the Regulation. This responsibility includes, inter alia, providing information to the data subject, ensuring the processing has a legitimate basis and that the rights of the data subject are respected, carrying out data protection impact assessments in the case of high-risk processing, ensuring that there is adequate data security and determining whether it is necessary to notify data protection authorities or data subjects in the event of a personal data breach.
A processor, on the other hand, refers to the natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. While the processor has certain obligations under the Regulation (e.g., having an adequate security system and notifying data controllers in case of a data breach), it remains a subordinate entity, contractually obliged to process personal data only based on documented instructions from the controller, who retains the majority of responsibility under the Regulation.
As follows from the provisions of the Regulation (EU) 2016/679 stated above, an entity qualifies as a controller to the extent that it determines the purposes and means of processing.
However, in practice, there are situations in which the controller may delegate decisions on technical and organizational aspects of the processing to the processor, without changing the status of the parties under the Regulation. As long as the controller reserves the most important decisions regarding the purposes or means of processing, the processor can have a high degree of discretion in carrying out its duties. However, these obligations still fall under the notion of “how the data are processed.” If a processor violates the regulation by determining the purposes and means of processing, the processor is considered the controller for that processing, which can lead to potential liability for the activities carried out.
II. Liability of the controller/processor. The possibility for the data subject to seek compensation for non-material damage caused by the disclosure of personal data
II.1. Brief considerations on the liability of the controller/processor
The processor may be civilly liable (i) contractually towards the controller, for any breach of the contract concluded between them, and (ii) in tort, for material damage suffered by injured parties through the actions of the processor. In the latter situation, the processor is liable only if it has not complied with the obligations specifically incumbent on processors under Regulation (EU) 2016/679 or has acted outside or in contradiction with the controller’s lawful instructions. In contrast, the controller bears a higher degree of liability and may be liable even for the actions of the processor.
If a processor recruits another processor to carry out specific processing activities on behalf of the controller, the same data protection obligations set out in the contract or other legal act between the controller and the processor shall apply. If the second processor fails to comply with its data protection obligations, the original processor remains fully liable to the controller for the performance of those obligations.
Regarding the data controller, Article 24 of Regulation (EU) 2016/679 lays down in general terms the obligation for the controller to implement appropriate technical and organizational measures to ensure that the processing of personal data is in compliance with the Regulation and to be able to demonstrate this, while Article 32 requires the controller to take into account the “state of the art” – implying that the technological level of the measures to be implemented is limited to what is reasonably practicable at the time the measures are taken.
However, even if the measures are adequate at the time of implementation, they can be circumvented by cybercriminals using highly sophisticated tools. In this situation, questions arise regarding the liability of the controller, specifically whether the occurrence of a “personal data breach,” as defined in Article 4(12) of Regulation (EU) 2016/679, is sufficient to conclude that the technical and organizational measures implemented by the controller were not “adequate” to ensure data protection.
Analyzing this issue in reference to the Regulation (EU) 2016/679, in Case C-340/21, the Advocate General concluded that the mere existence of a “personal data breach” is not sufficient by itself to determine the inadequacy of the technical and organizational measures implemented by the controller for ensuring the protection of the data concerned. The Advocate General argued that it would be illogical to impose on the controller an obligation to prevent any breach of the security of personal data, regardless of the diligence shown in implementing security measures.
Furthermore, if a controller is the victim of a cyber-attack, the event that caused the damage may not be directly attributable to the controller. However, it is not excluded that the controller’s negligence may have facilitated the occurrence of the attack due to the lack or insufficiency of personal data security measures that the controller is obliged to implement. These aspects are factual assessments specific to each case, which are left to the national court seized, responsible for examining them based on the entirety of the evidence.
In any case, in an action for damages under Article 82 of Regulation (EU) 2016/679, the burden of proving the adequacy of technical and organizational measures, as defined in Article 32, lies with the controller of personal data.
The processor may also be held liable for a contravention if the supervisory authority sanctions the processor.
II.2. Compensation for moral damages suffered by a person whose personal data has been disclosed
First, it should be recalled that the concepts of “material or non-material damage” and “compensation for damage suffered” set out in Article 82 of Regulation (EU) 2016/679 are autonomous under European Union law and must therefore be uniformly interpreted in all Member States. Article 82 explicitly states that not only material damage but also non-material damage may give rise to a right to compensation and recital 146 of the Regulation also emphasizes the broad interpretation of the concept of damage. Thus, an action for damages may concern both material and non-material damage, without a gravity threshold being required for the right to compensation.
However, to claim compensation for the damage caused, the data subject must be able to prove the following conditions cumulatively: (i) the existence of “injury” or “damage” that has been “suffered,” (ii) the existence of a breach of Regulation (EU) 2016/679, and (iii) the existence of a causal link between the damage and the breach.
Secondly, regarding non-material damage, the question has arisen whether a right to compensation can arise based on mere concerns, anxieties, and fears felt by the data subject about possible future misuse of personal data, even if no actual misuse has been established, and/or the data subject has suffered no other damage.
The Advocate General’s conclusions in Case C-340/21 are relevant in this regard. According to them, although the case-law of the Court of Justice allows it to be argued that there is a principle of compensation for non-material damage in European Union law, it cannot be inferred that any non-material damage, however slight, can be compensated for. A distinction must be made between mere grievances that do not warrant damages and actual non-material damage that is compensable. The line between the two is fine, and national courts, responsible for drawing it on a case-by-case basis, should carefully assess all elements provided by the data subject seeking compensation. The burden of proving the existence of “actual non-material damage suffered” as a result of the personal data breach lies with the data subject, who must present concrete elements supporting the claim, even though there is no pre-established threshold of particular gravity.
In summary, damage consisting of the fear of possible future misuse of personal data, as established by the data subject, may constitute non-material damage giving rise to a right to compensation, provided that the data subject demonstrates that they have individually suffered real and certain emotional damage. The national court is responsible for verifying this in each individual case.
*
It should be noted that while the reasoning set out by the Advocate General in Case C-340/21 is persuasive, the final interpretation of the notion of “non-material damage” under Article 82 of Regulation (EU) 2016/679, as well as the analysis of the conditions for invoking it, is within the competence of the Court of Justice of the European Union. The CJEU may endorse or provide its own interpretation on these matters.
Laura Mihaila, Associate