ECJ judgment: compensation for anxiety and worry following data breach

The European Court of Justice (ECJ) delivered a landmark judgment on 14 December 2023 on compensation for non-material damage in the event of data breaches.

When a company is the victim of a hacking attack, it often has to spend a lot of money just to deal with the immediate consequences of the attack: business interruption, loss of reputation, correspondence with the data protection authority. But this is only the tip of the iceberg. Lurking in the shadows of the acute challenges is another risk that can be enormously costly: people whose data has been affected by the incident may have a claim for compensation. And that can be a very large number of people - several million in the case of the cyber-attack on a Bulgarian public authority that formed the basis of today's ECJ ruling.

In its judgment, the ECJ clarified the conditions under which such claims can be made. In particular, it decided whether a company could defend itself by claiming that it had taken precautions against hacking by having good IT security structures in place. It also explained whether an individual can claim compensation even if nothing has happened to their data and they only have anxieties, concerns and fears about possible misuse in the future.

Background

On 14 May 2021, the Supreme Administrative Court of Bulgaria referred several questions to the ECJ for a preliminary ruling on the interpretation of the conditions for a claim for compensation for non-material damage (Article 82(1) GDPR).

The request for a preliminary ruling was based on the following case: in 2019, media reports stated that a Bulgarian authority had been the victim of a cyber attack in which hackers had gained unauthorised access to various tax and social security data of millions of people. The data was then allegedly published on the internet. One of the individuals sued for damages, claiming that she had suffered anxiety, fear and worry about possible future misuse.

The Bulgarian court referred the following summarised questions to the ECJ for a preliminary ruling: (1) Can a company use the defence that it has taken appropriate technical and organisational measures, and how can a company prove that it has taken such measures? Can a company defend itself by claiming that it was in no way responsible for the data protection incident? (2) Do worries, anxieties and fears about possible future misuse also constitute non-material damage that can be compensated?

No claim if company has taken sufficient security measures

In its judgment, the ECJ emphasises that a claim for damages requires a breach of data protection rules. The mere fact that a third party gained unauthorised access to data does not automatically mean that the company can be accused of breaching the GDPR. However, in most cases, a company could be accused of having inadequate technical and organisational measures that made the hacking attack possible.

However, the ECJ allows companies to defend themselves by demonstrating that they have sufficient, up-to-date and appropriate security structures in place and are therefore in no way responsible for the consequences of the attack. The courts will then have to decide on a case-by-case basis whether the measures put in place by the company were sufficient. This can of course be a very complex and technically challenging question, which the courts can only answer with the help of experts.

Worries, fears and anxieties as non-material damage

The ECJ ruled that worries, anxieties and fears suffered by a data subject as a result of possible future misuse of the data could constitute non-material damage for which compensation must be paid. This decision has a very significant impact, as such anxieties, worries and fears are usually the first harm suffered by an individual, regardless of whether the data is actually misused at a later stage.

Given this, it is not surprising that many claimants base their claims for compensation on the fact that they have suffered such anxiety and fear. In German case law, it has so far been controversial whether these negative feelings in themselves constitute a compensable damage. The ECJ judgment therefore strengthens the legal position of claimants.

However, the ECJ also points out that the person concerned must have actually suffered these worries and anxieties and must be able to prove this. Yet law firms specialising in mass claims often simply use boilerplate to describe people's feelings. This may not be sufficient evidence. In particular, the expectation of high payouts that these firms often raise raises the suspicion that some people are also pursuing financial interests and have less need to be compensated for their negative feelings. As a result, it is likely that many cases will turn on how well claimants are able to present their negative feelings and how far the defending companies are able to challenge this.

Outlook

Until now, German case law on this issue has been very divergent. The ECJ ruling finally provides clear guidance on some key points. This means that the focus of litigation may increasingly shift from questions of law to questions of fact. While there are still many good arguments that can be used to defend claims for non-material damages, some legal questions remain open, such as the amount of compensation and other potential forms of damages.

Claims for non-material damages will be on the agenda of the ECJ and German courts for some time to come. We follow the case law of the German courts on our Noerr Damages Tracker.

We recommend that companies err on the side of caution and establish robust data protection governance structures, implement effective data subject rights management, and professionally assess and manage potential data protection incidents. Companies should therefore take a strategic approach to the challenges, opportunities and risks of Data Protection Litigation at an early stage. Our experienced team of recognised data protection and litigation experts are here to help.