Advocate General says that unlawful access to personal data by third parties leads to liability for presumed fault on the part of the controller

May 2, 2023

The Advocate General has issued his opinion in Case C-340/21 | Natsionalna agentsia za prihodite.

In 2019, there was unauthorised access to the information system of the Bulgarian National Revenue Agency (NAP), and various items of tax and social security information regarding millions of people were published on the internet. VB brought proceedings against the NAP for compensation for non-material damage in the form of worry and fear that their personal data would be misused in the future. VB argued that the NAP had infringed national rules, as well as its obligation as controller to process personal data in a manner that ensures appropriate security. The Bulgarian courts referred the case to the Court of Justice of the EU.

Advocate General Giovanni Pitruzzella said that the data controller must implement appropriate technical and organisational measures to ensure that processing of personal data is performed in compliance with the GDPR. Whether such measures are ‘appropriate’ will depend on the nature, scope, context and purposes of processing as well as the likelihood and severity of the risks for rights and freedoms of natural persons. This will be assessed on a case-by-case basis.

Firstly, the Advocate General said that a “personal data breach” is not sufficient in itself to conclude that the technical and organisational measures implemented by the controller were not appropriate to ensure data protection. When choosing measures, the controller must consider several factors, including the ‘state of the art’, which limits the technological level of measures to be implemented to what is reasonably possible at the time of implementation, and the implementation costs. The controller’s decision is subject to possible judicial review of compliance. The court’s assessment of the appropriateness of those measures must be based on a balancing exercise between the interests of the data subject and the economic interests and technological capacity of the controller, in compliance with the general principle of proportionality.

Secondly, the Advocate General stated that, when verifying whether the measures are appropriate, the national court’s review must extend to a specific analysis of the measures and how they were applied, as well as their practical effects. The court must consider all the factors set out in the GDPR, which may include the adoption of codes of conduct or certification systems.

Thirdly, the Advocate General stated that the burden of proving that the measures are appropriate is on the controller. It is for the member state to decide what methods of proof will be considered.

Fourthly, the fact that the infringement was committed by a third party does not in itself constitute a ground for exempting the controller. To avoid liability, the controller must demonstrate, to a high standard of proof, that it is not in any way responsible for the event giving rise to the damage.

Lastly, the Advocate General said that detriment consisting in the fear of a potential misuse of one’s personal data in the future, the existence of which the data subject has demonstrated, may constitute non-material damage giving rise to a right to compensation, provided that it constitutes actual and certain emotional damage and not simply trouble and inconvenience.