EU Court of Justice Confirms GDPR Security Measures Can Be “Appropriate” Even If Not Foolproof

On December 14, 2023, the EU Court of Justice (“CJEU”) issued its first ever ruling on the scope of data security requirements under the GDPR. In VB v. NAP, the CJEU held that an organization is not liable for a security breach unless it failed to implement appropriate security measures. The mere occurrence of a data breach is not on its own a GDPR violation, unless the absence of appropriate security controls caused or contributed to the breach. The CJEU also held that in order to be eligible for compensation following a breach, data subjects must show that they suffered specific harms as a result of the breach. A data subject’s fear of potential data misuse may count as sufficient damages, but only if the fear is well-founded and demonstrable.

What Happened?

In 2019, the Bulgarian National Revenue Agency (“NAP”) suffered a cyber attack affecting the personal data of more than six million individuals. Media outlets reported that the breach exposed tax and social security information.

VB, an individual affected by the breach, brought a claim against NAP seeking approximately 500 Euros in compensation for the breach. VB argued that she was entitled to compensation for “non-material damages” due to her fear that the public release of her personal data could potentially result in future misuse. However, there was no evidence that anyone had accessed or misused VB’s personal data, and VB put forward no evidence to support her claim of damages.

In its defense, NAP argued, first, that VB had failed to prove that NAP’s security controls were “inappropriate.” Second, NAP argued that a third-party threat actor – not NAP – was responsible for the attack. And, third, NAP argued that VB’s fear of potential misuse was not the type of non-material damage that required compensation under the GDPR. The trial court sided with NAP and dismissed the claim. On appeal, the Bulgarian Supreme Administrative Court referred several questions of law to the CJEU.

What Did the CJEU Decide?

In analyzing the GDPR’s security requirements (Art. 24 and 32) and provisions governing liability (Art. 82), the CJEU held:

  1. The occurrence of a data breach is not, on its own, sufficient evidence that the organization’s security controls were inappropriate; the court hearing the claim must assess the controls concretely. The burden of proving that the controls were appropriate rests with the organization (the controller), not with the data subject.
  2. An organization can be held liable for a breach caused by a third-party threat actor, but only if the organization contributed to the breach by failing to implement appropriate security controls.
  3. The GDPR’s security standard is not one-size-fits-all. What constitutes “appropriate” controls depends on the nature, scope and context of the data processing, and the specific risks to individuals.
  4. Individuals can recover for non-material damages – including for fear of potential misuse – but only if they can prove the scope of the harm they experienced and that the fear is well-founded.

What Does This Decision Mean for Companies?

While the VB decision is the first CJEU case to address liability for data breaches under the GDPR, the court’s holdings are consistent with rulings by national courts. The decision emphasizes several key principles that are relevant for companies subject to the GDPR.

First, the occurrence of a data breach is not, on its own, a violation of GDPR. Organizations must take “appropriate” measures to prevent breaches. They do not have strict liability for all data breaches if they took such appropriate measures.

Second, an organization is liable for a breach only if its failure to implement appropriate security controls caused or contributed to the breach. Organizations are not liable if they designed their controls reasonably under the circumstances. This finding has important implications for data processing involving multiple parties, as it suggests that a party will not be jointly and severally liable for the conduct of another party “involved” in processing personal data if that party was not ultimately “responsible” for the breach due to any of its own acts or omissions. Clearly allocating data protection responsibilities in commercial contracts can help parties to limit the scope of their risk.

Third, to demonstrate that security measures are “appropriate,” organizations must document how their security measures address the specific risks for data subjects in light of the nature and scope of personal data the organization holds. This will require more specificity than is common in a standard information security risk assessment. Rather than evaluating only the potential vulnerabilities and risks of intrusion, security risk assessments should also consider the consequences of a breach for data subjects and address how security controls are reasonable and appropriate in light of those risks.

Fourth, data subjects claiming compensation must prove that they have suffered harm. VB confirms and reinforces the CJEU’s Österreichische Post decision, which found that data subjects must demonstrate specific harm to claim compensation. The harm can take the form of ‘non-material damage.’ Fear of potential data misuse can be a non-material damage, but the claimant must prove, using objective factors, that he or she actually experienced that harm. Given that data subjects will need demonstrable facts to show damages that are eligible for compensation, the CJEU’s ruling may help deter some of the serial litigants that have targeted trivial instances of GDPR non-compliance in recent years.

Data breach cases are continuing to work through national courts in the EU, which will provide the CJEU additional opportunities to shape important data security concepts under the GDPR.