Authors

Dr. Benedikt Kohn, CIPP/E

Senior Associate

Carla Nelles, LL.M. (Amsterdam)

Associate

Alexander Schmalenberger, LL.B.

Knowledge Lawyer

14 December 2023

ECJ consolidates GDPR principles: Clarification on liability and damages

  • Briefing

Analysis of the ECJ rulings in the proceedings Natsionalna agentsia za prihodite (C-340/21) and Municipality of Ummendorf (C-456/22) of 14 December 2023


Overview

Cases C-340/21 and C-456/22 of the European Court of Justice (ECJ) provide important clarifications in data protection law under the General Data Protection Regulation (GDPR). The focus is on liability for data breaches and the recognition of non-material damage. Judgment C-340/21 clarifies that a data breach alone is not sufficient to establish the inadequacy of a data processor's security measures. The ECJ emphasises that courts must carry out a concrete assessment of the security measures. C-456/22 strengthens the right to compensation for non-material damage by ruling out the application of a de minimis threshold for such damage. Both judgments have far-reaching implications for the practice of data processing in the EU (European Union) and underline the need for effective data protection management. 


Briefly 

C-340/21 - Evaluation of security measures 

  • Adequacy test: The ECJ clarifies that courts must carry out a concrete assessment of the security measures taken by data processors. A data breach alone does not establish that these measures were inappropriate. 
  • Burden of proof: The burden of proof for the adequacy of the security measures lies with the data processor. 
  • Liability for breaches by third parties: Data processors can be held liable if unauthorised access to personal data is made by third parties, unless the processor can prove that it is not responsible. 
  • Non-material damage: The fear that personal data may be misused can in itself be recognised as non-material damage. 

C-456/22 - No de minimis limit for non-material damage 

  • Exclusion of a de minimis limit: Art. 82 para. 1 GDPR excludes the application of a de minimis limit for non-material damage. This strengthens the right to compensation for data subjects. 
  • Duty of proof: Data subjects must nevertheless prove that the breach of the GDPR has caused non-material damage. 
  • Cumulative requirements: A claim for damages requires the existence of damage, a breach of the GDPR and a causal link. 

Effects and implications

These judgements emphasise the importance of a careful and specific assessment of data protection measures and increase the liability risks of data processors in the event of data breaches. By excluding a de minimis limit for non-material damage, the ECJ confirms the right to compensation even for minor non-material damage. 

  • For companies: The judgements call on companies to rethink their data protection strategies and ensure that effective security measures are implemented and regularly reviewed. This also includes precise documentation and willingness to prove the suitability of these measures. 
  • Legal implications: The decisions could lead to stricter practices in the assessment of data breaches and an increase in lawsuits for non-material damages. 
  • Training and awareness: Organisations need to invest in training their employees to raise awareness of data protection and the risks of data breaches. 

Classification 

Judgements C-340/21 and C-456/22 build on existing case law and provide important clarifications. Compared to previous rulings, they emphasise the need for a concrete and individual assessment of security measures and the responsibility of data processors. The exclusion of a de minimis threshold for non-material damage marks a clear development in EU case law that further strengthens the rights of data subjects in the event of data breaches. This shows a trend towards stricter liability rules and a more comprehensive recognition of damages in the context of the GDPR. 


Forecast and recommendations  

  • Legal adjustments and compliance: Companies should review and adapt their data protection policies and procedures to ensure compliance with the latest legal requirements. 
  • Risk management and insurance: It is advisable to strengthen risk management and review insurance policies to cover potential liability risks. 
  • Proactive measures: The introduction of proactive measures to minimize risk and improve the security of personal data is becoming increasingly important. 
  • Continuous monitoring and adaptation: In view of the evolving legal situation and technological developments, companies should continuously monitor and adapt their data protection strategies. 

These judgements signal an increased legal responsibility and greater sensitivity to data protection in the EU and are likely to have a significant impact on data processing and security practices as well as data protection case law. 
