Update | Moral damage and data breach: the recent judgement of the European Court of Justice
Moral damage and data breach: the European Court of Justice (ECJ) has ruled on the interpretation of certain articles of the European Regulation on data protection (“GDPR”) to define the conditions for compensating damages to an individual whose personal data, held by a public agency, were published on the Internet following a hacker attack.
Specifically, the Court has established that:
- in the event of unauthorized disclosure or unauthorized access to personal data (such as in cases of attacks by cybercriminals), judges must examine the adequacy of security measures concretely, without automatically assuming that they were inadequate under Articles 24 and 32 of the GDPR;
- the burden of proving the adequacy of the measures falls on the data controller, and resorting to judicial appraisal cannot systematically constitute a necessary and sufficient means of proof;
- the data controller may be liable to compensate for damages suffered by individuals, even in cases where the act was committed by cybercriminals, unless they can prove that the damage is not attributable to them;
- the fear of potential future misuse of the data by third parties can in itself constitute moral harm that gives rise to a right to compensation.
To read the whole Italian verdict, click here.
The case arises from media reporting that the Bulgarian National Revenue Agency (NRA), responsible for safeguarding and recovering debts, was subject to a hacker attack resulting in the online publication of personal data of over six million individuals, both Bulgarian and foreign nationals.
Following the event, numerous individuals sued the NRA for compensation for moral damages, and among them, one individual claimed damages for an amount just over €500 (in local currency, 1000 BGN).