Request for Preliminary Rulings on Data Controllers Liability in Case of a Data Breach
In 2019 the personal data of nearly 6 million Bulgarian taxpayers (approx. 4.66 million living and 1.38 million deceased) processed by the Bulgarian National Revenue Agency (NRA) were exfiltrated and leaked following a hacker attack on the agency's systems. After the breach, the Bulgarian Personal Data Protection Commission imposed a sanction of BGN 5.1 million (approx. EUR 2.55 million), which the NRA is currently appealing. In addition, numerous affected citizens have filed claims for non-pecuniary damages against the NRA. So far, the national courts (acting as courts of first instance) have interpreted and applied the legislation inconsistently on every element of the controller's liability: the claims have been rejected as unfounded, or upheld in whole or in part.
Although the compensation claimed for non-pecuniary damages in each individual claim is very low (approx. between EUR 200 and EUR 500), the number of affected persons means that the NRA may ultimately have to pay a significant total amount in such compensation.
The Bulgarian Supreme Administrative Court has referred questions to the CJEU for a preliminary ruling in a specific administrative case: the appeal of an individual against the decision of a first instance administrative court which rejected as unfounded her claim for compensation of BGN 1000 (approx. EUR 500) for non-pecuniary damages suffered as a result of the unlawful inaction of the NRA as controller, namely its failure to fulfil to a sufficient degree its obligations under Art. 24 and Art. 32 of Regulation (EU) 2016/679. Pending the ruling of the CJEU, this request for a preliminary ruling has suspended all proceedings in such cases in Bulgaria.
The request for a preliminary ruling concerns the following questions:
1. “Can the provisions of Art. 24 and Art. 32 of Regulation (EU) 2016/679 be interpreted in the sense that it is sufficient that an unauthorised disclosure of or access to personal data within the meaning of Art. 4, item 12 of Regulation (EU) 2016/679 was performed by persons who are not employees of the controller's administration and are not under its control, in order to assume that the technical and organisational measures applied are not appropriate?
2. If the answer to the first question is negative, then what should be the subject and the scope of the judicial control for legality when checking whether the technical and organizational measures under Art. 32 of GDPR are appropriate?
3. If the answer to the first question is negative, can the principle of accountability in Art. 5, para. 2 and Art. 24, in conjunction with Recital 74 of Regulation (EU) 2016/679, be interpreted in the sense that, in claim proceedings under Art. 82, para. 1 of Regulation (EU) 2016/679, the controller bears the burden of proof as to whether the technical and organisational measures applied under Art. 32 of Regulation (EU) 2016/679 are appropriate? Can the appointment of a forensic expert be considered a necessary and sufficient means of proof to establish whether the technical and organisational measures applied by the controller are appropriate in a situation such as the present one, where the unauthorised access to and disclosure of personal data is the result of a "hacker attack"?
4. Can the provision of Art. 82, para. 3 of Regulation (EU) 2016/679 be interpreted in the sense that an unauthorised disclosure of or access to personal data within the meaning of Art. 4, item 12 of Regulation (EU) 2016/679, in this case by way of a "hacker attack" performed by persons who are not employees of the controller's administration and are not under its control, is an event for which the controller is not liable and constitutes grounds for discharge from liability?
5. Can the provisions of Art. 82, para. 1 and para. 2, in conjunction with Recitals 85 and 146 of the preamble to Regulation (EU) 2016/679, be interpreted in the sense that, in a case such as the present one, where the data breach consists of unauthorised access to and dissemination of personal data carried out through a "hacker attack", the anxiety, concerns and fears experienced by the data subject about possible future misuse of their personal data alone, without any such misuse and/or other harm to the data subject, fall within the broad meaning of the concept of non-pecuniary damage, and are there grounds for compensation?”
Article provided by: George Dimitrov and Desislava Krusteva (Dimitrov, Petrov & Co., Bulgaria)
Dr. Tobias Höllwarth (Managing Director INPLP)