Liability of Data Controllers for Cyber-Attacks

21 July 2023

In an era of increasingly frequent cyber-attacks on public bodies, James Kneale BL analyses whether a data controller can be held liable for these types of data breaches under GDPR.

On 15th July 2019, media reports revealed that the Bulgarian National Revenue Agency, a public body, had been the victim of a cyber-attack when hackers gained access to the Agency’s internal databases and published online the tax and social security details of over 6 million data subjects. On foot of this attack, hundreds of civil claims were instituted in the Bulgarian courts.

By James Kneale BL

Background

In VB v Natsionalna agentsia za prihodite, the Supreme Administrative Court of Bulgaria referred five questions to the CJEU querying, in essence, whether a data controller can be held liable for failing to comply with its obligations under Article 32 GDPR to ensure an appropriate level of security for personal data, in circumstances where a data breach is caused by a cyber-attack perpetrated by unknown third parties which was entirely outside of the control of the controller.

Advocate General Pitruzzella delivered his Opinion on 27th April 2023 which makes a number of points of practical relevance to data controllers, including when data security measures will be considered to be “appropriate” for the purpose of Article 32 GDPR, when the burden of proof might be reversed in data breach claims, and the nature of a controller’s liability under the GDPR.

When are data security measures “appropriate”?

Article 32 GDPR requires controllers to have in place “appropriate technical and organisational measures” to ensure security for personal data.

Helpfully, AG Pitruzzella confirmed that the occurrence of a personal data breach does not, in itself, mean that the security measures in place at the time of the breach are not “appropriate”. Rather, controllers benefit from a certain leeway in choosing appropriate measures.

However, this does not mean that the appropriateness of the data security measures taken is entirely a matter for the controller. AG Pitruzzella identified a number of considerations that will be relevant to a court’s assessment of whether the choice of security measures taken by a controller complies with Article 32, namely:

  • The GDPR does not prescribe a specific set of measures to be taken. Rather, the appropriateness of a given measure must be considered based on the evidence, including whether it is capable of reasonably preventing risk and minimising the negative effects of a data breach.
  • The controller can take into account the “state of the art” and the costs of implementation and is not required to take measures which go beyond what is reasonably possible.
  • The appropriateness of the measures depends on a balancing of the interests of data subjects in ensuring a high level of protection of their personal data, the economic interests of the controller and the controller’s own technical capacities.
  • The way in which the controller has applied the security measures in practice is relevant.
  • The obligation under Article 32 is an ongoing one and security measures must be re-examined and brought up to date continuously.
  • Data security measures are not only aimed at preventing data breaches but also at limiting their effects.

Reversal of the burden of proof

Under Article 82, any person who has suffered damage as a result of an infringement of the GDPR has the right to receive compensation from the controller for the damage suffered. Article 82 goes on to provide that a controller is exempt from liability if it “proves that it is not in any way responsible for the event giving rise to the damage”.

AG Pitruzzella confirmed that the individual bringing a data breach claim must establish (a) a breach of the GDPR on the part of the controller, (b) damage and (c) a causal link between the breach and the damage.

However, the requirement on the individual plaintiff to show that there has been a breach of the GDPR does not mean the plaintiff must demonstrate that the data security measures adopted by the controller are inappropriate having regard to Article 32. AG Pitruzzella recognised that it would be almost impossible, in practical terms, for an individual plaintiff to prove that the controller’s security measures are inadequate. Accordingly, the Advocate General considered it more logical that the controller should bear the burden of proof in showing compliance with Article 32.

Where a plaintiff has been successful in establishing the three elements of a data protection claim, AG Pitruzzella confirmed that Article 82 nevertheless may allow the controller to escape liability in circumstances where it is not “in any way” responsible for the event giving rise to the damage. In this regard, the controller is subject to a heightened burden of proof.

It follows that, when faced with a data breach claim under Article 82, where a plaintiff has been able to establish that a contravention of the GDPR has occurred causing them damage, the burden of proof shifts onto the controller to establish (a) that they have complied with their specific data security obligations under Article 32, or (b) that they were not in any way responsible for the data breach giving rise to the damage.

Strict liability?

Article 82 raises the perennial question of whether breach of GDPR is a strict liability tort. The Opinion makes a number of interesting comments regarding the nature of a controller’s liability under Article 82.

First, AG Pitruzzella confirmed that liability under the GDPR incorporates elements of “objective” or “strict” liability, on the basis of the intrinsic danger posed by the processing of personal data. However, he went on to note that liability under the GDPR cannot be described as “no-fault”, in that liability stems from a failure to adopt reasonable measures which are appropriate to prevent damage to the data subject, taking into account the risks for the affected data subjects. Accordingly, AG Pitruzzella appears to consider liability for data breaches to be hybrid in nature. It seems we are no nearer to a clear answer to the question of whether breach of GDPR is a tort of strict liability.

The views expressed above are the author’s own and do not reflect the views of The Bar of Ireland.
