The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

Liability and damages in data breach cases (Natsionalna agentsia za prihotide (C-340/21) and Municipality of Ummendorf (C-456/22)):  ECJ data decisions are like busses…

19 December 2023

…you wait ages for one – and then two come along at the same time (14 December 2023).

In Natsionalna agentsia za prihotide, a Bulgarian agency involved in recovering public debts was the target of a cyber-attack, with 6 million data subjects affected and several hundred suing for compensation for non-material damage.  The European Court of Justice (‘ECJ’) dealt with five preliminary questions referred to it, most interestingly deciding that:

  • Unauthorised access by a third party to personal data did not automatically translate to a breach of the duty to have ‘appropriate’ technical and organisational measures in place, within the meaning of Articles 24 and 32 GDPR. The ECJ reiterated that what measures were ‘appropriate’ in each case depended on the risk which attached to the particular data—but liability is not strict and there is no expectation that risk of a breach will be eliminated altogether;
  • In assessing whether there had been a breach of duty, the court must review the substance of the security measures in a ‘concrete’ way, on the facts of that case. This is an assessment based on practical arrangements, not the processor’s/controller’s intentions (e.g. where intentions/policies are not properly implemented in practice);
  • In an action for damages, the controller has the burden of proving that its security measures are appropriate pursuant to Article 32 GDPR (in line with the ‘accountability’ principle). However, an expert report is not necessary for the controller to discharge that burden;
  • The sole fact that a third party caused the breach does not absolve the controller of liability to pay compensation, but it may be exempt from doing so if it can prove there is no causa link between any breach of duties and the damage suffered (i.e. the unauthorised access would have happened anyway);
  • Of significance to practitioners is the (rather unsurprising) conclusion that fear experienced by the subject due to possible future misuse of their personal data by third parties as a can, in itself, amount to ‘non-material damage’ and result in compensation. More helpful to organisations is the ECJ’s comment (at par. 85) that “the national court…must verify that that fear can be regarded as well founded, in the specific circumstances at issue and with regard to the data subject.” This provides welcome confirmation that it is appropriate to apply objective and evidence-led scrutiny to whether a subjective fear translates to recoverable damages for distress.

Municipality of Ummendorf involved a local authority’s erroneous upload on its website of unredacted names/addresses mentioned at a meeting. The error was rectified within a few days. The essential question for the ECJ is whether Article 82(1) of the GDPR must be interpreted as precluding national legislation or a national practice which sets a de minimis threshold in order to establish non-material damage. Back in May, the ECJ decided in Österreichische Post (C‑300/21) that, to show entitlement to compensation, it was “necessary” and (importantly) “sufficient” to satisfy  three conditions (i) the existence of ‘damage’ which was ‘suffered’ in Article 82 (1) (ii) infringement of GDPR and (iii) causal link between that damage and the infringement.

The ECJ in both Municipality of Ummendorf and Österreichische Post disparaged any national rule or practice imposing a “certain degree of seriousness” on that damage (i.e. a de minimis threshold). In the former case, the brevity of the period during which the subject was exposed to the damage (e.g. the local authority retaining the unredacted data on its website) was found not to provide a cut-off for damages. However, the ECJ added that “those persons must also demonstrate that they have actually suffered such damage, however minimal”, which differs from demonstrating the fact of the infringement itself.

With both these December judgments providing excellent stocking-fillers for those representing claimants, it remains to be seen what, if any, impact they have on the domestic de minimis doctrine confirmed by the UK Supreme Court in Lloyd v Google [2021] 3 WLR 1268. UK courts and tribunals are not bound by ECJ decisions made after 31 December 2020, but ECJ decisions may have persuasive value when applying legislation sourced from the EU. If continued application of de minimis in this jurisdiction effectively results in a lower level of protection to data subjects than in the EU, might this imperil the EU’s ‘adequacy decision’ in respect of the UK? The field is ripe for a test case on the de minimis issue after these ECJ developments. The author is currently awaiting judgment in one case where Österreichische Post was cited in response to a de minimis argument, so watch this space (but not until after the festive break).


Alex Ustych

Call 2010

Other articles in this edition

Loss for Moss

The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.

Visit the Information Law, Data Protection and AI area

Search The Data Brief

Portfolio Builder

Select the practice areas that you would like to download or add to the portfolio

Download    Add to portfolio   
Title Type CV Email

Remove All


Click here to share this shortlist.
(It will expire after 30 days.)