AG provides opinion on presumed fault of the controller in case of data breach
In his Opinion of 27th April 2023 (C 340/21), the Advocate General of the European Court of Justice (ECJ) examined the interpretation of the civil non-material right to damages in accordance with Article 82 (1) GDPR as well as the disclosure obligations and duty of care concerning technical and organisational measures under Articles 24, 32 GDPR in regards to a Bulgarian request for a preliminary ruling.
The Advocate General has asserted that the occurrence of a personal data breach does not, in itself, serve to indicate that the technical and organisational measures implemented by the controller were inadequate for data protection. Rather, a comprehensive assessment must be performed to weigh up the interests of the data subject against the economic interests and technological capabilities of the controller, all in accordance with the principle of proportionality.
It is thus incumbent upon the national court to conduct a thorough review, which comprises an examination of the content, application, and outcomes of such measures. The burden of establishing that these measures are appropriate ultimately lies with the controller.
If demonstrable evidence exists attesting to the probability of any future misuse of one’s personal information, it can constitute non-material damage giving rise to a right of remuneration so long as it substantiates actual, tangible distress and not merely inconvenience or unease.
Source: Europe: Opinion of the Advocate General on presumed fault of the controller in case of unlawful third-party access to personal data – Privacy Matters