ECJ ruling: Data leaks can lead to compensation

As of: December 14, 2023, 4:43 p.m.

The EU’s highest court has strengthened the rights of citizens against companies and authorities. If personal data is stolen during hacker attacks, those affected can claim compensation.

Hacker attacks on companies or authorities occur again and again, and they regularly affect the personal data of citizens stored there. So far, the only consequence has often been that these bodies informed the affected people about the data leak by letter or email.

This could change now. The European Court of Justice (ECJ) has made it clear in a new ruling: Even the fear of misuse of personal data can constitute damage that requires compensation.

Hacker attack on Bulgaria’s financial authority

The claim for damages is then directed against the “data controller”. This is the body that collected or processed the personal data. In other words, the claim is directed against the companies or authorities that have fallen victim to cybercrime.

The underlying case concerned a Bulgarian financial authority, the National Revenue Agency. It fell victim to a large-scale hacker attack in 2019. Personal data of millions of people was then published on the Internet. Many of the affected citizens sued the authority because of concerns that their data could be misused in the future.

Claim for non-material damage as well

In principle, under the European General Data Protection Regulation, those affected are entitled to compensation from the controller in the event of material or non-material damage following a data protection violation. The ECJ has now made it clear: The mere fear of future data misuse following a hacker attack can constitute such non-material damage.

In doing so, the EU’s highest court is strengthening the data protection rights of citizens. At the same time, it requires authorities and companies to pay greater attention to compliance with data protection standards.

Obligation to take appropriate protective measures

Data controllers can only avert this claim for damages if they themselves can prove that they have taken appropriate protective measures against cybercrime. So they are under an obligation.

In this context, the ECJ made it clear: The mere fact that a data leak occurred does not necessarily mean that the measures were unsuitable. The courts must therefore always assess this in the specific individual case.

Finn Hohen Schwert, SWR, tagesschau, December 14, 2023, 3:44 p.m.
