ECJ strengthens consumer rights after hacker attack on Bulgarian authority
- 12/18/2023
- Reading time 2 Minutes
On December 14, 2023, the European Court of Justice (ECJ) issued a groundbreaking decision that significantly expands consumer rights in the EU.
ECJ defines new criteria for non-material damage after hacker attacks
The judgment (case C-340/21) concerns a cyberattack in 2019 in which attackers obtained personal data held by a Bulgarian authority, the National Revenue Agency, on millions of people and published it on the internet. A large number of data subjects sued the authority under Article 82(1) of the GDPR for compensation for the non-material damage they claimed to have suffered through the fear that their data could be misused. The Bulgarian court referred to the ECJ the question of when a person whose personal data was published on the internet following a cyberattack is entitled to compensation for non-material damage. The ECJ ruled that the fear of possible misuse of one's personal data by third parties can, in itself, constitute non-material damage, provided the national court is satisfied that the fear is well founded in the specific circumstances. This makes it easier for those affected by data breaches to assert their claims in court.
Reversal of the burden of proof: companies must provide evidence that their security measures were appropriate
Another important aspect of the decision concerns the burden of proof in connection with cyberattacks. Companies and authorities whose systems have been hacked must now prove that the technical and organisational measures they had in place were appropriate within the meaning of Article 32 of the GDPR; the fact that a breach occurred is not in itself proof that the measures were inadequate, but the controller, not the data subject, has to demonstrate their adequacy. To escape liability under Article 82(3), the controller must additionally prove that it is "in no way responsible for the event giving rise to the damage", and a successful attack by a third party does not by itself establish that. What evidence suffices in practice remains open, since the Court left the concrete assessment to the national courts. Even with comprehensive and up-to-date technical controls, cyberattacks cannot be ruled out, because attackers frequently exploit human error, which no technical measure fully eliminates.
Consequences of the decision: Claim for damages much easier to enforce
With its decision, the ECJ has established clear criteria for civil liability under Article 82 of the GDPR for data protection breaches that result from cyberattacks. Companies and authorities are urgently advised to review their security measures and to document them, since risk assessments, access controls, monitoring and test results will be the evidence with which a controller has to discharge its burden of proof after an incident. The new case law increases the liability risk further at a time when cyberattacks continue to rise.