Data Breaches Not Excused by Employee Error
In case C-741/21 (JURIS), the Court of Justice of the European Union recently answered important questions regarding liability for data breaches, the assessment of damages and the influence of human error on liability. The decision confirms and builds on recent case law. Nevertheless, the decision provides an opportunity to clarify the understanding of immaterial damage and the requirements for proving such damage and the liability of those responsible.
The questions referred
Question 1: Requirements for non-material damage in the event of a GDPR breach
Question: The referring court asked whether a breach of provisions of the GDPR which favour the data subject is sufficient to give rise to a claim for "non-material damages" within the meaning of Art. 82(1) GDPR.
The Court's answer: A breach of the GDPR alone is not sufficient to give rise to a claim for non-material damage. Rather, three cumulative conditions must be met:
- the breach of the GDPR
- the existence of damage, and
- a causal link between the breach and the damage.
These conditions have already been clarified by the ECJ (e.g. in the judgment of 25 January 2024, MediaMarktSaturn, C-687/21, EU:C:2024:72, para. 58). The injured party must therefore prove that it has suffered non-pecuniary damage as a result of the infringement, without this damage having to reach a certain level of severity. Thus, it is again emphasised that there is no de minimis threshold for claims for damages under the GDPR. This is a significant difference from claims under German national law, where non-pecuniary damages are regularly awarded only if a de minimis threshold is exceeded.
Question 2: Exclusion of liability for human error
Question: The referring court asked whether liability for damages under Art. 82(3) GDPR is excluded where the breach is attributable to human error on the part of a person subordinate to the controller.
The Court's answer: The controller cannot exempt itself from liability by pointing to the misconduct of a person under its authority. On the contrary, the controller must prove that it is not itself responsible for the damage. A mere reference to the human error of a subordinate is not sufficient to avoid liability. At most, the controller could argue that the person acting was acting outside the scope of their duties and on their own account, although this was not addressed in the present case (see judgment of 5 December 2023, Deutsche Wohnen, C-807/21, EU:C:2023:950, para. 44).
This is because the controller is obliged under Articles 24 and 32 GDPR to train and instruct its employees in such a way that personal data is adequately protected (see judgment of 25 January 2024, MediaMarktSaturn, C-687/21, EU:C:2024:72, para. 58). An error by employees, such as the disclosure of sensitive data to unauthorised persons, may therefore be an indication of inadequate security measures that the controller should have taken pursuant to Art. 24 and 32 GDPR. The controller must therefore prove that it was not negligent and that there were no organisational deficiencies. The decision is based on the fact that the controller, and not the data subject, bears the burden of proof for compliance with the GDPR (see judgment of 21 December 2023, Krankenversicherung Nordrhein, C-667/21, EU:C:2023:1022, paras. 92-94).
Questions 3 and 4: Assessment of damages and taking into account multiple infringements
Question: The national court asked whether the criteria for the assessment of fines (Article 83 GDPR) may also be used for the assessment of damages (Article 82(1) GDPR) and whether several infringements of the GDPR should be sanctioned with a cumulative total of damages.
The Court's answer: The criteria for the assessment of fines set out in Art. 83 GDPR cannot be used for the assessment of damages under Art. 82 GDPR. The two provisions have different objectives. Art. 82 GDPR does not provide for punitive damages, but serves exclusively to provide financial compensation for the damage suffered (judgment of 21 December 2023, Krankenversicherung Nordrhein, C-667/21, EU:C:2023:1022, para. 86). Accordingly, the severity of the breach of the GDPR is not to be taken into account in the assessment of damages.
Confirmation and clarification: the impact of recent court rulings on the GDPR
The decision confirms a number of CJEU rulings on damages under Art. 82 GDPR (see judgment of 14 December 2023, Gemeinde Ummendorf, C-456/22, EU:C:2023:988, para. 21 and the decisions cited therein). These judgments did not contain any major surprises, but confirmed and consolidated previous case law.
The clarifications contained in the decision are to be welcomed. It is positive that the Court emphasises that the standards for the assessment of fines under Art. 83 GDPR do not apply to claims for damages. While fines have a repressive, sanctioning character, damages serve only to compensate for actual losses. The competent court must therefore examine each individual case, and when assessing damages it is the actual loss suffered that counts. This is not only important for individual compensation. In practice, it could also mean that claims for damages under the GDPR cannot be the subject of collective redress proceedings under the German Consumer Rights Enforcement Act (VDuG), because such proceedings presuppose that the claims are of a similar nature (Section 15 VDuG). It is also important that the amounts of compensation are not simply added together: the actual damage suffered is compensated, regardless of how many individual violations of the GDPR may have occurred.
As a result, this decision strengthens the compensatory function of the rules on damages and ensures that the compensation corresponds to the damage actually suffered by the data subject.
It also reiterates that instructions to employees alone are not sufficient to exempt the controller from liability. It is therefore important to ensure that data breaches are avoided as far as possible through the careful selection and implementation of technical and organisational measures.