In December 2023, the CJEU delivered two important decisions which supplement a growing body of jurisprudence on the issuance of administrative fines and claims for non-material damages.  

In Deutsche Wohnen C-807/21, the CJEU delivered effective guidance on the need to establish wrongdoing by a controller in order to impose a fine, while in Natsionalna agentsia za prihodite C-340/21, the CJEU has weighed in on the adequacy of a controller’s security measures and their exposure to claims for damages as a result.

Deutsche Wohnen

Background

On 5 December 2023, the CJEU delivered a judgment on the culpability of data controllers and the administration of fines by a supervisory authority for infringing the GDPR.

In this case, Deutsche Wohen, a German listed real estate company was fined by the Berlin Data Protection Authority approximately €14.5 million for the “intentional infringement” of the GDPR. The primary issue was Deutsche Wohen’s failure to delete personal data belonging to tenants when no longer necessary.

Deutsche Wohen brought an action against that decision which led to two fundamental questions being referred to the CJEU:

1. To address a complex faceoff between German law and the GDPR on the liability of undertakings, the CJEU was asked whether an administrative fine can be issued under Article 83 GDPR against an undertaking without that infringement being first attributed to identified natural person (e.g., member of bodies or represent of the concerned undertaking)?
   
2. The CJEU was asked whether an undertaking must have intentionally or negligently committed an infringement of the GDPR, or was the objective fact of the infringement suffice to impose a fine (i.e., is the undertaking strictly liable for the infringement)?

Key findings

Perhaps not surprisingly, in answering the first question, the CJEU held that the obligations and provisions of the GDPR do not permit the inference by Member States that the imposition of an administrative fine on a legal person as a controller is subject to a previous finding that that infringement was committed by an identified natural person.

In answering the second question the CJEU has provided some clear and direct guidance:

• A function of administrative fines is to incentivise compliance with the GDPR. However, to do so, they do not need to be imposed in the absence of any wrongdoing.
  
• Only infringements committed wrongfully (intentionally or negligently) can result in culpability and lead to a fine being imposed.
  
• Nothing in the GDPR allows for Member States to deviate from this requirement and to effectively establish a strict liability regime.
  
• Ignorance of an infringement is no defence.
  
• It is not necessary to establish that a member of management acted intentionally, negligently, or was even aware of the infringement.
  
• The concept of an undertaking is derived from EU competition law and that when a supervisory authority is calculating a fine to be imposed, they must do so on the basis of the percentage of the total worldwide annual turnover of the undertaking (group) in the preceding business year.

Natsionalna agentsia za prihodite

Background

On 14 December 2023, the CJEU delivered an important judgment on the conditions necessary to award compensation for non-material damage suffered by data subjects following a cyberattack.

The Bulgarian National Revenue Agency (NAP) is an authority attached to the Bulgarian Minister for Finance. Its function is to identify, secure and recover public debts. On 15 July 2019, it was revealed that a cyberattack had taken place on the NAP’s IT system leading to the unlawful dissemination of personal data of more than six million individuals, including both Bulgarians and foreigners.

A case was brought by an affected data subject against the NAP before the Bulgarian Administrative Court, seeking an order for compensation under Article 82 GDPR for the non-material damage suffered as a result of the fear that the data subject’s personal data may be misused in the future.

The case was referred to the CJEU by the Bulgarian Supreme Administrative Court seeking clarification on whether a person’s fear that their data may be misused in the future following unauthorised access due to a cyberattack amounts to non-material damage under Article 82 GDPR.

Key findings

• The CJEU confirmed that such fear can constitute non-material damage under the GDPR. However, a national court must satisfy itself that the fear is genuine and well founded, having regard to the specific circumstances of the infringement and of the data subject.
  
• The following factors were persuasive:
  
  • Article 82(1) GDPR establishes the right to compensation from the controller for the (non-material) damages.
  • The right of compensation requires three cumulative conditions to be met: (i) damage which has been suffered; (ii) an infringement of the GDPR; and (iii) a causal link between the damage and the infringement (as set out in the Austrian Post decision).
  • Once an infringement has been established, Article 82 GDPR cannot be interpreted as distinguishing between a scenario where the non-material damage suffered stems from actual misuse of personal data compared to where the damage stems from the fear over potential future misuse. In other words, the concept of non-material damage encompasses both.

Conclusion / implications

The Deutche Wohnen judgment is significant in that it develops the concept of culpability and wrongdoing and has thankfully provided long overdue clarity on whether Article 83 GDPR imposes a strict liability regime. The CJEU said that it does not.

Whereas from the NAP judgment, controllers must take account of not only the exposure to damages claims for tangible harm suffered due to a cyberattack but also the psychological distress that can be suffered from the fear of the misuse of compromised personal data. This case reifies the expression “better safe than sorry”. It elucidates the importance of having robust and state of the art technical and organisational measures in place. Controllers should consider both in tandem as controller exposure for infringing the GDPR can take form in both a fine imposed by a supervisory authority and an award for damages by a national court.

The two judgements, along with several other key CJEU decisions issued recently,[1] are a continuation of the CJEU beginning to impose its reach on controllers under the GDPR. The trickle up affect from the decisions of supervisory authorities and national courts to the CJEU is starting to bear fruit and over the course of 2024 we can expect a number of further important decisions from the CJEU on fundamental data protection issues.

[1] See for example, the Schufa case (C-634/21) and its impact on automated decision-making processes and the CJEU’s landmark decision in Meta vs Bundeskartellamt (C-252/21), where the CJEU imposed strict limitations on the use of the lawful bases of contractual necessity, legitimate interests and consent.