I have recently highlighted the increasing issue of fake or manipulated invoices. More and more clients are encountering payment difficulties due to highly professional-looking fake invoices. Criminals typically alter the IBAN, presenting it as the legitimate account of the invoice issuer. As a result, funds are diverted to unauthorized third parties instead of reaching the intended recipient.
While I previously examined liability issues from a civil law perspective (Sections 280 et seq. of the German Civil Code), this article focuses on the evolving developments surrounding Art. 82 GDPR. This provision introduces new considerations for affected parties.
Fake Invoices and GDPR: New Liability Risks Under Art. 82 GDPR
Background: The Threat of Fake Invoices and Compromised Systems
Most cases observed follow a similar pattern. Criminals gain access to internal email communications or original invoices. Once this data is compromised, documents are copied or "replicated" to appear deceptively genuine. Only the bank details are replaced within these documents.
Consequently, individuals making a transfer often discover the fraud too late. By then, the payment amount has already reached the fraudsters, becoming irretrievable. This type of fraud highlights significant vulnerabilities in digital communication and payment processes.
While civil law claims under Section 280 BGB are conceivable, proving a breach of contractual duties by the invoicing party presents considerable challenges for victims. It is often difficult to determine if and when an IT security failure occurred on the sender's side.
This is where Art. 82 GDPR offers a new avenue. A growing trend in legal literature and case law suggests that victims can assert damage claims for data protection breaches, especially those involving compromised email systems.
Art. 82 GDPR as an Additional Basis for Claims
Art. 82 GDPR provides a right to compensation for anyone suffering material or non-material damage due to a breach of the General Data Protection Regulation. A key advantage of this provision is the significant shift in the burden of proof, as outlined in its third paragraph.
Standard of Liability and Reversal of the Burden of Proof
“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor.”
Art. 82 para. 3 GDPR further clarifies the decisive reversal of the burden of proof:
“The controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not responsible in any respect for the event giving rise to the damage.”
Under Section 280 BGB, the injured party typically bears the burden of proving that the other contracting party breached its duties. However, Art. 82 GDPR reverses this.
Now, the company potentially facing a claim must actively demonstrate and prove that it is not responsible for the data protection breach. This fundamental shift significantly impacts potential litigation.
Comparison with Claims under § 280 BGB
In the classic civil law framework, Section 280 BGB serves as the basis for damage claims due to breaches of duty. Here, the claimant carries the entire burden of proof for all elements of liability, including breach of duty, fault, and actual damage.
Conversely, invoking Art. 82 GDPR requires the claimant to generally assert a GDPR breach. However, once there are indications of personal data misuse—such as email addresses, account details, or communication content—the controller must prove compliance with Art. 32 GDPR. This means demonstrating that all necessary technical and organizational measures were in place.
Practical Example: If a forged invoice is proven to originate from compromised email traffic, a strong presumption arises that the sender's system was indeed compromised. The sender then bears the burden of providing complete evidence that their IT system was not compromised. Without such proof, a claim under Art. 82 GDPR is likely to succeed.
Practical Relevance for Victims of Counterfeit Invoices
In my professional experience, clients are often surprised by the opportunities Art. 82 GDPR presents. A frequent question is: "Is there truly a breach of data protection law if only the IBAN has been altered?"
My observations indicate that fake invoices typically involve more than just an IBAN change. Personal data such as names, addresses, invoice content, employee details, or internal company information are often misused. As soon as this data falls into unauthorized hands, a GDPR violation becomes apparent.
Advantage for those affected: The resulting damages can be both financial and non-material. Non-material damages, for instance, might stem from the annoyance, stress, and time spent resolving the issue. German courts are increasingly inclined to award non-material damages for noticeable impairments, even in cases of relatively minor data protection breaches (e.g., LAG Baden-Württemberg, judgment of 21.08.2019 – 10 Sa 52/18).
While most published rulings do not explicitly address forged invoices, principles from general data protection breach decisions apply. These include cases of inadequate data security or unauthorized data disclosure. Thus, compromised email communication can fall under Art. 82 GDPR.
Furthermore, the jurisprudence of the European Court of Justice (ECJ) reinforces this view. The "Schrems II" ruling (C-311/18), for example, underscores the high priority of personal data protection. Although this case primarily concerned data transfers to third countries, it fundamentally demonstrates the strict approach courts now take towards data protection violations.
Sender's Responsibility and Recommended Measures
I frequently observe companies neglecting IT security, whether due to ignorance or cost-cutting. However, Art. 5 para. 1 lit. f GDPR and Art. 32 GDPR mandate the protection of personal data through appropriate technical and organizational measures (TOM).
These essential measures include:
- Secure Email Communication: Implement encryption (e.g., S/MIME), unique signatures, and robust spam filters.
- Up-to-Date Systems: Ensure firewalls, comprehensive virus protection, and regular updates to close known security vulnerabilities.
- Strict Access Rights: Establish clear assignment of authorizations within the company and thorough logging of all access attempts.
- Employee Training: Conduct regular training to raise employee awareness regarding phishing, social engineering, and suspicious attachments.
- Proactive Monitoring: Continuously monitor for anomalies, such as unusual changes to bank details or atypical login attempts.
Companies failing to implement these measures risk civil law liability under Art. 82 GDPR. This is in addition to potential fines from supervisory authorities under Art. 83 GDPR. Ensuring robust cybersecurity is therefore crucial.
Significance for Companies and Possible Defense Strategies
The reversal of the burden of proof under Art. 82 GDPR is a primary reason for its growing importance. Any controller held liable must provide detailed and comprehensible evidence demonstrating they are not at fault for the data breach.
Effective defense strategies include:
- Seamless documentation of all data security measures and associated controls.
- Presenting a clear organizational structure for the protection of personal data.
- Utilizing external certifications (e.g., ISO 27001) to substantiate a high level of security.
- In cases of third-party negligence, providing evidence that the compromise occurred exclusively outside the company's sphere. This could involve errors in the recipient system or inadequate protection on their side.
Such a defense, however, typically necessitates extensive IT forensic investigations and meticulous documentation. Often, clients only seek legal advice after the damage has occurred, complicating a thorough review of the events. This underscores the importance of proactive GDPR compliance.
Conclusion and Outlook
The application of damage claims under Art. 82 GDPR to cases involving manipulated invoices offers significant benefits for affected parties. The reversal of the burden of proof is crucial. It ensures that victims no longer need to prove precisely how and when IT systems were compromised. Instead, the sender of a potentially forged invoice must actively demonstrate the absence of a GDPR breach.
Recent case law, both nationally (e.g., LAG Baden-Württemberg, judgment of 21.08.2019 – 10 Sa 52/18) and from the ECJ ("Schrems II"), underscores the high level of protection provided by the GDPR. While no supreme court decisions in Germany explicitly address fake invoices under Art. 82 GDPR yet, the general principles of data protection law clearly apply.
Therefore, I strongly advise all companies to thoroughly secure invoice sending and related communication channels. Special vigilance is required when payment information changes. Customers should also remain alert, consulting their bank for unusual IBAN requests and always double-checking bank details.
For those who have already suffered financial losses, exploring GDPR compensation alongside contractual and tort claims is highly recommended. This often creates a significantly improved negotiating position, leading to more realistic prospects of recovering damages from the responsible controller. Proactive steps in data protection are vital for all organizations.