ECJ rulings strengthen data protection: important clarifications on liability and compensation for damages

The recent decisions of the European Court of Justice (ECJ) in the cases Natsionalna agentsia za prihotide (C-340/21) and Gemeinde Ummendorf (C-456/22) set new standards in data protection law under the General Data Protection Regulation (GDPR). These rulings provide significant clarification with regard to liability issues in the event of data protection breaches and the recognition of immaterial damages.

Liability and safety measures

Judgment C-340/21 focuses on the issue of liability for data breaches, a topic of great importance in today’s digital landscape. In this ruling, the European Court of Justice (ECJ) clarifies that a data breach alone does not automatically imply that a data processor’s security measures are inadequate. This finding is of crucial importance as it underlines the need for a differentiated approach in cases of data breaches.

Courts are now required to carry out a concrete assessment of the security measures implemented by data processors. This means that not every data breach automatically entails liability on the part of the data processor. Rather, the courts must examine whether the measures taken were appropriate, taking into account all relevant circumstances. In this context, the burden of proof for the adequacy of the security measures lies with the data processor. The latter must be able to demonstrate that it has taken all necessary and reasonable steps to ensure the security of the personal data processed.

Furthermore, the ECJ has clarified that a data processor can be held liable if unauthorized access to personal data is gained by third parties. This is particularly relevant in cases of cyberattacks or data leaks where external actors penetrate the data systems. In such situations, however, the data processor can avoid liability if it can prove that it is not responsible in any way for the damage caused. This presupposes that the data processor has taken appropriate technical and organizational measures to prevent such incidents.

This ruling has far-reaching implications for the practice of data processing and data protection management in companies. It emphasizes the importance of a careful and proactive approach to data protection and data security in order to prevent potential liability risks. Companies must therefore continuously review and adapt their data protection strategies in order to meet the constantly changing requirements and threats.

The fact that the liability of companies now also depends on the security measures implemented in advance could massively change the work of data protection lawyers and data protection officers. These professionals are now faced with the challenge of not only ensuring compliance with data protection regulations, but also proactively developing and implementing risk management strategies that meet the latest legal requirements. This requires in-depth knowledge of the technical and organizational aspects of data protection and constant adaptation to the evolving legal situation.

Recognition of immaterial damages

The judgment C-456/22 of the European Court of Justice (ECJ) marks a significant step forward in the area of data protection law, in particular with regard to the right to compensation for non-material damage. This ruling rules out the application of a de minimis limit for immaterial damages. This is a significant development as it means that even minor non-material damage resulting from data breaches can be recognized and compensated.

This decision of the ECJ expands the understanding of damage in the context of the GDPR. It recognizes that the fear of misuse of personal data, even if no actual misuse has taken place, can constitute immaterial damage. This reflects the growing recognition of the psychological and emotional impact that data breaches can have on individuals. The fear of identity theft, fraud or loss of privacy can have a significant impact on the well-being of the people concerned.

Furthermore, the ruling underlines the importance of protecting personal data and strengthens the rights of individuals in the digital age. It sends a clear signal to companies and organizations that they can be held liable not only for material damage, but also for immaterial damage caused by their data processing activities. This increases the pressure on companies to implement effective data protection measures and to take user privacy seriously.

In practice, this means that data protection violations can not only have financial consequences, but can also lead to claims for compensation for non-material damage. This requires a careful assessment of the risks and potential impact of data breaches, both from a legal and ethical perspective. Companies and organizations must therefore rethink their data protection practices and ensure that they not only comply with legal requirements, but also protect the rights and well-being of data subjects.

Implications and conclusion

The rulings of the European Court of Justice in cases C-340/21 and C-456/22 have far-reaching implications that go beyond the immediate question of liability for data breaches. They signal an increased legal responsibility and sensitivity for data protection in the EU, which will have a significant impact on the practice of data processing and security as well as on case law in data protection matters.

Companies are now faced with the challenge of fundamentally rethinking their data protection strategies. This concerns not only the implementation and regular review of effective security measures, but also a comprehensive adaptation of their data protection policies and procedures. The ECJ’s decisions could lead to stricter practice in the assessment of data protection breaches and to an increase in lawsuits for non-material damages. This requires companies to proactively manage risk and continuously adapt to the changing legal framework.

Furthermore, these rulings not only influence advice on data protection issues, but also have far-reaching consequences for other legal areas such as general terms and conditions, contract law and management consultancy. The need to integrate data protection aspects into general terms and conditions and contracts is becoming increasingly important. Companies must ensure that their contracts and T&Cs reflect the latest data protection requirements while clearly defining the rights and obligations of all parties.

Overall, these developments require in-depth expertise in data protection law and flexible adaptation to the dynamic legal landscape. For lawyers, data protection officers and management consultants, this means that they must continuously update and expand their consulting approaches in order to offer their clients comprehensive and up-to-date solutions. The ECJ rulings underline the importance of holistic and forward-looking legal advice that takes into account both the current legal requirements and the potential risks and opportunities for companies.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.