In Bulgaria, the Supreme Administrative Court has referred a number of pressing preliminary questions to the Court of Justice of the European Union (CJEU). The referral was prompted by an earlier hacking attack on the Bulgarian Tax Administration, which resulted in a data breach of enormous proportions. Among other things, the administrative court wants to know whether mere concern, anxiety and fear about a possible (!) misuse of personal data justifies a claim for non-material damages.
In 2019, the Bulgarian Tax Administration (NRA) reported that its files had been hacked. Sensitive financial information of an estimated 5 million taxpayers was allegedly stolen. With Bulgaria's population barely 7 million, the breach covered the personal data of virtually the entire adult Bulgarian population. Among those affected, the NRA announced at the time, were also 2,400 Dutch nationals, for example people holding bank accounts in Bulgaria.
The leaked information mainly concerned tax returns, social security contributions and health insurance payments. In addition to names, phone numbers and e-mail addresses, the data included, for example, fines, arrears and taxes owed. Various media reported that some of this data dated back as far as 2007.(1) The scope and sensitivity of the incident were therefore enormous.
The NRA reported the leak to the Bulgarian supervisory authority and to law enforcement agencies. It also enabled data subjects to check whether their own data had been leaked. The government agency therefore appears to have handled the incident in line with the notification duties of Articles 33 and 34 of the GDPR (in Dutch: the AVG).
Ultimately, the NRA was fined €2.6 million for infringing Article 32 GDPR, that is, for breaching its obligation to implement appropriate technical and organisational security measures. Hundreds of claims for non-material damages were subsequently filed by data subjects, and these reportedly were not decided uniformly by the various national courts.
In the case that would eventually give rise to the preliminary questions, the court of first instance dismissed such a claim. Although there had been unauthorised access to the data, the data had not (yet) been misused.
The NRA simply took the position that it had been the victim of a hacking attack by persons acting in bad faith and that, for that reason, it bore no responsibility for any non-material damage suffered.
Liability, burden of proof and non-material damage
The court ruled that the NRA, as controller, has no absolute duty to prevent unauthorised access to data. On that basis, the aggrieved data subject had not met her burden of proof, namely that the security measures taken by the NRA were inadequate. In the court's view, she should have specified which technical measures the government agency ought to have taken to prevent the hacking attack.
Moreover, the national court ruled that the psychological harm resulting from the fear of possible misuse of the leaked data did not justify an award of non-material damages.
Questions to the CJEU
The data subject decided to appeal. The case is now before the Supreme Administrative Court of Bulgaria (Varhoven administrativen sad), which has referred a number of preliminary questions on the matter to the CJEU.
In brief, the CJEU has to answer the following questions:
Does every personal data breach resulting from a hacking attack automatically mean that the controller has failed to take appropriate measures within the meaning of Articles 24 and 32 GDPR?
On what basis should a court determine whether the security measures were appropriate under Article 32 GDPR?
If a data subject holds a controller liable for non-material damages, on whom does the burden of proving that the security measures were (or were not) appropriate rest?
Is a hacking attack an event for which the controller is exempt from liability under Article 82(3) GDPR, on the ground that it is not in any way responsible for the event giving rise to the damage?
Does the term "non-material damage" cover the concern, anxiety and fear of data subjects about possible future misuse of their personal data, even where the data has not (yet) actually been misused?
Any organisation, including a government agency, can suffer a data breach. Meeting the notification and documentation obligations of the GDPR after the fact does not, however, bring the matter to a close. What usually follows is the question of liability, on which there is currently considerable uncertainty. Although the CJEU's ruling is still some time away, it is certain that the judgment will be highly relevant to practice.
Footnotes
(1) https://www.reuters.com/article/us-bulgaria-cybersecurity/hackers-hit-bulgaria-send-data-from-russian-email-government-idUSKCN1UB0MA