This landmark ruling by the European Court of Justice (ECJ) on December 14, 2023 (C-340/21) represents a significant turning point for all victims of cybercrime. It establishes that the mere fear of potential misuse of personal data can constitute an intangible harm. This means that victims not only have the right to claim compensation for intangible damages, but they can also seek a legal determination that companies are liable for all causal consequences of violating the General Data Protection Regulation (GDPR).
Landmark Ruling: Victims of Cybercrime Can Seek Compensation
This groundbreaking decision establishes that victims of cybercrime not only have the right to claim non-material damages, but also have the ability to seek judicial confirmation that companies are liable for all causal consequences resulting from a breach of the General Data Protection Regulation (GDPR).
In this landmark ruling, the European Court of Justice (ECJ) has made a significant decision regarding the aftermath of a cyber attack on a Bulgarian government agency’s IT system. The attack resulted in the unauthorized release of personal data on the darknet. This ruling establishes that victims of such data breaches can claim compensation for intangible damages, recognizing the fear and potential harm caused by the misuse of personal information.
The European Court of Justice (ECJ) has finally settled the long-debated question regarding whether victims of data breaches are entitled to compensation in the form of non-material damages. This landmark decision ensures that victims now have a clear legal right to seek compensation for the emotional distress and fear caused by the potential misuse of their personal data.
The immaterial damage refers to the fear that one’s personal data may be misused following a cyber-attack, potentially leading to unauthorized withdrawal of funds from bank accounts. This has been observed particularly in cases of victims affected by the Facebook data breach.
The European Court of Justice (ECJ) ruled that the data protection officer is responsible for providing evidence that the implemented security measures were sufficient. This landmark decision places the burden of proof on the data controller to demonstrate that adequate measures were in place to protect personal data. It emphasizes the importance of proactive and robust security measures to prevent data breaches and reinforces the need for organizations to prioritize data protection and privacy. This ruling will have significant implications for data controllers and potentially increase accountability in safeguarding personal information.
The practice of withholding technical details about the security standards of an IT system for reasons of confidentiality appears to have been definitively abolished. This means that companies can no longer hide behind claims of secrecy to avoid disclosing information about their security measures. Transparency and accountability are now key in ensuring the protection of personal data and preventing cyberattacks. This shift in approach will empower individuals and regulatory bodies alike to hold organizations responsible for any breaches or vulnerabilities in their IT systems.
The law firm CLLB, which represents victims of cybercrime and supports bank customers in reclaiming unauthorized debited amounts, advises individuals affected by data breaches to file a lawsuit as a precautionary measure.
This allows for a judicial determination that the data protection officer is also liable for any potential future causal consequences of the data breach. It ensures that the responsible party cannot escape accountability for the ongoing effects of the breach, providing a sense of justice and protection for individuals affected by the breach. This ruling sets an important precedent for holding companies accountable for the long-term consequences of data breaches and strengthens the rights of victims of cybercrime.
This groundbreaking decision by the European Court of Justice (ECJ) on 14.12.2023 (C-340/21) marks a significant turning point in favor of all victims of cybercrime. It establishes that the mere fear of potential misuse of personal data can constitute non-material harm. As a result, victims not only have the right to claim non-material damages, but they can also seek a judicial declaration holding companies liable for all causal consequences of GDPR violations. This ruling is expected to have a profound impact on ongoing cases, such as those against Meta (Facebook) or Scalable, and will empower many consumers to assert their rights in court.
