On 27 April 2023, Advocate General (AG) Giovanni Pitruzzella of the Court of Justice of the European Union (CJEU) issued an opinion on the interpretation of the General Data Protection Regulation (GDPR) regarding non-material damages in cases of unlawful access to personal data. The opinion was rendered in response to a reference for a preliminary ruling submitted by the Supreme Administrative Court of Bulgaria in the case 340/21 VB v Natsionalna agentsia za prihodite.
The case involves a person whose personal data, held by a public agency, was published online following a hacking attack. The AG’s opinion clarified that the mere occurrence of a personal data breach does not automatically imply that the technical and organizational measures taken by a data controller were inadequate. Instead, national courts must determine the appropriateness of the measures based on an analysis of the measures’ content, application, and practical effect.
The burden of proof lies with the data controller, who must demonstrate, to a high standard of proof, that they are not responsible for the event causing the damage. If they can do so, they may be exempted from liability.
AG Pitruzzella stated that the fear of potential misuse of personal data in the future may constitute non-material damage that grants the data subject a right to compensation. However, to receive compensation, the data subject must prove that they have individually suffered real and certain emotional damage. The competent national court is responsible for verifying this in each individual case.
The AG’s opinion provides important guidance on the interpretation of the GDPR, especially in determining the conditions for awarding compensation for non-material damages in data breach cases. While it does not bind the CJEU’s final decision, the court often follows the opinions of its advocate generals.