The CJEU opens the door to compensate individuals for the dissemination of their data after a cyber attack on the Administration – Health and Medicine

by time news

2023-12-19 13:38:05

It responds to a massive data leak from a public Administration and warns that the “fear” of the owners of that data of improper use can be compensated.

“The fear that a data subject experiences of potential misuse of his or her personal data by third parties as a result of a violation of the General Data Protection Regulation (GDPR) may constitute, in itself, non-material damage or harm (moral harm, damage to health…)”. This has been stated by the Court of Justice of the European Union (CJEU) in a ruling that resolves the consultation of the Bulgarian Supreme Court on the requirements for compensation for non-material damages claimed by a person whose personal data, in the hands of a public agency, were published on the Internet following a cyber attack. We all remember the computer attack that the Hospital Clínic of Barcelona suffered last March.

The events that motivated the consultation with European justice began when the Bulgarian National Collection Agency (NAP), dependent on the country’s Minister of Finance, suffered a cyber attack on July 15, 2019. The NAP is in charge of identification, assurance and collection of public credits and is responsible for the processing of personal data. As a result of the cyber attack it suffered, the personal data of millions of people were published on the Internet. Many affected parties filed actions against the NAP, demanding “compensation for the immaterial (moral) damages that they claim to have suffered due to fear of potential misuse of their personal data.”

According to the European regulatory framework, do these Bulgarian citizens have the right to compensation? The CJEU has said yes, with several clarifications. On the one hand, the person responsible for the custody of the data must demonstrate that all available means were put in place to ensure the best custody of the personal information. Because, before determining whether or not there is a right to compensate for damage in these cases, “the judges [of each Member State] must examine the appropriateness of these measures, in each specific case.”

THE CJEU

In the words of European justice: “In the event that unauthorized communication of personal data or unauthorized access to such data has been committed by third parties (such as cybercriminals), the controller may be obliged to compensate the persons who have suffered damage, unless said person responsible can demonstrate that the event that caused the damage in question is not attributable to him in any way.”

Another question is what damage is compensable. Here the CJEU opens the door to compensating the citizen’s “fear” of improper use of their data. That is the moral or non-material damage to which the ruling refers.

Lawyer Francesc José María, expert in Health Law and member of the Health Jurist Association, interprets the CJEU ruling and says that “effectively, the European Court opens the door to compensation for moral damages, which includes fear of improper use, but on a casuistic basis, that is, taking into account the specific case and not in a general or automatic manner. Furthermore, in a rigorous manner, since the entity can demonstrate that the security measures were appropriate.”

Soledad Valley
