At a glance:
- On 14 December, the European Court of Justice issued two landmark decisions that will have a significant impact on data protection and cyber risk management.
- First, individuals whose data has been compromised by a cyber attack on a business may be entitled to compensation if they can prove non-material damage.
- Second, the ECJ lowered the bar for non-material damage claims, rejecting de minimis thresholds or additional hurdles.
- To successfully defend themselves against claims for damages, companies must now independently prove that they have taken appropriate cybersecurity measures.
Table of contents:
- What do the ECJ rulings mean for stakeholders?
- What will change for businesses?
- Recommendations for businesses: What you should be doing now
Dr Frank Schemmel, Senior Director at DataGuard, explains what the rulings mean for individuals, organisations and regulators in Germany and advises companies on the burden of proof for their cybersecurity measures.
What do the rulings mean for those affected?
In general, the ECJ rulings strengthen the data protection rights of citizens. Although Dr Frank Schemmel expects a new wave of compensation claims, he points out that the hurdles are still high:
"Individuals whose data has been stolen in a cyber attack and who are now concerned that it will end up on the dark net, for example, will have to prove in court that they have suffered non-material damage as a result of this event."
Non-material damage is governed by Article 82(1) of the GDPR and can take the form of depression, stomach ulcers or sleep disorders, for example. Europe's highest court has now clarified this: The non-material damage caused must be proven in concrete terms - for example, by a doctor's diagnosis - and must also be clearly traceable to the event.
In addition, national courts will no longer be allowed to impose further requirements for non-pecuniary damage regarding data protection violations, such as that the damage must be visible or objective. This is because the ECJ already established binding and conclusive requirements in May 2023.
The following three existing requirements must normally be met:
- There must be damage.
- There must be a breach of the GDPR.
- There must be a causal link between the damage and the breach.
"It may now be easier for data subjects to claim damages," says DataGuard expert Dr Frank Schemmel on the new rulings. In the past, German courts often imposed additional requirements for the assessment of damages based on decades of tradition - this is no longer possible with the new rulings of the European Court of Justice. The result is, therefore, a relief for those affected.
More responsibility on supervisory authorities
According to Dr Frank Schemmel, another important aspect is that:
"From now on, for tactical reasons, those affected by a cyber attack will probably turn directly to the supervisory authorities more often. The watchdogs will then have to check the extent to which the accused company has taken sufficient cybersecurity measures."
This will also put data protection authorities in a different position - the pressure on them will increase.
"As the first enforcement body after a cyber attack, they have a duty to investigate companies. As the GDPR enforcer, they'll likely need to conduct more frequent data protection audits for the companies involved, especially after major cyberattacks are disclosed," explains Dr Frank Schemmel.
This will give the supervisory authorities in Germany a more active role than before.
What will change for businesses?
Companies can expect a higher number of claims for damages - if only because some specialised law firms have made it their business to support victims in their lawsuits and actively solicit them. Dr Frank Schemmel is convinced of this.
Companies now bear the burden of proof when defending themselves against claims. They must independently prove that they have taken sufficient technical and organisational measures to ensure their cybersecurity.
"Although many companies already have a sophisticated cybersecurity strategy on paper, there are still gaps in other areas," says Dr Frank Schemmel.
With over 3,500 corporate customers, DataGuard has a good overview of the market and knows what is important to companies but is often not consistently implemented in practice.
Recommendations for businesses: What to do now
Carry out regular risk assessments: It is no longer enough to have carried out a risk assessment some time ago. It is essential to review the risks on a regular basis and take appropriate action.
"This is particularly important for SMEs, as they often don't see the need for continuous risk management," explains Dr Frank Schemmel.
Properly document your security measures: "In court, only facts and evidence count - to prove that appropriate measures have been taken, it is essential to document them," advises our expert.
Minimise your cyber security risks: This step is obviously essential to prevent cyber attacks in the first place. Read more about how you can improve your cyber security with ISO 27001 certification.
"In addition to this holistic approach, companies may now also have to recognise respective accruals," predicts Dr Frank Schemmel. This is because the wave of compensation claims must also be considered from an accounting perspective, which will ultimately reduce profits. "And rightly or wrongly, a claim for damages is always associated with negative press, higher legal costs and the need for external legal advice," explains the DataGuard expert.
The ECJ rulings are, therefore, changing the rules of the game when it comes to liability in data protection and information security throughout Europe. Companies need to be prepared for an increased number of claims for damages and should act now to review their cyber security measures and, above all, do so on a regular basis and document them accordingly.
Our experts are available to provide you with detailed advice. Arrange a consultation today and start the journey to stronger cybersecurity with us.