Liability and appropriate measures under the GDPR, the administrative sanction of the CPPD, and compensation cases for affected citizens
On 15.07.2019. , the nation was faced with the extremely unpleasant reality of the NRA Data Leak that had occurred. Although the initial dimensions of the event were not completely clear, the inspection conducted by the CPPD and the imposed fine following show that the personal data of a total of 6,074,140 people were affected, of which 4,104,786 were living Bulgarian citizens and foreigners, and 1,959,598 people are deceased.
The fine was appealed by the NRA to the Sofia District Court (SDC), and many Bulgarian citizens applied administrative cases for compensation. In this article, we will try to explain the progress of these processes by indicating some important concepts in the GDPR that often cause confusion and misunderstanding.
The CPPD sanction and the question of appropriate measures
The data leak resulted in a fine of BGN 5,100,000 for the National Revenue Agency, imposed by the CPPD. This size is the largest to this moment in the authority’s practice. The Commission found destruction, expressed in the fact that the administrator did not attach appropriate technical and organizational measures, as a result of which unauthorized access, the unauthorized reveal of personal data, and their distribution were made. This is the composition of Art. 83, par. 4 in conjunction with Art. 32, par. 1 GDPR, destruction of the controller’s obligation for processing security.
As the criminal decree is formulated and the subsequent case in SDC inevitably placed the concept of appropriate and technical and organizational measures established in the GDPR at the center of the case. The NRA’s main line of defense even goes through the argument that the agency cannot be held responsible for the leak that occurred because the hacking attack constituted a criminal act and the agency, as the controller of personal data, is not the blame on it for what happened.
Therefore, we must answer the question: “Is it important to take appropriate technical and organizational measures, or the occurrence of a security destruction is a reason to engage the responsibility of the administrator?” You can find a detailed answer in our article. In short, GDPR liability is not blameless. On the contrary, the GDPR in its Art. 83, par. 2, b. “b” explicitly elevates the blame of the administrator into a factor that is taken into account when assessing whether to impose a pecuniary sanction and what its amount should be. Moreover, the Regulation does not create an obligation for the controller to prevent the system from data leak. He/She is obliged to take appropriate technical and organizational measures and which will be the subject of investigation in the event of security destruction. If it is found that they are appropriate indeed and there is no other destruction, the administrator will not be responsible for the destruction that has occurred, which is further supported as an argument by the existence of the principle of accountability established in Art. 5, par. 2 GDPR.
The case before SDC.
In September 2019, the NRA appealed the criminal decree in front of the SDC, and in December of the same year, the case was initiated. At the moment, however, for various reasons, there is no significant development of the process. Expertise was assigned, which aims to answer 13 questions, all of them from a technical point of view concerning operations and security in the NRA systems. There is no result of the examination yet. The next judge meeting, scheduled for 08.02.2021, did not take place due to the fact that the court was unable to find sufficiently prepared experts.
The administrative cases for the compensation
A considerable number of citizens decided to defend their rights in court. More than 100 cases have been applied throughout the country, almost all of which are claimed for compensation in the amount of BGN 1,000. It was tried to apply a collective action, but the court accepted that the necessary requirements were not available so as to name the action as “collective ” – it does not change its “nature” and it is a question of subjectively joined claims, as a result of which the cases were divided. You can read more about the possibility of applying collective action in our article.
In the beginning, the applicants correctly oriented themselves towards a claim under Art. 1 of the Law on the Liability of the State and Municipalities for Damages (the Law on Liability for Damages). However, the Administrative Court held that Article 39(2) of the Personal Data Protection Act (PDPA) creates a special procedure within the meaning of Article 8(2) of the Law on the Protection of Personal Data. 3 of the Personal Data Protection Act for compensation for damages resulting from unlawful processing of personal data by the controller. Since this procedure requires objective joinder with a claim for a declaration of invalidity under Art. 39 par. 1 of the PDPA, dozens of claims were returned. In numerous judgments, the Supreme Administrative Court has overturned these orders of the court of the first instance on the ground that a claim for compensation is not necessarily joined with a claim under Article 39(1) of the GDPR. 1 OF THE LPLA. Section 39(2) of the LPLA does not exhaust the possibilities for seeking compensation and the procedure under the LPLA remains applicable, with the court making an assessment of legality as appropriate.
At present, we have a significant number of decisions on the merits of the first instance court. In most of them, it finds the claim unfounded on the ground that the requirements of Art. 1 OF THE CIVIL LIABILITY ACT. However, there are significant differences in the judgments, and the lines of reasoning of the court can be divided into 3 main groups:
- There is no illegal act on the part of the NRA.
- There is an unlawful act of the NRA, but no damage has occurred.
- There is an unlawful act by the NRA, the damage has occurred but there is no causal link between the act and the damage. This line is probably the most interesting, as in these cases the court has in practice held that the hacking attack constituted an intervening event that precluded liability on the part of the administrator.
However, there have been a number of decisions in which the claimant’s claims have been upheld. However, the court does not fully satisfy the claim of BGN 1,000, and the NRA is usually ordered to pay compensation of between BGN 100 and BGN 500.
Judgments of the Supreme Administrative Court /SAC/
Not all cases of citizens are without a final resolution. In its decision , the SAC found the cassation appeal of the NRA unfounded and held the judgment of the first-instance administrative court, and the NRA was finally sentenced to pay the affected citizen compensation in the amount of BGN 500. This is half of the amount claimed by her.
The case deserves attention. The Supreme Court indicates that the proving under Art. 82 GDPR requires the following mandatory elements:
- Presence of tangible or intangible harm;
- A proven violation of the GDPR; and
- A causal link between the harm suffered and the breach of the GDPR
The Court held that there was a proven violation of the GDPR for the reason that it was incumbent on the NRA to prove the implementation of appropriate technical and organizational measures in the proceedings. And since the Revenue Agency refused to formulate tasks for the expert on the ex officio forensic technical examination, the Court accepts the fact of non-application of appropriate measures as proven. Thus, the Revenue cannot benefit from the exemption from liability under Article 82 para. 3 GDPR.
The SAC also held that there is harm because a personal data breach that results in unauthorized disclosure of or access to personal data that is transmitted, stored, or otherwise processed invariably causes harm in the form of emotional and psychological distress to the individual.
Finally, the SAC also establishes the link between the infringement and the harm suffered, stating that it is irrelevant whether the unauthorized disclosure was made possible by the successful hacking attack and whether it constitutes a criminal offense.
Reference for a preliminary ruling from the CJEU
In another case, however, the SAC has issued a reference for a preliminary ruling, which means that this and all other administrative cases for compensation for the data leak will stay pending a ruling by the Court of Justice of the European Union (CJEU).  There are five questions raised and, without repeating them, I will try to extract the essence of each of them and give a reasoned guess as to what answers we can expect from the CJEU.
The first question essentially asks whether the existence of a security breach under Article 4(12) of the GDPR means that the technical and organizational measures applied are inadequate and therefore a breach of the GDPR has occurred. In other words, whether one follows from the other; if ‘A’, then it means ‘B’. I have pointed out repeatedly in this article that the two concepts are not necessarily related. The occurrence of an incident that results in unauthorized disclosure of or access to personal data is not in itself a breach of the GDPR. It becomes one when the requirements of Art. 32, par. 1 GDPR.
The second question is based on a negative question to the first and asks what the court is checking when it examines whether the measures applied are appropriate. Art. 32, par. 1 GDPR makes clear which factors are taken into account when assessing what measures to apply. These are:
- The achievements of technical progress;
- Implementation costs;
- The nature, scope, context, and purposes of the processing; and
- The risks of varying likelihood and severity to the rights and freedoms of natural persons.
Where appropriate, they should also be applied:
- Pseudonymisation and encryption of personal data;
- Ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and
- A process for regularly testing, assessing, and evaluating the effectiveness of measures.
The third question is more interesting. It concerns the burden of proof and, in particular, whether compliance with the principle of accountability under Article 5(2) GDPR reverses the burden of proof in the judicial process, and whether the appointment of a forensic expert can be accepted as a necessary and sufficient means of proof to determine whether the technical and organizational measures implemented are sufficient. It is debatable whether the ECJ would answer such a procedural question. Nevertheless, its consideration deserves attention. The documentation of the specific and appropriate technical and organizational measures applied is the primary obligation of the controller. It is not in itself a substitute for the actual implementation of the measures, but acts as a refuge for the controller’s liability should the other party fail to prove otherwise.
The fourth question asks whether Article 82(3) GDPR can be interpreted to mean that the NRA can be exempted from liability for the leak because it was the result of a hacking attack. The specific provision states that the controller is exempted from liability if it proves that it is in no way responsible for the event that caused the damage.
The answer to this question again lies in the concept of appropriate technical and organizational measures. When the GDPR states that the measures should be appropriate, the Regulation means, of course, that they need to be appropriate in view of the potential threats. The nature of the attack and the target are therefore examined here. Is it reasonable to expect an attack on a government institution that processes the personal data of millions of citizens? Is there something so innovative about the hackers’ approach that the affected administrator, even if it had implemented appropriate measures, could not have prevented the leak? These questions should certainly be explored. However, the concept is clear: If airplanes have been around for over 100 years and are commonplace in warfare, it might be a good idea to equip yourself with radar.
The last fifth question is probably the most interesting. It asks whether, in the event of a data breach consisting of unauthorized access to and dissemination of personal data, the mere fear, worry, and apprehension experienced by the data subject about possible future misuse of personal data, without such misuse having been established and/or other harm has occurred to the data subject, falls within the broad meaning of the concept of intangible harm and is a ground for compensation. The texts referred to are Recitals 85 and 146 GDPR. In other words: in a situation like this, what is harmed, and what is compensated?
At the heart of this inquiry is actually a far more fundamental question, namely: what value does the law protect when it protects privacy? Perhaps the doubts come precisely from the Bulgarian legal system’s decision to translate “privacy” as “protection of the inviolability of personal data”. This approach can be misleading.
The genesis of the right to “privacy” took shape in American doctrine in the 1890s as the right to be left alone. There is a word in the English language that reflects this meaning well – privacy. The right to “privacy” is the right to be left alone. And when someone makes public your personal data, which should have been kept secret, that in itself violates your right to privacy.
Undoubtedly, the culmination of this case and the hundreds of lawsuits that have resulted from it is yet to come. At the moment, everything seems to depend on the ECJ’s decision. Certainly, the final outcome will provide valuable answers on the application in Bulgaria of the GDPR norms concerning appropriate technical and organizational measures and will raise the question of the nature of liability and the nature of damages under the Regulation.
 Judgement No. 5587 of 10.05.2021 of the Supreme Administrative Court under Adm. c. No. 12911/2020, V o.
 Art. 144 APC, in conjunction with Art. 229, para. 1, item 7 of the Civil Code, in conjunction with Art. 631 and Art. 633 of the Civil Code; see also Judicial Definition No. 260103 of 24.02.2021 of the Court of Appeals – Plovdiv under pr. c. case No. 90/2021