Mere fear may be enough for compensation in the future

The EU court has ruled that the mere fear of the possible misuse of personal data leaked in a data security breach can be considered intangible damage.

A person may be entitled to compensation even if the personal data taken in a data breach was not misused. The mere fear of the possibility of abuse can be enough.

The Court of Justice of the European Union has taken a position on the grounds on which a person who has been the target of a data security breach can seek damages from an organization.

The background to the ruling is a cyber attack on the information system of the Bulgarian tax authority in 2019, which led to the personal data of millions of people being leaked online.

After the incident, several lawsuits were filed in the country against the tax authorities, and many Bulgarians demanded compensation for emotional distress.

Fear can be intangible damage

The Court of Justice of the European Union has now ruled that an organization may have to pay damages to the victims of a data breach, even if the personal data was not misused.

According to the ruling, the mere fear of possible misuse of personal data can be considered intangible damage.

The Office of the Finnish Data Protection Commissioner points out in its announcement that the fear must nevertheless be justified in order to entitle the person to damages.

“It is the responsibility of the organization to show that it is not responsible”

The Office of the Data Protection Commissioner emphasizes that the organization is not automatically liable for damages, even if an outside party has gained access to the personal data entrusted to it.

A person who has suffered damage can submit claims for compensation directly to the organization that violated the data protection regulation, but the assessment of liability for damages is the task of the courts.

When the courts assess the organization’s liability for compensation, they examine, among other things, the adequacy of the protective measures used.

– It is the organization’s responsibility to show that it is not in any way responsible for the event that caused the damage, and that its safety measures have been appropriate.

Source: Office of the Data Protection Commissioner
