CJEU AGs issue two opinions on GDPR liability

Viewpoints
May 2, 2023
3 minutes

James Brown may have been the hardest working man in showbusiness, but spare a thought for the advocates general of the Court of Justice of the European Union (CJEU), whose job is to write impartial legal opinions on the cases before the CJEU. 

Collectively, the 11 AGs have issued 93 opinions so far this year (that’s more than one opinion per working day), following 268 opinions in 2022 and 276 in 2021.  Although these opinions are not binding on the CJEU, they often have persuasive value and therefore provide useful insights into how a case may ultimately be decided.  

Data protection disputes comprise a core component of the AGs’ workload, and last week was no exception, with the release of two opinions that considered distinct but overlapping questions of GDPR liability.

Determining GDPR liability #1 

On 27 April, AG Campos Sanchez-Bordona concluded that EU law permits a legal person (e.g., a corporate entity) to be fined under the GDPR without liability first being attributed to a natural person (e.g., an employee of that entity).  That may seem logical, but the position under the German law in question was that a GDPR fine may only be imposed on an undertaking if certain infringements committed by its managers, acting in a representative capacity, can be attributed to it.

Not so, said the AG.  “A legal person who can be classified as a data controller or processor must bear the consequences, in terms of penalties, of infringements of the GDPR committed not only by its representatives, directors or managers,” he wrote, “but also by natural persons (employees, in the broad sense) acting in the course of the legal person’s business and under the supervision of its representatives, directors or managers.” 

Again, this likely won’t be news to most readers — but it is a salient reminder that almost all data protection and security issues can be traced back to human activity (or inactivity), which is why getting engagement and buy-in from employees on their handling of personal data is one of the cornerstones of an effective compliance programme.

Helpfully, the AG confirmed that Art. 83 of the GDPR excludes a strict liability — i.e., no fault — regime, meaning that punishable conduct must be intentional or negligent on the organisation’s part.  That shouldn't be thought of as a 'get out of jail free' card, however, given that intentionality and negligence cover a wide range of scenarios.

Determining GDPR liability #2 

On the same day, 27 April, AG Pitruzzella found that the occurrence of an Art. 4(12) GDPR personal data breach does not automatically mean that the controller’s security measures were not “adequate”.  This is a sensible position, and the AG noted that a national court will take into account the proportionality and context of the measures when determining whether they were appropriate.

For example, an organisation that is the target of a nation-state attack will likely have little chance of repelling it, but it does not follow that the threshold for adequacy is an entity's ability to withstand the most sophisticated attacks possible.  Indeed, Pitruzzella said that it would be “illogical” to hold controllers to this standard.

However, the burden of proving that the measures were appropriate lies with the controller, and in order not to be liable, it must demonstrate that it was not in any way responsible for the event giving rise to the damage.  That is likely to be a high bar in cases where the breach was not caused by a third party, given that the breach necessarily would not have occurred without the involvement of the controller. 

The AG also weighed in on a feature of GDPR liability that continues to hold interest for individuals and organisations alike: the threshold beyond which non-material damage can give rise to compensation.  Pitruzzella reiterated the position that emotional damage resulting from the fear of one’s personal data being misused must be actual and certain, rather than simply causing trouble and inconvenience — albeit we continue to see claimants taking a different (that is to say, more expansive) view than the court.

The CJEU’s first judgment on the issue of Art. 82 GDPR non-material damages is expected soon, and it will be interesting to see whether the court follows the AG in that case by finding that mere infringements of the GDPR are not sufficient to create a right to compensation.  I expect that this will be one of the cases where the CJEU does follow the AG.