The GDPR As a Cyber Risk Management System: The ECJ Cautiously Tackles Data Breaches in the NAP Case
By: Maria Grazia Porcedda (European Law Blog)
In 2019, the Bulgarian National Revenue Agency (Natsionalna agentsia za prihodite or ‘NAP’) experienced a damaging data breach, joining the increasing number of organizations falling victim to cyberattacks. In the digital age, where security is often overlooked, data breaches have unfortunately become a common reality. Beyond the facade of digitalization and the data-driven economy lies an underground world of illicit markets, with stolen data being a prized commodity.
The NAP data breach, which affected 6 million Bulgarian and foreign citizens, prompted various efforts to seek restitution, including legal proceedings against the NAP. While the Breyer case was the first ECJ judgment connected to a cybersecurity incident, the NAP case is significant as the first to address data breaches and cyber offenses within the framework of the GDPR. Its importance cannot be overstated: proceedings against the Irish Health Service Executive following a 2021 ransomware attack have been put on hold pending the outcome of this and similar cases.
The fact that a request for preliminary ruling was only submitted to the Court in 2021, despite data controllers facing breaches for over two decades, is due to the delayed inclusion of cybersecurity within the scope of EU law. Regarding data breaches specifically, discrete provisions have been added to existing legislation over the past 15 years, resulting in a fragmented regulatory landscape. The first steps were taken with the 2009 amendment to the e-privacy Directive, which, however, had a limited scope and lacked a dedicated liability framework, unlike the GDPR, which establishes a comprehensive system of civil law remedies.
The interpretation of this system of remedies, along with the rules regarding the responsibility of data controllers in the event of a breach, led to a request for a preliminary ruling by the Bulgarian Varhoven administrativen sad (Supreme Administrative Court) in proceedings brought by VB seeking compensation for non-material damage due to the alleged failure of the NAP to meet its legal obligations as a data controller.
In a judgment issued on December 14th, the Court employed literal, systemic, and teleological reasoning to determine that a cyberattack does not automatically absolve data controllers of their responsibilities under the GDPR, nor does it inherently demonstrate the inadequacy of the technical and organizational measures in place. The burden falls on the controller to demonstrate the adequacy of such measures, which must be evaluated by a national court without necessarily relying on expert testimony. The fear of potential misuse of personal data can constitute non-material damage warranting compensation under Article 82 of the GDPR…