The protection of personal data is one of the issues that generates the most commotion within the law of the European Union. The protection of personal data not only aims to protect the fundamental rights of individuals, but also seeks to protect their economic and financial interests. Therefore, illegal access to someone’s personal data can cause moral and economic damage, and individuals should be entitled to compensation for that damage.
Compensation for your leaked data
Data breaches happen almost every week. Operators, technology companies, energy companies, etc. Giovanni PitruzzellaAdvocate General of the Court of Justice of the European Union (CJEU), points out that compensation for moral damage caused by the violation of the protection of personal data should be available to anyone, not just those who have suffered financial damage.
This opinion arises from a Unauthorized access to the computer system of the National Tax Agency of Bulgaria (NAP by its initials of origin). Tax and social security information for millions of people was then published on the Internet.
This is a clear example of a breach of their personal data, even if they had not necessarily suffered a direct financial loss. This EU Advocate General supports compensation for moral damage caused by illegal access to personal data. The fact that the victims of these data breaches fear that their personal data may be subject to possible misuse they can be compensated for the moral damage caused by that fear.
Of course, Pitruzzella clarifies the cases in which this fear should end in compensation. In his opinion, only the reward would be actual emotional damage. “Not a mere disorder or annoyance.”
This opinion of the Advocate General does not have the force of law, but it is significant because it is a non-binding legal recommendation for the Court of Justice of the European Union. This is responsible for making decisions in cases involving the interpretation and application of European Union law. If the Court follows this opinion, would set an important precedent for the protection of the rights of EU citizens regarding the protection of their personal data.
Greater protection of citizens’ rights
Furthermore, this would have significant implications for companies and organizations that handle personal data, as they could face increased penalties for non-compliance and possible liability for damages.
This has significant implications for the protection of the rights of EU citizens and for companies and organizations that handle personal data. Pitruzzella affirms that the controller must apply appropriate technical and organizational measures in order to ensure that the processing of personal data is in accordance with the Regulation 016/679 regarding the protection of individuals with regard to the processing of personal data and the free movement of such data.
When choosing the measures, the data controller must take into account a number of factors, among which is the state of the art, which implies a limitation of the technological level of the measures to what is reasonably possible at the time of adoption, also taking into account implementation costs.
Finally, it concludes that “the fact that the infringement of the Regulation has been committed by a third party does not in itself constitute a reason to exempt the data controller from liability. To be exempt from liability, the data controller must demonstrate, with a high level of evidence, that the event causing the damage is not attributable to him in any way. The assumption of illegal processing of personal data has, in effect, the nature of aggravated liability due to presumed fault. From this follows the possibility that the person in charge of the treatment present a proof of exculpation”.