On 18 September 2020 Regional Court of Frankfurt am Main rendered an interesting judgement which holds, in the main, that data leakage does not on its own evidence controller’s breach of the GDPR and warrant payment of non-material damages. More is required for a plaintiff to succeed in his or her claim.
A Belgian subsidiary of the US-based leading company in global payments industry operated a marketing and customer loyalty program in Germany. The customers of the Belgian subsidiary, who had payment cards issued in Germany, were able to register for the loyalty program on the Internet by providing personal data (i.e. name, e-mail address, date of birth and their card number). They could collect points with each payment transaction they made with a card, and later use earned points for rewards.
The Belgian subsidiary, as a data controller, had an unsigned agreement in electronic form with a service provider who managed the online platform created for the operation of the bonus program. The agreement stipulated that the service provider, as the data processor, was to impose the same obligations as those of the processor to any other member of the same group of companies (“Group”) that might participate in activities on the platform. As it turned out, another company which belongs to the Group did act as a sub-processor. The Belgian subsidiary, as a data controller, did not conclude a separate processing agreement with that company.
On 21 May 2019 there was an unauthorized access to the Group’s system from a foreign IP address and the administrator password was changed. On 19 August 2019, the hacker made the data of around 90,000 participants in the loyalty program publicly available on the Internet. The Belgian subsidiary informed the participants of the leakage. One of the participants in the loyalty program whose data was leaked initiated the proceedings against the Belgian subsidiary asking, amongst other, to be compensated for the damages he suffered due to the leakage. There were no indications of the data abuse by the time the proceedings commenced.
What security measures are sufficient?
The participant in the loyalty program whose data was leaked claimed that the data controller and the Group disregarded technical and organizational security measures. The plaintiff pointed to the fact that the data processor’s headquarters are a single-family house in residential area, which suggests that necessary security measures cannot be met in such an environment. The court refused that line of reasoning and noted that causality between the leakage and the location of the processor’s headquarters was not established.
The plaintiff also claimed that the access to the data occurred because the administrator’s account, through which the Group’s system was accessed, had a pre-set password (default password which was not changed by the user). However, the court stated that a pre-set password does not have to be less secure than a personally set one.
The plaintiff also claimed that the defendant disregarded technical and organizational security measures because the data were not stored in hashed form. However, the court held that the GDPR does not require using hash function. The plaintiff did not prove that the processor did not use other strong cryptography when collecting and storing the data.
In which form can a processing agreement be concluded, and is it mandatory that a data controller has a processing agreement with the data sub-processor?
The court stated that it is irrelevant that the processing agreement between the data controller and the data processor was not signed. As it results from the GDPR (Art. 28), written form, including an electronic form, is sufficient. This means that the signatures are not mandatory. Also, the fact that the data controller and the data sub-processor had not concluded a processing agreement is irrelevant. It was enough that the agreement between the data controller and the data processor contained a clause which obliged the processor to impose at least the same data protection obligations on data sub-processors. This, again, is in accordance with the GDPR (Art. 28).
Does being a data controller automatically mean having access to the data?
The plaintiff claimed that it had the right to damages because his data had been made accessible to the US-based company, a founder of a Belgian subsidiary, as a joint controller. The court stated that the US-based company could have acted as a joint controller (i.e. decided on the purpose and means of processing) without accessing the data and being itself involved in the processing.
Does data leak automatically entitle data subjects to damages?
The plaintiff’s request for damages was based on the fact that his personal data had been accessible to third parties. However, the court said that the damage must have been caused by an infringement of GDPR, that the causality between the infringement and the damage must have been established, and that a legal interest of the data subject must have been adversely changed in order for him to be entitled to damages. The court could not determine that the publication of the data represents a violation of GDPR, since it was not established that the publication was made unlawfully. The plaintiff must prove the violation and provide proof, which he failed to do.
Moreover, the court took a stance against broad interpretation of the concept of damage under Art. 82 GDPR, according to which unlawful processing automatically gives rise to damages. The act of infringement must lead to violation of a specific personality right of the data subject. The court established that, even though the plaintiff’s data was leaked, there was no evidence that he actually suffered damage.
Data leakage does not automatically represent a breach of GDPR on the part of the data controller. A data subject who claims damages must prove that GDPR was infringed, that he or she suffered the damages, and that there is a causality between the infringement and the damage. Even if the controller is responsible for an infringement, the data subject does not necessarily suffer any damage and in that case compensation claim cannot succeed. That, at least, is the position taken by the German court in the case reviewed here. However, the question of what amounts to compensatable damage under GDPR Art. 82 does not yet have a uniform response, as some supervisory authorities and courts – relying on the wording of GDPR recital 85 – embrace the position that data subjects’ perceived loss of control of their data justifies compensation in case of an infringement of the GDPR.
[Note: Serbian Data Protection Act and the current draft of Montenegrin Data Protection Act mirror the provisions of GDPR. The decisions of supervisory authorities and courts in EU member states may therefore serve as an instructive guidance for compliance with local regulations.]