New Year's Eve is a time when we all tend to look back on the past year, revel in achievements and berate ourselves for mistakes made or goals not yet achieved. I also find that this is a time when I start to regret some of the holiday gifts I purchased. Things I thought were fabulous on Black Friday have become a nightmare: either the toy is too loud, it didn't stand up to a tantrum thrown by a 4-year-old, or it is the source of contention between my children. I try to make informed, well-educated decisions when it comes to holiday shopping, thinking of noise levels, sturdiness and how many of something is needed to satisfy all the individuals in my home, but sometimes, no matter how much I research in advance (sometimes ignoring the one or two bad reviews) or referee after the fact, the things I bought for Christmas were just mistakes. I have no one to blame but myself: I created the kid, and I bought him a loud, obnoxious toy that he insists he needs his parents in order to play with, but that his sibling cannot touch.
Holiday gift regrets are a reminder of how choices, and their consequences, can follow us. Similarly, businesses must reckon with their responsibility for personal data security, where missteps can have significant consequences. Companies are liable for the equipment, infrastructure and employees that work with personal data under their umbrella. At Christmas time last year, the Court of Justice of the European Union (CJEU) illustrated, in multiple court decisions, how the responsibility for processing personal data in a secure manner cannot be passed on or erased. In these cases, the court confirms that a controller or processor is presumed to be liable for the damage caused by a data breach, unless it can prove that it was not in any way responsible for the event giving rise to the damage. This means that a company cannot escape liability by pointing the finger at someone else, unless it can prove it had no part in what caused the damage.
Lessons from Recent CJEU Cases
In the cases the CJEU decided last December, the controllers attempted to argue that they fell within the exception laid out in Art. 82 GDPR, claiming the damages arose from the actions of others, whether employees, hackers or other parties. In VB v. Natsionalna Agentsia za Prihodite (C-340/21), the court states the following about a hacker attack:
“The controller cannot be exempt from its obligation to pay compensation for the damage suffered by a data subject, under Article 82(1) and (2) of that regulation, solely because that damage is a result of unauthorised disclosure of, or access to, personal data by a ‘third party’…”
The controller is responsible for protecting the personal data it processes and must establish technical and organizational measures that are appropriate to the risk that the data may be accessed, altered or deleted by a third party, causing damage to data subjects. The burden of proving that those measures were appropriate lies solely with the controller. The court stated in ZQ v. Medizinischer Dienst der Krankenversicherung Nordrhein (C-667/21) that "the GDPR … provides for fault-based liability in which the burden of proof rests not on the person who has suffered damage, but on the controller."
To strengthen this argument, the court reasoned in VB v. Natsionalna Agentsia za Prihodite that the EU legislature intended to strengthen data subjects' rights and the obligations of controllers, requiring the latter to demonstrate that all security measures are appropriate and encouraging them to take greater care when processing personal data.
The courts have repeatedly had to make clear to data controllers when they are responsible for non-compliance with the General Data Protection Regulation (GDPR). In April of this year, a decision in the case GP v. Juris GmbH (C-741/21), referred by the Landgericht Saarbrücken, was handed down. This case again held that controllers are liable for damages arising from the processing of personal data. Here, the controller argued that it was not responsible for damages because an employee's actions had caused the data breach. However, the court stated:
“…that the controller is to take steps to ensure that any natural person acting under the authority of the controller, who has access to such data, does not process them, except on instructions from the controller, unless he or she is required to do so by EU or Member State law.
An employee of the controller is indeed a natural person acting under the authority of that controller. Thus, it is for that controller to ensure that his or her instructions are correctly applied by his or her employees.”
The court again stated that if liability could be avoided merely because the act was attributable to someone under the control of the controller, the essence of the law would be undermined. This case underscores that comprehensive employee training and supervision are non-negotiable in GDPR compliance.
Taking Responsibility
Although I enjoy seeing the light in the eyes of those I give gifts to, I know that my choices are responsible for the noise and contention any holiday purchase may cause. Just as the joy of giving a gift can be overshadowed by its unintended consequences, the benefits businesses derive from processing personal data come with the weight of responsibility. Controllers must take ownership of their data processing choices and outcomes. It is not enough to blame others: responsibility lies with those who process personal data for their own purposes, and only by embracing this accountability can a safer environment be created.
Controllers must understand that the effort they put into writing standard operating procedures is no substitute for actually implementing those procedures. Controllers must train employees, audit processes and maintain state-of-the-art security so that the protection of the personal data they process remains at the forefront.
So, as you look back on the past year and forward to the next, make sure that your company is not found arguing in court about who is liable for damages. Make data protection a priority. Review your policies, train your employees, and ensure your systems are secure and ready for the challenges ahead, so that the gifts of trust and privacy offered to customers do not become regrets in hindsight. In the end, responsibility is not a burden; it is the foundation of trust and the key to a safer digital world.