Österreichische Post and VB vs NAP
NAPleaks is the mocking name for a personal data breach incident connected to the Bulgarian National Revenue Agency (NRA). The incident took place in July 2019 and attracted considerable attention in public discourse, the media and the Bulgarian courts, since the leaked data belonged to more than 6M Bulgarian citizens and some of the circumstances surrounding the event remain unexplained.
In 2020, with the help of litigation financing from the DFF, a collective redress claim was launched by Digital Republic against the NRA over the #NAPleaks incident. Instead of damages, the claimants seek an order requiring the NRA to demonstrate, in a meaningful and easily verifiable manner, that it has raised the security of the personal data it processes; they also seek a finding that no adequate technical and organizational measures were in place at the time of the incident and that the NRA’s unlawful actions and inactions constituted a serious breach of EU law. The case had been stayed by the first-instance court until the decision in case 340/21 VB vs NAP was issued on 14 December 2023, and it is due to continue in 2024.
Besides the collective redress claim, numerous individual cases at various stages are ongoing in Bulgaria seeking to establish damages in connection with the breach, as well as a criminal case (a “hacker” was involved), an administrative penal case and two preliminary hearings, one of which ended with the VB vs. NAP decision in December 2023.
The blog post analyses the conclusions of the ECJ against the backdrop of another important ECJ decision on damages arising from a personal data breach, the one in Österreichische Post, and draws parallels with the Bulgarian court practice that has accumulated around the NAPLeaks case.
According to the author, the combined conclusions of the ECJ in Österreichische Post and VB vs NAP appear to be the following:
- There is no presumption that damages occur in every data breach. In individual claims, the damages and their causal link to the incident must be proven by the claimant.
- Non-material damages may take the form of well-founded fear or anxiety on the part of the data subject, at the court’s discretion and based on an assessment of the circumstances of the individual case and the individual claimant.
- Whether the measures are adequate and effective is likewise subject to a case-by-case assessment by the court under the national procedural rules, in line with the principles of effectiveness and equivalence. An expert opinion may well be commissioned by the court, but this is neither systematically “necessary” nor sufficient as a standalone procedural means. The final assessment belongs to the court.
- The burden of proving that the measures are adequate and effective lies with the administrator (the controller, in GDPR terms), not with the data subject (to prove that they were not); the latter had wrongly been assumed by some Bulgarian courts, and the ECJ issued a clarification.
The blog post also analyses whether the administrator may be released from liability for the damages caused by the incident, measured against the key ECJ conclusions analysed above.
The second preliminary hearing initiated by a Bulgarian court on the matter of #NAPleaks is also analysed briefly, in particular the interplay between the NRA’s power to obtain disclosure of bank account information through the court and the allegedly still inefficient/inadequate measures for protecting the personal data acquired in that way.
For more information, see the Bulgarian blog here.