Auditors, lawyers, tax consultants and management consultants: Four perspectives. One solution. Worldwide. Find out …
Our clients entrust us with their most important legal matters. Learn more about our legal services!
Tax laws are complex and dynamic. We face the challenge of tax law together with you - find out more.
Baker Tilly advises CFL on container vessel acquisition
US tariffs: Short term optimization – medium-term preparation
Germany’s Coalition Agreement and Tax Law – A Document to Fiscal Pragmatism
BAG overturns forfeiture clause for share options after termination
Art. 273a ZPO: More protection for trade secrets in civil proceedings
Social insurance obligation for freelance teachers only from 2027
Industry-specific knowledge is essential in order to create the best conditions for customised solutions. Find out …
Baker Tilly advises biotech startup Real Collagen GmbH investment by US investor
Energy study: Uncertainty slows down investments by industry and utilities in Germany
After ECJ ruling: Financial investors still have no direct access to medical care centers
Benefit from bundled interdisciplinary competencies, expert teams and individual solutions. Learn more!
Baker Tilly offers a wide range of individual and innovative consulting services. Find out more!
On December 14, 2023, the European Court of Justice (ECJ) issued a groundbreaking decision that significantly expands consumer rights in the EU.
ECJ defines new criteria for non-material damage after hacker attacks
The judgment (case no. C-340/21) concerns a hacker attack from 2019 in which a Bulgarian authority exposed millions of personal data on the internet. A large number of data subjects had sued the authority under Article 82 (1) of the GDPR for compensation for the non-material damage they suffered due to the fear of possible misuse of their data. The Bulgarian court referred the question to the ECJ as to when a person whose personal data was published on the internet following a cyberattack is entitled to compensation for non-material damage. The ECJ ruled that the mere concern about the possible misuse of personal data following a hacker attack can be considered non-material damage. This makes it easier for those affected by data breaches to assert their claims in court.
Reversal of the burden of proof: companies must provide evidence of their safety measures’ effectiveness
Another important aspect of the decision concerns the burden of proof in connection with hacker attacks. Companies and authorities whose systems have been hacked must now prove that their protective measures were appropriate and effective. Companies must not only prove the adequacy of their protective measures, but also that they are “in no way liable for the damage”. What this looks like in practice is entirely unclear. Even with technically comprehensive and up-to-date protective measures, hacker attacks cannot be ruled out, as these always include human error.
Consequences of the decision: Claim for damages much easier to enforce
With its decision, the ECJ has established clear criteria for the punishment of data protection breaches that are attributable to cyber-attacks. Companies and authorities are urgently required to review their security measures and ensure that they meet their responsibilities in the event of hacker attacks. The current case law further increases the risk, as hacker attacks continue to increase.
View all news