2023 will be a decisive year for data breach litigation in the EU

European Court of Justice’s positioning could open the floodgates for claims after larger cyber incidents

Damage claims for infringements of the EU General Data Protection Regulation (GDPR) are on the rise. There are multiple court decisions scheduled for 2023 which will determine whether we’ll see a data breach claims industry focusing on cyber incident-related damage claims.

Most cyber incidents have data privacy implications. Ransomware threat actors often exfiltrate data prior to encrypting the compromised systems. These data almost certainly include personal data, in many cases very sensitive information about customers or employees. Breach notifications obligations towards data protection authorities and affected individuals may require the attacked organisation to disclose non-compliance with the GDPR, e.g. the lack of appropriate security measures. This could give rise to damage claims by the affected individuals under Article 82 GDPR.

We already see attempts by an alliance of experienced claimant law firms, litigation funders and legal tech companies trying to commercialise cyber incidents by compiling large volumes of individual claims. In Germany we have seen the first courts awarding €1,200–€2,500 in non-material damages per affected individual. The courts linked the damage to the risk that exfiltrated data could be used for identity theft. The claimants did not have to prove actual identity theft or fraud. The loss of control over personal data was sufficient.

Whether these cases could open the floodgates to damage claim litigation after every larger cyber incident depends on how the European Court of Justice (ECJ) positions itself on fundamental questions on the interpretation of GDPR damage claims. A total of nine cases on Article 82 GDPR are currently pending with the ECJ. The main focus of these cases is on the question of whether a GDPR infringement alone is sufficient to award non-material damages or whether there is a de minimis threshold requiring the claimant to demonstrate that he or she developed concerns, fears or anxieties due to the loss of control over his or her personal data.

Other key questions are dealing with the burden of proof regarding the different requirements under Article 82 GDPR. Even though the Advocate General at the ECJ tends towards restrictive interpretation of non-material damages in the Opinion on the first of the cases, this approach is not binding for the judges. How the ECJ will decide on GDPR damage claims in 2023 will be key for data breach litigation throughout the EU.

View all our Insurance 2023 Predictions here