Claiming compensation for the data breach of a Cloud Storage System?

The use of cloud storage services has become common practice, offering many advantages in terms of cybersecurity safeguards, scalability and accessibility. However, this choice does not eliminate significant risks, especially the possibility of a data breach occurring at the provider.

In this article, we explore the kinds of damages caused by a data breach suffered by a cloud storage provider, in accordance with the General Data Protection Regulation (GDPR), and the possibility of claiming compensation for the data breach.

Data breach under GDPR

Article 33 of the GDPR requires Data Controllers to notify the competent Supervisory Authority in the event of a data breach. A data breach can compromise the confidentiality, integrity, and availability of personal data, potentially leading to serious consequences for the affected individuals and the businesses involved.

When a data breach occurs, several parties can be involved:

  • The data subjects: the individuals whose personal data has been compromised, including customers, suppliers, employees, and other individuals whose data was stored in the controller’s system.
  • The Data Controller: the entity that determines the purposes and means of the personal data processing.
  • The Data Processor: the cloud service provider handling the personal data on behalf of the Data Controller.

Liability and damages

The GDPR clearly outlines the responsibility of both the Data Controller and the cloud service provider in a different and complementary manner. The controller is liable for damages caused by the breach of GDPR rules towards the data subjects, as specified in Article 82, paragraph 2, and Recital 146 of the GDPR.

On the other hand, the cloud provider could be deemed liable for damages resulting from non-compliance with the GDPR, the absence of safeguards to protect the confidentiality of the information stored, or infringement of the controller’s instructions, both towards the controller and the data subjects, as regulated by Article 1292 of the Italian Civil Code.

In most cases, it is assumed that the damage is attributable to the processor or a sub-processor, especially when the incident results from a failure to implement the security measures required by Article 32 of the GDPR.

To mention some examples, some years ago a serious incident occurred at a popular cloud provider in France hosting thousands of websites and web platforms, whose data center burned down in one night. In another case, the lawsuit for which has been entrusted to Valentina Apruzzi, partner of Princivalle Apruzzi Danielli law firm, an unjustified disruption of data storage services by a cloud provider caused a serious data breach and related damages to our client.

The source and nature of the damages

On one hand, contractual damages can be financial or non-financial, including reputational harm to the Data Controller. The provider may have failed to meet its obligations under the Data Protection Agreement (DPA) or to follow the controller’s instructions regarding the handling of personal data.

On the other hand, non-contractual damages, regulated under Article 82 of the GDPR, cover material and non-material harm, such as direct financial losses and moral damages. Therefore, the Data Controller could be entitled to claim compensation for both kinds of damages due to the data breach.

In the first case mentioned above, concerning the fire at the cloud provider, the decision of the Commercial Court of Lille in January 2023 marks a milestone. The provider was ordered to compensate for damages, including loss of business goodwill, investment loss, reputational damage, and other related costs. Similarly, in another case, the Regional Court of Cologne recognized non-material damage to a data subject due to the controller’s failure to change access credentials, which led to a cyberattack.

Impact on the Data Controller

Data unavailability can cause significant disruption to day-to-day business operations, with serious financial impacts, including downtime costs and recovery expenses. Additionally, regulatory infringements can result in material fines, and customers’ and partners’ trust may be severely damaged, leading to reputational harm. Businesses must also bear substantial costs to mitigate the damage and respond to the data breach.

For the data subjects, the unavailability of their personal data can lead, for instance, to a loss of control over their information, limitations on their rights, discrimination, identity theft, or fraud. They may also experience financial losses. The unauthorized decryption of pseudonymized data can harm their reputation, and the loss of confidentiality of personal data protected by professional secrecy can have significant economic and social consequences.

Can an apology be considered sufficient redress?

The decision of the Court of Justice of the European Union (CJEU) of 4 October 2024, concerning, among other issues, Article 82, paragraph 1, of the GDPR, introduces a significant interpretation regarding compensation for a data breach. It establishes that a formal apology may, in some cases, be considered an adequate remedy for such damage under the GDPR.

Here are the key points of the decision:

  • The ruling clarifies that an apology can be viewed as sufficient compensation for non-material or intangible harm, such as emotional distress or reputational damage, under Article 82(1) GDPR. This reflects the court’s recognition of the nuances in addressing non-economic harm.
  • The court highlights that, in cases where it is impossible to fully restore the affected individual’s situation to what it was before the data breach or violation, other forms of compensation, like an apology, can be considered. This is especially relevant in scenarios where the harm caused cannot be undone by financial compensation alone.
  • The CJEU stresses that for an apology to be deemed adequate, it must be sufficient to compensate for the entire damage suffered. This means that the apology must provide real value in alleviating the harm experienced by the individual, addressing both the legal and emotional aspects of the damage.

This interpretation confirms and broadens the possible remedies available to individuals under the GDPR, beyond just financial compensation, allowing for more flexible and context-sensitive approaches to addressing data protection breaches.

For organisations found in breach of the GDPR, the ruling implies that non-monetary remedies, such as issuing a formal apology, may sometimes suffice, particularly in cases involving reputational damage or emotional distress. This could lead to a shift in how companies approach GDPR compliance and liability management.

While this ruling offers an alternative to financial compensation, it also raises questions about how the adequacy of an apology can be measured. Courts and regulators may face challenges in determining when an apology genuinely compensates for the damage suffered and when additional remedies are required.

In the case described above, where a provider suffers a data breach involving the personal data of a business entity claiming compensation for the data breach, we strongly doubt that the intangible damages claimed by the client (such as harm to its business reputation) can be fairly redressed by addressing the most polite apologies to it.

Conclusion

To conclude, the unavailability of personal data caused by a breach of a cloud storage system can have devastating effects on both the Data Controller and the data subjects. As a result, it is crucial for businesses to adopt proactive measures to protect data and ensure business continuity in the event of a data breach. Recent court rulings, such as those from the Commercial Court of Lille and the Regional Court of Cologne, underscore the importance of a robust security strategy and regulatory compliance to mitigate the risks associated with data breaches.