Data leaks could cost you dearly
Last year, one of the highest penalties ever imposed for breaches of personal data protection, CZK 1.5 million, was levied on a well-known e-shop that had failed to protect its customers’ personal data, including passwords to their user accounts. This year, the same e-shop faces another consequence of that failure: an individual customer has successfully claimed compensation in court for non-pecuniary loss caused by the data leak.
The e-shop reported a data leak in 2017. Two months later, an individual customer filed an action for CZK 125,000 as compensation for a breach of privacy. The first-instance court did not award the compensation in full, on the grounds that some of the plaintiff’s leaked personal data had also been published on the internet by the plaintiff himself, and that he could not hold the e-shop accountable for his own repeated use of weak passwords to access various services. However, the court did award the plaintiff reasonable satisfaction of CZK 10,000, on the grounds that he had been forced to change the passwords that had been leaked.
Recently, the appellate court held that while the above arguments were valid to a certain degree, the plaintiff was indeed entitled to compensation in the amount awarded. The basis, however, was not the harm consisting in the need to change the passwords, but rather an infringement of the right to informational self-determination. That right is part of the constitutionally guaranteed right to privacy and comprises the right to decide to whom, and in what manner, a person will disclose private facts and information. In its decision, the court also took into consideration the significant market position of the e-shop being sued and the extent of the data it controlled. The court further emphasised the preventative and punitive purpose of its decision.
The judgement has now entered into effect, and the e-shop has stated that it will respect it. When the appellate court’s decision was published, the court was not aware of any other similar cases pending. However, since the claims of other potentially injured parties have not yet become statute-barred, it is possible that the successful lawsuit may inspire others. On the other hand, in the Czech legal environment, success in a single case does not necessarily mean that other potential lawsuits will succeed, especially where the court’s reasoning is problematic or controversial.
Any similar cases will be strongly affected by the new legal regulation of class actions currently being prepared. The new regulation should make it possible for injured parties to assert their claims collectively, through a joint representative. The number of lawsuits can therefore be expected to grow. If successful, their cumulative effect may do more harm to personal data controllers than penalties imposed under the GDPR.
As for the record penalty, the e-shop has challenged it in administrative court proceedings, which are still pending.