Data protection breaches do not per se entitle the plaintiff to claim damages; the damages have to be proven by the plaintiff, according to the Italian Supreme Court.

Data protection breach

The Italian Supreme Court, the Corte di Cassazione, held that an unlawful processing of personal data had been performed by the Italian Ministry of Justice, which had processed health-related sensitive data concerning a police officer without the prior authorization of the Italian data protection authority. However, the Court did not consider such a breach sufficient in itself to entitle the plaintiff to claim damages: the damages had to be proven rather than being presumed as a direct consequence of the breach.

Rules on damages to be claimed

A general principle of Italian law is that damages have to be proven and that courts cannot award punitive damages or penalties, which are prohibited. But, in relation to data protection breaches, the Italian Privacy Code provides that whoever causes damage to a third party has to prove that they adopted all the measures necessary to avoid it. The consequence of this provision is that, in the case of a data protection breach, the burden of proof shifts to the defendant once the plaintiff has proved the breach.

The position of the Supreme Court

Based on this decision of the Italian Supreme Court, in the case of a data protection breach the plaintiff must also prove to have suffered damages. However, according to the principle referred to above, once the damages are proved it will still be up to the defendant to show that they were not caused by his negligence or willful misconduct and that every measure aimed at avoiding them had been put in place. If the defendant succeeds in this test, he will not be held liable for the damages even though both the breach and the damages occurred.

The consequence on data breaches

The above principle is also relevant to data breaches that occur as a consequence of a cybercrime committed by hackers, which might lead to the disclosure of, or unauthorized access to, data, credit card details or other types of sensitive information (e.g. health-related data in telemedicine or eHealth projects) relating to users, patients or a company's employees. Following the reasoning of the Court, in such a case the user whose credit card details have been accessed by a hacker, or even published on the Internet, must prove to have suffered damages as a consequence of that conduct; the data breach itself will not entitle him to claim compensation.

Given the difficulty of proving data protection damages, the risk is that such a decision will not encourage operators to comply with privacy rules. But the increase in data protection fines for breaches, up to 5% of global turnover, that will be introduced by the upcoming European Privacy Regulation will certainly be a sufficient disincentive for operators.