In its judgment No. 1 As 238/2021 of 11.11.2021, the Czech Supreme Administrative Court dealt with the question of whether liability for a data breach is absolute under Czech law. Although the case was decided under the rules of the old Directive 95/46/EC, the court held that its conclusions also apply under the GDPR. The case involved a leak of hundreds of thousands of data records from a large Czech e-shop.
The Czech DPA fined the e-shop owner for this leak, even though the e-shop claimed to have implemented all security measures that were available and reasonable at the time. Although the Municipal Court in Prague upheld the DPA’s decision, the Supreme Administrative Court overturned the judgment. According to the Supreme Administrative Court, the Municipal Court treated as decisive whether a data breach had occurred and, consequently, whether the e-shop in question had detected the misuse of personal data in time. As this had not been the case, there was no need, according to the Municipal Court in Prague, to examine the quality of the security measures taken by the e-shop. In other words, if the e-shop had neither protected the personal data nor detected the theft in time, it was, in the opinion of the Municipal Court, clear without further inquiry that the measures taken by the e-shop were insufficient.

However, the Supreme Administrative Court rejected this approach. According to the Court, a controller or processor cannot foresee every scenario that may occur. The e-shop should of course have foreseen the risk of potential cyber-attacks and should have taken reasonable measures. However, this does not mean that the controller had to be able to defend itself against any attack whatsoever. It can hardly be expected that the security measures taken will always be strong enough to repel every possible cyber-attack, including a sophisticated and targeted one.
The decision is available (in Czech) here.