Accountability for Bulgaria’s Personal Data Leak
In the summer of 2019, unknown hackers attacked the data sets of the Bulgarian National Revenue Agency (NRA), one of the biggest personal data controllers in the country.
As a result of the attack, the hackers published online the personal data of more than 5 million people. This is roughly 70% of the Bulgarian population.
Among other things, the hackers published structured data sets containing individuals’ names, personal identification numbers, addresses, details of professional occupation, gross and net personal incomes, emails, and information from electronic signatures. The amount of published data was so large that it was easy to identify the persons to whom it related.
The official reaction
The Bulgarian institutions, including government institutions and those investigating the issue, initially neglected the issue, choosing to launch a criminal case against the potential hacker instead. That case is still pending.
The Bulgarian Data Protection Authority (DPA) imposed a record fine of EUR 2.5 million on the NRA, finding that it had not applied basic data protection techniques to prevent potential attacks or to mitigate the negative effects of such attacks.
The NRA appealed the decision, but since then, the initial hearing of the appeal has been consistently delayed on a variety of grounds, from judges withdrawing from the case to appointed experts claiming that they do not have sufficient information to prepare their expert witness statement.
It quickly became clear that the incident was not taken sufficiently seriously by the Bulgarian government. The then Minister of Finance publicly joked about the breach and blamed it on the fact that the NRA provides electronic services. He also questioned the significance of the fine issued by the DPA, noting that because both the DPA and the NRA are public bodies, the State was, in effect, fining itself. The NRA’s executive director at the time did not even bother to interrupt her summer vacation.
Notably, while the NRA submitted a GDPR personal data breach notification to the regulator, that notification did not include all the information required by the GDPR. Individuals affected by the breach were not aware that their data was leaked, which of their data was shared, and which measures were taken.
In the end, the NRA developed a very basic online tool which merely allows people to check whether they were among the hackers’ victims. However, the tool does not allow individuals to access any of the remaining information about the breach. Most elderly data subjects did not use the tool due to lack of awareness or digital literacy.
As a result of the data breach, the Global Forum on Transparency and Exchange of Information for Tax Purposes stopped exchanging information with Bulgaria. Several countries, including Switzerland, Germany and Singapore, also stopped exchanging bilateral tax information with Bulgaria.
Bulgarians were shocked. Although there was a general awareness that Bulgarian authorities and public institutions tended not to follow the rules in the GDPR to the letter, the data security breach was so severe that people feared becoming the victims of identity theft. Some cyber security experts claimed that this kind of leak could, in fact, be seen as a threat to national security. The media was full of stories about how our bank accounts would be compromised, our identities stolen, and so on.
Interestingly, it was not the leak itself which made people most angry. Instead, the leak was proof of the ever-absent State when digital rights are at stake:
Although the GDPR had been in force for more than a year at the time of the leak, and although Bulgarian businesses had worked hard to achieve GDPR compliance, the leak made it apparent that the NRA, one of the most important personal data controllers in the country, had in fact done almost nothing to update its processes and security features to comply with the new data protection framework.
In addition, Bulgarian authorities did not admit their fault in failing to prepare the NRA to meet basic personal data protection standards and procedures. There was no accountability for the leak either. Although a small number of lower-ranking employees lost their jobs as a result, no one from the NRA’s management or the Finance Ministry accepted any responsibility. The incident therefore exposed the total inability of the Bulgarian State to provide modern administrative e-services.
The massive data leak, and the fact that the personal data of two thirds of the Bulgarian population has been made public, present a legal challenge. There is a possibility that the case will result in a competence dispute between the civil and the administrative courts, and there is also the concern that claimants will face a range of formal impediments. That said, individual claimants have already successfully sued the NRA for causing them immaterial damages, including stress, lack of sleep, etc. In these cases, the court usually awards compensation of approximately EUR 300 per claimant.
However, our firm, KDBM Law, has a different plan. In our view, the data security breach is so severe that it does in fact put into question the State’s ability to provide administrative services and to be a reliable partner, at international level, for the purpose of exchanging tax information with other countries. We have therefore decided to file a collective redress claim.
In Bulgaria, collective claims have a relatively short history. In fact, there has not yet been a successful claim where a court decision has actually become enforceable. We therefore expect a significant number of challenges.
Our lawsuit is not aimed at compensation or monetary damages. Instead, it focuses on proving that the NRA has breached a range of legal and administrative obligations, including its GDPR obligations (failure to notify the breach, lack of proper personal data protection measures, breach of the purpose limitation principle, etc.) and its obligations under the relevant cyber security legislation.
In addition, we want to use the case to prove that the NRA and, in particular, the Bulgarian State have breached their obligations under national and international law (i.e. the Bulgarian constitution and the EU Charter of Fundamental Rights) and under the international agreements to which they are subject, for example with respect to exchanging tax information with other countries and public bodies.
Since this type of collective action is new for the Bulgarian legal system, we expect that the case will face many procedural and legal challenges and will likely take several years to conclude. However, our greater objective is also to change the way Bulgarian institutions think about digital rights and their obligations under data protection and cyber security legislation. Our aim is that, going forward, those institutions should apply a privacy-by-design approach to their data processing activities. This means that the data security breach itself is not the most important issue per se. Rather, it is a sign of a failed state where public institutions pretend to observe the rules but where, in fact, they do not.
Since 2010, Bulgaria has pretended to observe the rule of law while the economic growth that followed its accession to the EU has masked the signs of a deteriorating democracy, in which one political party became dominant and the media was silenced with economic measures and more. But since the beginning of this year, the political playground has changed.
The current caretaker government – already the second for this year – has made public many of the dubious practices of the previous government. This has raised questions. We believe that our collective redress case will show Bulgarian citizens that collective actions are possible and that they are an important democratic legal tool that allows people to have their say on the way our country is governed and our rights respected.
Dimitar Kaldamukov is a partner with KDBM Law, a Sofia-based law firm, and a practising lawyer. He specialises in personal data, digital money and fintechs.