Lithuanian data leak lawsuit could involve around a thousand people

A lawsuit against the state over a data leak at the Lithuanian Registrų centras (RC, Centre of Registers) could involve around a thousand people, according to a report by public broadcaster LRT.

Advocate Paulius Galubickas, who is preparing the case, told ELTA news agency that approximately a thousand individuals have expressed interest in joining the group action. Some may later withdraw, but the initial response suggests significant participation.

Galubickas said the defendants in the case would likely be the Ministry of Justice, which oversees the registers, and the RC itself, which manages the data. While the exact non-pecuniary damages claimed are still being determined, he estimated that each affected individual could seek around €3,000 in compensation.

The non-pecuniary damages would be based on the loss of control over personal data, a principle recognised in courts across the European Union. Galubickas noted that sensitive information, such as financial assets and bank obligations, was exposed, increasing the risk of fraud.

He criticised state institutions for failing to promptly inform the public about the data breach. “The biggest mistake was that the institutions did not inform people in a timely manner. This could have been done with a public announcement,” he said.

The Lithuanian Supreme Administrative Court (LVAT) has noted a trend in both national and EU case law where data protection violations are no longer treated as merely formal issues. Courts increasingly acknowledge that even technical breaches can cause real harm to a person’s emotional state, reputation, and sense of privacy, warranting legal protection and compensation for non-pecuniary damage.

A 2025 ruling by the EU Court of Justice in the “Quirin Privatbank” case reinforced this interpretation, stating that negative emotional experiences—such as fear, humiliation, or a loss of control due to unauthorised data disclosure—can constitute non-pecuniary damage under the General Data Protection Regulation (GDPR).