It is more than five years now since the GDPR came into force. Compared to the old Directive 95/46/EC, the GDPR is considerably a more complex and more far-reaching law, as it includes a very extensive set of data subject rights. Not surprising at all if we think that strengthening data subject’s rights was one of the main goals of the European Commission when revamping Directive 95/46/EC.
Under Article 23 of the Directive 95/46/EC data subjects were entitled to obtain compensation from the data controller for damages suffered. The Directive did not specify the type of damages that would give rise to compensation nor did it contain a definition or examples of damages.
The GDPR brough changes in this sense providing data subjects with a right to claim compensation for both material and non-material damages. Article 82
paragraph 1 of the GDPR provides that:
Any person who has suffered material and non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
Recital 85 of the GDPR refers to loss of control over personal data or limitations of individuals rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymization, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.
The meaning of damage has given rise to some challenges of interpretation in the past. For example, in the UK, it was long the case that damage meant financial loss, but that position was reversed by the decision of the Court of Appeal in Google Inc. v Vidal-Hall & Others [2015] EWCA Civ 311, which held that damage also means distress and other nonpecuniary harms. In contrast, the DPAs have always been sure that damages include distress. Emotional distress (IIED; sometimes called the tort of outrage) is a common law tort meaning emotional distress caused by another individual who intentionally or recklessly inflicted emotional distress by behaving in an “extreme and outrageous” way. Some courts and commentators have substituted mental for emotional, but the tort is the same.
The Regulation resolves any remaining ambiguities. The phrase material or non-material damage points very clearly to the idea that damages include distress. Recital 146 also makes it clear that the concept of damage should be interpreted broadly.
Moreover, since the data protection law is considered in the same context as human rights law, where the law has always recognized the right to compensation for distress, the position should be that indeed damage must include distress.
The EU Commission guidance notes marks that individual can claim compensation if a company or an organisation infringed the General Data Protection Regulation (GDPR) and they have suffered material damages, such as financial loss or non-material damages, such as reputational loss or psychological distress.
Any violation of GDPR requirements could, in principle, give rise to compensable immaterial damage.
This even applies to violations of the extensive transparency obligations under the GDPR. Labor Courts in Germany, for instance, held that the loss of control over personal data could constitute a compensable immaterial damage.
According to this approach, no proven actual damage, such as reputational or financial damage, is required. The German data protection authorities seems to take the view that any violation of data protection requirements could in principle constitute a compensable immaterial damage.
This has very significant implications for controllers and processors if a compensation culture around the Regulation develops, which is a very likely trend to come.
An individual does not necessarily have to make a court claim to obtain compensation. There are cases when the organization may simply agree to pay the individual. However, if the organization refuses to pay the next step would be for the individual to make a claim in a Court of Law. According to the EU Commission guidance notes proceedings are brought before the courts of the EU Member State where the controller or processor has an establishment or where the citizen claiming compensation lives (habitual residence).
Some Courts of Law have held that under Article 82 GDPR only damages of some significance are to be compensated. Other Courts argued that the amount of the damage depends on, among other factors, the financial strength of the defendant. Even minor infringement of data protection rules can affect a large number of data subjects and lead to mass proceedings against companies. It is likely that plaintiffs, consumers, lawyers, and law firms may consider these judgments giving rise to considerable opportunity to bring class actions for damages in the future cases for negligible harm.
As to the allocation of responsibility paragraph 2 of Article 83 retains that
A processor shall be liable for the damage caused by processing only when it was not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to the lawful instructions of the controller whilst paragraph 4 provides that Where more than one controller or processor or both a controller and a processor are involved in the same processing and where they are responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
The best way to avoid claims for damages is to put in place an effective data protection management system to ensure the highest possible level of GDPR compliance. Should claims for damages nevertheless arise, the thorough documentation of all data protection measures taken (Article 5 (2) GDPR) will prove to be a valuable
means of defense.
The following aspects entail particular high data protection risks with regard to damage claims:
- High risks of individual enforcement of GDPR infringements exist with regard to the processing of employee data, if we look at the fact that relevant Courts of Law decisions on claims under Article 82 GDPR were issued by German labor Courts of Law
- Shortcomings in the processing of data subject rights are quite often the subject of complaints from data subjects
- In the event of security incidents (data breaches), companies often face a large number of claimants who may potentially be entitled to compensation
- Companies that engage in direct marketing (e.g. via e-mail advertising or personalized banner advertising) are confronted with similar risks. Direct marketing has always been one of the most relevant topics in data protection law and is traditionally in the focus of the courts, consumer protection agencies and data protection authorities
- Similar risks are associated to the use of cookies or other tracking technologies
- Given the much discussed “Schrems-II” judgment of the European Court of Justice of 16 July 2020, case no. C-311/18 international data transfers have come into focus of regulators and data subjects. In case of violations, all data subjects whose personal data have been transmitted could potentially be entitled to compensation
Author: Petruta Pirvan, Founder and Legal Counsel Data Privacy and Digital Law