Focus on the GDPR: Civil claims
The General Data Protection Regulation brings with it potentially massive fines for breach, but data subjects’ rights to damages are also significant.
From 25 May 2018, the General Data Protection Regulation (2016/679, the GDPR) will apply in all EU Member States. It purports to impose obligations on all data controllers and processors where processing relates to offering goods or services to, or monitoring the behaviour of, data subjects within the EU. The class of organisations covered by the GDPR is, therefore, vast.
To ensure compliance, the administrative fines for non-compliance with the GDPR are many times greater than under the current regime. At present the UK’s data protection regulator can impose fines of up to £500,000; under the GDPR the maximum fine will be the higher of €20 million or 4% of the total worldwide annual turnover for the preceding financial year.
So it is not surprising that the level of fines is the headline point that many have taken from the reforms. However, both data controllers and processors need to be aware of their potential civil liabilities under the GDPR.
Civil liability under the Data Protection Act
The 1995 Data Protection Directive (95/46/EC) required that Member States provide data subjects with judicial remedies for breaches of national implementing legislation. The relevant legislation in UK law, the Data Protection Act 1998 (DPA), provided individuals with a right to compensation from a data controller for a breach of the DPA resulting in pecuniary loss or other material damage, but only for distress where financial loss had also been suffered.
The second limb (section 13(2) DPA) reduced the potential for claims from individuals: some breaches might result in an actual financial loss, but many more individuals “only” suffered a distressing violation of privacy and were denied a remedy under the Act. However, in Google Inc v Vidal-Hall & Ors EWCA Civ 311 the Court of Appeal disapplied the relevant provision as being incompatible with EU law, thereby significantly increasing the instances in which damages might be claimed by data subjects.
Vidal-Hall is currently the subject of an appeal to the Supreme Court on this point.
Article 82 GDPR
The appeal in Vidal-Hall, when decided, will only have limited relevance in this context, as the GDPR will replace the DPA in less than two years’ time. The relevant provision is Article 82:
- Individuals have a right to compensation against both controllers and processors for infringement of the GDPR for material or non-material damage suffered.
- Processors’ liability extends to the damage caused by processing where they have not complied with obligations specifically directed to processors or where they have acted outside or contrary to the lawful instructions of the controller.
- A controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
- Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are responsible for any damage caused by processing, each controller or processor is jointly and severally liable for the entire damage in order to ensure effective compensation of the data subject.
- Controllers or processors can claim contributions against other such parties where they have paid full compensation.
- Such proceedings may be brought before the national courts of a Member State where the controller or processor is established or (unless the controller or processor is a public authority acting in the exercise of its powers) where the data subject habitually resides.
The key points to note are that:
- Compensation is expressly available for non-material damage.
- Processors are liable in addition to controllers, for breaches of processor-specific obligations or if acting outside the instructions of the relevant controller.
- All breaching parties are jointly and severally liable for the full loss.
- The burden of proof in at least some circumstances will shift to the defending controller or processor.
- In most cases data subjects will be able to bring claims in their own national courts, rather than those of the controller or processor.
- Controllers and processors without an establishment in the EU may also be liable.
Major infringements of data protection obligations tend to fall into one of two categories: activities using personal data in an inappropriate manner (as alleged in the Google v Vidal-Hall proceedings, involving tracking individuals’ web use); or failing to properly protect and minimise personal data. Many ICO enforcements fall into the latter category, with inadequate protections often exposed by major data breaches and hacks.
In respect of both categories of breach, there may be thousands (or even millions) of individuals in different Member States affected, exposing controllers and processors to a large number of claims (including group/class actions) in various jurisdictions.
Data controllers and processors should ensure their terms recognise and provide for the potential liability to individuals that may result from their activities. When an incident that gives rise to a potential liability does occur, both controllers and processors should take urgent legal advice on dealing with the matter appropriately and avoiding perceived admissions in the midst of the crisis.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.