Private enforcement under the GDPR
While the new data protection regulation provides for severe administrative penalties for failure to comply, it is well known that whether a penalty is effective is determined not by its severity but by its inevitability. Even though the personal data protection authority has been given broad powers, it does not have adequate means of exercising them. A solution could be a private enforcement mechanism within the regulation, whereby any person whose data has been breached can independently seek a judicial remedy.
Private enforcement is being used more and more as an addition to the public law mechanism for the enforcement of regulatory provisions. This solution has been introduced recently in compensatory liability cases for breach of competition law. A solution of this kind is also possible under the GDPR.
The GDPR provides for two kinds of individual remedies:
- A right to compensation from the controller or processor for damage suffered as a result of breach of the regulation,
- A right to an effective remedy in the form of a demand that specific action be taken.
Compensatory claims
Under art. 82 of the GDPR, any person who has suffered material or non-material damage as a result of an infringement of the regulation has the right to receive compensation from the controller or processor for the damage suffered.
We see this provision as grounds for pursuing claims on an individual basis (doubts concerning this subject are discussed here). The regulation gives a broad definition of the term “damage.” Compensation can be sought for material damage (actual loss or lost profits) and non-material damage (compensation for harm inflicted). This approach is in line with the European case law to date on personal data breaches under the previous legal regime (see for example the English Court of Appeal judgment in Google Inc v Vidal-Hall and Others (2014), in which it was stated clearly that under European law compensation can be sought for harm caused as a result of data breaches).
The definition of the term “breach” is also very broad. It has been held that a breach is any action that is contrary to the regulation and the acts implementing it (delegated and secondary). This means that non-compliance alone, surrounding the actions of the controller, with secondary legislation laying down the technical standards for certification mechanisms issued by the European Commission in the future under art. 43(9) of the GDPR, will be independent grounds for seeking compensation.
There are no limits on a controller’s accountability under the regulation, but certain restrictions apply with respect to a processor. This is due to the processor’s function in the personal data protection system. A processor is only responsible for damage in cases where:
- It does not comply with obligations of the regulation that are specifically directed to processors,
- It acts outside or contrary to lawful instructions of the controller.
Art. 82(3) of the GDPR provides for the presumption of liability of a controller and processor for events that result in damage. This means that if court action is taken the defendant is required to prove that it is not “in any way” responsible for the event giving rise to the damage.
The regulation also states that where more than one entity (both a controller and a processor, for example) are responsible for the same damage, each entity shall be held liable (each for the entire damage). This solution enables private individuals to seek compensation. Under art. 82(5) of the GDPR, where a controller or processor has paid full compensation, they are entitled to claim back compensation from other controllers or processors that contributed to the breach.
The regulation might be a popular means of seeking damages due to the presumption of liability of an entity in breach. When seeking a pecuniary amount according to the general grounds for compensation, a plaintiff would be required to prove by itself that a controller or processor in breach was liable. A remedy of this kind could be particularly important where claims are being pursued against large firms. Where claims are pursued on the basis of the GDPR, the firms being sued are required to demonstrate that they took the necessary organisational and technical measures to ensure data protection as required under the GDPR.
What kind of defence is possible?
Controllers and processors do have a means of defence against claims by way of substantive and formal arguments.
Above all, as the burden of proof rests with controllers and processors, in the event of a dispute, they are required to demonstrate that the damage occurred due to an event for which they are not responsible. In practice, this amounts to demonstrating that a business exercised due diligence when implementing data procedures required under the GDPR and followed these procedures. As the GDPR is not ruled-based but objective-based, each case is evaluated individually. Compliance certificates, which can be issued under art. 43 of the GDPR, will be of major practical importance. Obtaining a certificate of that kind is not a safeguard against civil liability, but it could be important in the event of evaluation of whether GDPR standards were implemented with due diligence. These certificates will be an important component of the argument proving that a party is not responsible. Demonstrating that data processing risk assessment is conducted correctly as required under art. 35 of the GDPR might prove to be equally important. This process involves correct identification of risks, risk analysis by evaluating the likelihood of an incident, a final evaluation of the risk, and measures taken to mitigate that risk. If a controller is able to demonstrate that the risk assessment was conducted correctly and conscientiously, this will be an additional factor indicating that they are not liable.
Processors will also have additional options with regard to defence. Responsibility is determined by whether the damage is due to failure to fulfil obligations to which they are directly subject under the regulation, or it is due to actions outside or contrary to the lawful instructions of the controller.
Controllers and processors also have the option of raising formal objections, above all statutory limitation of claim. This issue is not regulated independently in the GDPR but is provided for in the secondary act to the regulation. Art. 92 of the Personal Data Protection Act of 10 May 2018 states that the Civil Code applies to issues not addressed in the regulation with regard to civil claims for breach of personal data protection provisions. As claims for compensation are treated as torts, claims for remedy of damage inflicted through an unlawful act expire three years from the day in which the injured party learned or could have learned, exercising due diligence, of the damage and the person under an obligation to remedy the damage. This time limit cannot exceed ten years from the day on which the event that caused the damage occurred.
Amount of damages
Data has become one of the world’s most precious commodities, and today there is no sector in which data is not used. Data circulation plays an ever greater part not only in the economy but also in the way modern society functions. Therefore, laws regulating this area need to safeguard basic rights of individuals but cannot place excessive restrictions on businesses, potentially hampering economic growth.
It may appear hard to strike this balance in an era of increasingly frequent attacks from the outside on a business’s information technology resources. This year’s report on data breaches, drawn up by the US telecommunications operator Verizon Communications, leaves no doubt about this issue. According to this report, in 2017 there were more than 53 thousand incidents and more than 2,200 data breaches. These incidents occurred in a diverse range of sectors and affected businesses in the financial sector, academic services, and public administration, and even in education, healthcare, and gastronomic services. This could be an argument supporting placing specific obligations on all data processors, with penalties and financial liability for non-compliance. It needs to be kept in mind that protection of user data is, above all, in the interest of firms that process data. Without this protection it would be hard to gain universal approval and trust for innovative technologies.
The growing social awareness of data protection issues is having a direct effect on the amount of damages that can be sought in court proceedings. A good example of how pecuniary awards are evolving can be found in English case law developed when the European Data Protection Directive was still in effect, on the basis of secondary legislation [1].
The amount of compensation awarded by English courts is gradually rising. For example, for a single breach resulting in incorrect recording of entries in a plaintiff’s bank account history, a court awarded GBP 750 (Halliday v Creation Consumer Finance Ltd, 2013), while for the long-term unlawful collection by local police of data regarding an employee GBP 9 000 was awarded (Andrea Brown v Commissioner of Police of the Metropolis and Chief Constable of Greater Manchester Police, 2016). Amounts ranging from GBP 2 500 to 12 500 were awarded when the UK Home Office made public online information about approximately 1 600 people seeking asylum or residence (TLT and Others v Secretary of State for the Home Department, 2016). An interesting judgment was issued in Mirror Group Newspapers v Gulati & others (2015);in this case, relatively high amounts were awarded (between GBP 85 000 and 260 250 for hacking of a telephone and making public the material obtained). One of the reasons given for this award was that the deprivation alone of total control over private data is a form of damage and should be examined notwithstanding the material loss incurred and harm suffered.
These cases demonstrate\ that similar claims could have increasingly serious financial consequences for businesses. Breach of regulations can also lead to public relations disasters and other unforeseeable adverse consequences. How expansive the consequences of incidents of this nature can be is demonstrated by the notorious case of Cambridge Analytica, which was forced to file for bankruptcy at the beginning of May after contributing to the breach and unlawful use of data of Facebook users.
Claim for an effective remedy
Regardless of the options for seeking damages, and other possible administrative or non-judicial remedies, a person whose data has been breached can seek an effective legal remedy in court. In practice, this provision requires member states to ensure that remedies for protection of personal data function effectively.
To meet these obligations, Polish lawmakers chose to include the above-mentioned reference to the Civil Code in the Personal Data Protection Act. This means that a data subject may file the relevant lawsuit against the controller of its data or against the processor, demanding that the defendants are ordered to take necessary measures to secure the breached data. In such a case, a list of legal remedies for protection of personality rights given in art. 24 of the Civil might be particularly useful. Under these regulations, Polish courts can order parties in breach to cease the breach of the GDPR, to remedy all of the effects of the breaches, and to make an appropriately worded statement (for instance issue an apology in the mass media).
Where will proceedings be conducted?
The GDPR itself also states the countries in which proceedings can be initiated in courts for damages or an effective legal remedy. There are two options: which are conduct of cases in courts in the member state in which the controller or processor have their establishment, or, except where the defendant is a public authority performing its public functions, in courts in the country in which the data subject has its habitual residence.
Further explanations regarding the term “establishment” are given in the regulation recitals. This term encompasses effective and actual business activity using stable structures. Moreover, the deciding factor should not be a specific legal form or national branch of organisational structures. This is in line with a past Court of Justice of the European Union (CJEU) judgment in Weltimmo. In that case, it was held possible to establish the governing law for the establishment according to the location of its true business activity and where the activity had real and effective consequences, instead of the official seat of the legal person. When determining the governing law in the case, the CJEU examined the language under which the party presenting the establishment’s services was operated, the country whose citizens were the service target group, whether the establishment had representatives in a different country, the country in which it had its postal address, and where it had a bank account.
Initially, such a broad range of options for determining the governing law may not seem significant, especially since the person whose data was breached would usually file a lawsuit according to their place of residence. This might be a significant issue, however, when filing class actions. The GDPR itself does not state whether class actions for damages for breach of personal data are possible. These issues have been left for determination in member states’ legal systems. At best, this issue is unclear in Poland. The Collective Claims Act is very specific about restrictions on class actions for breach of personality rights, but allows claims for torts. In other EU countries, however, these doubts no longer arise, as the laws are much more liberal. The question arises whether laws of this kind allow class actions to be pursued in the jurisdictions that are suitable for that purpose (where the processor operates in multiple EU countries), and whether they allow accession to proceedings in cases of that kind that are being conducted in other countries.
Is there a risk of a flood of data breach lawsuits?
In the next few years we expect to see a massive increase in the number of lawsuits for damages relating to data breaches. Although the amounts of compensation awarded to date might not seem significant, they will gradually rise due to the increasing importance of data and the increased awareness of the dangers connected with the loss of data.
The scale of potential claims should also give businesses processing data on a massive scale cause for reflection. Each incident leading to a data breach could affect hundreds of thousands of people. The data breach in 2017 by the US credit scoring bureau Equifax affected more than 145 million residents in the US. Therefore, even low damages not exceeding a few hundred euros, multiplied by the number of injured parties, could mean millions in damages.
People instigating these cases can also count on significant aids. In some European jurisdictions, there is the option of class actions. Above all, however, the GDPR provides for an alternative to class actions. Private individuals can mandate a non-profit body, organisation, or association active in the field of personal data protection to file claims on their behalf with a court or a complaint with the supervisory body.
Organisations of this kind, specialising in the protection of privacy, now exist and provide assistance in pursuing claims under the GDPR. The best known is probably My Privacy Is None Of Your Business (NOYB). This is a Europe-wide non-government organisation created by well-known data privacy activist Max Schrems. In the past, he has helped develop this area of law in Europe by pointing out wrongdoings in personal data protection on the part of Facebook. A CJEU judgment in C-362/14 Maximilian Schrems v. Data Protection Commissioner concerning transfer of personal data of EU citizens to outside of the EU proved particularly important. He helped to secure inclusion in the GDPR of the institution described above of a claim for an effective remedy. NOYB wishes to operate a permanent platform that uses all of the instruments provided for in the GDPR to protect personal data on a broad scale. It is intended to operate in strategic litigation, i.e. find and initiate specific court cases that might help bring about universal change and a standard of protection of the rights of all EU citizens.
The organisation has collaborated with a number of distinguished lawyers and specialists, including members of the European Parliament and academics of prestigious European universities. To finance its completely transparent activity, NOYB also performs crowdfunding – in the form of both monthly payments for day-to-day activity and financing of specific projects. This means that in reality the next steps taken by the organisation will be decided by its supporters. Even before the GDPR came into effect, the organisation filed a complaint concerning unlawful activity of entities such as Google, Instagram, WhatsApp and Facebook. Each reported breach could cost those firms more than a billion euros and is intended to induce them to implement the requirements under the regulation properly.
Adam Polanowski, Łukasz Lasek