The General Data Protection Regulation (GDPR) will enter into force on 25 May 2018.
1. The Right to an “Effective Judicial Remedy”
1.1 Under Article 78(1) each natural or legal person shall have the right to an effective judicial remedy against any “legally binding decision of a supervisory authority concerning them”. Therefore data controllers and processors may bring actions as well as data subjects. The words “concerning them” would appear to mean that the person must be directly affected by the decision and not that they have a general concern or interest in a matter. The decision must also be legally binding. This could cover a refusal by a supervisory authority to act on a complaint or the dismissal of a complaint.
1.2 All appeals against decisions of supervisory authorities must be brought in the courts of the Member State where the supervisory authority responsible for the decision is based.
1.3 In addition to the rights of appeal against substantive decisions, article 79(2) includes a specific right for data subjects to have an effective judicial remedy where the supervisory authority fails to handle a complaint properly. Again, the right is without prejudice to any other administrative or non-judicial remedy. It applies where a complaint has been lodged under Article 77 and the competent supervisory authority does not act on a complaint, or does not inform the data subject of the progress or outcome of the complaint within three months of it being lodged.
1.4 Article 79(1) provides data subjects, not other parties, with the right to a judicial remedy against controllers or processors. This must be clearly distinguished from a right to financial compensation awarded by the courts, although in practice data subjects are likely to apply for both a judicial remedy and compensation at the same time. The right applies where the data subject considers that “his or her rights under the Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation”. The right to a judicial remedy against the controller or processor is therefore limited to those cases where the specific rights of data subjects have been infringed as opposed to the right to complain to the supervisory authority which applies in any cases where the data subject considers that he/she is affected by non-compliance with the Regulation.
1.5 The potential liability of controllers and processors under the GDPR is not the same. Article 82(2) states that "any controller involved in processing shall be liable for the damage caused by processing which infringes this regulation". A processor will be liable for “the damage caused by processing only where it has not complied with obligations of this regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of a controller”. The responsibility of a processor therefore extends to the actions of its sub-processors. If the controller or processor proves that it is not “in any way” responsible for the event giving rise to the damage, it is exempt from liability.
1.6 The right to seek a judicial remedy is without prejudice to the existence of any other administrative or non-judicial remedy, including the right to lodge a complaint with the supervisory authority. Therefore the data subject has a choice of options available to him or her. The individual does not appear to have to show damage, simply that his or her rights are infringed, for example by the failure of a data controller to provide subject access.
2.1 The same rules for the choice of venue apply to actions for compensation, that is the courts of the Member State where the controller or processor has an establishment or the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority acting in the exercise of its public powers. As under the current law, it is likely that litigants will often seek both mandatory orders to enforce rights and compensation at the same time.
2.2 Under Article 82(1), "any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered”. The right to compensation applies to “any person”, which extends the right to legal persons as well as natural persons. There is no limitation to “data subjects”, which would mean that an individual who is not a data subject will also be able to bring a claim in an appropriate case.
2.3 There does not seem to be an express provision in the General Scheme of the Data Protection Bill giving effect to Article 82(1). Instead, the explanatory note to Head 24 (on data processing and freedom of expression and information) comments that Article 82 GDPR “clarifies that damages are payable in the case of data breaches giving rise to non-material damage”. This seems to assume that Article 82 is horizontally effective.
3.1 The Data Protection Commissioner in Ireland does not currently have the power to impose fixed monetary penalties. Summary legal proceedings for an offence under the Data Protection Acts 1988 and 2003 (DPA) may be brought and prosecuted by the Office of the Data Protection Commissioner (ODPC). Under the DPA, the maximum fine on summary conviction of such an offence is set at €3,000 per instance or €5,000 under the e-Privacy Regulations 2011. On conviction on indictment the maximum penalty is a fine of €100,000 or €250,000 under the e-Privacy regulations 2011. Largely, the Data Protection Commissioner's powers to enforce compliance with the DPA are achieved through enforcement notices and prohibition notices.
3.2 Under the GDPR supervisory authorities will have powers to issue fines for a wide range of breaches of the Regulation. The fines can be issued against any data controller or processor, whether a corporate body, an association, or an individual. Therefore for the first time data processors as well as data controllers will be liable for fines. There are two levels of fine: the lower level has a maximum of €10 million or, in the case of an undertaking, up to 2% of annual worldwide turnover, whichever is higher. The second has a maximum of €20 million or, in the case of an undertaking, of up to 4% of annual worldwide turnover, whichever is higher.
3.3 The level of fines therefore represents a significant increase in those currently available to supervisory authorities. The ability to impose significant fines will therefore be a new power for supervisory authorities, even those with existing fining powers. In addition, the fines can be imposed for almost any failure to meet the stringent and detailed obligations imposed under the GDPR.
3.4 Article 83(2) makes clear that fines can be imposed as well as, or instead of, the measures listed in Article 58 including the power to issue warnings, reprimands or mandatory orders, impose bans on processing or order the withdrawal of certification. Article 83(1) sets out the overarching requirement that fines for the infringement of the GDPR shall in each individual case be "effective, proportionate and dissuasive". Due regard must be given to the nature of the infringement, the culpability of the controller or processor, and "any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided directly or indirectly from the infringement".
3.5 The level of fines will be strongly influenced by the guidance published by the European Data Protection Board under Article 70(1)(k) and the Board will have the task of determining fines under the consistency mechanism where there are different views from supervisory authorities. The guidance of the Board will therefore be of central importance.
3.6 Article 84 also requires Member States to lay down rules on other penalties applicable to infringements of the Regulation. This applies in particular for infringements which are not subject to administrative fines. Recital 152 states that this applies where the Regulation does not harmonise administrative penalties or where necessary in other cases, for example serious infringements of the GDPR.
- A data subject has the right to lodge a complaint with the Data Protection Commissioner if he/she considers that the processing of personal data relating to him or her infringes the GDPR.
- Every natural or legal person has a right to appeal a legally binding decision of the Commissioner concerning them. This applies to both controllers/processors and data subjects.
- Data subjects can bring a court action against the Commissioner where the Commissioner fails to handle a complaint or fails to handle it properly.
- Data subjects have rights and remedies against data controllers and processors where they consider that their rights have been infringed under the Regulation.
- Data subjects can seek a range of orders from the courts to enforce their rights as well as seeking compensation.
- Any person who suffers material or non-material damage as a result of a failure to comply with the GDPR can seek compensation for the damage. This right applies to any natural or legal person and is not limited to data subjects.
- If a number of controllers/processors are implicated in proceedings the liability will be joint and several.
- Where connected cases are brought in more than one member state other cases can be suspended until the court first seized of the matter makes its determination.
- Data subjects may be represented by representative bodies and such bodies may be empowered by Member States to bring independent actions.