In a recent German case, a court decided that a CEO was personally liable for a data privacy breach after they hired a detective to investigate possible criminal acts by the plaintiff. Given the potential risks, this case raises a number of issues for companies and their boards to consider.
Data privacy debates in Europe
This is one of a number of recent cases in Europe where the courts have dealt with the question of what is necessary for damages to be awarded under article 82 of the EU General Data Protection Regulation (GDPR). Article 82 provides that anyone who suffers non-material damage as a result of a GDPR infringement shall have the right to receive compensation for the damage suffered. In a series of blog posts, we have taken a deep dive into the current case law on non-material damages for data privacy violations in Europe. We look at what the threshold for awarding non-material damages is, and the average amount that has been awarded for non-material damages for data privacy breaches.
This debate continues as the German Higher Regional Court, Dresden (the court) has raised the stakes for CEOs: it applied a broader interpretation of ‘data controller’ and held the CEO personally liable for data privacy violations.
A CEO, on behalf of the defendant company, commissioned a detective to investigate possible criminal acts committed by the plaintiff who had submitted a membership inquiry to the company. The detective’s findings revealed that the plaintiff had been involved in criminal acts. When the company's shareholders were informed of this, they rejected the membership application.
The court ruled that the CEO hiring a detective violated data protection law and awarded the plaintiff €5,000 in non-material damages. In line with other German court rulings, the court found that data protection violations must not be trivial and that there is a threshold for awarding non-material damages. The sum of damages awarded also aligns with other German court rulings on damage claims.
Personally liable, company consequences
Notably, the court held the CEO personally liable for the data protection violations and the damage claim, alongside the company. It classified the CEO as a data controller, which distinguishes him from an employee who is bound by instructions. Since the European Court of Justice has tended to apply a very broad interpretation of a data controller, it seems likely that other courts could follow suit.
Board members are generally at risk of personal liability for data privacy violations by their company, but if more courts choose to follow this opinion, it may potentially raise the standard of duty of care even further. There is a particular risk where a board member or executive initiates the data processing underlying the data protection breach, or where he or she participates in the corresponding decisions or assignments. A lack of oversight can also trigger personal liability. It is becoming increasingly important for boards to manage risk in relation to the company’s data processing activities.