According to the ECJ, the General Data Protection Regulation (GDPR) allows individuals to choose between administrative and civil remedies in the event of a violation of their rights under the GDPR. This may lead to an increase in data breach litigation.

What is the Background?

Administrative remedies, such as filing a complaint with a supervisory authority, can lead to an investigation and potential enforcement action against companies that are non-compliant with the GDPR. This can result in fines or other sanctions being imposed. The data protection supervisory authorities, however, tend to be slow, and the data subject cannot seek compensation before the authorities.

Civil remedies, such as filing a lawsuit, can lead to compensation for damages suffered because of the GDPR non-compliance. This can include compensation for financial loss, as well as non-pecuniary damages, such as for distress.

Having the flexibility to choose between administrative and civil remedies under the GDPR provides individuals with multiple options for seeking redress in the event of a violation of their rights. This can also increase the deterrent effect of the GDPR by providing for both enforcement action and compensation for affected individuals, even more so once the Directive on representative actions for the protection of the collective interests of consumers, which also allows class actions in GDPR cases, has been transposed by the Member States by June 2023.

The GDPR explicitly deals only with the relationship between administrative and court proceedings which happen simultaneously in different Member States (Art. 60-63, 81 GDPR). But what happens when administrative remedies before a data protection supervisory authority (and potentially an administrative court) as well as civil remedies before a court are sought in one Member State at the same time? This is the question that was put before the ECJ.

What did the court decide?

The court pointed out that making several remedies available strengthens the objective set out in recital 141 of the GDPR of granting every data subject the right to an effective judicial remedy. Thus, the remedies provided for in Article 77(1) and Article 78(1) of the GDPR (Right to lodge a complaint with a supervisory authority), on the one hand, and Article 79(1) thereof (Right to an effective judicial remedy against a controller or processor), on the other, can be exercised by the data subject concurrently with and independently of each other.

But the ECJ also held that the GDPR needs to be applied consistently and homogeneously. It is for the Member States, in accordance with the principle of procedural autonomy, to lay down detailed rules as regards the relationship between those remedies in order to ensure the effective protection of the rights guaranteed by the GDPR and the consistent and homogeneous application of its provisions, as well as the right to an effective remedy.

How can civil and administrative remedies be aligned?

The rules regulating the relationship between administrative and civil remedies differ between the various Member States. In Germany, for example, civil courts can decide to delay a decision until an administrative procedure has been finalized, or vice versa. However, quite a lot of discretion is possible here. Given that administrative cases often take longer than the civil case, the civil court may decide to go ahead before the authority has taken a decision.

But even when an administrative decision has already been taken, its influence on civil cases can be limited: the “facts” established in administrative decisions must also be applied by civil courts. However, the legal reasoning of the authority does not strictly bind the civil courts, which may come to a different conclusion.

What are the two main practical consequences for privacy litigation?

All the above concerns the law “as it was” until now. Considering the decision, the law or the practice of the courts may change. The tools provided by national procedural law to prevent conflicting decisions should be used. This may require an intelligent litigation strategy.

But what happens if administrative remedy and civil remedy are sought in different Member States?

Administrative remedy and civil remedy could be sought in different Member States. The rules regarding competence of data protection supervisory authorities and (civil) courts under the GDPR differ. Data subjects can sue before the courts of their home Member State. Thus, a bit of “forum shopping” by data subjects may be expected, in particular if a lead authority competent for a specific company is known to be rather lenient.

Main Takeaways

  1. Data subjects can pursue their rights simultaneously with administrative and civil remedies.
  2. Avoiding conflicting decisions may depend on an intelligent litigation strategy.
  3. The ruling may boost civil privacy litigation, especially cross-border litigation.