There has been a significant amount of coverage in recent months of the EU General Data Protection Regulation (GDPR) which is due to come into force on 25 May 2018. This has tended to focus on the significant fines that may be imposed on organisations for failing to implement the requirements of the legislation. What has received less coverage is the extent to which the GDPR expands the ability for claimants to bring compensation claims against companies in the event that there is an infringement of the regulations. This article will focus on the ability to seek compensation under the GDPR and the implications this may have for both businesses and individuals.
Under Article 82 of the GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the data controller or processor for the damage suffered. The individual is entitled to bring a compensation claim in the courts.
Implications for businesses
There are a number of implications arising out of this article:
- Expansion of liability for compensation claims to both controllers and data processors Under the previous legislation it was only possible to bring a claim against a data controller. This potentially makes it easier for claimants to bring compensation claims for breaches of the GDPR since it expands the pool of defendants who could be held liable. It also raises the issue of whether the GDPR has opened the floodgates to claims against data processors for these types of claims because now claimants are able to choose whether to bring a claim against either the controller or the processor. However, it is also possible to view this as making the system fairer; especially as previously, the liability for these claims fell solely to the controller regardless of whether the controller was responsible for the event giving rise to the damage. What is clear is that both data controllers and processors will need to ensure that their relationship with the other party is very carefully crafted so that the contract clearly sets out each party’s obligations and includes adequate compensation in the event that a claim is brought against them as a result of a breach by the other party.
- Where more than one data controller/processor is involved in the same processing each defendant shall be held liable for the entire compensation This provision is included to ensure the effective compensation of any data subjects. It is possible for any data controller or processor that has paid out compensation in full to recover from the other controllers or processors, a contribution for any amount of the compensation arising out of the other party’s responsibility for the damage. This certainly makes it easier for the claimant data subjects, who can potentially have a choice of defendants (perhaps whichever appears to be the easiest to sue, and presumably the company that is most likely to pay out). It is then for the defendants to sort out between them who is responsible for the damages. This could result in a significant amount of additional litigation as companies fight over which is responsible for the damage. As is set out above, to ensure that your company does not become embroiled in this litigation it will be advisable to ensure all obligations and liabilities are clearly set out in any contract between the parties.
- Clarification that compensation is available for both material and non-material damage Whilst this is not a significant change in the current position following the 2015 case of Vidal-Hall v Google, where the claimants were able to recover under the concept of “moral damages”, the GDPR does explicitly state that it is possible to recover for non-material damage. It seems that claimants will be able to bring compensation claims even if they have not suffered a financial loss arising from an infringement of the GDPR and potentially even if the damage suffered is very minor. This could include a claim for (but not limited to): -Distress -Anxiety -Reputational damage
- Exemption from liability if company is not “in any way responsible” for the event giving rise to damage A data controller or processor will be exempt from liability for a compensation claim under the GDPR if it proves that it is “not in any way responsible” for the event giving rise to the damage. As yet, there is no case law to provide guidance on how the courts will interpret this article. However, this provision seems likely to place an extremely high burden on a controller or processor to demonstrate that it did everything it reasonably could to protect data subjects. We would expect this to require, as a minimum, to lead to a need to not only comply with the GDPR minimum standards but also to have adequate audit trails evidencing this, and possibly to go further to require a balance of what is ‘reasonable’ in each case for each processor or controller. We envisage cyber security to be a hot topic here and evidence of appropriate security measures will inevitably feature heavily.
The extent of compensation claims
The key question that many companies will be asking is: what is the extent of any compensation claim that my firm may be required to pay? It is very difficult to predict at this stage as the courts have not yet considered any compensation claims brought under the GDPR. However, it is possible that this liability could be significant for companies in the event that they face claims from multiple claimants for a breach of their data if this occurs on a large scale. The example often given is that of the Talktalk hack in 2015 where the personal details of 157,000 customers were accessed leading to a number of customers becoming the victims of fraud and many others suffering the anxiety of wondering if they could become the victims of fraud. It is possible to envisage compensation claims in similar circumstances potentially amounting to millions of pounds.