Enforcement of data protection violations has become a powerful tool. Since the EU General Data Protection Regulation (GDPR) came into force, Europe’s data protection authorities (DPAs) have imposed administrative fines totalling over €500m.
In the same period, data subjects have also been lodging claims directly with the civil courts (as opposed to their DPA) for (alleged) GDPR violations by data controllers or processors. As a result, data protection litigation in many European jurisdictions is on the rise.
This type of litigation covers more areas than one might expect. In this blog, we summarise the most important ones.
Under Article 82 of the GDPR, any person who has suffered material or immaterial damage (such as emotional distress) as a result of a data protection violation has the right to compensation.
We are not aware of any published decision dealing with material damages due to GDPR infringements. But there are several national court decisions dealing with compensation for immaterial damages.
It was an Austrian court that was the first to award a data subject compensation for emotional harm due to the unlawful processing of their personal data (see our blog for further details). However, the court set quite a low threshold for relevant ‘immaterial damage’ as it held that the mere feeling of being disturbed constituted immaterial harm and awarded the claimant €800 of the €2,500 claimed.
Then, in September 2019, a Dutch court awarded a data subject €250 of the €500 claimed as compensation for the anxiety and stress she suffered as a result of a third party’s unlawful disclosure of certain health data to her employer. Awarding compensation for anxiety and stress is a higher (and more reasonable) threshold for immaterial damages than the mere feeling of being disturbed, as was the case in Austria.
In Germany, the courts have (so far) been reluctant to award compensation for immaterial damages as a result of GDPR infringements. Indeed, German courts in general set a high bar for immaterial damages: they want to see that a noticeable disadvantage and comprehensible impairment have arisen in order to decide in favour of such claims.
The above cases show that, even though all these claims were based on Article 82 of the GDPR, domestic courts are taking different views of the legislation. It remains to be seen whether (and, if so, how) these court decisions will influence future domestic cases, and when (or if) a uniform materiality threshold for the existence of immaterial damage will be applied throughout the EU.
Ultimately, we will have to wait for the Court of Justice of the European Union to clarify this question.
So far, the courts have awarded data subjects only small amounts of compensation. Yet data protection violations, by their nature, affect multiple individuals so could lead to collective actions by hundreds or even thousands of claimants.
The risk of large-scale litigation is real. In Austria, a representative organisation for claimants is preparing to file a collective action, with claims for immaterial damages of up to €3,000 for each data subject who allegedly suffered as a result of the unlawful processing of their personal data.
Given recent developments in data protection litigation, Austria is unlikely to remain the only country where collective actions are going to be the instrument of choice for claimants and litigation funders.
But the rules on whether (and, if so, how) collective actions can proceed vary by jurisdiction: in some member states, claims for compensation for immaterial damages may not meet the domestic requirements.
Protecting data subject rights before the court
Under Article 77 of the GDPR, data subjects have the right to lodge a claim with a supervisory authority (typically a DPA) if they consider that the processing of their personal data infringes the GDPR.
But Article 79 also gives them the right to an effective judicial remedy if they believe their data rights have been infringed as a result of GDPR non-compliance.
So an infringement could result in two-pronged legal action. And, even though the DPA and civil court would examine the same facts (although possibly different facets of those facts), a data processor or controller could face contradictory decisions on the same matter.
Take this very simple (and hopefully still theoretical) example regarding the response to a data subject access request. The DPA might deny the request to provide unredacted information to the data subject in order to avoid infringing the rights of third parties. But the civil court could order that the data subject be given the information unredacted.
Again, domestic rules and procedures will be important here. But hopefully national civil courts and DPAs will consult each other before deciding on the same matter.
As well as the collective actions mentioned above, under Article 80 of the GDPR, member states may allow non-profit entities to exercise the data subject rights as per Article 79 without a mandate from the data subject.
Even where a member state has not implemented this, domestic law may allow for representative actions with a data protection angle – again, without the need for a data subject to be involved.
For example, in some jurisdictions, consumer protection laws provide remedies for the protection of collective interests. This has empowered consumer-related associations to file representative actions to prohibit the continued use of unfair and unlawful general terms and conditions (including provisions violating GDPR rules).
Claims for injunctive relief
The GDPR does not explicitly prohibit the securing of data protection-related claims through interim measures. So claimants could obtain an interim injunction – a powerful tool in any litigation.
However, whether this is possible depends on domestic rules and procedures. Interim injunctions may be issued to, for example, avert imminent irreversible damage. However, granting an interim injunction may require prima facie evidence of entitlement and risk.
The actual scope of possible interim injunctions relating to data protection remains unclear. So far, we have not come across relevant court decisions.
Unfair competition claims
If a data controller or processor infringes its GDPR obligations, remedies under unfair competition law (including injunctive relief claims) may be available.
However, there is no uniform approach to unfair competition regulation in the EU so the issue depends on domestic rules, in particular how the national unfair competition legislation defines a competitor’s ‘unfair action’.
In some jurisdictions, unfair competition claims may be an effective remedy for companies to act against their competitors’ GDPR violations; in others, relying on unfair competition might not be effective at all.
The first case law in this regard comes from Germany, where a few courts have recognised a competitor’s right to claim in this regard. But in general the courts seem rather reluctant to grant such claims.
One vital question remains: can the right to bring proceedings under unfair competition laws be established at all based solely on a violation of the GDPR?
As shown above, private GDPR enforcement is a broad field and goes way beyond claims for damages. Further, domestic laws may allow claimants to take private enforcement actions for GDPR violations.
Data protection litigation and private enforcement of GDPR violations are here to stay. Organisations should be prepared for potential civil claims with a data protection focus and factor this into their GDPR compliance programmes.