GDPR Individuals' Right to Redress
Article 82 GDPR creates a right to compensation and establishes liability for infringements of the Regulation:
1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).
Recital 146 adds:
The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law. Processing that infringes this Regulation also includes processing that infringes delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation. Data subjects should receive full and effective compensation for the damage they have suffered. Where controllers or processors are involved in the same processing, each controller or processor should be held liable for the entire damage. However, where they are joined to the same judicial proceedings, in accordance with Member State law, compensation may be apportioned according to the responsibility of each controller or processor for the damage caused by the processing, provided that full and effective compensation of the data subject who suffered the damage is ensured. Any controller or processor which has paid full compensation may subsequently institute recourse proceedings against other controllers or processors involved in the same processing.
Several national jurisdictions have added specific criminal liabilities to their legislation. In France, for instance, Articles 226-16 and following create a criminal offence for the unauthorised processing of personal data.
A data controller that processes personal data, directly or through a data processor, should do so lawfully and in accordance with the six principles of data protection. If damage is caused to data subjects in the course of that processing, the controller should be held liable for compensation. This goes hand in hand with the obligation of security in Article 32 GDPR (Security of processing):
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate”
Pseudonymisation and encryption of personal data come first on the list of appropriate measures to consider. In the specific context of the pandemic, working from home and the sharp rise in cyberattacks and ransomware, it is an important duty for professionals, especially those bound by confidentiality, to use all available measures to keep data secure during storage and transfer. Encryption is still neglected by many legal professionals exchanging large amounts of personal data. Access to data should be limited to the strict minimum. Using external data processors requires a privacy audit and a DPIA. How legal professionals can use free accounts for large file transfers without a DPIA, or without clarifying who has access to those files, is a mystery. The rising number of cyberattacks and ransomware incidents against law firms and other legal professionals is highly concerning given the large amount of sensitive data they hold.
When a data breach occurs, the damage is neither immediate nor measurable. An attacker can take possession of data that then goes through a cycle of monetisation before ending up, as has happened in various cases, dumped on the dark net. It can take a while before a data subject realises how the data has been misused and can measure the magnitude of the damage.
The obligation to keep data secure, as demonstrated by a privacy impact assessment, plays a key role in determining liability. If a professional has been negligent, their liability should be engaged.
I should be discussing the subject of GDPR compliance, data protection and data security in law firms on Friday 17th September at InfoGovWorld EXPO 2021 with the security expert Alexandre Blanc and French IT lawyer Marc-Antoine Ledieu.
So far, national courts have been rather reluctant or inconsistent in allowing compensation.
One case of referral to the ECJ concerns an unencrypted email sent to a lawyer in Germany. The Court affirmed that the sending of an unencrypted e-mail might infringe Article 32 GDPR. The view that the sending of an unencrypted e-mail might violate Article 32 GDPR is also the opinion of the Data Protection Authority of North Rhine-Westphalia (DPA NRW), which says the following on its website: “The communication by e-mail requires at least the transport encryption, as it is offered by the considerable European providers by default. … It must be taken into account that in the case of transport encryption the e-mails are available on the e-mail servers in plain text and can basically be viewed. In the case of particularly sensitive data (e.g. account transaction data, financing data, health status data, client data from lawyers and tax consultants, employee data), transport encryption alone may not be sufficient”. (DPA NRW, Technical Requirements for Technical and Organisational Measures for E-Mail Sending, available here in German)
On 14 January 2021, the German Federal Constitutional Court considered that the materiality threshold had neither been subject to interpretation by the CJEU (acte éclairé) nor was the application of EU law so obvious as to leave no room for reasonable doubt (acte clair), and that the GDPR does not clarify the extent of compensation for immaterial damage following data privacy violations. The Federal Constitutional Court held that German authors had not yet adopted a uniform approach to the scope of GDPR damage claims. For these reasons, the Federal Constitutional Court determined that the concrete scope of Article 82 GDPR remains unclear and that the question therefore had to be referred to the European Court of Justice.
The Austrian Supreme Court referred the following three questions to the CJEU in August 2021:
1- Is it necessary that the plaintiff has suffered damages or is the breach of provisions of the GDPR itself sufficient to award damages under Art. 82 GDPR?
2- Are there any other requirements for the assessment of damages in addition to the principles of effectiveness and equivalence under European law?
3- Does an award of immaterial damage require that the infringement has consequences of at least some weight which goes beyond the distress caused by the infringement?
Interestingly, in the reasoning for initiating the preliminary reference procedure the Supreme Court refers to the judgment of the German Constitutional Court (1 BvR 2853/19). In this case, the Constitutional Court decided that the right to a fair trial (Art. 6 ECHR) was infringed because the lower Court of Goslar did not refer the question regarding the interpretation of Art 82 GDPR for a preliminary ruling to the CJEU, even though the interpretation was not clear enough. The Austrian Supreme Court stated that it does not share this point of view, but for the sake of a more coherent interpretation of European law it nevertheless refers the above-mentioned questions to the CJEU.
Case C-340/21: Request for a preliminary ruling from the Varhoven administrativen sad (Bulgaria) lodged on 2 June 2021 — VB v Natsionalna agentsia za prihodite
The Consiglio di Stato (Italy) lodged a request for a preliminary ruling on 31 May 2021
1. Are Articles 24 and 32 of GDPR to be interpreted as meaning that unauthorised disclosure of, or access to, personal data within the meaning of point 12 of Article 4 of GDPR by persons who are not employees of the controller’s administration and are not subject to its control is sufficient for the presumption that the technical and organisational measures implemented are not appropriate?
2. If the first question is answered in the negative, what should be the subject matter and scope of the judicial review of legality in the examination as to whether the technical and organizational measures implemented by the controller are appropriate pursuant to Article 32 of GDPR?
3. If the first question is answered in the negative, is the principle of accountability under Article 5(2) and Article 24 of Regulation (EU) 2016/679, read in conjunction with recital 74 thereof, to be interpreted as meaning that, in legal proceedings under Article 82(1) of Regulation (EU) 2016/679, the controller bears the burden of proving that the technical and organizational measures implemented are appropriate pursuant to Article 32 of that regulation? Can the obtaining of an expert’s report be regarded as a necessary and sufficient means of proof to establish whether the technical and organisational measures implemented by the controller were appropriate in a case such as the present one, where the unauthorised access to, and disclosure of, personal data are the result of a ‘hacking attack’?
4. Is Article 82(3) of Regulation (EU) 2016/679 to be interpreted as meaning that unauthorised disclosure of, or access to, personal data within the meaning of point 12 of Article 4 of Regulation (EU) 2016/679 by means of, as in the present case, a ‘hacking attack’ by persons who are not employees of the controller’s administration and are not subject to its control constitutes an event for which the controller is not in any way responsible and which entitles it to exemption from liability?
5. Is Article 82(1) and (2) of Regulation (EU) 2016/679, read in conjunction with recitals 85 and 146 thereof, to be interpreted as meaning that, in a case such as the present one, involving a personal data breach consisting in unauthorized access to, and dissemination of, personal data by means of a ‘hacking attack’, the worries, fears and anxieties suffered by the data subject with regard to a possible misuse of personal data in the future fall per se within the concept of non-material damage, which is to be interpreted broadly, and entitle him or her to compensation for damage where such misuse has not been established and/or the data subject has not suffered any further harm?
The Regional Court of Feldkirch had held that it was sufficient for the purposes of Article 82 GDPR that there was an unlawful processing of the plaintiff’s party preferences by the Austrian Postal Service, but the Higher Regional Court of Innsbruck reversed, holding that the plaintiff must actually feel impaired or distressed in order to be able to claim compensation for non-material damages: “A data protection violation must in any case intervene in the emotional sphere of the victim, … a minimum level of personal impairment will have to be required for the existence of non-material damage”.
The aim of Article 82 GDPR should be to compensate this non-material damage (in some translations, moral damage) which is not tangible. Otherwise the non-material liability provision of Article 82 would be rendered ineffective. German, Austrian and Italian courts have each submitted a preliminary question to the European Court of Justice to clarify the conditions of this liability.
My all-time advice: consider data minimisation as your best friend. Handle personal data like a hot potato.
Thanks for the beautiful GDPR text created by Dr W Kuan Hon from Fieldfisher.
Also thanks to Dr Carlo Piltz, German Lawyer, Partner at Piltz Legal, for his summary and translations of German cases.
Further reading:
This work is licensed under a Creative Commons Attribution 4.0 International License.