Non-Material Damage Compensation
Non-compliance with the GDPR has three sets of legal consequences. We have heard a great deal about administrative enforcement by national data protection authorities. We have heard less about criminal liability for non-compliance, especially for the absence of security measures. The third level is civil liability, as set out in Article 82 GDPR. This article establishes a right to compensation and liability: ‘Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.’ Action can be taken individually or as a class action. This is a serious threat at a time when we are witnessing a sharp rise in data breach incidents, with increasing cyber attacks and ransomware. When a controller has neglected to take appropriate security measures, it is liable for compensation. The difficulty here is that the damage caused is often not measurable or not imminent.
In its recent enforcement decision against the online payment company Slimpay, the French data protection authority, the CNIL, clearly states that non-compliance with the security obligations of Article 32 GDPR is sufficient in itself, without the need to prove access to the data.
In translation from the French decision: “The restricted panel considers that the absence of evidence of fraudulent use of the data has no bearing on the characterisation of the breach of the security obligation. The risk of fraudulent use of personal data was real, irrespective of the cases of fraud, in so far as the data of many persons were made accessible to unauthorised third parties. The absence of proven damage to the data subjects does not affect the existence of the security defect, which constitutes the breach of Article 32 of the GDPR.”
Recital 146 goes into more detail on the compensation:
The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law. Processing that infringes this Regulation also includes processing that infringes delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation. Data subjects should receive full and effective compensation for the damage they have suffered. Where controllers or processors are involved in the same processing, each controller or processor should be held liable for the entire damage. However, where they are joined to the same judicial proceedings, in accordance with Member State law, compensation may be apportioned according to the responsibility of each controller or processor for the damage caused by the processing, provided that full and effective compensation of the data subject who suffered the damage is ensured. Any controller or processor which has paid full compensation may subsequently institute recourse proceedings against other controllers or processors involved in the same processing.
Recital 85, in the context of a data breach, states that:
A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.
Several companies that recently suffered data breaches (British Airways, easyJet, Marriott, Ticketmaster, etc.) have been hit by class actions. In the UK, the case brought by Mr Lloyd against Google over unlawful data access was ultimately rejected by the Supreme Court on the basis that not all class members had suffered identical harm. When could that ever be the case?
Loss of control and distress have been the criteria for civil compensation following a data breach. Several German and Austrian courts have recognised liability for non-material damage suffered by data subjects. Three referrals for clarification have been made to the European Court of Justice. If you are interested in this important subject, you can read in more depth about all the relevant cases we have been able to curate here.
As for criminal liability, EU national legislatures have introduced specific offences into their criminal laws. The offences under the Computer Misuse Act 1990 in the UK are well known.
The list below shows some of the main criminal offences related to data protection introduced into the French legal system.
Art. 226-16 The fact, including through negligence, of carrying out or having carried out processing of personal data without having complied with the formalities prior to its implementation provided for by law is punishable by five years’ imprisonment and a fine of €300,000. The same penalties apply to carrying out or having carried out, including through negligence, processing which has been the subject of one of the measures provided for in 3° of III of Article 20 of Law No. 78-17 of 6 January 1978 on data processing, files and freedoms.
Art. 226-16-1 The fact, except in cases where the processing has been authorized under the conditions provided for by Law No. 78-17 of 6 January 1978 cited above, of carrying out or having carried out a processing of personal data including among the data on which it relates the registration number of persons in the national register of identification of natural persons is punishable by five years’ imprisonment and a fine of 300,000 euros.
Art. 226-17 The fact of carrying out or having carried out processing of personal data without implementing the measures prescribed in Articles 24, 25, 30 and 32 of Regulation (EU) 2016/679 of 27 April 2016 or in 6° of Article 4 and Articles 99 to 101 of Law No. 78-17 of 6 January 1978 cited above is punishable by five years’ imprisonment and a fine of €300,000.
Art. 226-17-1 The fact that a provider of electronic communications services or a controller does not notify a personal data breach to the Commission nationale de l’informatique et des libertés or to the person concerned, in breach of Articles 33 and 34 of Regulation (EU) 2016/679 of 27 April 2016 or the provisions of II of Article 83 and Article 102 of Law No. 78-17 of 6 January 1978, is punishable by five years’ imprisonment and a fine of €300,000. The same penalties apply to a processor failing to notify the controller of this breach, in breach of Article 33 of Regulation (EU) 2016/679 of 27 April 2016 or Article 102 of the aforementioned Law No. 78-17 of 6 January 1978.
Art. 226-18 Collecting personal data by fraudulent, unfair or unlawful means is punishable by five years’ imprisonment and a fine of €300,000.
Art. 226-18-1 The fact of processing personal data concerning a natural person despite that person’s objection, when the processing is carried out for prospecting purposes, in particular commercial prospecting, or when the objection is based on legitimate reasons, is punishable by five years’ imprisonment and a fine of €300,000.
Art. 226-19 The fact, except in the cases provided for by law, of placing or storing in computerized memory, without the express consent of the person concerned, personal data which, directly or indirectly, reveal the racial or ethnic origins, political, philosophical or religious opinions, or trade union memberships of the persons, or which relate to their health or sexual orientation or gender identity, is punishable by five years’ imprisonment and a fine of €300,000. The same penalties shall apply, except in the cases provided for by law, to placing or storing in computerized memory personal data concerning offences, convictions or security measures. The provisions of this Article shall apply to non-automated processing of personal data the implementation of which is not limited to the exercise of exclusively personal activities.
Art. 226-19-1 In the event of the processing of personal data for the purpose of research in the field of health, the following is punishable by five years’ imprisonment and a fine of €300,000: 1° Processing without having previously informed individually the persons on whose account personal data are collected or transmitted of their right of access, rectification and opposition, the nature of the data transmitted and the recipients thereof; 2° Processing despite the objection of the person concerned or, where provided for by law, in the absence of the informed and express consent of the person, or in the case of a deceased person, despite the refusal expressed by the latter during his lifetime.
Art. 226-20 The fact of keeping personal data beyond the period provided for by law or regulation, by the request for authorisation or opinion, or by the prior declaration addressed to the National Commission for Informatics and Freedoms, is punishable by five years’ imprisonment and a fine of €300,000, unless this retention is carried out for historical, statistical or scientific purposes under the conditions provided for by law. The same penalties apply to the fact, except in the cases provided for by law, of processing personal data stored beyond the period mentioned in the first paragraph for purposes other than historical, statistical or scientific purposes.
Art. 226-21 The fact, by any person holding personal data on the occasion of their registration, classification, transmission or any other form of processing, of diverting this information from its purpose as defined by the legislative provision, the regulatory act or the decision of the National Commission for Informatics and Freedoms authorising automated processing, or by the declarations prior to the implementation of this processing, is punishable by five years’ imprisonment and a fine of €300,000.
Art. 226-22 The fact, by any person who has collected, on the occasion of their registration, classification, transmission or other form of processing, personal data the disclosure of which would have the effect of damaging the standing of the person concerned or the intimacy of his private life, of bringing these data, without the authorisation of the person concerned, to the knowledge of a third party who does not have standing to receive them is punishable by five years’ imprisonment and a fine of €300,000. The disclosure provided for in the preceding paragraph is punishable by three years’ imprisonment and a fine of €100,000 when committed through recklessness or negligence. In the cases provided for in the two preceding paragraphs, prosecution may be brought only on the basis of a complaint by the victim, his legal representative or his successors in title.
Art. 226-22-1 Carrying out or causing to be carried out a transfer of personal data which is or is intended to be processed to a State not belonging to the European Union or to an international organisation, in breach of Chapter V of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, or Articles 112 to 114 of Law No. 78-17 of 6 January 1978 cited above, is punishable by five years’ imprisonment and a fine of €300,000.
Art. 226-22-2 Hindering the action of the National Commission for Informatics and Liberties is punishable by one year’s imprisonment and a fine of €15,000, whether: 1° By opposing the exercise of the missions entrusted to its members or authorised agents pursuant to the last paragraph of Article 10 of the aforementioned Law No. 78-17 of 6 January 1978, when the visit has been authorised by the judge; 2° By refusing to communicate to its members or to the agents authorised pursuant to the last paragraph of Article 10 of the same law, or to the agents of a supervisory authority of a Member State of the European Union pursuant to Article 62 of Regulation (EU) 2016/679 of 27 April 2016 cited above, the information and documents useful for their mission, or by concealing such documents or information, or by removing them; 3° By communicating information that does not conform to the content of the records as it was at the time the request was made, or that does not present this content in a directly accessible form.
Art. 226-23 In the cases provided for in Articles 226-16 to 226-22-2, the erasure of all or part of the personal data subject to the processing that gave rise to the offence may be ordered. The members and agents of the National Commission for Informatics and Liberties are entitled to note the erasure of this data.
Art. 226-24 Legal persons declared criminally liable, under the conditions provided for in Article 121-2, for the offences defined in this section shall incur, in addition to the fine in accordance with the procedures laid down in Article 131-38, the penalties provided for in 2° to 5° and 7° to 9° of Article 131-39. The prohibition mentioned in 2° of Article 131-39 relates to the activity in the exercise, or in the course of the exercise, of which the offence was committed.
These are a few of the French offences that make the data controller, or the person unlawfully accessing personal data, liable.
The UK Data Protection Act 2018 has introduced several offences:
Offences under the DPA 2018
Section 119: Obstructing the Commissioner in inspecting personal data to discharge an international obligation
Section 119 is described as a ‘future-proofed’ version of s.54A DPA 1998. It is a provision that criminalises obstructing the ICO’s inspection of European information systems. The Commissioner may inspect personal data where the inspection is necessary in order to discharge an international obligation of the United Kingdom, subject to the restriction in subsection (2). Section 119(6) states that it is an offence (a) intentionally to obstruct a person exercising the power under subsection (1), or (b) to fail without reasonable excuse to give a person exercising that power any assistance the person may reasonably require.
Section 132: Prohibition placed upon the Commissioner, or the Commissioner’s staff against disclosing information obtained in the course of their role (which is not available to the public)
Section 132 replaces section 59 DPA 1998 and criminalises action by former or current ICO staff who disclose data obtained in the course of their duties. Section 132(2) clarifies the circumstances in which disclosure, with lawful authority, may be made. Section 132(3), however, confirms that it is an offence for a person knowingly or recklessly to disclose information in contravention of subsection (1).
It is an offence for a person, in response to an information notice from the Commissioner, to make a statement which they know to be false in a material respect, or recklessly to make such a statement.
Under Section 148(2)(a) it is an offence for a person to destroy or otherwise dispose of, conceal, block or (where relevant) falsify all or part of the information, document, equipment or material. Section 148(2)(b) makes it an offence to cause or permit the actions set out in the previous subsection.
Section 170 of the Act builds on section 55 DPA 1998, which criminalised knowingly or recklessly obtaining, disclosing or procuring personal data without the consent of the data controller, and the sale or offering for sale of that data. The provision was most commonly used to prosecute those who had accessed healthcare and financial records without a legitimate reason. Section 170 adds the offence of knowingly or recklessly retaining personal data (which may have been lawfully obtained) without the consent of the data controller. There are some exceptions: for example, where such obtaining, disclosing, procuring or retaining was necessary for the purposes of preventing or detecting crime. Section 170(2) and (3) set out the defences to Section 170(1).
Section 171, a new offence, criminalises the re-identification of personal data that has been ‘de-identified’ (de-identification being a process, such as redaction, to remove or conceal personal data). Section 171(5) states that it is an offence for a person knowingly or recklessly to process personal data that is information that has been re-identified. Sections 171(3) and (4) set out the defences to Section 171(1), for example that the re-identification was necessary for the purposes of preventing or detecting crime. Sections 171(6) and (7) set out the defences to Section 171(5).
Section 173 relates to the processing of requests for data from individuals for their personal data. Section 173 (3) makes it a criminal offence for organisations (persons listed in Section 173 (4)) to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure. It builds on an offence under the Freedom of Information Act 2000. Possible defences to an offence under section 173 (3) are set out in Section 173 (5).
Section 184(1) makes it an offence for a person to require another to provide them with, or give them access to, a relevant record in connection with the employment or continued employment of one of their employees, or a contract for the provision of services to them. Section 184(2) makes it an offence for a person to require another to provide them with, or give them access to, a relevant record if the requestor is involved in the provision of goods, facilities or services to the public and the requirement is a condition of providing or offering to provide goods, facilities or services to the other person or a third party. Section 184(3) details the possible defences to offences under subsection 184(1) or (2).
It is an offence under paragraph 15(1) of Schedule 15 for a person intentionally to obstruct a person in the execution of a warrant issued under that Schedule, or to fail without reasonable excuse to give a person executing the warrant such assistance as may be required. Under paragraph 15(2) it is an offence for a person to make a statement in response to a requirement under paragraph 5(2)(c) or (d) or 5(3)(c) or (d) which the person knows to be false in a material respect, or recklessly to make such a statement.
There are no custodial sentences in respect of offences under DPA 2018 and no powers of arrest; all offences are punishable only by a fine.
Schedule 15 (Powers of entry and inspection) sets out the circumstances in which the Information Commissioner may apply for a search warrant.
The DPA 2018 removed Section 77 (power to alter penalty for unlawfully obtaining etc personal data) of the Criminal Justice and Immigration Act 2008.
The Irish Data Protection Act 2018 has introduced, in Section 144 et seq., a series of offences:
- Unauthorised disclosure by processor
- Disclosure of personal data obtained without authority
- Offences by directors, etc., of bodies corporate
- Prosecution of summary offences by Commission