Non-compliance with the EU General Data Protection Regulation (GDPR) may lead to severe liability risks for companies inside and outside the European Union, stemming from claims by consumers, claims by competitors or business partners such as service providers and business customers, and from enforcement by supervisory authorities. In this article, we put a spotlight on liability towards consumers.
Are consumers entitled to compensation in case of violations of the GDPR?
Under Art. 82 GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR is entitled to compensation from the data controller or data processor.
These claims can be brought forward by individuals whose personal information (e.g. name, contact details including e-mail address, payment information, IP address, device fingerprints, and location or other behavioral data) your company collects, retains, uses or otherwise processes within the scope of the GDPR.
Who is entitled to claims under Art. 82 GDPR?
Violations of the GDPR that may lead to claims for compensation may include, amongst others:
- Processing of personal information without a legal basis under Art. 6 and/or 9 GDPR, such as consent, legitimate interests, or necessity for the performance of a contract
- Failing to comply with the rights of data subjects under Art. 15-22 GDPR, such as the “right to be forgotten” under Art. 17 GDPR
- Non-provision of or insufficient privacy statements under Art. 13-14 GDPR
- Data breaches due to insufficient technical and organizational measures for data security under Art. 32 GDPR
Any person whose personal information is affected by such a case of non-compliance may be entitled to damages. If, for example, the privacy notice of a web service does not meet the legal requirements, this may be any user of the service. A company is not liable if it proves that it is in no way responsible for the violation of the GDPR, neither intentionally nor negligently.
Art. 82 GDPR usually concerns data collected in B2C settings. It may also cover individuals whose data were gathered in B2B settings (e.g. the content of e-mails from an employee of one of your business customers); however, their employer as a legal entity is not entitled to claims under Art. 82 GDPR. The respective employee may file a legal action on his or her own behalf.
What kind of damages may be claimed? How to calculate compensation?
Firstly, the consumer affected by the GDPR infringement may claim material damages. This may include, for example, situations where a hacker attack leads to unauthorized disclosure of user data to the public, the data controller failed to implement appropriate measures for data security, and the user becomes a victim of identity theft or other fraud that leads to financial damages.
Secondly, non-material damages may also be subject to claims for compensation. If, for example, in the scenario described in the paragraph above, the hacker attack leads to the unauthorized revelation of information such as private communications including compromising details on his or her private life, the user may also claim compensation for his or her reputational damage.
The precise scope and factors to calculate such non-material damages are subject to disputes in various legal actions. In particular, it is unclear whether financial compensation must be paid only in case the individual has suffered severe (non-financial) disadvantages, or whether the mere violation of GDPR obligations is sufficient to trigger a financial compensation.
Recently, a higher regional court in Austria ruled the practice of a leading Austrian direct marketing service provider unlawful (Landesgericht Feldkirch, judgement of August 7, 2019, case no. 57 Cg 30/19b – 15). The company had sold postal address data that had been attributed to target groups to political parties without the residents’ consent. The court granted compensation in the amount of 800 EUR to the plaintiff – who was only one of potentially 2.2 million affected consumers who may be entitled to compensation.
Due to an appeal, this judgement is not yet legally binding. As a consequence of the judiciary system in the EU, it sometimes takes years until landmark cases arrive at the European Court of Justice, which is the highest authority when it comes to interpreting EU laws. Therefore, as is often the case with the relatively new GDPR, patience is required to get the full picture.
Who is responsible in case service providers are involved?
The data controller in the sense of Art. 4(7) GDPR (i.e. the legal entity which, alone or jointly with others, determines the purposes and means of the data processing in question) is liable for any damage caused by processing which infringes the GDPR.
A data processor in the sense of Art. 4(8) GDPR (i.e. the legal entity which handles personal data on behalf of others) will be liable only if it violated the data controller’s instructions, or if it infringes a GDPR obligation that is directly addressed to data processors. For example, data processors must ensure a technical environment that meets the GDPR requirements for data security.
Conversely, if a data controller unlawfully collects personal information on consumers and uses a cloud or SaaS service to manage these data, the cloud service provider is generally not liable for GDPR infringements of its customer. However, for some companies, the EU e-Commerce Directive may apply and force them to take down illegal third-party content upon notice.
How severe is the risk in practice?
There are no reliable statistics on how many claims have been raised throughout the EU. According to our practical experience, the number of claims being brought to court remains low. For the moment, consumer protection agencies are the major drivers, bringing test cases to the courts. If the European Court of Justice sets clear and consumer-friendly precedents, this may encourage legal tech startups to seek financial benefit from accumulating claims and initiating class actions, for example in case of major data breaches that affect high numbers of consumers.