Happy consumer lawyers due to new data privacy damages claims?
February 2018 | SPOTLIGHT | DATA PRIVACY
Financier Worldwide Magazine
The upcoming EU data protection law will massively change current data privacy laws. One less well-known change is that civil claims based on actual or alleged data privacy violations may create high exposure for companies. This article explains the risks and gives advice on how companies can manage them.
In May 2018, a new harmonised data privacy law comes into effect across the entire EU. The EU General Data Protection Regulation (GDPR) massively changes current data privacy laws. Among other things, it brings along extensive information obligations for companies which process personal data of clients or employees, documentation obligations and a large number of procedural requirements. The fines for not processing personal data in compliance with the GDPR may amount to up to 4 percent of a company group’s global revenue. Unlike under current data privacy laws in the EU, few C-suite executives are willing to take this risk. Consequently, many firms are currently running large projects which aim at implementing the GDPR.
But there is one risk which few managers and consultants have so far identified. Civil claims, due to actual or alleged data privacy violations, may create even more exposure than the hefty fines provided for under the GDPR. This overview explains why the new EU-wide data privacy law may be the perfect playground for ambitious data privacy or consumer protection attorneys and for lawyers representing employees in court.
There are three major game changers. First, compensation for immaterial data protection violations, such as moral damages. Second, companies processing personal data must be able to prove that they are in full compliance with the considerable requirements of the GDPR. And third, the new EU data privacy law also provides for mechanisms which are fairly similar to class actions.
Compensation for immaterial damages
Any person who has suffered material or non-material damages because of a violation of GDPR requirements has the right to receive compensation from the company responsible for the violation. Under current law, in most EU Member States it is almost impossible, or possible only in special cases, for data subjects to claim non-material damages because of data protection law violations. While it is often hard to prove any material damages because of data protection law violations, data subjects and their lawyers can easily claim immaterial damages. It is more than plausible that a data subject may suffer from emotional distress after, for example, personal medical or financial information about the data subject is wrongly disclosed to third parties. Therefore, companies will have to expect such claims after almost every data breach that occurs. Eventually, courts may rule that the unlawful processing in itself may be seen as damage which needs to be compensated.
Under the GDPR, companies must be able to prove compliance with the data protection requirements. For data subjects' claims, it may be sufficient to prove the possibility of a data privacy law violation by the company. Obviously, this is significantly easier to prove. Data subjects and their lawyers can find indications of GDPR breaches in data privacy notices or other published data protection information of the companies. If they do not find any indications of non-compliance with the GDPR in already available information, they can make further use of the data subject's right of access. Data subjects have the right to obtain information about the processing of their personal data by a company. This includes, among other things, information about the purposes of the processing, information about the categories of personal data concerned, information about controllers of personal data and about the envisaged period for which the personal data will be stored. If a company is not prepared for such requests, data subjects will often find enough information indicating a breach of GDPR requirements in this information to claim material or non-material damages. To be able to defend against such claims, the company must prove that it processes personal data of the respective data subject in full compliance with the GDPR. As you can imagine, it is significantly more complicated to prove compliance with data protection regulations than to prove the possibility of a violation. To stand a chance against such claims, companies must implement a comprehensive documentation process.
Data subjects have the right to mandate a not-for-profit body, organisation or association to lodge their complaint on their behalf, where provided for by local EU Member State law. Some Member States already have such laws, for example Germany with its Act on Injunctions for the Protection of Consumers' Interests. Other Member States will probably provide for such regulations in their GDPR implementation acts. Therefore, many data subjects will be able to claim damages without having to take the risk of paying for a lost lawsuit. The experience in other areas of law shows that the number of lawsuits will rise considerably as soon as natural persons have the chance to mandate third parties to act on their behalf.
Options for consumer or data privacy lawyers
The GDPR gives data subjects and their lawyers the perfect tools to claim high compensation for actual or alleged data privacy violations. Where companies are not able to prove that they have complied with the complex obligations according to the GDPR, they face lawsuits for substantial payment claims. There is a significant likelihood that we will see large-scale data privacy litigation from May 2018 onward. The question is, what can companies do in order to reduce their exposure? The obvious answer is that they will need to structure their GDPR implementation projects efficiently and professionally. However, this will not be enough. A key aspect of a reliable GDPR defence strategy is to prepare adequately for litigation. Most importantly, firms need to get their data privacy and GDPR project documentation into a shape which permits them to produce required documentation as proof in lawsuits. Some firms in high exposure business fields are already preparing sample briefs for court proceedings, in which they summarise the efforts which they have undertaken in order to comply with the GDPR.
It will be highly interesting to see how courts across the EU will deal with the changed data privacy landscape and how much compensation they will award to data subjects alleging that their privacy rights may have been infringed upon. There is one thing which we can safely assume: data privacy litigation is going to be an attractive source of income for data subjects and their lawyers as of May 2018.
Tim Wybitul is a partner and Lukas Ströbel is an associate at Hogan Lovells. Mr Wybitul can be contacted on +49 69 962 36 321 or by email: firstname.lastname@example.org. Mr Ströbel can be contacted on +49 69 962 36 326 or by email: email@example.com.