Author: Olivia Tambou
1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).
A. Preliminary remarks
Art. 82, reflecting the principle ubi jus, ibi remedium (where there is a right, there is a remedy),[1] provides for an individual cause of action for material or non-material damage resulting from unlawful processing of personal data: where an individual feels wronged by data processing falling under the GDPR, he or she can initiate remedial actions. This provision is broadly in line with landmark rulings on liability for breach of European Law by public or private bodies, such as Francovich[2] or Courage[3]. Art. 82 is also an illustration of the growing EU secondary law on private enforcement remedies, which has included individual cause of action for damages.[4]
The DPD contained a general, and rather short, provision on liability. Art. 23 para. 1 DPD imposed on Member States the obligation to “provide that any person who has suffered damage (…) is entitled to receive compensation from the controller for the damage suffered”. Para. 2 of the same article exempted controllers who could demonstrate they are “not responsible for the event giving rise to the damage”.[5] Art. 82 GDPR is more detailed; and it clarifies, as well as extends, the liability regime. First, it introduces liability of processors.[6] Thus, Art. 82 takes into due account contemporary processing realities, where many entities may be involved in the processing chain – and may be liable for damages therein. Second, Art. 82 GDPR expressly mentions that the concept of damage covers both material and non-material damages.
Such a specific and extended liability regime, taken together with possible collective redress (under national laws),[7] could shape the behaviour of both controllers and processors. Importantly, the liability regime appears to go beyond public sanctions, including administrative fines (Art. 83 para. 2) or penalties (Art. 84 para. 4).
However, the GDPR sets out only liability minimums, and this might raise three difficulties. First, being underdeveloped, the liability regime could create legal uncertainty, where courts address liability issues on a case-by-case basis; or it could discourage data subjects who have suffered damage from using this cause of action.[8] Second, it may be hard to foretell how Member States will address liability- and damage-related issues, without concrete guidance (e.g. on how to quantify data protection damages) and interpretation by soft law or the CJEU.[9] Third, inspiration could be drawn from other legal fields, such as competition law, to establish an effective liability regime favouring the data subject and responsibilising actors involved in decision-making on the why and how of the data processing.[10]
B. Legislative history
The Comm-P contained three paragraphs. The initial amendments of the EP and the Council aimed at clarifying the scope of the right to compensation regarding non-pecuniary damages. Subsequently, the liability scope was the main subject of the discussion. The Comm, followed by the EP, proposed a joint and several liability scheme for the entire amount of the damage, where more than one controller or processor is involved in the processing. The Council suggested a joint liability between processors and/or controllers to ensure effective compensation for the data subject; it introduced the possibility for the controller or the processor who pays the entire damage to bring a recovery action against the other controllers and/or processors. Furthermore, the Council added a paragraph on jurisdiction. The final version includes most of the amendments submitted by the Council with some minor changes in the wording.
[…]
[1] See Zanfir-Fortuna, ‘Art. 82’ in Kuner/Bygrave/Docksey, 1160, p. 1162, citing AG Sharpston “because rights under EU law must be effective, no right can exist without a corresponding remedy”.
[2] CJEU Joined Cases C-6&9/90, 19/11/1991, Francovich, ECLI:EU:C:1991:428.
[3] CJEU Case C-453/99, 20/09/2001 Courage and Crehan, ECLI:EU:C:2001:465.
[4] See Wilman, ‘The end of the Absence? The growing body of EU legislation on private enforcement and the main remedies it provides for’, CMLR, (2016), 53, pp. 887–936. The Product liability Directive 85/874 and the Competition Damages Directive 2014/104 focus exclusively on compensation for damages.
[5] See Van Alsenoy, ‘Liability under EU Data Protection Law: From Directive 95/46 to the General Data Protection Regulation’, 7 (2016) JIPITEC 271, para. 1.
[6] Under the DPD, liability of the processor could be introduced by national law. Wolters, ‘The security of personal data under the GDPR a harmonised duty or shared responsibility?’ International Data privacy law 2017, Vol. 7 n° 3 p. 168, who mentions that such a processor liability had been introduced in the Dutch implementation of the DPD. A court recently asked the CJEU on the possibility to extend liability to processors; see Request for a preliminary ruling from the Bundesverwaltungsgericht (Germany) lodged on 14 April 2016 Wirtschaftsakademie Schleswig-Holstein GmbH v Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (Case C-210/16).
[7] See Art. 80 GDPR.
[8] See Larouche/Peitz/Purtova, Consumer privacy in network industries, A CERRE policy Report (CERRE 2016), p. 57.
[9] See C-40/17 Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV [2019] OJ C319/2; to the CJEU, the website operator, who embeds a plugin that can enable the website-visitor’s browser to request content from the provider of that plugin and, to that end, to transmit personal data to the provider of the plugin, can be seen as a controller within the meaning of the DPD; liability of this controller is limited to the particular processing operation(s) that she actually determines.
[10] For example, Google has been held liable for its (intrusive and abusive) ads-related activities under both data protection and competition laws. See Google Inc v Vidal-Hall, Court of Appeal of England and Wales (discussed in Zanfir-Fortuna, ‘Art. 82’ in Kuner/Bygrave/Docksey, p. 1173); Comm, ‘Antitrust: Commission fines Google 2.42 billion euros for abusing dominance as search engine by giving illegal advantage to own comparison shopping service’ (Press Release, 27 June 2017) <https://ec.europa.eu/commission/presscorner/detail/en/IP_17_1784> accessed 3 January 2023.