When the General Data Protection Regulation (GDPR) was first introduced, the enforcement provisions, up to EUR 20 million or 4 percent of global turnover (whichever was higher!), took centre stage as businesses scrambled to comply. Three years after coming into force, we are left to wonder if the enforcement provisions are nothing more than an empty threat.
In July 2019 the UK's Information Commissioner's Office (ICO) announced its intention to fine British Airways £183m for a data breach that affected around 400,000 customers, and Marriott International £99.2m. It started to appear that the regulation would have real teeth. Since then, however, both penalties have been significantly reduced: to £20m in the case of British Airways and £18.4m for Marriott International.
The pandemic undoubtedly played a role in the reductions; travel and tourism were disproportionately affected by "stay at home" requirements. Nonetheless, when examining enforcement actions in the privacy and data protection world, the largest have taken place in the United States, where in 2019 the Federal Trade Commission fined Facebook $5 billion and Google/YouTube $170m.
For all the talk about GDPR presenting a paradigm shift in privacy and data protection, the lack of heavy fines belies this claim. That certainly does not mean organisations can take the regulation lightly. Quite the contrary: eye-catching fines, or the lack thereof, do not tell the whole story.
The GDPR provides several enforcement provisions and mechanisms that must be considered. On the one hand there is the familiar route of regulator action, but the regulation itself also provides for civil litigation and collective action. This creates a parallel track in which both private individuals and administrative bodies can seek to enforce personal data protection. Private individuals, or "data subjects," who believe the processing of their data has infringed their rights can bring a claim against the controller or processor in the national courts and can also lodge a complaint with their supervisory authority.
Right to Compensation and Liability
Article 82 of the GDPR covers the “Right to Compensation and Liability.” The article states:
“Any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
The thing about lawsuits is that they are expensive, and the compensation awarded for an individual infringement is often small, in the region of EUR 250 to EUR 500 per violation. Hardly worth the cost of bringing a lawsuit. Where individuals come together and pool the costs, the cost-benefit analysis looks quite different.
Collective Action and Jurisdiction – A tale of Member States
GDPR provides a mechanism for collective action. Article 80 states that the data subject has the right to mandate a not-for-profit body, organisation or association, with statutory objectives in the public interest and active in the field of data protection, to lodge a complaint and exercise their rights on their behalf, including, where Member State law allows, the right to compensation.
When individual claims are combined in this way, a single representative body pursues them as a whole against the defendants. This collective representation of interests is what is commonly called a 'class action', and it has parallels in other areas of law such as competition and employment law.
Spreading the cost of litigation across many plaintiffs makes it far more likely that challenges will actually be brought in court. Previously there was little financial incentive to sue, and organisations could count on lengthy proceedings to squeeze plaintiffs with insufficient liquidity. A new situation has emerged, providing different avenues for the protection of data and privacy.
However, the position on collective action is not uniform across the EU. While the GDPR provides that the data subject "shall have the right to" initiate such actions, the regulation does not set out an actionable procedure. Rather, it leaves that to the Member States. Reference must therefore be made to national procedural law, meaning the GDPR potentially creates as many different collective action regimes as there are Member States.
The types of collective right of action found across the Member States can be summarised into three groups:
- A representative joint action where data subjects can mandate an authorised entity to lodge a complaint for them with a data protection authority or exercise the right to judicial remedy
- A limited compensatory representative joint action where data subjects have the right to mandate an authorised entity to exercise their right to receive compensation, if the Member State provides for such a possibility
- A limited class action where authorised entities can act for data subjects without a mandate from them in case of a violation of the rights of a data subject, if the Member State provides for such a possibility
This lack of uniformity creates a thorny jurisdictional issue. Under Article 79 of the GDPR, proceedings can be brought in the courts of the Member State where the data subject habitually resides, or where the controller or processor has an establishment. Where the organisation is established therefore matters, because class action is left to each Member State to regulate in its own implementing legislation, with some states providing relief in the form of compensatory damages while others do not.
As with the right to bring collective action, the remedies that can be sought also differ from Member State to Member State, and this is one of the situations where the GDPR fails to create a uniform system across the European Union. This variance opens the possibility of forum shopping (see below), with plaintiffs looking for the most favourable jurisdiction in which to bring a legal challenge.
In addition, the GDPR does not set out any criteria for assessing the recoverability of damages but leaves it to the Member States to enact the national laws that apply. For example, some Member States only allow injunctive relief in data class actions, while others have introduced compensatory data class actions.
Spotlight on Germany, the Netherlands, and the UK
Looking first at Germany, there are two mechanisms for bringing collective action. The first is the representative action, the "Verbandsklage", whose goal is a cease-and-desist order against the unlawful processing. The second is the "Musterfeststellungsklage", a model declaratory action which seeks a binding declaration on the factual or legal basis of consumer claims. It does not itself award monetary compensation but renders a declaratory judgment that a breach occurred, which can then be relied on in later proceedings. In other words, the only relief obtainable as a class is a cease-and-desist order or a finding of violation; if data subjects want compensation, they must bring a further action themselves and at their own expense.
The Netherlands, by contrast, does allow damages to be collected in a collective action. Proving damages, however, can be a major roadblock for challenges to unlawful data processing there. Under Dutch law the claimant must prove both that the processing was unlawful and that harm was actually suffered.
Case law is emerging in the Dutch courts on the evidential requirements for proving harm. In one case the court accepted that the disclosure of an illness to the data subject's new employer breached a fundamental right, that this breach in itself justified damages, and ordered the Employee Insurance Agency to pay EUR 250. However, the law is not settled. In another case, before the Administrative Jurisdiction Division of the Council of State, the court required substantiation of the damage suffered and held that a violation of data subject rights is not a per se demonstration of damage: a failure to respond adequately to a data subject request did not, on its own, warrant an award. The diverging rulings leave the position opaque.
In the UK, the Data Protection Act (DPA) states that a body or other organisation that meets the conditions set out in Article 80 of the GDPR may be authorised to exercise the data subject’s rights. This includes the right to lodge a complaint to the supervisory authority or to obtain judicial remedy and claim compensation.
Under UK Civil Procedure Rules, there are several ways to bring a claim with multiple claimants. These include:
- Claims by more than one claimant managed together
- Group Litigation Orders (GLOs) where more than one claimant has a cause of action giving rise to “common or related issues of fact or law” and the cases are managed together
- Claims by representative claimants where more than one person has the “same interest” in a claim
As you can see, laws vary on whether class actions can be brought for compensatory damages, and organisations need to know the laws of the Member States where they are established.
What Comes First: The Complaint, the Lawsuit, or the Egg?
Data class action proceedings before national courts can be filed in conjunction with a complaint to the supervisory authority, and can be filed in several Member States at once. Where a class action is based on a sanction that the supervisory authority may yet issue, it is possible to ask the national court to stay proceedings until the sanction decision is final, although this option is not available in every Member State. Another key point to keep in mind is that elements of the administrative investigation, including the organisation's own response and mitigation measures, can be introduced as evidence in court proceedings, and should be taken very seriously for that reason.
This all brings me back to British Airways. While the original fine was reduced significantly, more than 16,000 people have joined a case seeking compensation from the airline over the data breach, out of a potential class of 400,000. The class action, originally filed in 2018, has a deadline of March 2021 for joining the suit. Though the fine was reduced, British Airways may very well still incur a heavy cost.
This is a lesson every organisation should learn well. The cost of failing to comply with GDPR is not only the fines imposed by the supervisory authority but also the civil actions that may follow.
Issues to Expect
The broad territorial scope of the GDPR, paired with the fact that class action is governed by national law, may give rise to forum shopping. Under Article 79, a case may be brought either in the courts of the Member State where the controller or processor is established or in those of the Member State where the data subject resides. This choice will lead data subjects to prefer Member States whose national law provides for individual or class actions with compensation.
Burden of Proof
The GDPR places the burden of proof on the organisations processing data. It is up to the organisation to demonstrate compliance with the GDPR, as well as with the laws of the Member States that implement the regulation nationally. This means organisations must be prepared for an audit by the supervisory authority and must keep their records of processing activities (ROPA, Art. 30) available on request. Keeping documentation that demonstrates compliance, alongside implementing appropriate technical and organisational measures, must be part of every organisation's strategy.
The GDPR gives data subjects extensive rights, including the right to access their own personal data and to complain to the supervisory authority. An organisation must respond to a data subject request without undue delay and in any event within one month (extendable by a further two months where requests are complex or numerous). This enables the data subject to collect evidence and build their case. Organisations can refuse a request that is "manifestly unfounded or excessive," but the burden of demonstrating that this is the case falls on them.
Ways Organisations Can Prepare
Step 1: Have a Process for Responding to Data Subject Requests: Verify the identity, find the data, and give the data subject what they ask for
Step 2: Anticipate Forum Shopping. If you have multiple establishments or subsidiaries and process data across borders, understand the class action laws of the Member States where your organisation is located
Step 3: Have in Place an Audit Trail Demonstrating Compliance with GDPR (ROPA Art. 30)
Step 4: Map your data and establish a system to prove who had access to what data, when, and what actions were taken with it
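Step 4 asks for a system that can prove who accessed which personal data, when, and what they did with it, and that can survive scrutiny as evidence. As an added example, not code from the original article, the following Python sketch shows one way to do that: an append-only access log in which every entry is chained to its predecessor by a SHA-256 hash, so that a later edit or deletion of any entry is detectable, together with a query that returns the full access history for one data subject. The schema, actor names and sample events are assumptions constructed for the illustration.

```python
"""Tamper-evident access log for personal data (added example, constructed data)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # "previous hash" of the very first entry


def _digest(prev_hash: str, body: Dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible
    # by anyone re-checking the log later, e.g. an auditor or a court expert.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AccessLog:
    """Append-only list of access events, each linked to the one before it."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def record(self, actor: str, subject_id: str, dataset: str, action: str,
               ts: Optional[datetime] = None) -> Dict:
        ts = ts or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries),          # position in the chain
            "ts": ts.isoformat(),              # when
            "actor": actor,                    # who
            "subject_id": subject_id,          # whose personal data
            "dataset": dataset,                # what data
            "action": action,                  # read / export / erase / ...
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _digest(entry["prev"], entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edited, reordered or removed entry breaks it."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(prev, body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def history_for(self, subject_id: str) -> List[Tuple[str, str, str, str]]:
        """Everything that happened to one data subject's records: (when, who, what, action)."""
        return [(e["ts"], e["actor"], e["dataset"], e["action"])
                for e in self.entries if e["subject_id"] == subject_id]


def build_sample_log() -> AccessLog:
    """Constructed sample events; subject ids, datasets and actors are invented."""
    log = AccessLog()
    base = datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc)
    log.record("agent-17", "DS-0001", "booking_records", "read", base)
    log.record("agent-17", "DS-0001", "payment_cards", "export", base.replace(hour=10))
    log.record("dsar-desk", "DS-0002", "booking_records", "read", base.replace(hour=11))
    log.record("dsar-desk", "DS-0001", "booking_records", "dsar_response", base.replace(day=15))
    return log


def tamper_demo() -> Tuple[bool, bool]:
    """Show that rewriting or deleting history is caught: returns (edited_ok, deleted_ok)."""
    edited = build_sample_log()
    edited.entries[1]["action"] = "read"   # quietly downgrade an "export" to a "read"
    deleted = build_sample_log()
    del deleted.entries[2]                 # quietly drop an access event
    return edited.verify(), deleted.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    for row in log.history_for("DS-0001"):
        print(row)
    print("after tampering (edit, delete):", tamper_demo())
```

In practice the chain head would be periodically anchored somewhere the log's own operators cannot alter (a separate system, a signed timestamp, or a write-once store), since a hash chain only proves that the log is internally consistent, not that the whole of it was not regenerated. The point for Step 4 is that "who had access to what, and when" becomes a query over a record that can itself be shown to be unaltered.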
Fines are not the only challenge organisations face under GDPR. There is also the potential for civil action in court, in which the administrative findings of the supervisory authority can be introduced as evidence. Litigation is made more attractive by class actions that pool many individuals together and spread the costs. Organisations must be prepared to respond to data subject requests and to keep records of their processing activities in case of an audit by the supervisory authority.
While data class actions are a threatening proposition, there are barriers as well. The representative organisation must meet the requirements of Article 80 to bring a collective action, and there is the opt-out/opt-in question, which is also left to the Member States. Under an opt-out regime all potential members of a class are included; under an opt-in regime the organisation must go through the time-consuming task of collecting a mandate from each claimant.
The laws of the Member States also differ on what relief may be sought in court. Individuals and organisations seeking to sue will look to the jurisdictions most favourable to them, and organisations must be prepared for that. Big fines are not the only challenge; the GDPR gives plenty more food for thought.