Companies which violate the GDPR may face not only severe fines (as we reported), but also actions for non-material damages. In practice, we are starting to see an accumulation of legal actions, filed not only by data privacy activists and consumer organizations, but also by individual data subjects, typically seeking unreasonably high damages for pain and suffering. With a sprawling case law, particularly in the labor courts, and increasing use of legal tech, there is currently a risk that companies will be exposed to a large number of actions for non-material damages which, at least in aggregate, could pose a substantial risk. In this article, we will explain what companies need to do in order to counter this often underestimated risk.
The four key aspects for companies
In accordance with Article 82 of the GDPR, any person who suffers (material or non-material) damages due to infringement of the GDPR has the right to receive compensation, unless the other party proves that it was not in any way responsible for the event giving rise to the damages. The individual prerequisites for asserting a claim seeking non-material damages are the subject of considerable debate at the moment. In this article, we will therefore concentrate on the following aspects, which are of relevance in practice:
1. Violation of the GDPR
Undoubtedly, there must be a violation of data protection law. The company could have acted as either a controller or a processor, since each of these is subject to damage claims under this statute. Accordingly, companies can prevent the assertion of damage claims by preventing violations from occurring in the first place through good data protection processes, and by quickly rectifying any violations, e.g. by way of incident response.
2. Responsibility for GDPR violations
A key point for companies is that they can avoid damage claims if they are able to establish that they were not responsible for the occurrence of the damages. To do so, however, they need to establish that they did not act with intent or in a negligent manner: simply arguing that a third party is also at fault is not sufficient. Moreover, the conduct of the company’s employees can generally be attributed to the company itself. We therefore advise companies to ensure adequate documentation of all of their processing actions so that, in case of dispute, they will be able to furnish the necessary evidence that they acted in accordance with data protection law. Ideally, documentation should be performed within clearly defined data protection processes so as to ensure that complete evidence can be provided if necessary.
3. Causation of damages
According to the prevailing view, a non-material damage claim may only be asserted if the data subject actually sustained non-material damages which were caused by a violation of the GDPR. The term “damages” is interpreted broadly for the protection of data subjects. For example, the GDPR lists the cases of discrimination, identity theft, reputational damage, loss of control over data and the restriction of data subjects’ rights (as we reported). Some in the case law and literature have argued that even the smallest and most minimal infringement establishes a damage claim. Should this trend continue, it would be a considerable handicap for companies, which may find themselves facing a large number of damage claims in the future for even the smallest infringement. Fueled by legal tech providers, data breaches could quickly develop into firestorms.
4. The actual amount of the damages
In the end, there is general agreement that the amount of the damages must conform to the functions of non-material damage claims: to provide compensation and satisfaction for the victim and to serve the purpose of general prevention, and that damages should not be awarded merely for symbolic purposes or to punish the responsible party. In a related decision, the Higher Regional Court of Koblenz stressed that the amount of non-material damages should be set high enough in order to create an incentive for controllers to conduct themselves in accordance with data protection law but that the amount should not be out of proportion to the actual circumstances of the individual case. These circumstances may particularly include the scale of the infringement or the contributory negligence of the data subject. At the same time, it stated that courts should avoid giving data subjects an incentive to provoke data protection violations in order to seek unreasonably high non-material damages. Accordingly, the purpose of general prevention is served not by awarding particularly high non-material damages in individual cases but rather by the impact of these claims over a large scale. This approach is to be welcomed, since it means that the unreasonably high non-material damages which have been awarded in isolated cases, particularly by the labor courts, will likely remain the exception, not the rule. On this basis, companies would be able to effectively counter claims for non-material damages, even in case of litigation.
Conclusion and recommendation for companies
All indications are that companies will be confronted with more frequent actions for non-material damages in the future in the event of data protection violations. Particularly due to the increased role of legal tech companies, companies may face an accumulation of lawsuits and a broad impact which could pose a considerable risk.
In order to minimize this risk, we advise companies to implement a data protection compliance management system which includes both preventive measures in order to avoid future violations of the GDPR and measures for effective defense against non-material damage claims. This will give companies a good chance to defend themselves even in the event of litigation.