reusch­law report: Actions for dama­ges under data pro­tec­tion law in 2023

Ana­ly­sis of cur­rent court rulings on Art. 82 GDPR

The num­ber of actions for dama­ges due to data pro­tec­tion brea­ches has fur­ther increased in 2023. The­re are a varie­ty of poten­ti­al brea­ches – from pro­ces­sing wit­hout a legal basis or omit­ted or late respon­se to a request for infor­ma­ti­on to ina­de­qua­te infor­ma­ti­on pro­vi­ded to the data sub­jects. Com­pa­nies are still facing num­e­rous lawsuits and some of them are about con­sidera­ble amounts of money.

Scra­ping

Last year, court rulings on Art. 82 GDPR were domi­na­ted by the scra­ping issue. After enorm­ous amounts of per­so­nal data had been coll­ec­ted on the Face­book plat­form and published in various forums on the inter­net, the­re was a veri­ta­ble wave of actions brought by tho­se affec­ted. The juris data­ba­se alo­ne con­ta­ins 75 published decis­i­ons on scra­ping. In most cases, the plain­ti­ffs clai­med, among other things, pay­ment of com­pen­sa­ti­on for imma­te­ri­al dama­ge in the amount of 1,000 euros based on Art. 82 GDPR. The vast majo­ri­ty of actions were unsuc­cessful. Only in 16% of the cases the plain­ti­ffs were part­ly suc­cessful. In the lat­ter cases, the avera­ge amount award­ed was 533 euros.

A spe­cial case: Scraping

  • After publicly acces­si­ble per­so­nal data had been coll­ec­ted on the “Face­book” plat­form by means of scra­ping and appeared on the Inter­net in various forums, a wave of lawsuits was filed.
  • Juris data­ba­se con­ta­ins 75 decis­i­ons (as of Novem­ber 2023).
  • In most cases, tho­se affec­ted clai­med 1,000 euros in damages.
  • In only 16% of the cases, the plain­ti­ffs were – only part­ly – successful.
  • On avera­ge, 533 euros in dama­ges was award­ed in suc­cessful cases.
Based on the ana­ly­sis of cur­rent court rulings on Art. 82 GDPR
Source: reusch­law

Still only few actions to succeed

Many of the trends alre­a­dy iden­ti­fied in the last reusch­law report are ongo­ing. The chan­ces to suc­ceed with actions under Art. 82 GDPR are still mode­st. Only 35% of the actions are at least part­ly suc­cessful. Nevert­hel­ess, this is an increase over the figu­res recor­ded last year when it was only 30%. The quo­ta of suc­cess in labour courts con­ti­nues to be signi­fi­cant­ly hig­her at 67% and remains rela­tively con­stant com­pared to the pre­vious year (pre­vious year: 68%).

Results of the ana­ly­sis of court rulings on Art. 82 GDPR

Based on the ana­ly­sis of cur­rent court rulings on Art. 82 GDPR
Source: reusch­law

Amount of dama­ges award­ed almost unchanged

Exclu­ding the scra­ping cases, the avera­ge amount of dama­ges award­ed has remain­ed almost unch­an­ged. The amount is still in the low four-digit ran­ge and aver­a­ges 2,246.87 euros. What stands out here is that the num­ber of claims for dama­ges award­ed in the over 5,000 euro ran­ge has risen by 500% com­pared to the pre­vious year. Even if small amounts keep the avera­ge value low, the risk of being sen­ten­ced to high sums is incre­asing. While the amounts award­ed by the labour courts last year were still lower than the afo­re­men­tio­ned avera­ge amount, they have now almost con­ver­ged at an avera­ge of 2,228.94 euros.

Key issue: Data pro­ces­sing wit­hout legal basis

The result of the ana­ly­sis of cur­rent court rulings on Art. 82 GDPR with regard to the types of breach is as fol­lows: As in the pre­vious year, the majo­ri­ty of cases in which dama­ges were award­ed were, with a total of 71%, based on pro­ces­sing wit­hout or with an incor­rect legal basis. Brea­ches of data sub­jects’ rights (26%) and data secu­ri­ty (3%) fol­low at a con­sidera­ble distance. Howe­ver, at an avera­ge of 2,567 euros, the hig­hest amounts are award­ed for brea­ches of data secu­ri­ty. The­se are slight­ly lower for pro­ces­sing wit­hout a legal basis at 2,294.80  euros. Com­pared to the pre­vious year, the amounts impo­sed for brea­ches of data sub­jects’ rights have increased signi­fi­cant­ly. While the avera­ge amount in the pre­vious year was 1,621 euros, it has now risen to 2,112.50  euros.

Dama­ges bro­ken down by type of breach

Based on the ana­ly­sis of cur­rent court rulings on Art. 82 GDPR
Source: reusch­law

Recom­men­da­ti­ons for cor­po­ra­te action

The chan­ces of suc­cess are admit­ted­ly mode­st with an avera­ge of 35% of (part­ly) suc­cessful actions. Nevert­hel­ess, com­pa­nies should not allow them­sel­ves to be lul­led into a fal­se sen­se of secu­ri­ty. As the scra­ping inci­dent at Face­book shows, data pro­tec­tion brea­ches repea­ted­ly trig­ger mass actions, some of which are hea­vi­ly publi­cis­ed by law firms. If the per­so­nal data of all cus­to­mers are pro­ces­sed wit­hout a legal basis or if employees are not pro­per­ly infor­med about pro­ces­sing ope­ra­ti­ons, the worst-case sce­na­rio is a wave of lawsuits, which can beco­me a serious risk for com­pa­nies even with low amounts in dis­pu­te due to the sheer volu­me. In addi­ti­on, the incre­asing num­ber of claims for dama­ges over 5,000 euros being award­ed shows that the courts are slow­ly aban­do­ning their reluc­tance to award lar­ge sums. In order to avo­id unneces­sa­ry risks, com­pa­nies should check and docu­ment all pro­ces­sing ope­ra­ti­ons and the cor­re­spon­ding legal bases, ensu­re that data sub­jects are infor­med in accordance with data pro­tec­tion regu­la­ti­ons and imple­ment tech­ni­cal and orga­ni­sa­tio­nal mea­su­res to pro­tect per­so­nal data. This can be achie­ved through a data pro­tec­tion com­pli­ance manage­ment sys­tem. If claims for dama­ges are asser­ted, the cla­im should be legal­ly exami­ned with regard to respon­si­bi­li­ty for the dama­ge and the amount asser­ted. In order to avo­id fines from the data pro­tec­tion super­vi­so­ry aut­ho­ri­ties, report­ing obli­ga­ti­ons for data pro­tec­tion brea­ches must also be obser­ved. We have pre­pared an over­view of fur­ther recom­men­da­ti­ons for cor­po­ra­te action here.

reuschlaw report: Actions for damages under data protection law in 2023

reusch­law report: Actions for dama­ges under data pro­tec­tion law in 2023

back

Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.