Analysis of current court rulings on Art. 82 GDPR
The number of actions for damages due to data protection breaches increased further in 2023. The potential breaches vary widely – from processing without a legal basis, to an omitted or late response to a request for information, to inadequate information provided to the data subjects. Companies are still facing numerous lawsuits, some of which involve considerable amounts of money.
Scraping
Last year, court rulings on Art. 82 GDPR were dominated by the scraping issue. After enormous amounts of personal data had been collected on the Facebook platform and published in various forums on the internet, there was a veritable wave of actions brought by those affected. The juris database alone contains 75 published decisions on scraping. In most cases, the plaintiffs claimed, among other things, payment of compensation for immaterial damage in the amount of 1,000 euros based on Art. 82 GDPR. The vast majority of actions were unsuccessful. In only 16% of the cases were the plaintiffs partly successful. In the latter cases, the average amount awarded was 533 euros.
A special case: Scraping
- After publicly accessible personal data had been collected on the “Facebook” platform by means of scraping and appeared on the Internet in various forums, a wave of lawsuits was filed.
- The juris database contains 75 decisions (as of November 2023).
- In most cases, those affected claimed 1,000 euros in damages.
- In only 16% of the cases, the plaintiffs were – only partly – successful.
- On average, 533 euros in damages was awarded in successful cases.
Still only a few actions succeed
Many of the trends already identified in the last reuschlaw report are ongoing. The chances of succeeding with actions under Art. 82 GDPR are still modest. Only 35% of the actions are at least partly successful. Nevertheless, this is an increase over the figure recorded last year, when it was only 30%. The success rate in labour courts continues to be significantly higher at 67% and remains relatively constant compared to the previous year (previous year: 68%).
Results of the analysis of court rulings on Art. 82 GDPR
Amount of damages awarded almost unchanged
Excluding the scraping cases, the average amount of damages awarded has remained almost unchanged. The amount is still in the low four-digit range and averages 2,246.87 euros. What stands out here is that the number of claims for damages awarded in the over 5,000 euro range has risen by 500% compared to the previous year. Even if small amounts keep the average value low, the risk of being ordered to pay high sums is increasing. While the amounts awarded by the labour courts last year were still lower than the aforementioned average amount, they have now almost converged at an average of 2,228.94 euros.
Key issue: Data processing without legal basis
The result of the analysis of current court rulings on Art. 82 GDPR with regard to the types of breach is as follows: As in the previous year, the majority of cases in which damages were awarded were, with a total of 71%, based on processing without or with an incorrect legal basis. Breaches of data subjects’ rights (26%) and data security (3%) follow at a considerable distance. However, at an average of 2,567 euros, the highest amounts are awarded for breaches of data security. These are slightly lower for processing without a legal basis at 2,294.80 euros. Compared to the previous year, the amounts imposed for breaches of data subjects’ rights have increased significantly. While the average amount in the previous year was 1,621 euros, it has now risen to 2,112.50 euros.
Damages broken down by type of breach
Recommendations for corporate action
The chances of success are admittedly modest with an average of 35% of (partly) successful actions. Nevertheless, companies should not allow themselves to be lulled into a false sense of security. As the scraping incident at Facebook shows, data protection breaches repeatedly trigger mass actions, some of which are heavily publicised by law firms. If the personal data of all customers are processed without a legal basis or if employees are not properly informed about processing operations, the worst-case scenario is a wave of lawsuits, which can become a serious risk for companies even with low amounts in dispute due to the sheer volume. In addition, the increasing number of claims for damages over 5,000 euros being awarded shows that the courts are slowly abandoning their reluctance to award large sums. In order to avoid unnecessary risks, companies should check and document all processing operations and the corresponding legal bases, ensure that data subjects are informed in accordance with data protection regulations and implement technical and organisational measures to protect personal data. This can be achieved through a data protection compliance management system. If claims for damages are asserted, the claim should be legally examined with regard to responsibility for the damage and the amount asserted. In order to avoid fines from the data protection supervisory authorities, reporting obligations for data protection breaches must also be observed. We have prepared an overview of further recommendations for corporate action here.