Were you worried in the lead up to GDPR?
Has the danger passed? Are you just keeping the head down and hoping for the best?
Are you in a good place with respect to compliance or do you still have some concerns but hope the fears generated were exaggerated?
Just to remind you, the new EU rules on personal data protection, the General Data Protection Regulation (GDPR), came into force across the EU on 25th May 2018.
What has happened since then? Was the fear and loathing justified? Was it another "Y2K" scare, all hat and no cattle, or is it too early to decide?
Firstly, GDPR came into effect in Ireland the day after a new domestic statute, the Data Protection Act 2018, was enacted. There is a certain degree of trepidation amongst data controllers and processors that this new law will lead to a significant increase in the number of legal cases arising out of breaches, because the law now allows data subjects to bring civil actions for compensation.
Data subjects can also now authorise not for profit organisations to bring complaints and act on their behalf. This kind of “class” action is a new development in Ireland and is likely to be availed of when there is a significant breach of personal data on a wide scale affecting a large number of individuals.
Two of these not-for-profit organisations, NOYB ('None of Your Business') in Austria and La Quadrature du Net ('La Quad') in France, filed complaints in several European countries against large tech companies within a short time of GDPR coming into effect. There is nothing stopping them from popping up in Ireland.
Right to Compensation and Damage
The right to compensation is set out in Article 82 of the GDPR, which states,
Right to compensation and liability
1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).
The game changer in this Article is the reference in paragraph 1 to "material or non-material damage".
Up to this point a data subject in Ireland had to show actual loss or damage to be compensated; non-material damage, such as distress or loss of control over one's data, was not compensable at all.
You will also see that paragraph 1 refers to "controller or processor". Prior to this only the controller could be held liable, but now a processor can also be named as a defendant.
Article 78 sets out a related judicial remedy: the data subject's right to go to court against the supervisory authority itself (the right to sue a controller or processor directly is in Article 79). It states,
Right to an effective judicial remedy against a supervisory authority
1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.
3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.
The right to bring a data protection action in Ireland is set out in section 117 of the Data Protection Act 2018. The action is founded on tort, that is, a civil wrong, and can be instituted in the Circuit Court or the High Court.
Section 117 obliges the plaintiff data subject to prove that
his or her rights under a relevant enactment have been infringed as a result of the processing of his or her personal data in a manner that fails to comply with a relevant enactment
The critical change is that a data subject can now sue for both material and non-material damage. What non-material damage can look like is described in Recital 85 of the GDPR as follows:
A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned
You will see from Article 82 above, paragraph 2, that a controller (and a processor, where it has breached its own obligations or acted outside the controller's instructions) is liable for damage caused by non-compliant processing without any need to prove negligence or fault. The only way out is the paragraph 3 defence: proving that it was not in any way responsible for the event giving rise to the damage.
How much compensation?
It is too early to say what level of compensation Irish courts will award, especially for non-material damage such as damage to reputation, unauthorised reversal of pseudonymisation or loss of confidentiality.
Clearly, from the perspective of a controller or processor the smart thing to do is to ensure that there is no breach of personal data rights in the first place. If a breach does happen, it is vital that it is notified to the Data Protection Commission promptly: Article 33 of the GDPR requires a controller to notify the supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware of it". The Act imposes a parallel duty on processors to tell the controller, again "without undue delay":
85. Where a processor becomes aware of a personal data breach, the processor shall notify the controller on whose behalf the data are being processed of the breach—
(a) in writing, and
(b) without undue delay.