News

Private enforcement in data privacy law

31.01.2022

With court cases and judgements on claims for non-material damages under data privacy law on the rise, companies have never before run such a high risk of facing civil actions from persons affected by data privacy breaches. This trend is being exacerbated by media reports raising public awareness of possible data privacy breaches. Recently, for example, there were reports of a security loophole at an interface service provider [in German], which apparently led to the data of 700,000 customers of online retailers being made freely available on the internet. The legal and actual developments make it likely that in the future companies will face more and more claims for damages, including even class actions. Private enforcement is increasingly supplementing public enforcement of data privacy law by data protection supervisory authorities, giving it even more weight as a compliance issue.

Context

Under Article 82(1) GDPR, any person who has suffered non-material damage as a result of an infringement of data privacy has the right to claim damages. The highest German courts have not yet decided when non-material damages exist and what amount of compensation is due. Since EU law is the basis for the claim, it must be interpreted in line with EU law. The case law on other non-material claims for damages in German law is therefore not directly transferrable.

After the GDPR came into force, unresolved legal issues and the traditionally restrictive attitude of German courts to non-material damage meant that claims for damages for data privacy breaches were rarely enforced in the past.

Change of course in the case law

However, in early 2021, Germany’s Federal Constitutional Court overrode certain arguments used by courts to easily reject claims for damages for data privacy breaches. Subsequently, the decisions handed down by German courts have become increasingly claimant-friendly. Rulings awarding sums of damages of up to €5,000 per claim have encouraged more and more people to seek damages following data privacy breaches.

To clarify unresolved legal issues about “non-material damage” within the meaning of Article 82 GDPR, several questions submitted by German courts are pending at the Court of Justice of the European Union (CJEU) (see examples here and here). The expected clarifying decisions by the CJEU have the potential to kick off a mass filing of claims for damages for data privacy breaches.

Private enforcement in data privacy – Hot topic for an increasingly professionalised claimant industry

Legal services providers have also caught wind of a lucrative new business model. Data privacy breaches often affect a large number of people equally. Since courts are now already awarding four-figure sums to individuals for fairly minor infringements, the players in an increasingly professionalised claimant industry hope to be able to file very large collective claims for damages. Legal services providers hope to build on their experience in other class actions such as cartel damages, the diesel emissions issue or the “cancellation argument” in consumer loan agreements. They are currently trying to litigate individual cases and obtain decisions in their favour from the highest German courts. The new class action models make the risk to companies even greater.

Current case law in Germany at a glance

Given the large number of court cases, it’s not easy to maintain a full overview of the various positions taken by the courts. Even so, there are certain lines and factions in court practice that are increasingly becoming apparent on the following key topics.

Recent decisions on the merits of claims

Many recent decisions by German courts show a very broad understanding of damage eligible for compensation. For example, discrimination, identity theft or fraud, reputational damage or loss of control over personal data have been recognised as non-material damage. The courts have ruled that liability for minor losses is not excluded.

If the CJEU confirms this broad concept, many data privacy breaches would give rise to non-material claims for damages. When there is a data leak, for example, those affected may feel uneasy, anxious or insecure, even without any actual misuse of the data by third parties. Companies might then potentially face mass actions for damages.

Recent decisions on the amount of compensation

As far as calculating the amount of compensation is concerned, the courts broadly agree that such compensation has to be complete and effective. The courts that also refer to a necessary deterrent function arrive at fairly high sums of compensation. It remains to be seen whether this approach ultimately prevails. We believe that there are solid arguments to be raised against this approach. After all, in data privacy law, penalties under public law exist alongside private enforcement via claims for damages under civil law. The public-law fines already serve to punish companies for unlawful conduct. So the purpose of the civil-law claim can only be to compensate for damage that has actually occurred.

Conclusion

Given the recent developments set out above, it is increasingly important for companies to acknowledge and face the challenges, opportunities and threats of data protection litigation, early on and strategically. The focus here must be on data privacy law, which at the same time serves as the interface to other areas, especially the relevant procedural and litigation laws. In defending against civil-law class actions, it is also essential to seamlessly combine data privacy and litigation expertise. With our outstanding experience in handling mass proceedings, our seasoned teams of recognised data privacy and litigation experts can support you on this path.