We have been covering the proposed EU data legislation. The full changes to society and benefits from the internet are far from complete, but one thing is clear: in the future the strong countries and economies will be those that have the best digital capability. The EU Data Protection Regulation threatens to limit and slow the growth of the digital economy in Europe.
In this post we look at the changes to the rules as to when individuals can claim compensation if they have suffered damage due to non-compliance with the proposed Regulation.
The current data protection legislation, Article 23 of the 1995 EU Data Protection Directive (95/46/EC), allows individuals to claim compensation for damage suffered due to non-compliance with the Directive.
The current article states:
1. Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.
2. The controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage.
The proposed changes are in Article 77 of the draft Regulation. The current text would widen the rights of individuals to claim compensation in the event of non-compliance with the Regulation, as they would be able to make claims against data processors. In the case of multiple controllers/processors, they would be jointly liable for the full amount. The proposal in full is:
1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.
2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage.
3. The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that they are not responsible for the event giving rise to the damage.
The points of concern the proposed text raises are:
• Data processors located within the European Economic Area (EEA) (the 27 Member States of the EU plus Iceland, Liechtenstein and Norway) could be liable for failings by data controllers outside of the EEA
• The definition of damage and the risk that it fosters a compensation claims culture
1) Liability between data controllers and data processors
If the data controller is located outside of the EEA, then it is a risk for any data processor located within the EU to deal with such a data controller. A data controller located outside the EEA may not be familiar with the EU data protection legislation, and under the draft Regulation the data processor located within the EEA could be liable for the actions of the data controller in cases of non-compliance with the legislation. Such actions of the data controller could be outside the data processor’s control. This may stem the ability of data processors located within the EU to grow and deal internationally. This is not in the EU’s economic interest.
What is the benefit of adding liability to the data processor for the actions of data controllers? Data processors are required to have data processing agreements in place with the data controllers for whom they are processing personal data. Under such agreements a data processor should be liable to the relevant data controller for any breaches of data protection legislation. Giving individuals the right to claim compensation from data processors as well as data controllers may mean more disputes between data controllers and data processors as to which one should pay the compensation for damage caused by non-compliance with data protection legislation.
2) The definition of damage
What is damage? The UK Information Commissioner’s Office believes it is the European Commission’s intent for damage to include ‘damage or distress’ suffered. Given the historical difficulty and subjectiveness of establishing whether distress has been caused and the monetary value of that distress, this is bound to lead to expensive court cases to establish these parameters. The loser will be the consumer, as increased risks and legal costs will be passed on by business and ultimately paid for by the consumer. The alternative is some data processors will be forced to go out of business. To avoid this, clarity as to the meaning of damage in the draft Regulation is needed: does this mean “quantifiable monetary damage” as is currently the case in UK law?
Overall this change appears to bring in unnecessary additional legal risk, the costs of which will ultimately land upon the consumer and will limit the growth of the European digital economy.