Fines and Class Actions under the GDPR are taking off!
Fines under the GDPR
Most companies trading in Europe will by now be aware that under the EU General Data Protection Regulation (GDPR), the data protection authorities of the EU Member States (now more commonly referred to as supervisory authorities or SAs) can impose administrative fines on companies that breach the regulation, up to a maximum of €10 million or 2% of a company’s annual turnover (whichever is higher), or double that for particularly serious breaches: €20 million or 4% of turnover (Article 83).
In practice, although the number of fines has significantly increased, in most countries the fines have so far been relatively modest: the vast majority of the 281 fines recorded by CMS’s “GDPR Enforcement Tracker” were in the thousands or at most tens of thousands of euros.
However, in October last year, the Berlin Commissioner for Data Protection and Freedom of Information issued a €14.5 million fine on a German real estate company, Deutsche Wohnen – the highest German GDPR fine to date. The infraction related to the retention of personal data for a substantially longer period than necessary. Two months later, the Italian SA, the Garante, imposed a €3 million fine on the gas company ENI; this was followed in January this year by a fine of €27.8 million on a telecoms company, TIM. In March, the Swedish SA imposed a €7 million fine on Google in relation to the “right to be forgotten”. The largest fine to date – €50 million – was imposed, also on Google, by the French SA, the CNIL, in January.
Other SAs were initially less tough. As of December 2019, the UK ICO had issued only one relatively small fine under the GDPR, of £275,000, despite having received 22,181 personal data breach notifications by January 2020. However, on 8 July last year, it announced its “intention” to fine British Airways (BA) £183 million for “infringements of the GDPR…[relating] to a cyber incident notified to the ICO by BA in September 2018” which led to the personal data of around 500,000 of its customers being collected by a fraudulent website. The following day, the ICO announced its “intention” to fine Marriott International, Inc. just over £99 million for violations of the GDPR relating to “a cyber incident which was notified to the ICO by Marriott in November 2018”. But these fines are likely to be reduced in view of representations that the companies can make to the ICO and/or in litigation. Moreover, although the announcements were made almost a year ago, both cases are still pending. One legal expert suggested that the current COVID-19 crisis may mean those fines will never materialise, given that the ICO’s own guidance is for an erring company's “ability to pay” to be considered when calculating a fine (although that may be wishful thinking on his part).
Nevertheless, it is expected that the SAs, especially in the 27 EU Member States, will become tougher and will begin to impose (yet) bigger fines – although that is also likely to lead to extensive (and extended) litigation, which is of course also costly.
Class actions are beginning
The GDPR grants a right of compensation for non-material damages:
In the meantime, companies should be aware of another means by which action can be taken against those who breach the regulation: class actions. The GDPR provides in Article 82(1) that:
Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
In two cases, the Court of Justice of the EU (CJEU) has awarded €3,000 and €20,000 as compensation for “non-material damage” resulting from unlawful processing or leaks of personal data by EU institutions, and in another case, the European Court of Human Rights has awarded €8,000 in damages against a State Party that had insufficiently guaranteed the right to compensation for such damage.[i] In many EU Member States, national courts already awarded compensation for non-material damage resulting from wrongful processing and leaks of personal data before the GDPR entered into effect, under the laws on civil wrongs (FR: faute; DE: unerlaubte Handlung; NL: onrechtmatige daad) and/or consumer law.[ii]
In the UK, the Court of Appeal in October 2019 overturned the High Court’s November 2018 rejection of a claimant’s argument that data subjects were entitled to compensation on the basis of a data breach alone. The High Court had ruled that a claimant had to demonstrate a causal link between the breach of the DPA and the damage suffered, and that in that case the claimants had not done so. The Court of Appeal, however, ruled that the claimants could recover damages simply for loss of control of their personal data under s. 13 of the DPA 1998.[iii] The claim – a class action against Google – will now be considered, at some future date, in the Media and Communications Court in London.[iv]
In the meantime, individual claimants in several EU Member States have already been awarded compensation purely for breaches of the GDPR, either in relation to personal data breaches (leaks and other security breaches) or in relation to otherwise wrongful processing. In the Netherlands, the personal details of a person whom a local council felt had made excessive freedom of information requests were sent around to other councils, in violation of the GDPR (in Dutch, the Algemene verordening gegevensbescherming, AVG) and the Dutch law implementing it. He was awarded compensation of €500.[v] Similar (if anything somewhat higher) awards have been made in Germany and France.
The GDPR allows for class actions (representative actions):
Article 80 GDPR stipulates that, “where provided for by Member State law”, data subjects can:
mandate a not-for-profit body … active in the field of [data protection] … to exercise the right to receive compensation referred to in Article 82 on his or her behalf.
The above-mentioned individual awards in civil claims may not appear to amount to much, each in itself. However, in cases in which tens or even hundreds of thousands of individuals have been affected by a personal data breach or by other wrongful processing (e.g., processing on the basis of invalid consent, or without having properly informed the individuals, or improper sharing of data), the total awards can quickly accumulate, as this article (although originally written well before the GDPR) well illustrates.[vi] Apart from the significant cost of dealing with thousands of letters and claims in terms of person-hours and court fees, the actual damages would also multiply. If in a case like the above-mentioned British Airways case, which affected 500,000 individuals, just 10% of those individuals join a representative claim under Article 80, that would still amount to 50,000 claims. Multiplied by €500, that comes to total damages of €25 million; by €1,000, to €50 million. Higher individual damages and/or more claimants would further increase these sums.
Civil society groups active in the fields of digital rights and data protection are beginning to avail themselves of this possibility. The best known are the French NGO La Quadrature du Net (LQN) and the Austrian NGO None of Your Business (noyb), founded by data protection activist Max Schrems.[vii] In Germany, a new organisation, the Civil Liberties Union for Europe, includes representative actions as one of its specific aims.[viii] And in the UK, some law firms are beginning to specialise in class actions, and are also looking at the GDPR (and UK data protection law). One of them, the law firm PGMBM, recently filed a class-action lawsuit on behalf of 9 million affected EasyJet customers whose personal data was accessed by unauthorised parties, claiming up to £2,000 per affected customer, taking the total claim to £18 billion – yes, £18 billion!
That claim is obviously overstated. But the risk of such claims – and very serious awards, even if not quite on that proposed scale – is undoubtedly strongly increasing.
Companies must take their responsibilities under the GDPR seriously. Breaches of the regulation – including not just “personal data breaches”, i.e., security breaches in the narrow sense, but also any other kind of non-compliance, such as not obtaining [valid] consent from data subjects, not sufficiently authenticating a person (and consequently compromising that person’s data), not properly informing data subjects, or retaining data for [much] longer than necessary – will increasingly incur serious financial penalties, issued by the regulators in the form of GDPR-mandated administrative fines.
And it is now becoming clear that in many EU Member States companies may – nay, will – also face extensive, expensive (in terms of legal costs and, especially, cumulated individual claims) and costly (in terms of bad press) class suits from the large groups of individuals that can be, and often are, affected by a company’s non-compliance with the regulation.
In addition, exposed and widely reported breaches of the regulation lead to serious hits to a company’s reputation, share price and customer trust – undermining the company’s standing and future.
Companies that fail to take privacy and data protection – and the legal requirements relating to them – seriously will be punished in the courts, in their markets, in their wallets, and in the court of public opinion.
Professor Douwe Korff
[i] Nikolaou v. Commission, Case T-259/03; V. v. European Parliament, Case F-46/09; I v. Finland, Application 20511/03, judgment of 17 July 2008. For summaries of all these (and other) cases, see: Christopher Kuner et al., The EU General Data Protection Regulation: A Commentary, OUP, 2020, Commentary on Article 82, sections 4.1 and 4.2, pp. 1170–1173.
[ii] See Kuner et al. (previous note), section 4.3, pp. 1173–1174.
[iii] Lloyd v. Google EWCA Civ 1599. For a summary of the judgments, see:
[v] Arnoud Engelfriet, De eerste schadeclaim onder de AVG is binnen, maar het is wel een rare zaak (“The first civil claim under the AVG has been made, but it is an odd case” – why the author feels the case is odd is not quite clear), iusmentis blog, 12 June 2019, at:
[vii] See the LQN and noyb cases listed in Kuner et al. (note i, above), pp. 1151–1152.