Hogan Lovells Publications | 24 July 2018

How Article 82 of the GDPR has revised the rules on liability, compensation claims, and class actions when data breaches occur in Europe

The General Data Protection Regulation (GDPR) is driving tremendous changes in the European Union (EU), and companies that haven’t implemented their data protection requirements could face serious consequences regarding civil liability.

Those requirements, some of which are found in Article 82 of the GDPR, introduce new rights for persons affected by breaches of data protection. Not only does Article 82 govern compensation under civil law and enable affected persons to make compensation claims for data breaches, the GDPR also simplifies the process, reduces the data subjects’ risk of litigation, and, for the first time in many member states, allows claims against controllers and processors. Because data breaches often result from a failure in company security, many litigators anticipate substantial increases in the number of plaintiffs and proceedings across the EU. 

In this hoganlovells.com interview, Martin Strauch, senior associate in the Hogan Lovells Munich office, discusses the trends expected in GDPR data breach litigation, how claims will now be made and who can make them, and the future of class actions in the EU.

What is the EU perspective on data breach litigation, and what changes have regulators made to date in response to the enactment of the GDPR?

Strauch: The situation with multiple regulators in Europe is just getting started on this issue. In the past, we’ve seen regulator activity under the national laws of the countries of the European Union. But in general, you can say that regulatory bodies, especially the data protection authorities (DPAs), were not really prepared and were not staffed for those kinds of issues, especially more complex data breaches.

But what we see now, especially with the GDPR coming into force, is that the DPAs are hiring more staff and increasing their capabilities — at least in some countries. In just one recent case, we reported a data breach to the DPAs for a client and we saw that they started an investigation within the same day — something we have not seen before. 

So even though we can’t say yet how this is going to develop in terms of how high the fines are going to be, we can see they are changing the way they approach this. We can also see that other authorities, like banking and stock exchange authorities, are changing their views, too, especially after ransomware attacks in the past two years, where we saw that, for example, stock prices of companies that were attacked dropped dramatically. The stock exchange authorities especially see this as an event that needs to be reported. 

From an EU perspective, we look to the U.S. and see a direction that this field might go, but we’ll see if that develops. But we expect authorities to become a lot more active in this way.

How is Article 82 driving changes on the civil litigation side, especially regarding class actions?

Strauch: In the EU, the topic of class action does not have a lot of history to it. So the GDPR is trying to give data subjects several ways to better enforce their rights. 

One of those ways is found in Article 82, which gives all data subjects that are subject to the GDPR a damages claim against the controller. What is new, however, is that it also allows a direct claim against the processor of data. That is quite interesting because so far, in most countries, it had not been possible for a data subject to make a direct claim against a processor of data. 

That means that a processor might actually become subject to a direct claim by a data subject, even though the processor might be a company that is only acting in a B2B (business-to-business) setting and actually never interacted with the data subjects themselves. For example, the processor could be only a service company that is working with HR data for a company. 

What the GDPR is trying to do is give data subjects a similar type of regulatory framework that the GDPR gives DPAs, so that the data subjects can actually receive damages and also, if necessary, cease-and-desist decisions.

Please summarize what has changed under the GDPR regarding data breach litigation, compared to how things were under the national laws of the member states.

Strauch: What is important to understand is that the national laws still exist, and so do the civil regimes where you have a claim against a data controller that is subject of a breach, for example. And they will continue to exist for all of the EU: this Article 82 of the GDPR just comes on top of that. 

What Article 82 is doing is trying to give people a way to effectively pursue their rights. In fact, “effectively pursue their rights” is what the regulator actually wrote in the GDPR. And four major changes to the way data breaches are addressed have come out of Article 82: a right to nonmaterial damages, a reversed burden of proof, rights to information, and the need to disprove one's own fault. They also want to overcome something that is known as a “rational lack of interest.” This rational lack of interest existed for claims after data breaches because you could only claim material damages and these are usually very small. For example, you may have a right to be reimbursed for a new credit card for €5. Taking this to court would cost much more. But under the GDPR, the scope of damages is broadened to also include nonmaterial damages, which may be a lot higher, especially when you had a lot of incidents or affected people. 

And that’s actually the more important point: the burden of proof has changed. This means that the data controller or data processor will have to prove that they acted within the GDPR, and that is something that is very different from how the situation was before. In the past, the claimant (e.g., in Germany) had to prove that there had been a breach and that the claimant had damage caused by this breach. But now a lot of commentators reading the GDPR are saying that it will be turned around, and it will be the companies or processors that will have to prove that they acted within the GDPR. And the data subjects are also being given information rights to find out what happened. So they will have a very easy case to present in court.

Who can be claimants in these issues?

Strauch: The claimants can be customers, employees — only natural persons, but they have to be people who were somehow affected, directly or indirectly. The defendants can be controllers, processors, companies, or public authorities, but theoretically, they must also be natural persons.

How does a claimant actually make a claim?

Strauch: There are different ways to address this. In Europe, there are a lot of consumer associations that protect the rights of consumers. The GDPR itself puts forward a way for consumer associations to actually have a right to pursue at least cease-and-desist claims against companies and data processors — without being asked to do so by a victim. 

Another way we’re expecting claims to be made is through professional claimants. We see this in antitrust matters especially, where professional claimants — they’re also known as claim vehicles — collect claims from victims and then sue for one big number. They often have a website where you can register, and then the professional claimant will actually make the claim. In this way, it makes a lot more sense to make a bigger claim than a lot of small claims.

A lot of European countries are introducing some method of class action and there are several class action methods now being put in place. For example, the Czech Republic, Finland, Germany, Greece, and Hungary all have regimes where consumer associations have a right to do some sort of a consumer association action like the one in Germany, where you can only get a cease-and-desist judgment. 

But we also see that there are a number of countries with class action regimes similar to the one in the United States. There are opt-in systems, such as Austria, Belgium, Denmark, France, Italy, Poland, Portugal, Spain, and Sweden. Some countries have opt-out systems, including Belgium, Bulgaria, Netherlands, Romania, and the UK. Other countries like Germany are working on introducing such real class action right now.

To learn more about class actions in Europe, we have created a guide "Blurred boundaries: The latest developments in class actions, mulitclaimant actions, and cross-border litigation in the EU and U.S."

About Martin Strauch

Martin Strauch focuses on commercial, corporate, and insolvency litigation as well as cybersecurity and data privacy disputes. He offers advice to national and international clients in prelitigation scenarios as well as in disputes before first instance and appellate courts. His clients include companies from the financial, commodities, technology, and IT sectors, as well as insolvency administrators.

Download PDF Back To Listing