Actions for damages under the Data Protection Directive and the GDPR

Slides:



Advertisements
Similar presentations
1 Enforcement Powers of National Data Protection Authorities and Experience gained of the Data Protection Directive Safe Harbour Conference Washington.
Advertisements

Peter Adams Health and Safety - Responsibilities and the Universitys Approach.
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
Mg.iur. Jānis Kubilis PhD Student (University of Latvia) Attorney at Magnusson Law Firm 19 May 2014.
Payment Systems Risk of Loss in the Checking System: Special Rules.
The Data Protection (Jersey) Law 2005.
Liability and Procedure in European Antitrust Law The EU Damages Directive Does the European Union overstep the mark again?
CIVIL & CRIMINAL LIABILITY Staff Development Emergency Operations Volunteer Training Legal Issues:
EU: Bilateral Agreements of Member States. Formerly concluded international agreements of Member States with third countries Article 351 TFEU The rights.
University of Sunderland Professionalism and Personal Skills Unit 11 Professionalism and Personal Skills Computer Legislation.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview
4Chapter SECTION OPENER / CLOSER: INSERT BOOK COVER ART Intentional Torts Section 4.1.
The Information Commissioner’s Office David Evans.
B u d a p e s t i Ü g y v é d i K a m a r a A l a p í t v a: Solatium doloris from the point of view of lawyer’s liability insurance in Hungary.
Customer Service Enforcement After AB 2987 John Risk Communications Support Group, Inc. (c) 2006 John Risk Communications Support Group, Inc. (c) 2006.
Chapter 5 Torts and Civil Law.
Unit 6 – Civil Law.
American Public School Law Torts n Definition of a tort – Intentional interference – Strict Liability – Negligence – Elements of Negligence – Defenses.
PROTECTION OF PERSONAL DATA. OECD GUIDELINES: BASIC PRINCIPLES OF NATIONAL APPLICATION Collection Limitation Principle There should be limits to the collection.
Chapter 6 Torts and Strict Liability. Copyright © 2010 Pearson Education, Inc. Publishing as Prentice Hall.6-2 Three Kinds of Torts A tort is a wrong.
The Role of the Courts.
DR ANDREA MULLIGAN BARRISTER-AT-LAW LLB, LLM(HARV.), PH.D Safe Harbor and Schrems v DPC.
Technology and Brand Law Implementing The New EU Data Protection Regulations.
Legal Foundations of European Union Law II Tutorials Karima Amellal.
Negligence Tort law establishes standards for the care that people must show to one another. Negligence is the conduct that falls below this standard.
Legislations.
GDPR 12 POINTS 679/2016 DATA LEX 2016.
The Spanish experience of enforcing privacy norms Two decades of evolution from sticks to carrots Dr. Artemi Rallo Constitucional Law Professor Regulator's.
Law-Related Ch Notes I. Torts: 1. A tort is a civil wrong.
Trinity College Dublin Medicine and the Law Causation in a fault based system Orla Sheils Introduction. SW = 7BR. Civil department handles clinical negligence.
E&O Risk Management: Meeting the Challenge of Change
Introduction to Environmental Law
The Law of Torts I’m going to sue you!.
Negligence Mr. Lugo.
THE NEW GENERAL DATA PROTECTION REGULATION: A EUROPEAN OR A GLOBAL STANDARD? Bart van der Sloot Senior Researcher Tilburg Institute for Law, Technology,
General Data Protection Regulation (GDPR)
Liability in negligence
Legal Aspects of Business Unit – I Breach of contract
Standard of Care.
By Richard A. Mann & Barry S. Roberts
Introduction to Torts: Civil Law
Chapter 13 Directors Duties: Remedies and Consequences
General Data Protection Regulation
Data protection issues in regulatory investigations
Practical cases UNIVERSITY OF ZAGREB EUROPEAN PUBLIC LAW
Damages under the Data Protection Directive and the GDPR
Damages in Patent Infringement Litigation
“Private Injuries v. Public Offenses”
Data Protection & Freedom of Information- An Introduction
Data Protection & Human Rights
Bob Siegel President Privacy Ref, Inc.
GENERAL DATA PROTECTION REGULATION (GDPR)
UNIVERSITY OF LUSAKA SCHOOL OF LAW ADMINISTRATIVE LAW
Dr. Andrea Mulligan BL LL.B, LL.M(Harv.)
Directive (EU) 2016/680 gap analysis results
Bart van der Sloot Data Protection 2.0 The proposal for a General Data Protection Regulation Bart van.
European actions.
How is the GDPR enforced ?
Negligence.
Bart van der Sloot Data Protection 2.0 The proposal for a General Data Protection Regulation Bart van.
General Data Protection Regulations 2018
Governing the risk of GDPR compliance
Section Outline Unintentional Torts Negligence Strict Liability
STRUCTURE OF THE PRESENTATION
Negligence Ms. Weigl.
Fines, Sanctions and Compensation The teeth in the GDPR & Data Protection Act 2018 by Simon McGarr, CIPP/E Data Compliance Europe.
Dr Elizabeth Lomas The General Data Protection Regulation (GDPR): Changing the data protection landscape Dr Elizabeth Lomas
Remedies for Breach of Contract
The reference for a preliminary ruling concerns the interpretation of Articles 2, 3 and 8 of Council Framework Decision 2001/220/JHA of 15 March 2001.
Presentation transcript:

Actions for damages under the Data Protection Directive and the GDPR Dr Andrea Mulligan LL.B, LLM(Harv.) BL Barrister-at-Law, Assistant Professor, School of Law, Trinity College Dublin.

Damages in Data Protection Law 1. Damages Under the Data Protection Directive – Irish Law 2. Damages Under the Data Protection Directive – UK Law 3. Data Protection Rights in EU Law and the Move Toward Robust Protection 4. Damages Under the GDPR – The New Regime 5. GDPR Damages: Practical Concerns

Damages under the Data Protection Directive – Irish Law DPD imposes obligation on Member States to establish procedures through which individuals can be compensated for breaches of Data Protection Law. Article 23(1): Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered. Leaves room for discretion on part of Member State. What kind of damage is compensable?

Damages under the Data Protection Directive – Irish Law The Article 23 obligation implemented in Irish law by Section 7 of the Data Protection Acts 1988-2003: For the purposes of the law of torts and to the extent that that law does not so provide, a person, being a data controller or a data processor, shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned…. Note – phrase “duty of care” implies a negligence type action. No reference to type of damage envisaged. Law unclear until case of Collins v FBD insurance.

Collins v FBD Insurance [2013] IEHC 137 Facts: Painter-decorator claims for stolen van. FBD investigate and discover conviction for theft of (different) van. Data protection breaches identified by Data Protection Commissioner: failure to comply with subject access request, engagement of private investigator, failure to provide adequate technical and security measures. Plaintiff initiates proceedings in Circuit Court, obtains award of €15,000. FBD appeals to High Court on issue of whether Plaintiff entitled to damages in absence of proof of actual damage. Feeney J: “Compensation is intended to place an individual in the position which that individual would have been apart from the wrong done. In general an entitlement to damages for distress, damage to reputation or upset are not recoverable save where extreme distress results in actual damage, such as recognisable psychiatric injury” Result: action for damages operates like ordinary negligence action.

Damages under the Data Protection Directive – UK Law Vidal-Hall v Google Inc [2016] QB 1003 Case concerning operation of cookies by Google. Action for misuse of private information. No claim for pecuniary loss, only damages in respect of anxiety and distress. UK implementation different to Irish implementation of DPD. Section 13(2) of the UK Data Protection Act 1988:  An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if— (a)the individual also suffers damage by reason of the contravention, or (b)the contravention relates to the processing of personal data for the special purposes. On literal interpretation - no damages available for distress.

Damages under the Data Protection Directive – UK Law Court of Appeal examines the Directive and concludes that proper interpretation requires compensation for non-material damage. Considers Articles 7 and 8 of the Charter of Fundamental Rights of the European Union – protecting the right to privacy and the right to data protection. Breach of fundamental rights requires right to compensation even where no economic harm. Court of Appeal disapplies limitations on definition of damage under Section 13(2).

Data Protection Rights in EU Law and the Move toward Robust Protection Vidal-Hall illustrates new approach to Data Protection Law damages, providing very high level of protection for fundamental rights. Court of Appeal considered FBD v Collins and refused to apply it. Note different methods of interpretation and resulting limitation on Feeney J. Appropriate emphasis on fundamental rights, reflecting cases such as Google Spain, Digital Rights Ireland, and Schrems. Reference to Article 47 and right to a remedy. Collins v FBD likely to be overruled.

Damages under the GDPR Article 82(1): Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. Note obligations on data processors: Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

Damages under the GDPR General Scheme of a Data Protection Bill, published May 2017. Head 91(1) provides:   Where a data subject considers that his or her rights under the Regulation or this Act have been infringed as a result of processing of his or her personal data, such infringement shall be actionable at the suit of the data subject ("data protection action"). Note abandonment of language of “duty of care”. All breaches of GDPR now actionable. Change in regulatory model – towards private enforcement.

GDPR Damages: Practical Concerns Volume of claims. Role of the Data Protection Commissioner Determination of DPC generally regarded as valuable/essential to building of case. Risk of DPC being swamped with minor cases – complaints of “digital ambulance chasing”. Quantum – the million dollar question. Kennedy v Ireland, et al may be useful. Purpose of damages in Data Protection Law – to compensate damage even where damage is mere anxiety and distress.

Questions or comments welcome. Dr Andrea Mulligan BL andrea.mulligan@lawlibrary.ie 086 3857328 The Law Library, Four Courts, Inns Quay, Dublin 7. DX 810120