It’s a big question for organizations: Can we be sued privately for violating the EU’s General Data Protection Regulation (GDPR)?
The short answer is: Yes, the GDPR creates a private right of action for data subjects whose privacy rights were violated. It also specifically allows people to litigate as a group, similar to a class-action lawsuit in the United States. In many ways it is a broader private right of action than the one found in the California Consumer Privacy Act (CCPA), though there is some nuance to the issue, and some details are still being worked out by the courts.
The GDPR clearly sets up a private right of action for individuals in the following three articles:
The takeaway is that data subjects can sue an organization for violating any of their GDPR rights and can receive monetary compensation for those violations. However, this compensation is likely limited to the actual damages suffered. In most cases that probably won’t be a large amount, though in some situations, such as a data breach, it could rise significantly. Because the costs of litigation would be prohibitive in most circumstances, data subjects can band together and have their case litigated jointly by a nonprofit group.
(Note: The issue of damages is entirely separate from the administrative fines that can be imposed by a country’s data protection authorities, which can go as high as €20 million or 4% of a company’s annual turnover, whichever is higher.)
This setup differs from the CCPA's private right of action in a couple of ways. First, it is much broader. The CCPA only allows consumers to sue businesses for violations related to a data breach; the GDPR allows data subjects to sue for any violation. However, the GDPR right to compensation is limited to actual damages, while the CCPA provides for the recovery of actual damages or statutory damages of up to $750 per consumer per incident.
While the GDPR does contain a private right of action, there is still some uncertainty over how it will work. At the root of this uncertainty is the fact that the GDPR is enforced internally by the data protection authorities and courts of each member nation of the European Economic Area and the United Kingdom. That’s 31 different countries with 31 different legal systems. In some of these nations, it is not yet clear if some additional local legislation is required to create a private right of action. Additionally, many important aspects of GDPR class-action lawsuits, such as what constitutes an appropriate forum and what a nonprofit group must show to demonstrate it has the mandate of data subjects, are still being litigated. The courts of different countries may also come to different conclusions, further complicating the issue.
The best defense against a lawsuit is to prevent it from ever happening in the first place, and in this case that means compliance. Though it may seem daunting without in-house privacy expertise or the help of a law firm, TrueVault Polaris brings GDPR compliance within the reach of any organization. Designed by attorneys, Polaris is a self-guided software tool that helps you become compliant on your own, and then stay that way. Schedule a demo to learn more.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.