Recently on the Privacy List
By Jedidiah Bracy, CIPP/US
As we inch closer to finalized reforms to the EU’s data protection framework, several privacy pros discussed whether a private right of action exists in the current regime for a European data subject in a case of unauthorized use or access.
One subscriber queried, “Would money damages be allowed? Or only that the unauthorized use or access would be required to stop? Would the data subject proceed against both the controller and the processor? Or is the right to seek remedy reserved to the DPA?”
Within about an hour, six privacy pros jumped in to provide clarification to his queries.
“This is basically a matter of national law,” replied one pro.
Citing Article 23 (1) of the EU Data Protection Directive, the subscriber pointed out, “Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to the directive is entitled to receive compensation from the controller for the damage suffered.”
Since unauthorized use or access qualifies as unlawful processing, the pro concludes, “The question then is whether the person has suffered damage as a result of such unlawful processing.”
Another subscriber agreed, adding that Article 22 mandates that “Member States must provide individuals with judicial remedies,” while Article 24 directs Member States to “’adopt suitable measures,’ including sanctions,” when implementing the framework.
“Having said that,” he adds, “you will find few private lawsuits based on violations of the national data protection laws. It is much easier and cheaper to make a complaint to the data protection authority, although this seldom results in the payment of compensation to individuals.”
The same subscriber points out that, though some private actions have been taken against the paparazzi in the UK, “Claimants in Europe have the same fundamental problem in Europe that they do in the U.S.--establishing economic losses arising from a privacy violation as a measure for compensatory damages.”
Sean Robert Grinyer v. Plymouth Hospital NHS Trust and Johnson v. The Medical Defense Union were both cited as examples of notable private actions in the UK, though the privacy pro admitted private actions “are rare and difficult --not to mention expensive.”
Another privacy pro chimed in to say that, as part of the directive’s current review, “a commission proposal exists for group action” similar to U.S.-style class-action lawsuits.
The big issue, concludes one subscriber, is that “there isn’t any realistic interpretation that involves ‘damage.’” There is the possibility of damage, but nothing more. “In a class-action setting where a large group of people are lumped together, there are very few situations where there is actual damage. In my opinion, that’s the whole fight here. The courts--so far--have been pretty firm in requiring actual damage in order to allow a case to proceed.”
To participate in Privacy List discussions or to view list archives, visit the IAPP website. The Privacy List is a free service for IAPP members only.