GDPR ‘wave of litigation’

More than 80% of jurisdictions predict an increase in compensation claims for data protection breaches when the General Data Protection Regulation (GDPR) takes effect next year, research shows.

The GDPR aims to harmonise EU data protection law, and is due to come into force across all 28 EU member states on 25 May 2018. It will bring higher financial sanctions, rights to compensation and group litigation mechanisms. It will apply to EU organisations and to any organisation based outside the EU offering goods or services to EU residents.

An 18-month study by DAC Beachcroft, Personal Data: the new oil and its toxic legacy under the General Data ProtectionRegulation, looks at the potential impact. Data protection experts across all 28 EU member states were asked whether they expected data protection litigation to rise, and most respondents agreed that compensation claims would increase. Claims will be spurred on because of mandatory reporting requirements, making data breaches more public than ever before, and rights to nominate not-for-profit organisations to make claims on individuals’ behalf.

‘While the fines and penalties under the GDPR have quite rightly grabbed the headlines, what might not be appreciated is the incoming wave of litigation that organisations face if they are found to contravene the GDPR’s new rules,’ said Hans Allnutt, partner at DAC Beachcroft.

‘The GDPR looks set to bring in a whole new phase of privacy litigation. We are living in a Big Data age where personal data is often described as the “new oil” because of the ease with which it can be collected and monitised. The GDPR places control back into the hands of the individual. Those organisations that have ridden the boom and aren’t ready may be hit hard from its toxic legacy under the GDPR.’

The report states that at least half of EU member states will, for the first time, be entitled to claim compensation for personal data breaches. Moreover, fines and compensation levels vary widely between EU countries, for example, Spain fined Facebook €1,200,000 in 2017, yet some data protection authorities do not have fine-issuing authority at all.