The expected extent of compensation claims and regulatory sanctions under GDPR have been outlined in a document published by law firm DAC Beachcroft. The report sets out findings from an 18-month study with contributions from data protection experts across all 28 EU member states.

Partner and head of Cyber & Data Risk at DAC Beachcroft, Hans Allnutt, said the law firm wanted to find out how big a change the new regime will have and where those changes will be felt most in Europe.

"If there is one finding I would highlight over others, it’s that over 80% of jurisdictions expected compensation claims for data protection breaches to increase under the GDPR. While the fines and penalties under the GDPR have quite rightly grabbed the headlines, what might not be appreciated is the incoming wave of litigation that organisations face if they are found to contravene the GDPR’s new rules.

"The GDPR's tentacles are truly international," he said. "The financial risks are not just limited to organisations in the EU, as the GDPR applies to businesses based outside the EU offering goods or services to EU residents."

Among the key findings is that individuals in at least half of EU member states will, for the first time, be entitled to claim compensation if their personal data is breached. Local law in some member states -- for example in Bulgaria, Cyprus and Hungary -- already offers compensation rights but, for many EU countries, the right to compensation under the GDPR will mark a significant legal change.

DAC Beachcroft's study also reveals that fines and compensation levels for data breaches vary hugely between EU countries. For example, Spain fined Facebook €1,200,000 in 2017, yet some member states have issued no fines at all. There is a similarly large disparity in compensation awards across member states, with an €90,000 award in Italy while some member states currently provide no compensation at all.

Asked whether they expected data protection litigation to rise, most respondents agreed that compensation claims would increase. Claims will be spurred on because of mandatory reporting requirements, making data breaches more public than ever before, and rights to nominate not-for-profit organisations to make claims on individuals’ behalf.

"The GDPR looks set to bring in a whole new phase of privacy litigation," Allnutt concluded. “We are living in a big data age where personal data is often described as the 'new oil' because of the ease with which it can be collected and monitised. The GDPR places control back into the hands of the individual."

All 28 EU member states will have to comply with the new regime, which comes into force on 25 May 2018.


For more on DAC Beachcroft's report, see the next issue of CIR.

Share Story: