Summary

This dissertation examines the extent to which the right to compensation (Article 82 GDPR) can contribute to the enforcement of data protection law in practice. I have split this research into a number of subtopics and incorporated them into six publications. In view of the fi ndings as a whole, I conclude that the right to compensation currently cannot suffi ciently contribute to the enforcement of data protection law. Three problems lead to this conclusion.

Firstly, although unlawful processing of personal data may have a considerable impact on a data subject’s freedom and autonomy, there is often no damage eligible for compensation. Unlawful processing of personal data does not usually have a demonstrable or substantial impact on the data subject’s assets, unless the unlawfully acquired personal data is used for committing identity fraud. In most cases, unlawful processing of personal data only gives rise to mental discomfort, such as feelings of uncertainty, frustration, annoyance or light tension and emotions. Under Dutch law, by virtue of Article 6:106(b) Dutch Civil Code (DCC) these consequences do not easily qualify as compensable immaterial damage. Consequently, a data subject will not readily have a right to compensation for the unlawful processing of his personal data.

Secondly, the amount of damages awarded is often quite limited or uncertain, while the legal proceedings can be costly. This may cause a data subject to remain ‘rationally apathetic’, as the benefi ts of a legal suit may not outweigh the costs and time invested by a data subject. A low or uncertain amount of damages thus has a negative effect on the enforcement of data protection law. After all, if data subjects refrain from initiating legal proceedings, enforcement is less likely

Thirdly, to the extent that the material damage is substantial, it may be diffi cult for a data subject to demonstrate a causal link between the infringement of the GDPR and the material damage incurred. This may be because damage does not always occur immediately after an unlawful processing of personal data or because personal data only causes harm when it is combined with other personal data.

In my dissertation, I provide various solutions to tackle these problems so that the right to compensation contributes to the enforcement of data protection law.

With regard to the compensable damage, instead of applying Dutch law, a court must give an autonomous interpretation to the concept of damage within the meaning of Article 82(1) GDPR. That interpretation must take into account the GDPR’s context and the objectives of the GDPR (control over data, enforcement) and EU law in general (‘full effect’ and ‘effectiveness’ of provisions). This entails that the data subject may also be entitled to compensation for immaterial damage if the consequences of the unlawful processing of his personal data are not (very) concrete. This does not mean that every infringement of the GDPR must lead to compensation. Compensation for unlawful processing without concrete consequences should only be possible if the processing causes a substantial infringement of the GDPR. This would be the case if non-enforcement of the infringed provision would impair the effectiveness and full functioning of the GPDR. Article 83(2) GDPR could help in determining whether there is a substantial infringement. A judgment of the CJEU is ultimately decisive for the interpretation of the damage within the meaning of Article 82(1) GDPR. The CJEU, however, is dependent on requests from national courts for preliminary rulings. I therefore urge lower courts to request a preliminary ruling from the CJEU as soon as possible. Contrary to the highest national courts, lower courts do not have an obligation to request for a preliminary ruling about the interpretation of EU law. Nevertheless, it is important that especially lower courts make such a request and ask questions about the concept of damage under Article 82(1) GDPR. A preliminary ruling by the CJEU would lead to an accelerated development of the law and to a uniform application of the right to compensation, which may contribute to a higher level of data protection.

To mitigate the negative effects of the data subject’s rational apathy, I discussed multiple options in this dissertation. As of 1 January 2020, Dutch law allows data subjects to claim compensation through collective actions (Article 3:305a DCC). Since a collective action enables data subjects to share the fi nancial burden of litigating, it becomes more attractive for data subjects to take action even against minor harms. Combining forces by means of collective proceedings will also provide more expertise to data subjects, thus making it easier for them to substantiate their claim. In addition, allowing competitors to rely on the right to compensation of Article 82 GDPR will boost the enforcement of data protection law, as they have a strong economic interest in compliance with the GDPR. In this thesis, I set out strong arguments that support the interpretation that a competitor can rely on Article 82 GDPR. The GDPR intends to advance the free movement of personal data, strengthen the protection of personal data, and harmonize data protection law. Additional enforcement by competitors may contribute to these objectives of the GDPR, and thus to its full effect.

To mitigate the data subject’s rational apathy as such, I suggest that the EU legislator considers introducing a statutory lump-sum system with predetermined amounts for substantial breaches of the GDPR. I expect that it will have a positive effect on the enforcement of the GDPR. A lump-sum system, in which the amounts payable as damages are higher than the actual or demonstrable damage, can pull data subjects out of their rational apathy. It also ensures that data subjects can readily enforce substantial breaches of the GDPR even when demonstrable damage is lacking or is uncertain. Another effect of a lump-sum system is that the data controller already knows beforehand the amount of compensation he will have to pay to the data subject upon infringement of their rights. This increases the likelihood that data subjects will be able to enforce their rights without the need for legal intervention. After all, a data controller will want to avoid unnecessary legal costs. Finally, a lump-sum system also caters for cases in which the data subject is unable to demonstrate a causal link, insofar as it concerns substantial infringements with material damage.

With regard to problems of causation, I also discussed the Dutch legal doctrines of ‘alternative causation’ and ‘proportional liability’. It is, however, still unclear to what extent these doctrines can alleviate problems of causality. Ultimately, the national court must also interpret the causal link requirement through a European lens. The Kone judgment of the CJEU gives rise to the idea that a court may not interpret the causal link requirement too restrictively, in order to ensure the full effect of the GDPR. In this regard, I also recommend national courts to request the CJEU for a preliminary ruling on the interpretation of the causal link requirement in respect of an unlawful processing of personal data.

This dissertation does not solely point out obstacles for those seeking redress. Currently, Dutch case law shows that the requirement of a causal link between the infringement and the immaterial damage does not (yet) appear to be problematic for the data subject. In addition, demonstrating that the processing constitutes an infringement of the GDPR is not a burdensome task for the data subject. It (implicitly) follows from case law that data subjects only have to assert that the data controller processed their personal data in breach of the GDPR. Subsequently, the data controller must demonstrate that he processed the personal data in accordance with the provisions of the GDPR. Presumably, this reversal of the burden of proof derives from the obligation for a data controller to demonstrate compliance (‘accountability’) with the data protection principles (Article 5(2) GDPR). Yet, it remains to be seen whether a data subject in legal proceedings can always appeal to the accountability of the data controller, or whether they must at least provide evidence of a reasonable suspicion of unlawful data processing. Lastly, the GDPR and EU law do not forbid invoking contributory negligence as a defence for the liable data controller (Article 6:101 DCC). This defense, however, will not often be successful, as the GDPR imposes a great deal of responsibility on the data controller. Even if such a defense was to be granted incidentally, the doctrine of contributory negligence would not render the right to compensation (as laid down in Article 82 GDPR) practically impossible or excessively diffi cult to exercise, and would thus not compromise EU law’s principle of effectiveness.