Friday, 5 January 2018

Claims by Data Subjects against Data Controllers and Processors under the GDPR

Royal Courts of Justice
Author Rafa Esteve
Licence Creative Commons Attribution Share Alike 4.0 International
Source Wikipedia

Jane Lambert

In my article How the GDPR works 3 Dec 2017 I wrote that the General Data Protection Regulation ("GDPR") establishes a set of principles for processing personal data (data by which living human beings can be identified) and machinery for monitoring and enforcing compliance.  I added that "that machinery takes the form of rights for data subjects (the individuals who can be identified from the data) and obligations upon data controllers (those who control the processing of personal data) and processors (those who carry out the processing) to take reasonable steps to minimize the risk or effect of non-compliance."

Previous legislation required EU member states to establish supervisory authorities to regulate the processing of personal data in their respective territories and the supervisory authority for the United Kingdom is the Information Commissioner in Wilmslow near Manchester.  If a data subject believes that his or her rights under the GDPR have been infringed, he or she will be able to complain to the Information Commissioner or the supervisory authority of some other member state or sue the data controller or processor in the courts of the United Kingdom or some other member state.

This article considers the circumstances in which a data subject might wish to bring an action against a data controller or processor in the courts of England and Wales and how he or she might do so.

What is the GDPR?

In my Introduction to the GDPR 2 Dec 2017 I wrote that "the initials GDPR stand for the words “General Data Protection Regulation” which is "the short title for a law officially known as Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC." I added:
"The GDPR is thus a law to protect the interests of living individuals throughout the EU with regard to the processing of data by which they may be identified while safeguarding the free flow of information throughout the EU. It will come into being with equal effect in every member state without further intervention of the governments of those states."
It will come into force on 25 May 2018 and remain for as long as the United Kingdom remains in the European Union. However, many of its provisions will be preserved in a new Data Protection Bill which is now proceeding through Parliament (see my article Introduction to the Data Protection Bill  16 Sept 2017).

Right of Action

Art 79 (1) of the GDPR provides:
"Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation."
Such a right of action is not new.  EU member states are already required to provide a judicial remedy for any breach of the rights guaranteed by the national law applicable to the processing in question under art 22 of the Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data). In the United Kingdom, the judicial remedy mentioned in art 22 is implemented by s.15 (1) of the Data Protection Act 1998.

In what Circumstances could a Data Subject sue?

A data subject might wish to go to law to seek compensation under art 82 (1) of the GDPR for any material or non-material damage that he or she may have suffered as a result of an infringement of the regulation or for an order for the rectification or erasure of data, the restriction of data processing or any other relief that can only be granted by a court.

In which Court?

Art 79 (2) of the CDPR allow proceedings for compensation or other remedy to be brought in any member state in which the controller or processor.  Alternatively, they may be brought before the courts of the member state where the data subject has his or her habitual residence unless the controller or processor is a public authority of a member state acting in the exercise of its public powers. In that case the authority must be sued in the member state where it is located.  Clause 92 (13) of the Data Protection Bill provides that the jurisdiction to compel subject access requests may be exercised by the High Court in England and Wales, the High of Northern Ireland or the Court of Session in Scotland. Similarly, those courts have jurisdiction to hear objections to process under clause 97 (7) and to make orders for the rectification or erasure of personal data under clause 98 (6).  There is no equivalent provision for compliance orders under clause 158 or compensation under clause 159. By contrast, s.15 (1) of the Data Protection Act 1998 provides that claims under the Act may be brought before the High Court or the County Court in England and Wales or the Court of Session or a sheriff's court in Scotland.

How to bring Proceedings under the GDPR

It would appear that a claimant must prove:
  • the existence of a right under the GDPR;
  • an actual or threatened infringement of that right; and
  • damage resulting from the infringement.
The right may be express such as those that arise under Chapter III of the regulation or implied such as the right to object to the transfer of personal data abroad without the safeguards provided by Chapter V. The damage may be material or non-material and it must have resulted or be likely to result from an infringement of the data subject's right. A controller or processor has a complete defence under art 82 (3) of the GDPR if he or she can prove that he or she is not in any way responsible for the event giving rise to the damage.

Liability of Processors

One of the changes brought about by the GDPR is that processors can be sued for damage caused by non-compliance with the regulation or acts outside or contrary to the lawful instructions of the controller. This change is probably more apparent than real because processors that have failed to comply with relevant data protection legislation can usually be joined as Part 20 defendants either for breach of express or implied terms of their service level agreements or a common law duty of care.


In the absence of a pre-action protocol for data protection complaints, data subjects, controllers and processors will be expected to comply with paragraph 6 of the Practice Direction - Pre-action Conduct and Protocols. Wherever possible, disputes should be settled through direct negotiations, arbitration, mediation or some other form of alternative dispute resolution. Those that cannot be resolved through negotiation or ADR may be brought in either the Queen's Bench Division or the Chancery Division. Claims for compensation are more likely to be brought in the Queen's Bench Division whereas those for compliance orders are more likely in the Chancery Division

Alternative Dispute Resolution

Parties seeking the appointment of a neutral to resolve a dispute under the GDPR or other data protection legislation may wish to consider one of the arbitrators or mediators of 4-5 Gray's Inn Square as James Bridgeman SC, the Hon Louis Harms, Caroline Kenny QC, Anthony Connerty, several other members of chambers and I have relevant knowledge and experience.

Further Information

Anyone wishing to discuss this article, the GDPR or data protection in general is invited to call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.

No comments:

Post a comment