Wednesday 7 February 2018

Judicial Remedies under the GDPR and other Data Protection Legislation

Jane Lambert











A lot of attention has focused on the massive increase in the Information Commissioner's and other supervisory authorities' power to fine under art 83 (4) and (5) of the GDPR but she acquires no new powers to compensate.  If a data subject requires compensation from a data controller or processor under art 82 (1) or some other judicial remedy pursuant to art 79, he or she will have to sue.

The Data Protection Bill, which has now completed its passage through the Lords and is now awaiting its second reading in the House of Commons, makes provision for that judicial remedy.  The courts of the United Kingdom are to have the power to make compliance orders under clause 165 and award compensation under clause 166 and clause 167.

Clause 165 (2) defines a compliance order as
"an order for the purposes of securing compliance with the data protection legislation which requires the controller in respect of the processing, or a processor acting on behalf of that controller—
(a) to take steps specified in the order, or
(b) to refrain from taking steps specified in the order."
This would seem to include an order by the court to a data controller to comply with a subject access request under clause 94 (11), an order not to process personal data under clause 99 (5) and rectification and erasure under clause 100 (4). Though there is no specific provision in the Bill for the court to restrain the transfer of personal data abroad under clause 109 (1) or to order a controller to take steps to implement the data protection principles or minimize the risks to the rights and freedoms of data subjects under clause 103 (2) there seems to be no reason why it should not do so.

As I mentioned in Claims by Data Subjects against Data Controllers and Processors under the GDPR 5 Jan 2018, the provisions relating to subject access, rectification and erasure stipulate that the High Court of England and Wales has exclusive jurisdiction to make such orders. However, there seems to be a contradiction in that clause 177 (1) and (2) seems to suggest that compliance orders as well as compensation may be awarded by the County Court as well as the High Court.

Clause 166 (1) provides for compensation for material or non-material damage including distress under art 82 GDPR for contravention of that regulation and clause 167 (1)  for compensation for material or non-material damage including distress under any other data protection legislation.

In future articles I shall discuss pleading claims  for judicial remedies for alleged breaches of the GDPR and other legislation and possible defences.  Anyone wishing to discuss this article should call me on 020 7404 5252 during office hours or send me a message through my contact form.