Out-Law / Your Daily Need-To-Know

Out-Law News

New EU data protection laws could spark debate over liability for data breaches, says expert

New EU data protection laws could spark debate between businesses over the extent of their responsibility for data breaches if proposals that look set to be finalised are included in the new laws, an expert has said.

A leaked document published by Statewatch (372-page / 914KB PDF), authored by the presidency of the Council of Ministers, the body that represents the views of the national governments that make up the EU, confirmed that "tentative agreement" has been reached on some areas of the planned new General Data Protection Regulation in ongoing negotiations over the new framework.

Trilogue negotiations on the wording of the Regulation, involving representatives from the Council of Ministers, the European Parliament and European Commission, have been taking place since the summer. Negotiations are expected to conclude before the end of the year.

According to the new leaked document, dated 20 November 2015, one of the areas of the GDPR's wording on which tentative agreement has been reached by the EU negotiators is on compensation rights and division of liability for breaches of the Regulation.

Under the proposals, data subjects would have "the right to receive compensation" from either a data controller or data processor if they have "suffered material or immaterial damage as a result of an infringement of the Regulation".

The provisionally agreed text states that data controllers involved in non-compliant processing are "liable for the damage caused" and that data processors are only liable for the damage caused "where it has not complied with obligations of [the] Regulation specifically directed to processors or [if they have] acted outside or contrary to lawful instructions of the controller".

It appears likely that some exceptions to liability for both data controllers and processors will be set out in the new Regulation, although no consensus has yet been reached by the negotiating parties on this wording.

The liability provisions that have been tentatively agreed, however, envisage cases of non-compliance where more than one data controller or processor have been involved in processing personal data in breach of the Regulation and share responsibility for the "damage caused".

The proposals, if finalised, would enable people to hold a single data controller or processor "liable for the entire damage", but allow organisations that have "paid full compensation for the damage suffered" to "claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage", subject to the rules that restrict the circumstances in which those companies can be held liable.

Expert in data protection law and dispute resolution Laura Gillespie of Pinsent Masons, the law firm behind Out-Law.com, said: "In cases where a data controller and at least one data processor are in-part responsible for a breach of the new Regulation, such as a failing on data security for example, then a debate is likely to ensue as to the extent of each party's liability. The extent of liability will depend on the level of control each party had over the non-compliant activity."

"It is possible, in cases where businesses disagree over the part they played in non-compliant activity, that a court would determine the extent of liability for each party to that activity," she said.

Kuan Hon of Pinsent Masons, a data protection specialist, said businesses with data processing contracts due to expire after the GDPR comes into effect should carefully negotiate new agreements to "allocate liability appropriately and clearly, with suitable indemnities".

Many areas of the proposed new GDPR remain unsettled, according to the leaked Council presidency document, including the definition of consent to personal data processing, the threshold for notification of data breaches to authorities and data subjects and the framework for serving financial penalties for non-compliance.

However, the Regulation negotiators have tentatively agreed on the factors that data protection authorities will have to take into account when deciding to impose a fine or determining what level of fine to serve.

Factors such as "the nature, gravity and duration of the infringement having regard to the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them" will have to be taken into account, as well as whether the breach of the Regulation was of an "intentional or negligent character".

Whether organisations take action to "mitigate the damage suffered by data subjects", whether they are serial offenders and their "degree of cooperation" with authorities will also be factors relevant to the assessment of fines. The level of fines could also differ depending on whether or not companies self-report incidents of non-compliance, according to the tentative agreement reached.
