Category: Privacy

Cliff Richard v BBC – Part I – Police investigations and reasonable expectations of privacy

I just got to tell someone about the way I feel,
Shout it from the rooftop to the street,
And if I spread the word please tell me who’s it gonna hurt …

Sir Cliff Richard OBE in Sydney 2013 (element)1. Introduction
The words above are the opening lines of “Can’t Keep this Feeling In“, released in 1998 by Sir Cliff Richard [Sir Cliff], pictured left in a mellow pose at a concert in Sydney, Australia in February 2013. In August of the following year, arising out of an ongoing investigation into allegations of historic sex abuse, the South Yorkshire Police [the SYP] searched a property belonging to him in Sunningdale, Berkshire; and – on foot of a tip off from the SYP the previous month – the British Broadcasting Corporation [the BBC] gave the allegations and the search prominent and extensive television coverage. Sir Cliff was never arrested or charged; and, in June 2016, the Crown Prosecution Service [the CPS] decided that Sir Cliff would not face any charges. This decision was re-affirmed by the CPS the following September, following a full review of the evidence.

Meanwhile, in July 2016, Sir Cliff commenced legal proceedings against the SYP and the BBC, arguing that SYP’s leak to the BBC in July 2014, and the BBC’s coverage of the raid in August 2014, invaded his privacy and breached his data protection rights. Before the trial, SYP admitted liability and agreed to pay Sir Cliff £400,000 damages, plus costs (see Richard v BBC [2017] EWHC 1648 (Ch) (26 May 2017)). Earlier this week, in Richard v BBC [2018] EWHC 1837 (Ch) (18 July 2018) Mann J held that that Sir Cliff succeeded in his privacy claim against the BBC and awarded him £210,000 in general damages (£190,000 in compensatory damages, and £20,000 in aggravated damages), with some items of special damages to be decided at a future date. Because of the success of the privacy claim, Mann J held that he did not need to consider the data protection point.

There are three areas of interest in Mann J’s judgment: first, whether Sir Cliff had a reasonable expectation of privacy, having regard to Article 8 of the European Convention on Human Rights [the ECHR]; second, whether the BBC nevertheless were entitled to broadcast, having regard to Article 10 ECHR; and third, the quantum of damages awarded. I will deal with the question of Sir Cliff’s reasonable expectation of privacy in this post; and I will deal with the other two issues in subsequent posts.

2. Article 8 ECHR and Sir Cliff’s Reasonable Expectation of Privacy
In the earlier Irish case of Hanahoe v Hussey [1998] 3 IR 69, [1997] IEHC 173 (14 November 1997) Kinlen J awarded Ir£100,000 damages (worth approximately €185,000 or St£165,000 today) against the Commissioner of An Garda Síochána (Ireland’s National Police and Security Service) for a similarly unjustified leak of a similarly high-profile search. Kinlen J held that the leak was an “outrageous interference” with the defendants’ privacy rights ([1997] IEHC 173 [69]) but awarded damages for misfeasance in public office as a species of negligence ([1997] IEHC 173 [67], [73]). The SYP’s settlement, and this week’s judgment by Mann J, show that the direct protection of privacy interests has evolved sufficiently that their indirect protection via other torts is no longer necessary.

As with the phone hacking cases (see Mann J at first instance; see also the Court of Appeal), Sir Cliff’s case was commenced in the Chancery Division of the High Court, presumably reflecting the fact that the modern English protection of privacy interests began, under the impetus of Article 8 of the European Convention on Human Rights, by pressing the equitable claim for breach of confidence into service. The process continued by shearing that claim of limitations that affected its ability to protect privacy interests, before transmuting it into a claim for misuse of private information separate from breach of confidence. This claim is now characterised as a tort. So, in the present case ([2018] EWHC 1837 (Ch) [264]), Mann J referred to “the English tort which essentially gives effect” to Article 8 ECHR. This tort turns on on whether the claimant has a reasonable expectation of privacy that has been infringed by the defendant (see Campbell v MGN Ltd [2004] 2 AC 457, [2004] UKHL 22 (6 May 2004) [21]-[25] (Lord Nicholls), [134]-137] (Baroness Hale); Kinloch v HM Advocate [2013] 2 AC 93, [2012] UKSC 62 (19 December 2012) [18]-[21] (Lord Hope); R (Catt) v Commissioner of Police of the Metropolis [2015] 1 AC 1065, [2015] UKSC 9 (4 March 2015) [4]-[5] (Lord Sumption); Khuja (formerly PNM) v Times Newspapers [2017] UKSC 49 (19 July 2017) [21], [26], [34](1), [34](3) (Lord Sumption)). For this test in the present case ([2018] EWHC 1837 (Ch) [231]), Mann J cited Clarke MR for the Court of Appeal in Murray v Big Pictures (UK) Ltd [2009] Ch 481, [2008] EWCA Civ 446 (07 May 2008) [36] as affirmed by Lord Toulson in In re JR38 [2016] AC 1131, [2015] UKSC 42 (1 July 2015) [60], [88]:

… the question whether there is a reasonable expectation of privacy is a broad one, which takes account of all the circumstances of the case. They include the attributes of the claimant, the nature of the activity in which the claimant was engaged, the place at which it was happening, the nature and purpose of the intrusion, the absence of consent and whether it was known or could be inferred, the effect on the claimant and the circumstances in which and the purposes for which the information came into the hands of the publisher.

Mann J commented that the last two criteria (circumstances and purposes) were “very relevant” to matter in front of him ([2018] EWHC 1837 (Ch) [231]). He held that “on the authorities, and as a matter of general principle, a suspect has a reasonable expectation of privacy in relation to a police investigation” (ibid, [248]), but he stressed that this was only prima facie (ibid, [250]), and not invariable: “there may be all sorts of reasons why, in a given case, there is no reasonable expectation of privacy, or why an original reasonable expectation is displaced” (ibid, [251]). He therefore held that Sir Cliff was entitled to this prima facie reasonable expectation of privacy as against SYP both in relation to the investigation and in relation to the search, and that there was nothing in his public status, to deprive him of it (ibid, [256]). The BBC submitted that, once the material gets into the hands of a media organisation such as themselves, the position changes, but Mann J rejected that submission (ibid, [259], [262]): what matters is the substance of what is protected by means of the reasonable expectation of privacy, and the substance of the protection, and that is the same against both the SYP and the BBC.

It is an overstatement to say that the authorities clearly established that a suspect has a prima facie reasonable expectation of privacy in relation to a police investigation. At best, they are equivocal on the issue. Indeed, it could even be fairly concluded that they have, in fact, declined to lay down such a rule. In the earlier case of Hannon v News Group Newspapers Ltd [2014] EWHC 1580 (Ch) (16 May 2014) Mann J himself observed that “the question of the confidentiality or privacy of an arrest is likely to be a fact sensitive point”) (ibid, [99]). In Richard, he noted that, in PNM v Times Newspapers Ltd [2014] EWCA Civ 1132 (01 August 2014) [37] Sharp LJ acknowledged “a growing recognition that as a matter of public policy, the identity of those arrested or suspected of a crime should not be released to the public save in exceptional and clearly defined circumstances”. But that acknowledgment formed part of a submission by the appellant that she did not accept, as it did not properly accommodate the open justice principle (ibid, [38]), a conclusion that was upheld on appeal (see Khuja [2017] UKSC 49). In ERY v Associated Newspapers Ltd [2016] EWHC 2760 (QB) (04 November 2016), it was conceded that the fact that the claimant had been interviewed under caution attracted a reasonable expectation of privacy, and Nicol J held that this enabled him to conclude that the claimant also had a reasonable expectation of privacy in the more general information that he was being investigated by the police (ibid, [65]). In ZXC v Bloomberg LP [2017] EWHC 328 (QB) (23 February 2017) [29] Garnham J observed that the defendant’s concession in ERY meant that Nicol J’s conclusion provides only weak support for the proposition that the claimant before him had a reasonable expectation of privacy in in the contents of the formal document sent by a law enforcement agency in the context of a criminal investigation into a company. Garnham J also rejected the opposite argument that, in the absence of the sort of concession made by the defendant in ERY, there cannot be a reasonable expectation of privacy on the part of a suspect that he is the subject of a criminal investigation. And he concluded that “it is impossible to lay down any such blanket rule in an enquiry as fact-sensitive as this” (ibid, [30]). Hence, the authorities had not clearly established that a suspect has a prima facie reasonable expectation of privacy in relation to a police investigation; indeed, they had probably declined to lay down such a rule; though they probably did not probably did not preclude Mann J establishing it in Richard.

Whether he should have done so turns on his argument of principle. That amounted to quotations from the Leveson Report (2012; vol 2 (pdf); [2.39] 791; see also ibid [3.3] 984), the Judicial Response to the Law Commission Consultation Paper No 209 on Contempt of Court (2013; p5), the College of Policing’s Guidance on Relationships with the Media (pdf) (2013; [3.5.2]), and Sir Richard Henriques’ Independent Review of Metropolitan Police Service’s handling of non-recent sexual offence investigations (2016; [1.39]-[1.40], [1.94]), all of which said that the police should not, save in exceptional and clearly identified circumstances, release the names or identifying details of those who are arrested or suspected of a crime. But even in an era of rights-based policing, where good practice on the part of the police must be informed by human rights considerations, this is a long way short of saying that this must be so because a suspect has a prima facie reasonable expectation of privacy in relation to a police investigation. On the other hand, such a rule, even where it is not invariable, has the capacity to trench as much upon publicity that is a useful element of an investigation as it does upon prurient exposure.

The leading case on the impact of the principle of open justice upon reasonable expectations of privacy is Khuja (formerly PNM) v Times Newspapers [2017] UKSC 49 (19 July 2017). Here, the claimant had been arrested with several other men in connection with child sex offences. The claimant was released on bail; but nine of the others were charged and tried; and seven of them were eventually convicted. Before and during the trial, various orders were made prohibiting the disclosure of information that might identify the claimant until a decision had been made whether or not to charge him with an offence. Two months after the trial ended, and sixteen months after he was first arrested, the claimant was released from bail without charge. The trial judge indicated that he was therefore prepared to lift the reporting restrictions. However, the claimant sought an interlocutory injunction to prevent the media from identifying him and publishing material about him derived from the trial. However, his claim failed at every stage, essentially because he could, in the circumstances, have no reasonable expectation of privacy in respect of material of great public interest disclosed in open court.

In In re Guardian News and Media Ltd [2010] 2 AC 697, [2010] UKSC 1 (27 January 2010) [66] Lord Rodger commented that the “identities of persons charged with offences are published, even though their trial may be many months off. In allowing this, the law proceeds on the basis that most members of the public understand that, even when charged with an offence, you are innocent unless and until proved guilty in a court of law”. Consequently, at first instance in Khuja, Tugendhat J commented that “members of the public generally will understand the difference between suspicion and guilt, and will know that a person is to be presumed innocent unless and until proved guilty” and he had “no doubt that there is the highest public interest in the allegations of child abuse that have been, and remain, the subject of police investigations” ([2013] EWHC 3177 (QB) (22 October 2013) [77]-[78]); and this was upheld by the Court of Appeal ([2014] EWCA Civ 1132 (01 August 2014) [38] (Sharpe LJ; Lord Dyson MR and Vos LJ concurring)). In the Supreme Court, Lord Sumption for the majority (Lord Neuberger, Lady Hale, Lord Clarke and Lord Reed concurring) approved Lord Rodger’s comments in the Guardian case ([2017] UKSC 49 [8]). But he also warned that it “would be foolish for any court to ignore the extreme sensitivity of public opinion in current circumstances to allegations of the sexual abuse of children and the concerns about the safety of children generally to which those allegations give rise” (ibid). And he confessed that he “might have been less sanguine” than Tugendhat J had been about the reaction of the public to the way in which the claimant featured in the trial (ibid, [34]). However, these caveats should not obscure the fact that he held that the claimant did not have a reasonable expectation of privacy in the circumstances.

It is curious that Mann J in Richard ([2018] EWHC 1837 (Ch) [248]-[250]) should have focussed on Lord Sumption’s caveats and the joint dissenting judgment of Lord Kerr and Lord Wilson rather than upon the outcome in that case and in the earlier Guardian case. It is hard to see how a prima facie reasonable expectation of privacy in relation to a police investigation can stand with Guardian and Khuja. Instead, the careful judgments at all three levels in Khuja demonstrate that it is – and ought to be – a fact-sensitive enquiry in every case. More general, prima facie, expectations of privacy in relation to police investigations ought to be matters for legislation (see, eg, Home Office report on Pre-Charge Bail – Summary of Consultation Responses and Proposals for Legislation (pdf) (2015; p15)).

3. Conclusion
In holding that a suspect has a prima facie reasonable expectation of privacy in relation to a police investigation, Mann J certainly broke new legal ground. He may, however, have paid insufficient attention to the decisions of the Supreme Court in the Guardian case and Khuja. This is not to say that Sir Cliff did not have, or should not have been held to have had, a reasonable expectation of privacy in the circumstances. Rather, it is to say that any such conclusion should have been arrived at, not on the basis that such a prima facie expectation automatically arose, but after an appropriate fact-sensitive enquiry. There is certainly scope for an appeal on this issue, if only to , either to confirm or reject Mann J’s innovation, and thereby bring bring clarity to the law.

We’ve reached peak GDPR when Ross O’Carroll Kelly gets fired for a data breach

In today’s Irish Times, this week’s instalment (audio here) in the ongoing mis-adventures of Ross O’Carroll Kelly intersected with this blog. Ross is a hapless dad and clueless (if ruthless) estate-agent, who has been described as “Ireland’s most eligible married man” and “the greatest Irish [rugby] player never to actually make it in the game”, and the scene opens with our hero being summoned by the boss:

It’s, like, just before midday when Lauren tells me she wants to talk to me in her office. … She goes, “What do you know about GDPR, Ross?”

I’m like, “Quite a lot, actually.”

Oh, that shocks her – such is my reputation for being as stupid as a goose.

She’s like, “Okay, tell me what you know about GDPR.”

“First,” I go, “you make sure the patient is comfortable by putting some kind of cushion under their head and loosening any tight clothing. Then, you place the heel of your hand on the patient’s breastbone, with your other hand on top of it, interlocking your fingers …”

“That’s CPR, Ross.”

And so it goes on for a while, until Dave – “from Human Resources (formerly Payroll)” – arrives, and asks Ross where his laptop is. Poor Ross. We know from last week’s column (audio here) that he had left his car unlocked at a filling station, from which someone stole his “laptop bag, a briefcase and three Donnybrook Fair shopping bags out of the boot”. So, Ross eventually comes clean to Lauren:

I’m there, “Okay, I’m going to be finally honest with you. They were stolen from the boot of my cor when I pulled in to get petrol. Was there any sign of the three shopping bags from Donnybrook Fair that were also taken? There was six tins of individually, line-caught, white tuna fillets in there that cost 11 yoyos per pop.”

“Why didn’t you tell me about this?”

“Er, why would I tell you about it? It was my laptop. They were my client files.”

“I’m the Managing Director of this estate agency, Ross. It’s my responsibility to report breaches to the Data Protection Commissioner as soon as they’re discovered. Do you know what the penalties for this could be?”

“Chill out, Lauren. There’s no real damage done.”

And that’s when she says it. She fixes me with a look and goes, “You’re fired, Ross.”

As he will no doubt quickly learn, GDPR stands for the EU’s General Data Protection Regulation. It, and its incorporating Irish legislation, came into effect on Friday 25 May 2018. And the theft of the laptop and files (and, let’s not forget, tuna fillets and other overpriced groceries) came to light in the column published on Saturday 26 May. If the Saturday column is real-time reportage, or if it is reporting something that happened on Friday, then the data breach happened after the GDPR and Irish legislation came into force, and Lauren does indeed have to report it to the Data Protection Commission. However, if the column is reporting something that happened earlier in the week, then the GDPR was not in force, and the Rossmeister might just get away with it – again.

New politics and the digital age of consent

An Interesting Game

An Interesting Game (1881)
Frederick Arthur Bridgman (1847-1928)
via Brooklyn Museum
New politics certainly make for interesting times. Minority governments are no strangers to defeats, even to two defeats in one day, but yesterday marked another milestone, when the government lost not merely two votes, but votes on two successive legislative amendments. They both related to the protection of children in the Data Protection Bill, 2018. The first will make it an offence to process the personal data of a child for the purposes of direct marketing, profiling or micro-targeting; the second will set the digital age of consent at 16. In fact, seeing the writing on the wall, rather than suffer the indignity – surely unique, even in this era of new politics – of four defeats in one evening, the Minister accepted a third amendment and declined to press a fourth of his own. The third amendment that he accepted will permit not-for-profit bodies to seek damages on behalf of data subjects; and the amendment that he withdrew would have undercut the effect of the third successful amendment. (The three successful amendments are amendments 14, 15 and 115 here (pdf), amending this version (pdf) of the Bill, and debated here). Earlier versions of all three successful amendments had been defeated by the government at every previous stage of the Bill. Time will tell if any of them proves significant, but the one that has generated the most coverage so far is the amendment to the digital age of consent.

The aim of the Bill is to incorporate the General Data Protection Regulation (Regulation (EU) 2016/679) into Irish law. Article 6(1) GDPR sets out six bases for lawful processing of personal data, the first of which, specified in Article 6(1)(a), is that “the data subject has given consent to the processing of his or her personal data for one or more specific purposes” [on consent, see ICO | WP29]. A child can, in principle, provide such consent; but a minimum age at which children as data subjects can consent to having their personal data processed is not specified in the GDPR. Article 7 GDPR provides that the controller must be able to demonstrate this consent, and the younger the child is, the more difficult it will be for the controller to do so. To these flexible general rules relating to the consent of children, Article 8 GDPR provides a bright-line exception, which has become known as the digital age of consent. (more…)

From Mute to Dysaguria

Alexander Skarsgard in MutePictured left is Alexander Skarsgård (imdb | wikipedia) in the new Duncan Jones (imdb | wikipedia | blog) movie Mute (imdb | Netflix).

Skarsgård plays Leo, a mute bartender searching for girlfriend who has inexplicably disappeared in Berlin in 2052. In an interview in last Sunday’s Observer, he takes up the story:

… [Leo’s] search takes him deep into a neon-saturated underworld, populated by gangsters and a pair of anarchic American field surgeons (Paul Rudd and Justin Theroux) … “It’s very dystopian, but not that far-fetched unfortunately, because it’s a society run by corporations,” says Skarsgård. “You subscribe to a corporation and then they will provide everything for you – housing, healthcare, food – but they basically own you. …”. …

So we could be looking at the future then? Skarsgård looks a little traumatised and then sighs: “Hopefully not.”

I’m looking forward to the movie; but I’m not sure I agree that the best adjective to describe it is “dystopian”. It is entirely appropriate when a state goes bad; but it is not a good adjective to describe “a society run by corporations”. In fact, we don’t have a word for when a corporate society goes bad, so I’ve suggested “dysaguria”, as a noun meaning “frightening company”, and “dysagurian” as the adjective to describe that frightening company and the associated society run by frightening companies (see here | here | here). We can’t easily discuss a phenomenon until we have the proper words to describe it:

In his speech on leaving the US Presidency in January 1961, Eisenhower warned against the growing power of the military-industrial complex. In modern surveillance terms, we might term this the security-corporate complex. And we already have a word for when the military/security state goes bad, … That word is “dystopia”.

However, we don’t have a word for when the industrial/corporate society goes bad, … I think it’s beyond time we had one … I suggest that we need a word for “frightening company”, and that we can devise one by following the lead provided by More and Mill [in coining “dystopia” as a counterpoint to “utopia”] provides a guide. … Let’s keep “dys” [meaning “bad”] as the prefix, and look for a suitable word to which to add it. Greek provides “aguris”, which means “crowd” or “group” … Hence, from “dys” meaning “bad”, and “aguris” meaning “crowd” or “group”, I suggest “dysaguria”, as a noun meaning “frightening company”, and “dysagurian” as the adjective…

In my view, therefore, “dysagurian” is the perfect word to describe the society in Mute‘s Berlin in 2052.

Update: Mute did not find favour with Donald Clarke in the Irish Times. Further update: I’m with Donald on this; for all the production values, the movie is curiously flat.

Compensation for breach of the proposed ePrivacy Regulation [Ongoing updates]

Last major update: 15 January 2018

Note: a line was added at the end on 7 June 2018.

Compensation and ePrivacy (via edri)Parallel to my interest in compensation for breach of the General Data Protection Regulation [GDPR; Regulation (EU) 2016/679], I am also interested in the question of compensation for breach of the proposed ePrivacy Regulation (hereafter: pePR; see, eg, the EU Commission’s proposal for a Regulation on Privacy and Electronic Communications; on which see Flash Eurobarometer 443 Report on e-Privacy (pdf download)).

Article 22 of the Commission’s proposal provides:

Any end-user of electronic communications services who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the infringer for the damage suffered, unless the infringer proves that it is not in any way responsible for the event giving rise to the damage in accordance with Article 82 of Regulation (EU) 2016/679.

The emphasised words appear in exactly the same form in Article 82(1) GDPR. The remainder of Article 82 provides circumstances where an infringer is not responsible for the event giving rise to the damage and thus not liable for breach of the GDPR, and those circumstances apply mutatis to an infringer who would not be liable for breach of the pePR. This is not surprising: Article 22 of the pePR appears in a list of Articles (from 18 to 24) in which the supervision and enforcement of the pePR, and remedies for its breach, are integrated with those provided by the GDPR. The effect of Article 22 is to provide for compensation for breach of the pePR on the same basis as compensation is available for breach of the GDPR.


The UK’s Data Protection Bill 2017: repeals and compensation – updated

UK Data Protection image, via UK gov websiteIn the UK, the Department of Digital, Culture, Media and Sport (DCMS) has today published the Data Protection Bill 2017, to incorporate the General Data Protection Regulation (GDPR) and to implement the Police and Criminal Justice Authorities Directive (PCJAD) (respectively: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC; and Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA; aka the Law Enforcement Directive). The progress of the Bill through Parliament can be tracked here.

In Ireland, when the Department of Justice published the the General Scheme of the Data Protection Bill 2017 (scheme (pdf)), I expressed two concerns, both of which are equally applicable to the UK Bill. (more…)

Compensation for breach of the General Data Protection Regulation

I have just posted a paper on SSRN entitled “Compensation for breach of the General Data Protection Regulation”; this is the abstract:

Article 82(1) of the General Data Protection Regulation (GDPR) provides that any “person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”. As a consequence, compliance with the GDPR is ensured through a mutually reinforcing combination of public and private enforcement that blends public fines with private damages.

After the introduction, the second part of this article compares and contrasts Article 82(1) GDPR with compensation provisions in other EU Regulations and Directives and with the caselaw of the CJEU on those provisions, and compares and contrasts the English version of Article 82(1) GDPR with the versions of that Article in the other official languages of the EU, and concludes that at least 5 of the versions of Article 82(1) GDPR are unnecessarily ambiguous, though the CJEU (eventually, if and when it is asked) is likely to afford it a consistent broad interpretation. However, the safest course of action at this stage is to provide expressly for a claim for compensation in national law. The third part of this article compares and contrasts the compensation provisions in the Irish government’s General Scheme of the Data Protection Bill 2017 with existing legislation and case-law in Ireland and the UK, and with incorporating legislation and Bills in other EU Member States, and concludes that the Heads of the Scheme do not give full effect to Article 82(1) GDPR. Amendments to the Scheme are therefore proposed.

To ensure that any person who has suffered such damage has an effective remedy pursuant to Article 47 CFR, Member States will have to provide, pursuant to Article 19 TEU, remedies sufficient to ensure effective legal protection in the fields of privacy and data protection. In particular, they will have to provide expressly for a claim for compensation, incorporating Article 82(1) GDPR into national law. Claims for compensation are an important part of the enforcement architecture of the GDPR. Private enforcement will help to discourage infringements of the rights of data subjects; it will make a significant contribution to the protection of privacy and data protection rights in the European Union; and it will help to ensure that the great promise of the GDPR is fully realised.

As I was working on this paper, I published several posts on this blog (here | here | here) including discussions of the literal meaning of Article 82(1) GDPR in each of the EU’s 24 official languages and the current status of GDPR incorporation in the EU’s 28 Member States. Thanks to everyone who has engaged with these posts – the analysis in my paper has improved immeasurably. All comments on the current version gratefully received.

What is the current status of GDPR incorporation in the EU’s 28 Member States? [Ongoing updates]

Last updated: 7 May 2018

GDPR incorporationHaving looked, in my previous post, at what Article 82(1) of the General Data Protection Regulation says and means in each of the EU’s 24 official languages, I’m interested in this post in the related question of the current status of incorporation* of the GDPR in each of the EU’s 28 Member States. I am interested in particular in whether provision has been made in any incorporating* legislation or draft for an express claim for compensation or damages to give effect to Article 82 GDPR. The list below is the current state of play so far as I have been able to find out. I would be grateful if you correct any errors and help me fill in the blanks – via the comments below, via email, or via the contact page on this blog – I would very grateful indeed.

Complete incorporation: Legislation to incorporate* the GDPR has been enacted in Austria, Belgium (though a further Bill is pending), Germany, Poland, Slovakia and Slovenia (a French Act anticipated some of its requirements, though a full incorporation Bill is pending). About half of the Member States are likely to complete the process before 25 May 2018.

No information: Drafts have not been published in Bulgaria, Cyprus, Italy, and Malta.

Compensation: Incorporations in various jurisdictions are taking differing positions on Article 82 GDPR. On the one hand, such express claims are included in legislation in Austria, Poland and Slovakia, in Bills in Denmark, Greece, Hungary, Ireland, Romania, Spain, Sweden and the UK. On the other hand, no such express claims appear in legislation in Belgium, France and Germany, in Bills in Belgium (again), Estonia, France (again), Latvia, Lithuania, Luxembourg, the Netherlands, Portugal and Slovenia. Croatia, Finland and Portugal take the view that Article 82 is directly effective; while the Czech Republic considers that the existing compensation provisions cover Article 82 GDPR.

As Katie Nolan points out, this matters a great deal, because – unlike Article 4 of the Data Protection Directive (Directive 95/46/EC) – the GDPR contains no choice of law mechanism to determine which national data protection legislation applies in cross-border cases. In the context of Article 82 GDPR, differences in national incorporations are likely to encourage plaintiffs to shop for the fora with the most generous compensation claims.