Category: GDPR

What is the current status of GDPR incorporation in the EU’s 28 Member States? [Ongoing updates]

Having looked, in my previous post, at what Article 82(1) of the General Data Protection Regulation says and means in each of the EU’s 24 official languages, I’m interested in this post in the related question of the current status of incorporation of the GDPR in each of the EU’s 28 Member States. I am interested in particular in whether provision has been made in any incorporating legislation or draft for an express claim for compensation or damages to give effect to Article 82. The list below is the current state of play so far as I have been able to find out. I would be grateful if you correct any errors and help me fill in the blanks – via the comments below, via email, or via the contact page on this blog – I would be very grateful indeed.

It seems that incorporations in various jurisdictions are taking differing positions on Article 82. On the one hand, such express claims are included in legislation in Austria, in draft Bills in the Netherlands, Poland, Slovakia, and Spain, and in reports in Sweden and the UK. On the other, no such express claims appear in legislation in Germany and France, in draft Bills in Estonia and Lithuania, or in a report in Finland. Somewhere in the middle comes Ireland.

(more…)

What is the literal meaning of Article 82(1) GDPR in each of the EU’s 24 official languages?

I’m trying to work out what Article 82(1) of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) says and means in each of the 24 official languages of the EU institutions, and I’d be very grateful for your help. In English, Article 82(1) GDPR provides

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

As I have said before on this blog (here, here, here), I think that this formulation is rather odd. It does not provide, in the present tense, that a person whose rights have been infringed “has” the right to receive compensation. Instead, it provides, in a much more contingent fashion, that a plaintiff “shall have” such a right, which seems to imply that there is something more to be done in national law before plaintiffs actually have the claim. Although the language seems contingent, it does not replicate any of the usual strictures in a Directive, that Member States shall “provide” or “ensure” or “introduce” or “lay down” measures to achieve an outcome, such as a claim for compensation. Even so, the formulation in Article 82(1) GDPR still seems to envisage some national law mechanism in ensuring that a plaintiff “shall” have a claim to compensation. I’m interested in whether the text of Article 82(1) GDPR in other official languages uses a version of the present tense, or whether the formulation is as contingent as it seems to be in English. I have, therefore, set out below the text of that Article in each of the 24 official languages; I have highlighted the words that seem to me to be most relevant to that question; and I have provided a first attempt at a translation of those words. What I need now is a literal translation of these provisions by native speakers, irrespective of what the EU Commission’s official translation or Google Translate might say. In particular, I need confirmation whether I have identified the relevant words, and translated them accurately. I’m not particularly interested in the various synonyms for damages (compensation, indemnification, reparation, and so on) so much as in the accompanying verbs, and in particular in whether those verbs are clearly in the present tense or whether they are more contingent.
I know what Google Translate’s crowd-sourced machine-translation says, indeed it was one of the sources I used to zero in on what seem to me to be the relevant words in the various languages, but that is as far as I am prepared to go with it, as its translations will be very heavily influenced by the EU’s official translations. Instead, as I say, I am in need of human judgment as to the appropriate literal translations of the various texts of Article 82(1) GDPR.

The literal meaning of the precise wording may very well matter a very great deal in assessing whether Article 82(1) is sufficiently clear, precise and unambiguous to be horizontally directly effective. The contingent nature of the English text may not be, leading to potential problems which I have begun to explore here. Other texts may differ. For example, the French text of Article 82(1) GDPR (a le droit d’obtenir … reparation = has the right to obtain … compensation) is more likely to support a conclusion of horizontal direct effect, and the German text (hat Anspruch auf Schadenersatz = is entitled to compensation) is even more likely to do so, because they are both in the present tense (a, hat) rather than in more contingent terms. Indeed, of the 24 official languages of the EU institutions, if the assessments and translations below are correct, the text of the claim for compensation in Article 82(1) GDPR seems to be in the present tense in 19 of them: 12 are like the French text (the plaintiff “has the right to [receive/obtain] compensation”: Czech, Danish, Dutch, French, Finnish, Italian, Latvian, Lithuanian, Polish, Portuguese, Romanian, Slovenian); 5 are like the German text (the plaintiff “is entitled to compensation”: Bulgarian, Estonian, German, Greek, Hungarian), and 2 others have a similar formulation (the plaintiff “has [a claim for/the right to] compensation”: Croatian, Slovak). Only 5 seem to have a contingent text like the English (the plaintiff “shall have the right to [receive] compensation”: English, Maltese, Spanish, Swedish; the plaintiff “shall be entitled to compensation”: Irish).

Moreover, of the three EEA countries, Norway has begun the process of incorporating the GDPR. The literal English translation of the Norwegian text is “shall be entitled to receive compensation”, which is a sixth example of a contingent “shall”.

All help in confirming whether this is an accurate assessment or not – via the comments below, or better via the contact page on this blog – will be very gratefully appreciated indeed. [Note: as you can see, this paragraph has been updated to reflect a consensus on the German text which is different from my own initial assessment; this is exactly why I’m grateful for all help].

(more…)

Damages for Breach of the GDPR

Two weeks ago today I was chatting over coffee with a data protection expert during the second day of the Data Summit 2017. He was annoyed at my blogpost on the Government’s General Scheme of the Data Protection Bill 2017 [the Scheme] to give further effect in Irish law to the EU’s General Data Protection Regulation [the GDPR]. Article 82(1) GDPR provides a claim for compensation for anyone whose rights under the GDPR are infringed. In the post that annoyed him so much, I said that I couldn’t find a Head to this effect in the Government’s Scheme. He said: what about Head 91? I said: that’s where it should be, but it isn’t there. He wasn’t convinced. So, I went back and had a closer look at the Scheme and the GDPR. I also had a look at an associated Directive (the Police and Criminal Justice Authorities Directive [the PCJAD]) which is also being transposed by the Scheme. Article 56 PCJAD similarly provides for a claim for compensation for anyone whose rights under the PCJAD are infringed. Heads 91 and 58 (respectively) of the Scheme address these claims, but they do not completely provide for such claims for compensation. So, I’m still of the view that the Scheme does not provide a claim for compensation for breach of the GDPR and the Scheme. It seems to assume one, to be sure; but it never goes so far as expressly to provide one.

Article 79 GDPR provides for a right to an effective judicial remedy against a controller or processor; and Article 82 GDPR provides for a claim for compensation as part of that effective judicial remedy. Head 91 of the Scheme seems to be directed towards these Articles. Head 91(1) provides what it describes as “a data protection action” to data subjects whose rights under the GDPR or its translating legislation are infringed. Head 91(2) provides jurisdiction to the Circuit Court, concurrently with the High Court, to hear such actions. Head 91(3) provides:

In a data protection action under this Head, the Circuit Court shall, without prejudice to its powers to award compensation in respect of material or non-material damage, have the power to grant relief by means of injunction or declaratory orders.

And Head 91(4)(b) requires a plaintiff in a data protection action to specify, inter alia, “any material or non-material damage alleged to have been occasioned by the infringement”.

The reference in Head 91(3) to the provision of other remedies “without prejudice to [the Circuit Court’s] … powers to award compensation” assumes that the Court has such powers. And the reference in Head 91(4)(b) to “any material or non-material damage” further assumes that the powers to award compensation cover both material and non-material damage. However, Head 91 does not expressly afford a claim for compensation for material or non-material damage; nor is it expressly afforded elsewhere in the Scheme. It may be that this Head is predicated on the assumption that Article 82(1) GDPR is directly horizontally effective and thereby provides those “powers to award compensation”.

(more…)

The Heads of an Irish Bill to ensure GDPR compliance are very welcome, but they raise questions about repeals and compensation

The Government has today published the General Scheme of the Data Protection Bill 2017 (press release | scheme (pdf)) to give further effect in Irish law to the EU General Data Protection Regulation and to implement the associated Data Protection Directive for law enforcement bodies. The publication of the Heads is a very welcome development indeed. There will, in the coming weeks and months, no doubt be much discussion of the Heads, and I hope that the draft will be improved as a consequence. For now, I want to make two points, about repeals of existing legislation, and the availability of compensation for infringement of the GDPR.

The first point is brief enough. Existing Irish law is contained in the Data Protection Acts 1988 and 2003 (also here and here; the ODPC’s unofficial but extremely helpful administrative consolidation is here), which are not very easy to work with. Head 5 deals with “Repeals”. My fervent hope is that the 1988 and 2003 Acts will be repealed, and that the new Bill will provide a single one-stop-shop for all Irish law on data protection. My hope has been neither fulfilled nor dashed by Head 5. It’s blank. The explanatory note says that the existing Acts “will be largely superseded by” the GDPR and Directive, and that this “Head will be completed during the drafting process”. The equivocation in that “largely superseded” is redolent of indecision both as to the scope and effect of the GDPR and as to the retention of the 1988 and 2003 Acts. All I can say is that the Head that emerges from the drafting process should repeal the 1988 and 2003 Acts, and that any parts of those Acts that need to continue should be re-enacted in the new Bill.

The second point is a little longer. The availability of damages, as an important element of the enforcement architecture of the GDPR, was one aspect of my talk this week for the Irish Centre for European Law’s Privacy and Data Protection Conference 2017. Article 82(1) GDPR provides:

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. …

Update (11 July 2017): I can’t find a Head in the Scheme explicitly giving effect to Article 82 GDPR. (more…)

Damages and compensation for invasion of privacy and data protection infringements

The saga in Bollea v Gawker shows two remedies for invasion of privacy. Hulk Hogan (real name, Terry Gene Bollea; pictured left), is a former professional wrestler and American television personality. Gawker was a celebrity news and gossip blog based in New York. In October 2012, Gawker posted portions of a secretly-recorded video of Hogan having sex in 2006 with one Heather Cole, who (as Heather Clem) was the then-wife of his then-best-friend (the wonderfully-monikered radio personality Bubba “the Love Sponge” Clem). In March 2016, a jury found Gawker liable for invading Hogan’s privacy, and awarded him a total US$140m – Gawker itself was held liable for US$115m in compensatory damages (including US $60 million for emotional distress), and US$15m in punitive damages; Gawker’s CEO, Nick Denton, was held personally liable for US$10m in punitive damages.

Gawker and Denton immediately announced that they would appeal; but first Gawker, and then Denton, both soon filed for bankruptcy. In August 2016, Gawker itself was shut down, and the media group of which it was a centrepiece was sold for US$135m. This provided the funds for a settlement: in November 2016, the case was ultimately settled for US$31m; and, in March 2017, Denton came out of bankruptcy. The US$140m damages award and eventual US$31m settlement show one remedy for invasion of privacy. In particular, this raises the issue of the extent to which damages for invasion of privacy are available at Irish law – even if, in privacy claims as in so many other areas, damages in Ireland are not of the same order of magnitude as in the US.

In a plot twist that might once have been revealed by Gawker itself, it emerged that Hogan’s case had been secretly financed by Peter Thiel, a technology billionaire (after a short career as a lawyer, he co-founded Paypal, and was Facebook’s first outside investor; he is currently founder and Chair of Palantir Technologies, and a partner at VC firm Founders Fund). This was his revenge for Gawker’s outing of him as gay in December 2007. As an application of the principles of “don’t get mad; get even” and “revenge is a dish best served cold”, this is certainly a novel remedy for invasion of privacy; but it is one that is only available to American tech billionaires. More practical are claims for injunctions and damages.

Where there is a threatened invasion of privacy, by intrusion or publication, the usual remedy is to seek an injunction to prevent it. If an injunction is refused, or if the invasion of privacy has already occurred, then the plaintiff will often seek damages. Such damages will prove an important part of the enforcement architecture of the General Data Protection Regulation [GDPR] and the proposed Regulation on Privacy and Electronic Communications [Proposed ePrivacy Regulation; hereafter: PePR (my acronym)]. “Money remedies for invasion of privacy at Irish law, to provide compensation for breach of the GDPR and of the Proposed ePrivacy Regulation” was the theme of my talk for the Irish Centre for European Law’s Privacy and Data Protection Conference 2017.

(more…)

Dearer to us than a host of truths is an exalting illusion? EU Data Transfer Regulation after Schrems

My favourite Steve Jobs aphorism (and there are so many from which to choose) is

People who know what they’re talking about don’t need PowerPoint.

(see Steve Jobs by Walter Isaacson (Simon and Schuster, 2011) 337). Last Thursday, Chris Kuner elevated this from apothegm to axiom, resoundingly proving the truth of that insight, by providing a masterclass in compelling presentation without resort to the crutch of powerpoint or similar slides. Chris is pictured above left, chatting with David Fennelly, before delivering a powerful lecture on “Reality and Illusion in EU Data Transfer Regulation” in the light of the decision of the Court of Justice of the European Union in Case C-362/14 Schrems v Data Protection Commissioner [2015] ECR I-nyr (Grand Chamber, 6 October 2015) to a rapt audience in Trinity College Dublin. He began with a quote from Chekov:

Dearer to us than a host of truths is an exalting illusion.

This is from Chekov’s short story “Gooseberries” (see Richard Pevear and Larissa Volokhonsky (tr) Selected Stories of Anton Chekov (Random House, 2009) 311 at 317), where Nikolai is deluding himself that his gooseberries – actually “hard and sour” – are in fact the succulent and luscious fruit which he had always dreamed of growing. So it is, Chris argued, with EU regulation of trans-border data flows, which is at present an exalting illusion running up against a host of political realities.

In Schrems, the CJEU held that national data protection authorities [DPAs] could independently make decisions on the adequacy of data protection regimes in countries to which EU data is exported, notwithstanding a Commission decision on such adequacy, and that the Commission Safe Harbour decision on the adequacy of the US data protection regime was invalid. Four themes can be discerned in the judgment. First, there is a strong affirmation of the right to data protection under the EU Charter of Fundamental Rights, building on the prior judgments in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger (Grand Chamber, 8 April 2014) [and Case C-131/12 Google Spain (Grand Chamber, 13 May 2014)]. Second, EU data protection standards – and in particular, the Charter – apply to transfers to third countries. Third, the CJEU elevated the role of independent national DPAs (especially as against the EU Commission) and empowered individuals to complain to such DPAs. And, fourth, the CJEU held that the “adequate level protection” of international transfers of data required by EU law is equivalent to the level of data protection provided by EU law – Chris stressed that “equivalent” here is not necessarily “identical”, but that this is still a high bar.

The impact of the CJEU decision in Schrems goes far beyond the context of the invalid safe harbour. Chris gave four examples. (more…)

Damages for infringement of data protection rights

At the Irish Centre for European Law’s Privacy and Data Protection Conference today (programme pdf) in the Royal Irish Academy, many interesting themes were explored. I want in this post to pick up on one of them, relating to damages for infringement of data protection rights.

At present, the matter is governed by Article 23 of the Data Protection Directive (Directive 95/46/EC) [DPD], which provides

Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.

On the one hand, this has been implemented in Ireland by section 7 of the Data Protection Act, 1988 [DPA] (also here), which provides that

For the purposes of the law of torts and to the extent that that law does not so provide, a person, being a data controller or a data processor, shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned …

In Collins v FBD Insurance plc [2013] IEHC 137 (14 March 2013) (noted here) [3.6] Feeney J held that section 7 required that plaintiffs “prove that they have, in fact, suffered damage arising from a breach”.

On the other hand, Article 23 has been implemented in the UK by section 13 of the Data Protection Act, 1998. In Google Inc v Vidal-Hall [2015] EWCA Civ 311 (27 March 2015) [105], the Court of Appeal held that, having regard to Article 23, “compensation would be recoverable under section 13(1) for any damage suffered as a result of a contravention by a data controller of any of the requirements” of the Data Protection Acts (emphasis in original; update: the appeal in this case has been withdrawn following agreement between the parties).

Speaking at the ICEL conference today, Emily Gibson gave a wide-ranging paper on data protection litigation after the entry into force of the EU’s new General Data Protection Regulation [GDPR]; and Orla Lynskey complemented this with a discussion of data protection enforcement from the perspective of data protection authorities. In this context, Helen Dixon called for the EU’s data protection authorities to work together on such issues.

On the issue of damages, Gibson commented simply that Collins and Vidal-Hall are conflicting authorities, and swiftly pointed out that Article 82(1) GDPR provides that

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

Dixon commented that this will provide very powerful new remedies. But this is for the future. What of data subjects who wish, right now, to seek compensation in Irish Courts for current infringement of their data protection rights? I have already argued on this blog both that Collins was wrong in its own terms, and that the reasoning in Vidal-Hall undercuts its analysis of EU law.

But there is a further argument in favour of data subjects’ claims for compensation as the law now stands. (more…)

From Ken Liu’s perfect match, via dysaguria, to Privacy Paradigm

I have commented on this blog in the past how much I love libraries (eg here | here | here | here). I walk to my local library regularly to borrow books. Quite often, I will borrow recent arrivals by authors unknown to me. It’s pot luck, and I take the rough with the smooth; sometimes I unearth a diamond, and it makes it all worthwhile. Last week, I borrowed Ken Liu The Paper Menagerie and other stories (Head of Zeus, 2106 | Amazon). As its title suggests, it is a book of short stories; and, en route to the International Association of Privacy Professionals conference in London later in the week, I read some of them. The title story is the first work of fiction to win all three of SF’s major awards: the Hugo, the Nebula and the World Fantasy Award; it is a magical and profound meditation on books and love, you can read it here; and, in fact, you should!

Other than the title story, another, in particular, piqued my interest. Entitled “The Perfect Match”, it concerned a ubiquitous social media company called Centillion, whose motto is “make things better”, and whose modus operandi is to acquire as much information about people as possible, the better to provide the most appropriate personalized information and advice to its users.

Our hero, Sai, interacts with Centillion via Tilly, an always-on intelligent personal assistant; it features a perfect natural language user interface; and its suggestions and decisions seem to guide every aspect of Sai’s life, from the music which wakes him up in the morning, to what he wears, to the small-talk on the date which – inevitably – Tilly had arranged.

However, as he gets to know his new neighbour, Jenny, she seeks to enlighten him about the dark side of Centillion’s ubiquity. Together, they hatch a plan to sabotage Centillion’s data. So much is predictable. We have been here many times before – think Dave Eggers’ The Circle (2013) meets The Island (2005, imdb), with a side-order of Her (2013, imdb). But there are two main differences between Eggers and Liu. First, Liu is a much better writer than Eggers, so the short stories in The Paper Menagerie are much richer than The Circle. Second, just as I was beginning to think that Liu wasn’t going to offer anything much by way of novelty or insight in “The Perfect Match”, the twist in the tale undercuts everything that had gone before.

There were many benefits to the story. It was entertaining, well-written, and provocative. In Centillion, it provided me with another example of a dysagurian company, after The Circle’s eponymous leviathan, and Parks and Recreation’s Gryzzl. And it put me in just the right frame of mind for the privacy conference. (more…)