I’m trying to work out what Article 82(1) of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) says and means in each of the 24 official languages of the EU institutions, and I’d be very grateful for your help. In English, Article 82(1) GDPR provides

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

As I have said before on this blog (here, here, here), I think that this formulation is rather odd. It does not provide, in the present tense, that a person whose rights have been infringed “has” the right to receive compensation. Instead, it provides, in a much more congtingent fashion, that a plaintiff “shall have” such a right, which seems to imply that there is something more to be done in national law before plaintiffs actually have the claim.…

Read More »

Two weeks ago today I was chatting over coffee with a data protection expert during the second day of the Data Summit 2017. He was annoyed at my blogpost on the Government’s General Scheme of the Data Protection Bill 2017 [the Scheme] to give further effect in Irish law to the EU’s General Data Protection Regulation [the GDPR]. Article 82(1) GDPR provides claim for compensation for anyone whose rights under the GDPR are infringed. In the post that annoyed him so much, I said that I couldn’t find a Head to this effect in the Government’s Scheme. He said: what about Head 91? I said: that’s where it should be, but it isn’t there. He wasn’t convinced. So, I went back and had a closer look at the Scheme and the GDPR. I also had a look at an associated Directive (the Police and Criminal Justice Authorities Directive [the PCJAD]) which is also being transposed by the Scheme. Article 56 PCJAD similarly provides for a claim for compensation for anyone whose rights under the PCJAD are infringed. Heads 91 and 58 (respectively) of the Scheme address these claims, but they do not completely provide for such claims for compensation.…

Read More »

The Government has today published the General Scheme of the Data Protection Bill 2017 (press release | scheme (pdf)) to give further effect in Irish law to the EU General Data Protection Regulation and to implement the associated Data Protection Directive for law enforcement bodies. The publication of the Heads is a very welcome development indeed. There will, in the coming weeks and months, no doubt be much discussion of the Heads, and I hope that the draft will be improved as a consequence. For now, I want to make two points, about repeals of existing legislation, and the availability compensation for infringement of the GDPR.

The first point is brief enough. Existing Irish law is contained in the Data Protection Acts 1988 and 2003 (also here and here; the ODPC’s unofficial but extremely helpful administrative consolidation is here), which are not very easy to work with. Head 5 deals with “Repeals”. My fervent hope is that the 1988 and 2003 Acts will be repealed, and that the new Bill will provide a single one-stop-shop for all Irish law on data protection. My hope has been neither fulfilled nor dashed by Head 5. It’s blank. The explanatory note says that the existing Acts “will be largely superseded by” the GDPR and Directive, and that this “Head will be completed during the drafting process”.…

Read More »

The saga in Bollea v Gawker shows two remedies for invasion of privacy. Hulk Hogan (real name, Terry Gene Bollea; pictured left), is a former professional wrestler and American television personality. Gawker was a celebrity news and gossip blog based in New York. In October 2012, Gawker posted portions of a secretly-recorded video of Hogan having sex in 2006 with one Heather Cole, who (as Heather Clem) was the then-wife of his then-best-friend (the wonderfully-monikered radio personality Bubba “the Love Sponge” Clem). In March 2016, a jury found Gawker liable for invading Hogan’s privacy, and awarded him a total US$140m – Gawker itself was held liable for US$115m in compensatory damages (including US $60 million for emotional distress), and US$15m in punitive damages; Gawker’s CEO, Nick Denton, was held personally liable for US$10m in punitive damages.

Gawker and Denton immediately announced that they would appeal; but first Gawker, and then Denton, both soon filed for bankruptcy. In August 2016, Gawker itself was shut down, and the media group of which it was a centrepiece was sold for US$135m. This provided the funds for a settlement: in November 2016, the case was ultimately settled for US$31m; and, in March 2017, Denton came out of bankruptcy.…

Read More »

At the Irish Centre for European Law’s Privacy and Data Protection Conference today (programme pdf) in the Royal Irish Academy, many interesting themes were explored. I want in this post to pick up on one of them, relating to damages for infringement of data protection rights.

At present, the matter is governed by Article 23 of the Data Protection Directive (Directive 95/46/EC) [DPD], which provides

Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.

On the one hand, this has been implemented in Ireland by section 7 of the Data Protection Act, 1988 [DPA] (also here), which provides that

For the purposes of the law of torts and to the extent that that law does not so provide, a person, being a data controller or a data processor, shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned …

In Collins v FBD Insurance plc [2013] IEHC 137 (14 March 2013) (noted here) [3.6] Feeney J held that section 7 required that plaintiffs “prove that they have, in fact, suffered damage arising from a breach”.…

Read More »