By popular demand, here is a quick and dirty translation of my column in the Dutch Financial Times of 25 July 2019. Follow this link for other columns (in Dutch).
What does a simple privacy breach actually cost? This straightforward question has been the subject of heated academic debate for decades. Recently, a Dutch district court gave the municipal authority of Deventer a short and effective answer: EUR 500 plus legal costs.
The municipal authority of Deventer can probably afford to pay up. Governments and companies that process the personal data of millions of people, however, are feeling the heat. The stringent EU General Data Protection Regulation (GDPR), particularly in combination with the renewed Dutch Class Action (Final Settlement) Act and an international court procedure created in the Netherlands, creates fertile ground in the Low Countries for mass claims litigation lodged by international interest groups. Such collectives are now able to credibly claim EUR 500 per affected person for a simple privacy breach. Multiply that amount, or even EUR 50, by millions of end users, and the funk may soon hit the fan for large organisations that violate privacy laws on a large scale.
Enforcement actions by understaffed Data Protection Authorities (DPAs) have been few and far between in Europe for the past twenty years. However, funding for DPAs is increasing, as is their authority to issue fines, which may amount to as much as 4% of a company's global annual turnover. The combination of such enforcement actions and mass claims litigation in particular will become a game changer for privacy protection in Europe, and will force large companies and governments to handle our data in line with applicable laws, the GDPR in particular.
The ruling revolves around a civil servant of the glorious Dutch municipality of Deventer. When an inhabitant of Deventer was about to move to another town, this civil servant sent an email to colleagues at that town's municipal authority, because the inhabitant had filed information requests under the Dutch Public Access to Government Information Act about a particular issue; not once but twice. Surely a nauseating citizen! The person found out through a data access request (see article 15 GDPR) and subsequently claimed non-material damages before a Dutch district court, because the sharing of his name among municipal overlords infringed his privacy, honour and good name.
Just recently, the Dutch Supreme Court decided that claims for compensation of non-material damage are unlikely to succeed in the Netherlands. As in most EU countries, a ‘mere’ breach of fundamental rights does not in itself form a basis for monetary compensation. According to the Dutch Supreme Court, the nature and gravity of the breach need to be sufficiently ‘severe’. The Supreme Court does provide a few – quite dramatic – examples of non-material damage that would qualify for limited monetary compensation, such as the distress or trauma that may follow when your house collapses because a builder made a mistake, or when a doctor makes an obvious mistake. The Supreme Court is clearly worried about creating a claim culture, not unlike the U.S. legal climate.
Nonetheless, the District Court of Overijssel based its judgement on the GDPR rather than on the recent ruling of the Dutch Supreme Court. The wording of the GDPR is more generous when it comes to compensation of damages. Some examples: responsible organisations “must compensate any material or non-material damages; the concept of damages should be interpreted broadly, in a way that fully reflects the objectives of the GDPR.” The logic here is quite straightforward: the GDPR does not aim to allocate cash based on actual harm, but rather to ensure the essential and effective protection of the fundamental right to personal data protection. In other words, a breach in itself constitutes sufficiently severe damage that qualifies for compensation.
Academics have been wondering for years how to assess the monetary value of a privacy breach. Economists argue that organisations generally lack an incentive to respect privacy sufficiently, since a breach of privacy costs them practically nothing. Like pollution, economists say, privacy breaches are a market failure that society needs to correct. In short, put a price on privacy to incentivise privacy compliance. Legal experts usually point out that it is hardly possible to prove ‘causality’ between a breach of privacy laws and actual harm. Privacy, they say, is too abstract for a price tag.
Scientists have kept the debate alive and kicking, but the beauty of litigation is that a court must hand down a decision, no excuses. In one simple sentence, the court states that in this case ‘a compensation of EUR 500 is reasonable’.
Data-intensive industries are scared to death, and rightly so. Last January, the French Data Protection Authority CNIL fined Google EUR 50 million for systematic violations of Android users’ privacy: violations that start as soon as you turn on your smartphone, are forced to create and log into a Google account, and cannot refuse several tricky forms of tracking by Google. Shortly after CNIL published its decision, a foundation initiated proceedings to claim compensation of damages from Google. Android has 28 million users in France. If a French court grants EUR 500 to every Android user, Google would have to pay EUR 14 billion in damages, in France alone.
History teaches us that, in Europe, privacy law follows in the footsteps of competition law. In competition law, mass damage claims have been big business for several years now. As soon as the European Commission (the relevant supervisor in this context) fines a cartel, a single company can be faced with sometimes hundreds of civil damage claims from claim foundations. This well-established practice from competition law will emerge in the privacy space: the GDPR explicitly allows foundations or consumers’ associations to lodge mass claims on behalf of classes of affected users. Depending on your perspective, when a DPA establishes a privacy violation and imposes a fine, you either have a solid case or need a solid defense lawyer.
The GDPR explicitly allows litigation in every EU Member State in which a company is established. The Netherlands is an attractive country in which to take international mass claims to court. Both the renewed Dutch Class Action (Final Settlement) Act and the GDPR state that a citizen may be represented by a foundation. Standing is not the biggest issue, in other words. The recently established Netherlands Commercial Court offers fast proceedings – in English.
Courts will shape the future of mass claims in privacy law
The courts have, of course, only just begun to assess monetary compensation for privacy breaches. The reasoning of the Dutch district court’s decision is rather “thin”. The municipality of Deventer will file an appeal against the judgement. Nevertheless, the European Court of Human Rights in Strasbourg has granted compensation for privacy violations, in general terms, multiple times. The Court of Justice of the European Union (CJEU) in Luxembourg has so far granted compensation only once, and not even under the GDPR. The clear language of the GDPR suggests that the CJEU will actively involve itself in the matter once a case arrives in Luxembourg, as it did in the context of delays and lost luggage in aviation.
In the next few years, lower courts and ultimately the CJEU will have their say. Until then, lawyers will debate intensely how to establish the aforementioned causal link between a violation and harm, the amount of the damages and, especially, to what extent a multiplier effect will exist for millions of users once a single user is compensated. Even though the exact amount will be settled by higher courts, by granting EUR 500 the District Court of Overijssel has officially opened the door to mass claims litigation in the context of privacy.
Since the column was published, several new cases have emerged in which courts awarded compensation of between EUR 100 and EUR 250 for simple privacy violations.