Damages for data protection violations
Damages for Data Protection Violations: Overview
When a data protection violation occurs — such as unlawful processing, data breaches, or failure to protect personal data — individuals can suffer harm, including financial loss, distress, reputational damage, or loss of privacy. Courts can award damages to compensate victims for these harms.
Types of Damages:
Material damages: Actual financial losses, e.g., fraud or identity theft caused by leaked data.
Non-material damages: Emotional distress, anxiety, or loss of privacy.
In the EU, for example, the General Data Protection Regulation (GDPR) provides individuals the right to seek compensation for both material and non-material damages.
Case 1: Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González (CJEU, 2014)
Summary:
This landmark ruling established the “right to be forgotten.” Mario Costeja González wanted Google to remove links to old newspaper articles mentioning his financial difficulties. He argued that keeping the data accessible online violated his privacy.
Key points on damages:
The Court ruled that search engine operators are data controllers and must comply with data protection laws.
While the case itself was about data removal, the ruling laid groundwork for future claims related to data protection violations.
The decision emphasized the importance of balancing privacy rights with public interest.
Damages relevance:
It set the precedent that failure to protect personal data or respect privacy could lead to claims for damages and corrective action.
Case 2: Lloyd v Google LLC (UK Supreme Court, 2021)
Summary:
Claimants alleged Google unlawfully tracked their internet browsing using cookies without consent, violating UK data protection law.
Key points:
The Supreme Court recognized the right to compensation for breaches of data protection law even where no financial loss was suffered.
The Court rejected “representative actions” (claims on behalf of many people) for data protection damages but confirmed that individuals can claim damages for distress caused by unlawful data processing.
Damages relevance:
This case confirmed that damages can be awarded solely for non-material harm (distress), not just financial loss, reinforcing protection of privacy rights.
Case 3: Wainwright v Home Office (UK, 2003)
Summary:
Mrs. Wainwright sued the Home Office after a prison officer unlawfully searched her during a visit and disclosed her medical records.
Key points:
The court held the Home Office liable for breach of confidentiality and data protection principles.
Mrs. Wainwright was awarded damages for distress and invasion of privacy.
Damages relevance:
This case shows damages can be awarded not only for financial loss but also for distress and invasion of privacy caused by unlawful data handling.
Case 4: López Ribalda and Others v Spain (European Court of Human Rights, 2019)
Summary:
Employees claimed their employer unlawfully monitored their emails and internet use at work without adequate safeguards.
Key points:
The Court found a violation of Article 8 (right to respect for private life) of the European Convention on Human Rights.
The Court emphasized employers must respect privacy rights even in the workplace and that data monitoring must be proportionate.
Damages relevance:
The case demonstrates that data protection breaches in workplace settings can lead to compensation claims for privacy violations.
Case 5: Google LLC v CNIL (CJEU, 2020)
Summary:
The French data protection authority (CNIL) fined Google for refusing to apply the “right to be forgotten” globally.
Key points:
The Court ruled that search engines only have to remove links within EU domains, not globally.
It emphasized the balance between privacy and freedom of information.
Damages relevance:
While the case is about regulatory fines, it highlights the scope of data protection obligations and the potential financial consequences (damages and fines) for non-compliance.
Summary
Courts recognize both material and non-material damages in data protection violations.
Emotional distress and loss of privacy can be grounds for compensation.
Landmark cases like Lloyd v Google expanded recognition of non-material damages.
The right to be forgotten cases illustrate the evolving scope of data protection rights.
Employers and controllers must ensure proportional and lawful processing or risk liability.
RELATED Blog
0 comments