A fresh wave of compensation claims across Europe is likely as GDPR comes into force, finds DAC Beachcroft study

Compensation claims

A tide of compensation claims and regulatory fines is expected to occur across Europe when GDPR comes into force on 25 May 2018.

A study by DAC Beachcroft has found that data protection litigation is expected to rise across the EU, as individuals in all states will be granted the right to claim if their personal data is breached.

“If there is one finding I would highlight over others, it’s that over 80% of jurisdictions expected compensation claims for data protection breaches to increase under the GDPR,” explains DAC Beachcroft partner and head of cyber and data risk Hans Allnut. “While the fines and penalties under the GDPR have quite rightly grabbed the headlines, what might not be appreciated is the incoming wave of litigation that organisations face if they are found to contravene the GDPR’s new rules.”

Mandatory reporting

Mandatory reporting requirements will place data breaches ever more in the public eye. Non-for-profit organisations will be able to make claims on behalf of affected individuals, making it likely that claims numbers will increase.

The right to claim

Individuals in some EU member states, such as Bulgaria, Cyprus and Hungary, are already entitled to claim compensation if their personal data is breached. This is because they have incorporated provisions from the GDPR’s predecessor Directive 95/46/EC (the ‘Directive’) into their own laws.

However, the right to compensation under GDPR will be a big legal change in at least half of EU member states. People in all EU member countries will be granted this right next May.

Fines and compensation levels vary

The study also found that current fine levels for data breaches vary across EU member states. For example, the maximum fine in France is €3,000,000, compared to a maximum fine of €3,000 in Lithuania. Denmark and Finland do not have a limit at all.

It is a similar story with differences in compensation amounts across countries. In one instance, Italy paid out €90,000 to a claimant, while other countries offer no compensation whatsoever.

A global impact

“The GDPR’s tentacles are truly international” - Hans Allnut, DAC Beachcroft

Businesses operating in countries outside EU jurisdiction also need to pay heed.

“The GDPR’s tentacles are truly international,” Allnut continues. “The financial risks are not just limited to organisations in the EU, as the GDPR applies to businesses based outside the EU offering goods or services to EU residents.”

Control back in public hands

“The GDPR looks set to bring in a whole new phase of privacy litigation,” Allnut concludes. “We are living in a Big Data age where personal data is often described as the ‘new oil’ because of the ease with which it can be collected and monetised. The GDPR places control back into the hands of the individual. Those organisations that have ridden the boom and aren’t ready may be hit hard from its toxic legacy under the GDPR.”

When GDPR comes into force 25 May, businesses across Europe will need to be compliant or potentially risk hefty fines as what will be new form of compensation and litigation for many countries is born.