
‘Amicable Settlement Guidelines’ to provide consistency in European data breach claims


By Hans Allnutt & Florence Clissitt

Published 24 March 2022



What are Amicable Settlements?

Amicable settlements within the scope of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) are used to facilitate the resolution of data breach complaints. Whilst the GDPR does not define “amicable settlements”, they are, essentially, a form of alternative dispute resolution whereby an authority agrees to take no further action if an organisation deals with a data complaint satisfactorily.

The only reference to amicable settlements can be found in Recital 131 to the GDPR, in respect of the handling of local cases in accordance with Article 56(2) GDPR. Recitals to the EU GDPR are not strictly legally binding on their own; however, they assist in understanding the GDPR and help ensure that privacy law is applied properly.

Under these provisions, Supervisory Authorities (“SAs”), i.e. the independent public authorities appointed by each Member State to monitor the application of the GDPR, are able to facilitate the amicable resolution between a data subject and a data controller or processor of a complaint lodged with the SA, or of a possible infringement of the GDPR, if the subject matter relates only to the processing activities of the controller or processor in its Member State or substantially affects data subjects only in its Member State. There is, however, nothing in the GDPR that explicitly excludes amicable settlements in other cases.

In addition to acting as a facilitator, the SA must handle and investigate the complaint and keep the data subject updated as to any progress made.

Application of Amicable Settlements and Inconsistencies

The GDPR does not contain any specific regulations for amicable settlement of cross-border cases. This has resulted in Member States applying their own interpretations, or enacting differing national laws to deal with non-local data breach complaints. As a result, the practical implementation of amicable settlements differs greatly across the EU.

Following complaints from regulators, legislators and campaigners about the inconsistencies seen across EU Member States due to the lack of regulation in this area, the European Data Protection Board (“EDPB”), an independent European body which contributes to the consistent application of data protection rules throughout the EU, produced guidance (the “Guidance”) for implementing amicable settlements. Several EU countries, however, have already indicated that amicable settlements are not possible under their national laws. As such, amicable settlements will not be possible in the following countries: Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Greece, Malta, Poland, Portugal, Slovakia, Slovenia, Spain and Sweden.

The Guidance was adopted by the EDPB on 18 November 2021. The EDPB decided not to publish the Guidance; however, it has since been obtained via a Freedom of Information request.

EDPB Guidance on Amicable Settlements

The aim of the Guidance is to reach a satisfactory outcome for data subjects who have been victims of a data breach, as well as to ensure that data controllers comply with the GDPR. To achieve this aim, the Guidance sets out best practice procedures to enable a consistent application of the GDPR, both at EU and at national level, in response to complaints from data subjects.

The Guidance covers complaints which are either:

  1. National / local cases with no cross-border element;
  2. Cases which are cross-border in nature and the One-Stop-Shop system applies, i.e. where an organisation conducts cross-border data processing and the SA within the Member State of the main establishment acts as the primary regulator, or Lead SA; and
  3. Cross-border cases which are handled locally under Article 56(2) GDPR.

Whilst the Guidance provides for amicable settlements to be used by a Lead SA in cross-border cases, the Lead SA must still follow the Article 60 GDPR cooperation procedure.

In such cases, the SA receiving the complaint will pass it on to the Lead SA. The receiving SA will often have carried out some investigations of its own as part of a vetting process to determine whether the amicable settlement procedure would be suitable. Any information and documents gathered during the vetting process should be shared with the Lead SA as part of its own investigation. This ensures that the data subject is heard in the procedure attempted by the Lead SA and ensures compliance with fairness and due process in the investigation. The Lead SA should also bear in mind why an amicable settlement could not be reached at the preliminary stage carried out by the receiving SA and consider whether another attempt should be made. The Lead SA’s role is to act as the facilitator of the whole process through the exchange of documents and information with the other SAs.

When a Lead SA decides to proceed with the amicable settlement procedure, a key requirement is to cooperate with the other SAs to reach a consensus. The Lead SA is then able to investigate the matter as it sees fit, including holding formal hearings if necessary, or closing a case on the basis that the information received from the other SAs is sufficient to conclude the matter, with the agreement of all parties involved. Whatever the method or outcome, the Lead SA will need to keep the other SAs informed.

In accordance with the cooperation procedure, the Lead SA has discretion to decide whether informal consultation of the other SAs would be a beneficial contribution to the procedure, so that they can express their views before the Lead SA drafts the proposed amicable settlement. The Lead SA is required to share the proposed amicable settlement with the other SAs before it is finalised. This should set out the terms of the settlement, including the steps taken by the data controller or processor to satisfy the data subject’s complaint in full. The SAs will have an opportunity to provide comments and raise objections; however, this should be considered carefully, given that the cooperation procedure should have been followed throughout the investigation and any objections to an amicable settlement should therefore have been raised at earlier stages. This is especially the case if a proper exchange of information has taken place. Objections should therefore be avoided and submitted only in exceptional cases.

Where no objections are raised, the draft decision becomes binding on the Lead SA and the SAs involved. The Lead SA notifies the decision to the relevant parties involved, including a summary of the relevant facts and grounds.

The following considerations have been suggested for SAs (including Lead SAs) to take into account when deciding whether to go down the amicable settlement route:

  1. That amicable resolution of the matter is likely;
  2. Only a limited number of data subjects are affected;
  3. That there is no systemic failure;
  4. The data protection violation is incidental or accidental;
  5. The case involves the processing of a limited amount of personal data;
  6. The effects of the violation are not of serious duration and nature, i.e. there are no severe consequences or infringements of freedoms and rights;
  7. Whether there is any likelihood of further violations in the future;
  8. The broader impact on society and public interest of enforcement action; and
  9. The extent to which an SA is able to take effective and efficient action.

The amicable settlement process can be used to resolve a complaint in full, or to partially resolve a complaint, leaving the relevant SA to investigate the issue further and enter into a separate procedure to resolve any outstanding issues.

Impact of the EDPB Guidance

The aim of the Guidance is to streamline the way in which SAs handle data breach claims and amicable settlements, which currently varies because of differences in domestic legislation and approaches throughout the EU.

It is hoped that the Guidance will help eradicate the differences seen at national level in the treatment of data subjects and in the enforcement action taken against organisations, by providing an overarching set of guidelines to follow and so producing consistent results across the EU Member States. The amicable settlement process is intended to lead to fairer outcomes; however, the results of this Guidance, which is still in its infancy, remain to be seen.

A link to the full EDPB guidance can be accessed here.