New report from DAC Beachcroft highlights impending wave of compensation claims and regulatory fines across Europe under GDPR

New report from DAC Beachcroft highlights impending wave of compensation claims and regulatory fines across Europe under GDPR's Tags

Tags related to this article

New report from DAC Beachcroft highlights impending wave of compensation claims and regulatory fines across Europe under GDPR

Published 9 noviembre 2017

New research, published today by international law firm DAC Beachcroft, highlights the extent of compensation claims and regulatory sanctions that the General Data Protection Regulation (GDPR) will have across all 28 EU member states, once the new regime comes into force on 25 May 2018.

The report, Personal Data: the new oil and its toxic legacy under the General Data Protection Regulation, sets out findings from an 18-month study with contributions from data protection experts across all 28 EU member states. The report focuses on four key areas:

  • current state of data protection laws
  • size and frequency of regulatory fines and sanctions for data protection breaches
  • level and frequency of compensation awards
  • expected changes under the GDPR

"We know the GDPR will usher in significant financial sanctions, rights to compensation and group litigation mechanisms but we wanted to find out how big a change the new regime will have and where those changes will be felt most in Europe," explains Hans Allnutt, partner and head of Cyber & Data Risk at DAC Beachcroft.

"If there is one finding I would highlight, it’s that over 80% of jurisdictions expected compensation claims for data protection breaches to increase under the GDPR. While the fines and penalties under the GDPR have quite rightly grabbed the headlines, what might not be appreciated is the incoming wave of litigation that organisations face if they are found to contravene the GDPR’s new rules.

"The GDPR's tentacles are truly international," he said. "The financial risks are not just limited to organisations in the EU, as the GDPR applies to businesses based outside the EU offering goods or services to EU residents."

Among the key findings is that individuals in at least half of EU member states will, for the first time, be entitled to claim compensation if their personal data is breached. Local law in some member states - for example in Bulgaria, Cyprus and Hungary - already offers compensation rights but, for many EU countries, the right to compensation under the GDPR will mark a significant legal change.

DAC Beachcroft's study also reveals that fines and compensation levels for data breaches vary hugely between EU countries. For example, Spain fined Facebook €1,200,000 in 2017, yet some member states have issued no fines at all. There is a similarly large disparity in compensation awards across member states, with an €90,000 award in Italy while some member states currently provide no compensation at all.

Asked whether they expected data protection litigation to rise, most respondents agreed that compensation claims would increase. Claims will be spurred on because of mandatory reporting requirements, making data breaches more public than ever before, and rights to nominate not-for-profit organisations to make claims on individuals’ behalf.

"The GDPR looks set to bring in a whole new phase of privacy litigation," Allnutt concluded. “We are living in a Big Data age where personal data is often described as the 'new oil' because of the ease with which it can be collected and monitised. The GDPR places control back into the hands of the individual. Those organisations that have ridden the boom and aren’t ready may be hit hard from its toxic legacy under the GDPR.”

Authors

Hans Allnutt

Hans Allnutt

London - Walbrook

+44 (0) 20 7894 6925

Key Contacts