Download the report
Global data risk
Litigation and damages claims
Data-related litigation is a growing risk for businesses, and not just in the US. We have analysed almost 40 damages claims brought in Europe since 2018 and identified some key trends below.
Germany has the highest number of individual data-related damages claims in Europe, with more than 20 cases heard since 2018.
The highest sum awarded to an individual data subject was €5,000 for a breach of data subject access rights (Art. 15 GDPR). The court ruled the defendant had failed to provide complete information and to provide it on time.
In another case, a data subject was awarded €4,000 after their psychotherapist forwarded on sensitive data. This was deemed a breach of Art. 9 GDPR, with the court imposing a high fine as a deterrent.
The Austrian courts heard nine cases between 2018 and 2020, including seven in 2019.
Austria’s Supreme Court handed down the country’s highest damages award (€2,400) in a case involving employee surveillance. The court heard the plaintiff was allowed to use a company vehicle but was not aware it was fitted with a GPS tracker that did not differentiate between private and work journeys. After the employee was fired, they claimed damages for infringement of privacy.
The Dutch courts have awarded damages to data subjects ranging from €250 to €500.
The highest award relates to a plaintiff whose Freedom of Information request was shared with other public authorities without the documents being anonymised. The court used Article 82 GDPR in conjunction with Article 6:106 of the Dutch Civil Code, holding that the misuse of the data was sufficient to justify non-material damages.
The UK courts have considered a number of group actions brought in relation to breaches of data protection law.
In April 2020, the Supreme Court issued a decision in a group action brought against the Morrisons supermarket chain. A large group of employees had sued Morrisons after a colleague published information about them online, but the court found that Morrisons was not vicariously liable for the employee’s actions. For more details on the decision, click here.
A significant UK group action is also expected to be heard by the Supreme Court in 2021. If the court decides in favour of the claimant, the case could open the floodgates to group data privacy claims. In particular, the court will determine whether damages can be awarded for ‘loss of control’ of data even if there is no resulting financial loss.
Most data privacy cases in the US are class actions that seek monetary damages. There is an emerging perception in the US that if a data breach has occurred, some failure of technical or organisational measures must have been involved. This in turn is seeing more plaintiffs join class actions in search of damages. In some cases, class action have been filed just weeks after a data breach has occurred, with plaintiffs not waiting to see if there is any regulatory enforcement. While the US courts have dismissed many claims early on so far, this is certainly an area to watch for the future.