GDPR, one year on - investigations and fines but what about compensation for users?

Last week’s terrific ITechLaw conference in Boston included much discussion and debate about current tech-related issues including GDPR and other pro-data protection legislative moves from around the world. It was great to get a sense of developments in different jurisdictions, including the EU - which is generally seen as the primary mover or ‘first adopter’ of ‘Data Protection 2.0’ – if I can call it that. 

Indeed, I was struck by the high number of complaints and data breach notifications already received (tens of thousands) across the EU in the past year (are people erring on the side of caution when notifying?); likewise, the number of GDPR related investigations underway and fines issued over the past 12 months. I was also reminded of the eye-watering (€50 million) fine levied against Google in France and the precedent it could set for future transgressions. 

Less obvious was whether and how individual users were being compensated for the unauthorised use of their personal data. After all, it is the user’s personal information that generates value for the data takers and, arguably, the DPAs/governments who hand out - and receive - the fines. Are individual users or consumers entitled to a slice of the cake? One could argue there is an indirect monetary value to society given that the fines levied go into government coffers – but that seems tenuous. I imagine most (adversely) affected individuals would prefer direct compensation (through legal claims if necessary) or perhaps based on a statutory tariff or other pre-set amount like the scheme that operates in the travel industry i.e. where passengers receive a pre-set amount as compensation for flight delays. 

Individuals who suffer more serious breaches may prefer to bring stand-alone claims for higher amounts – for example, where particularly sensitive data such as medical records is taken or where the financial or pecuniary consequences are severe. 

The other question, perhaps for another time, is whether - notwithstanding the flurry of GDPR compliance activity over recent times - our personal data is in fact safer than it was prior to May 2018? At the conference I was assured that it was - or at least will be over time as the various regimes around the world take effect and behavioural changes occur.

Let’s hope that’s right.             

Other Perspectives