
EU governments in disagreement over data breach liability rules

EU governments are in disagreement over whether consumers should be able to sue businesses for damage they suffer as a result of a data breach even where those businesses are not responsible for the damage caused.

03 Jun 2015

The disagreement is noted in leaked documents authored by the presidency of the Council of Ministers (the presidency).

According to those papers, some EU countries believe new data protection laws should allow consumers to seek compensation for damage they suffer from non-compliant personal data processing only from the businesses responsible for their data, the data controllers. However, other countries believe consumers should instead be able, if they wish, to pursue the companies that undertake data processing activities on behalf of data controllers.

The presidency wants EU governments to all get behind one of those positions ahead of a planned meeting of justice ministers on 15 June. It wants the 28 national governments in the EU to agree on a "general approach" on the entire proposed new General Data Protection Regulation at the meeting to allow final talks over the reforms to be opened with the European Parliament and European Commission.

The leaked papers also reveal that there is disagreement about whether data controllers and data processors should share the bill for damages where they are both responsible in part for non-compliant processing of personal data. This would require consumers to sue each of the businesses involved in that processing to recover from them what they each owe for the damage caused.

However, some EU governments believe consumers should be able to recover all of the damages owed to them as a result of a joint breach of data protection rules from just one of the companies involved, according to the documents.

Under both options being considered, it would be possible for businesses pursued by consumers to recover the money they pay out in damages to consumers from the other companies involved in non-compliant processing.

Data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said: "Amongst many other issues, one area of the forthcoming reforms that could have a big impact concerns data processor liability. Data processors do not all seem to have picked up how significant the changes are that could be introduced under the Regulation. A lot of their contractual arrangements with data controllers in many industries will need to be renegotiated."

The presidency said in one of the leaked papers seen by Out-Law.com: "A system of a rebuttable presumption of joint and several liability is closer to the 'liability follows fault principle' (advocated by a few delegations) under which any controller or processor can be held liable only for the damage caused by its actions towards the data subject. [This option] is therefore fairer towards the entities involved in the processing as a controller will never be condemned to pay compensation when it bears no responsibility at all for the damage."

"The drawback of such a system is that if the controller manages to demonstrate that it bears no responsibility at all for the damage, the data subject will have to sue the processor, which may be difficult if the latter is established in another member state or outside the European Union," it said.

It would be "very data subject friendly" if consumers could "claim compensation for the entire damages from any controller (or processor) involved in the processing, regardless of their responsibility for the event giving rise to the damage", the presidency said.

"Obviously such a system may be very unfair towards the processing entity, especially if it concerns an SME which may not be able to effectively seek compensation from the processor or another controller which was in breach/violation of the Regulation," it said. "That SME will then have been obliged to pay compensation for damage resulting from a data protection violation for which it bears no responsibility at all."

The leaked documents also reveal that the UK government wants planned new rules on 'data portability' to be removed from the planned Regulation even though it "supports the concept of data portability in principle". It believes rules on data portability are "not within scope of data protection, but in consumer or competition law".

The data portability rules would, if introduced, require businesses to hand over the personal data they hold about an individual in a usable, transferable format when that person requests it. The measure has been envisaged to make it easier for consumers to switch between rival providers of services.

However, the UK and other EU governments, including Germany, France and Ireland, have raised reservations about the proposed rules, including concern about how the data portability rights of consumers would impact on intellectual property rights and commercial confidentiality, according to the leaked papers. France said that data portability could endanger health research and services, whilst Germany said it might be difficult or impossible to apply the data portability right "in 'multi-data subject' cases where a single 'copy' would contain data from several data subjects".

The presidency's proposals would also place a greater burden on businesses to justify the processing of personal data without people's consent when those people raise objections to that activity.

According to the leaked papers, EU governments have been asked to support rules which would require businesses to demonstrate "compelling legitimate grounds" for processing personal data despite objections and show that those grounds "override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims". However, when consumers object to processing being conducted for direct marketing purposes, businesses would be forced to stop that processing.

French government proposals would prevent people from raising objections against the processing of their personal data by organisations such as medical research bodies where the processing is "necessary for the performance of a task carried out for reasons of public interest", according to the presidency's leaked documents. Plans for a new single national health database in France are currently under consideration.