Article 82(1) of the General Data Protection Regulation (GDPR) provides that any ‘person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered’. As a consequence, compliance with the GDPR is ensured through a mutually reinforcing combination of public and private enforcement that blends public fines with private damages.
The first part of this article compares and contrasts Article 82(1) GDPR with compensation provisions in other EU Regulations and Directives and with the caselaw of the CJEU on those provisions, and concludes that it is not clear that Article 82(1) GDPR is directly horizontally effective though the Court (eventually, if and when it is asked) is likely to interpret it broadly. This means that the safest course of action at this stage is to provide expressly for a claim for compensation in national law. The second part of this article compares and contrasts the compensation provisions in the Irish government’s General Scheme of the Data Protection Bill 2017 with existing legislation, and concludes that the Heads of the Scheme do not give full effect to Article 82(1) GDPR. Amendments to the Scheme are therefore proposed.
Claims for compensation are an important part of the enforcement architecture of the GDPR. Private enforcement will help to discourage infringements of the rights of data subjects; it will make a significant contribution to the protection of privacy and data protection rights in the European Union; and it will help to ensure that the great promise of the GDPR is fully realised.
O’Dell, Eoin, Compensation for Breach of the General Data Protection Regulation (June 25, 2017).