Are individual rights exercisable through the judicial system or enforced by a regulator or both? When exercisable through the judicial system, does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances? Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury of feelings sufficient?
Data Protection & Cyber Security
As we noted above, individuals are entitled to file a complaint with Roskomnadzor, the State Prosecution Office or Labour Inspections (if processing is in the context of employment relations), as well as to file a claim with a competent court to challenge the actions (or omissions) of the data controller.
In such claim they can ask for compensation of material and moral damages caused by illegal processing of their PII.
Moral damages are physical or moral sufferings and are calculated on case-by-case basis. Material damages include direct damages and loss of profits. The amount of material damages shall be evidenced.
Individual rights are exercisable through both the judicial system and the Data Protection Authority.
Individuals can report any infringement of the Data Protection Law to the Data Protection Authority, which is charged with enforcing its provisions. The Data Protection Authority can impose sanctions and fines (see question 22 below). However, it does not have the authority to award damages or costs.
Additionally, individuals can file civil actions before the courts. The Data Protection Law states that if data controllers fail to comply when data subject exercise their rights (see question 20), they may file an habeas data action before the courts to obtain redress.
Data subjects are also entitled to claim damages before the courts, under general civil law principles contained in the Argentine Civil and Commercial Code. In order to obtain compensation, the data subject will have to prove an effective damage as a result of a breach of the Data Protection Law, and establish a causation relationship with the data controller.
In some cases, an infringement of the Data Protection Law could also constitute a crime to be pursued before the criminal courts. In particular, the Argentine Criminal Code punishes with imprisonment from one month to three years those who: (i) illegally insert information in a database; (ii) illegally gain access to databases; (iii) disclose personal data protected by duty of confidentiality pursuant to law; or (iv) knowingly supply false information stored in a database to a third party.
According to the Federal Constitution, any individual can file a judicial action pursuing compensation for economic and moral damages for violation of privacy or intimacy. Additionally, the Federal Constitution assures Brazilians and foreign nationals the right to rectify their data, and the Consumer Protection Code provides that individuals have the right to access all data stored about themselves, and request changes.
In this regard, individuals affected by breaches of the law are entitled to compensation or monetary damages. Usually actual damage is required and injury of feelings must be proved to justify compensation.
As settled with GDPR (Article 79 GDPR), in Bulgaria individual rights are both exercisable through the judicial system and enforced by the national data protection authority – the CPDP.
Proceedings before the CPDP in relation to the exercise of individual rights are initiated with a complaint filed by the interested party. The CPDP carries out checks, requires documents and has the corrective power to order the controller or the processor to comply with the data subject’s requests for exercise of rights under the GDPR. The order of the CPDP is an administrative measure within the meaning of the Bulgarian Administrative Violations and Penalties Act and may be appealed under the Administrative Procedure Code within 14 days of its receipt. Altarnatively, the PDPC may issue a decision sanctioning the respective behavior of the data controlle or processor and imposing a monetary sanction.
When individual rights are exercised through the judicial system, the general conditions for claims and damages apply. Data subjects may claim damages for the damage suffered as a result of the unauthorised processing of personal data by the controller or the processor.
The individual rights mentioned in Question 20 are generally enforced by way of a civil litigation. Art. 15 FADP sets outs as follows:
- Actions relating to protection of privacy are governed by Articles 28, 28a and 28l of the Civil Code. The plaintiff may in particular request that data processing be stopped, that no data be disclosed to third parties, or that the personal data be corrected or destroyed.
- Where it is impossible to demonstrate that personal data is accurate or inaccurate, the plaintiff may request that a note to this effect be added to the data.
- The plaintiff may request that notification of third parties or the publication of the correction, destruction, blocking, and in particular the prohibition of disclosure to third parties, the marking of the data as disputed or the court judgment.
- Actions on the enforcement of a right to information shall be decided by the courts in a simplified procedure under the Civil Procedure Code of 19 December 20083
Data subjects may claim damages. However, Swiss law requires that the plaintiff substantiate the actual damage. This is generally quite difficult as data privacy breaches do often not result in a direct financial damage. As a consequence, it is not that common to ask for a damage.
The infringement of the data protection provisions is subject to fines, which are enforced by Data Protection Authorities, which in Spain is the AEPD. The GDPR also establishes that such economic penalties may be replaced by warnings, so that the offenders take the corrective measures indicated on them, although this is an exceptional measure. All competent authorities have the discretionary power to graduate the fines, depending on the nature of the facts. However, the decisions of the AEPD may be appealed, in which case, the appellant party must lodge it with the competent courts.
The GDPR also grants the right to claim compensation to any person who has suffered damage (material or moral) as a result of an infringement of the Regulations from the controller or processor. This compensation shall be claimed before the competent courts and it is without prejudice to the right of the data subject to submit a claim to the AEPD for such infringement.
When claiming a compensation for damages, the Spanish judicial system requires that the damage is actual and caused by actual and certain damage.
Yes. The rights included in the Data Privacy Act could be exercised through the judicial system, that is, through a summary procedure established in the Act itself. In the case that the person responsible for the data base, do not give an answer to the data holder within two business days following the respective request (for access, adjustment, deletion or blocking of personal data), or else the data controller rejects the request for reasons other than the national security or the national interest, the holder of the data has the right to initiate the judicial procedure.
Breaches of data protection caused by inappropriate processing of data could eventually lead to fines determined by the Data Privacy Act (fluctuating from US$ 73 to US$ 730 and US$ 730 to US$ 3,615 if the breach comes from financial-data). Fines-Penalties are viewed and determined in a summary judicial process.
The Data Privacy Act states a general rule under which damages (both non-monetary and monetary damages) that result from willful misconduct or negligence in the processing of personal data shall be compensated. The amount of compensation shall be established reasonably by the civil judge, considering the circumstances of the case and the relevance of the facts. There is no criminal liability for non-compliance with the Data Protection Act; Nevertheless, in relation to cybersecurity, the Law No. 19.223, states criminal liability for the actions described therein.
Every person, who has suffered material or non-material damage because of an infringement of the GDPR has the right to receive compensation (Art. 82(1) GDPR). Any controller involved in processing and any processor, who has not complied with the obligations of a processor, is liable according to Art. 82(2) GDPR for this damage. They can be exempt from liability, if they are not responsible in any way for the damage (Art. 82(3) GDPR).
Related to non-material damage, a district court in Germany expressed considerable doubts in its decision in 2018, whether a single undue email without the consent of the data subject causes a right to receive compensation. The court clarified that such a single infringement of the GDPR – the email – does not give the data subject this right if there is no damage which consists of a noticeable disadvantage and is not only a trifle without serious impairment.
Besides, each data subject has the right to an effective judicial remedy against the controller or the processor and has the right to lodge a complaint to the supervisory authority in case of infringements against the GDPR according to Art. 77, 79 GDPR.
Individual rights may be exercisable by seeking remedies before regulators or the judicial system, as applicable.
Typically, the initial step is to raise a complaint before the grievance officer of the body corporate. If they fail to respond or adequately address the issue, other remedies may be sought.
Section 43A of the IT Act mandates that any negligence by a body corporate to protect PII or sensitive PII of a Data Subject in accordance with the IT Act or the Privacy Rules, which causes wrongful loss or gain to any person, will render the corporate liable to pay damages by way of compensation.
The Central Government has appointed adjudicating officers (namely the Secretary of the Department of Information Technology of each State) for conducting inquiry into complaints for breach of Section 43A. For claims up to INR 5 crore, the State Secretaries have exclusive jurisdiction, and their orders can be appealed before the Appellate Tribunal constituted under the IT Act.49 For claims above this threshold, the jurisdiction of civil Courts will apply.
While determining the quantum of compensation, the State Secretary is expected to consider the following: -
(a) quantum of unfair advantage, as a result of the default;
(b) amount of loss caused; and
(c) repetitive nature of the default.
As mentioned above, under the IT Act, the State Secretary will consider amount of loss caused, prior to awarding compensation. In India, Courts are conservative in awarding damages, and it is required that damages must be proved for seeking compensation. In cases where it is not possible to prove the precise quantum of damages, the claimant may be entitled to reasonable damages.
49 - The Telecom Disputes Settlement and Appellate Tribunal is the Appellate Tribunal for the purposes of the IT Act. Appeals from decisions of the Appellate Tribunal, on any question of fact or law, lie with the High Courts.
Both. Affected individuals may also bring tort claims before courts. Since it is a tort claim, the rules of actual damages and injury of feelings in the General Rules of the Civil law the People’s Republic of China57 of and the Tort Law of the People’s Republic of China may apply/58
57 - General Rules of the Civil Law of the People's Republic of China. § 111. The personal information of a natural person shall be protected by the law. Any organization or individual shall legally obtain the personal information of others when necessary and ensure the safety of such personal information, and shall not illegally collect, use, process or transmit the personal information of others, or illegally buy or sell, provide or make public the personal information of others.
58 - As the CSL has been implemented since 1 June 2017, it is hard to ascertain the awarded damages from limited private civil lawsuits.
Both: individual rights are exercisable through the judicial system and enforced by the Regulator (CNPD), according to articles 77, 78 and 79 of the GDPR.
Any person who has suffered material or non-material damage as a result of an infringement of data protection legislation has the right to an effective judicial remedy against a controller or a processor (expressed private right of action) and receive compensation from the controller or processor for the damage suffered (actual damage and injury of feelings) pursuant article 82.1 of the GDPR.
In turn, the controller involved in processing is liable for the damage caused by processing which infringes data protection legislation and the processor is liable for the damage caused by processing only where it has not complied with obligations of data protection legislation, specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller, as prescribed in article 82.2 of the GDPR.
A data subject can bring an action against a controller or processor where they consider their rights have been infringed. Proceedings can be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers. An individual can complain to the Information Commissioner's Office which can take enforcement action along with other relevant supervisory authorities.
Any person who has suffered material or non-material damage as a result of a breach by a controller or processor has the right to receive compensation from the controller or processor for the damage suffered (including for distress).
Yes, individual rights are exercisable both through the judicial system and enforced by the Swedish Data Protection Authority.
Each natural and legal persons have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (article 78 of the GDPR).
Data subjects enjoy the right to an effective legal remedy against a controller or processor (article 79 of the GDPR).
The possibility to bring private claims against controllers and processor appear from article 82(1) of the GDPR which stipulates that any person who has suffered "material or non-material damage" because of a breach of the GDPR have the right to receive compensation from the controller or processor. The inclusion of “non-material” damage means that it is possible to also claim compensation for distress although no financial loss can be proven.
Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (article 80 of the GDPR).
Data subjects also enjoy the right to lodge a complaint with a supervisory authority (article 77 of the GDPR). This right is without prejudice to any other administrative or judicial remedy.
Finally, the Swedish Data Protection Authority can also initiate a supervisory matter and within the framework of such matter enforce data subjects’ rights.
Data subjects are entitled to exercise their rights before the data controllers, and they are also entitled to lodge complaints before the HDPA in case a violation takes place. This can further trigger the investigative powers of the Authority -which also acts ex officio- and can consequently lead to the imposition of fines on data controllers or their representatives, along with further administrative sanctions. Violation of respective obligations arising from the existing framework may also entail further criminal sanctions.
Moreover, data subjects are entitled to file before the competent Court a request to immediately suspend or not to execute an act or decision affecting the data subject on the basis of exclusively automated processing, provided that this processing aims at assessing the personality of data subject, or one’s performance at work, financial credibility and behavior in general, according to article 14 of Law 2472/1997. It is worth mentioning that such right can be satisfied, even if the other substantial conditions of temporary judiciary protection are not fulfilled. Additionally, article 23 of the Law 2472/1997 as currently in force stipulates that any natural or legal person of private law causing financial damage, is obliged to pay full compensation. If injury of feelings of the data subject takes place, an obligation for compensation for injury of feelings also arises. Compensation for injury of feelings is awarded to data subjects irrespectively of any potential financial damage requested.
Furthermore, according to Law 3471/2006, data subjects whose rights are violated may ask for compensation for any financial damage caused to them. If injury of feelings takes place, an obligation for compensation for injury of feelings also arises. According to article 14 of Law 3471/2006 and similarly to Law 2472/1997, compensation for injury of feelings is awarded irrespectively of any potential financial damage requested.
This establishes the presumption of civil liability of the data controller when a violation of the legal framework takes place, further leading to compensation of data subjects for injury of feelings. This was very recently confirmed in the Case 415/2019 issued by the District Court of Athens, following the beginning of the implementation of the GDPR (relating however to an unsolicited call made before the GDPR starts applying), where the Court identified that the obligation for compensation for injury of feelings is sufficiently triggered by the violation of the legal provisions concerning data protection on electronic communications, since such action directly undermines the right of privacy and the protection of data subject’s personality.
The same rationale has been echoed in recent judgments of the Greek Supreme Court (C. 252/2018 and C. 1079/2018), where it has been confirmed that the violation of the Law 2472/1997 itself, suffices for compensation of injury of feelings and it is not necessary to prove further harm of the unlawful processing on either the income or any other ramifications on personality aspects, qualifying for legal protection, such as the honor and reputation of the individual. This reasoning accepts that once the unlawful activity against the provisions of the existing national legal framework is proved along with the respective fault of the data controllers for violating the legal framework of Law 2472/1997, then the adverse effects on personality rights, including the information self-determination and right to privacy are established.
It should be noted that in accordance with article 23 of Law 2472/1997 the amount of 6.000 euros is introduced as the minimum compensation for injury of feelings, except if the applicant requested for a lower amount or the violation was the outcome of negligence. Respectively, for violations of the Law 3471/2006 the amount of 10.000 euros is introduced as the minimum compensation for injury of feelings, except if the applicant requested for a lower amount. However, both provisions have been challenged as unconstitutional, on the basis that they do not consider the proportionality principle when framing the minimum amount of the compensation to be awarded to data subjects for injury of feelings.
Individual rights are both exercisable through the judicial system and enforced by a regulator. In all cases, criminal sanctions -which are explained more thoroughly in the following answer- are imposed by criminal courts and the process is subject to provisions regarding general criminal procedure.
The procedure for exercising the rights under Article 11 of the Law No. 6698 is as follows: Firstly, an application to the data controller must be made and the 30-day period for responding should run out for the data subject to be able to form a complaint to the Board within 30 days. However, for processes regarding the right to compensation that will arise in case of unlawful processing of personal data, the data subjects will have to apply to civil courts.
Depending on the nature of the right, the exercise of a data subject's rights can take place before the Data Protection Authority or before the ordinary courts.
In the case of data subjects' rights (see question 20 above), this falls within the competence of the Data Protection Authority.
If, on the other hand, claims for damages are concerned, these are to be raised in the ordinary courts. Both material damages as well as immaterial damages can be claimed. The general provisions of civil law shall apply to these claims for damages.
Rights of individuals are exercisable through the judicial system as well as by the CNIL. However, it is more common that individual directly bring cases before the CNIL rather than before the courts.
The CNIL has developed an online platform accessible from the internet which can be easily reached by any individual to raise a claim if its rights are violated. When a claim is brought before the CNIL, it will contact the data controller and then inform the data subjects on the status of its claim. If the CNIL receives several complaints about a violation committed by the same company, the CNIL may decide to audit such company's compliance with the French DPA 1978.
The data subject will not obtain any monetary compensation by raising a claim before the CNIL but only the enforcement of his or her rights. However, if the company does not comply with the CNIL requests, it may be condemned to an administrative sanction, even if the individual did not suffer any damage as a result of the violation of its rights.
To obtain monetary compensation, a data subject shall bring a civil or criminal action against a controller or processor where they consider their rights have been infringed. To obtain compensation, the data subject shall demonstrate that he or she suffered damage. Proceedings can be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.
Several data subjects suffering damage as a result of a common cause of a similar breach of the provisions of the French DPA 1978 or GDPR may also decide to bring a collective action before the civil court or the competent administrative court. This action may be brought either to put an end to the breach or to obtain compensation for the material and moral damage suffered, or for both purposes.
Most privacy-specific laws in the U.S. are enforced by a designated government agency or other regulatory body, and/or by state attorneys general. For example, COPPA may be enforced by the FTC or any state attorney general. In general, individuals or groups may lodge complaints regarding potential privacy or data security violations with the appropriate regulator and request that the regulator investigate the allegedly infringing practices to bring an enforcement action.
Some privacy-specific laws, such as the federal TCPA and the Illinois BIPA, include a private right of action to permit individuals to seek damages in court even where the alleged violation is not pursued by a government enforcement authority. In addition, certain laws that are not privacy-specific, such as those regulating unfair and deceptive business practices generally, may be used by an individual as a vehicle to pursue privacy-related violations in court. For example, an entity’s misuse of personal information, or a failure to maintain adequate security safeguards for personal information after having made public representations that such safeguards were in place, may be deemed an “unfair” or “deceptive” trade practice in violation of applicable consumer protection laws. In addition, many states have private attorney general acts and/or unfair and deceptive practices acts that permit citizens to file suit, sometimes on a classwide basis, if they are affected by any party’s violation of any law.
Although individuals in the U.S. may in some instances avail themselves of a statutory private right of action to file suit, they still must meet certain thresholds for their case to survive. Among other requirements, a plaintiff in federal court must have Article III constitutional standing, which typically requires demonstrating that the plaintiff has suffered an injury due to the violation of the law in question. A majority of state courts apply a similar standard. The U.S. Supreme Court has ruled that such an injury can be “intangible” but must constitute “concrete harm,” leaving lower courts grappling with varying interpretations of that concept – for example, whether misuse of personal information must result in a specific monetary loss in order to be “concrete” or if anticipatory or imminent harm suffices. Depending on the law, the types of damages individuals can seek may be limited. For example, some laws enable individuals to pursue injunctive relief but not restitution or punitive damages. However, the new CCPA does away with such standards and allows for minimum statutory damages regardless of any economic harm. The federal TCPA takes a similar approach and has created a cottage industry of plaintiff’s lawyers in search of errors and omissions related to telemarketing.
Both the Commissioner and the judicial system are involved in upholding individual rights in the event of breaches of the PDPA.
Section 104 of the PDPA prescribes for aggrieved data subjects to make a written complaint to the Commissioner should they be affected by breaches of the PDPA, its subsidiary legislations and codes of practice. Any aggrieved person may also appeal to the Appeal Tribunal against the decision of data users, such as refusing data access request or data correction request, as stipulated in Section 93(1) (c) of the PDPA. However, there is no express civil right of action for the aggrieved data subjects under the PDPA against data users for breaches under the Act.
Violations of the PDPA and certain provisions of the Personal Data Protection Regulations 2013 are punishable with criminal liability. However, the PDPA does not provide for a specific right to claim for damages, and the Commissioner does not have power to order compensation for damages.
Individuals’ rights are enforced by the GRA and can also be exercised through the judicial system. An individual can claim compensation for breach of their rights under the DPA. Whilst damage must have been caused, it can be “non-material damage” which includes distress.
A data subject can bring an action against a controller or processor where they consider their rights have been infringed. Proceedings can be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers. An individual can complain to the DPC which can take enforcement action along with other relevant supervisory authorities.
Any person who has suffered material or non-material damage as a result of a breach by a controller or processor has the right to receive compensation from the controller or processor for the damage suffered (including for distress).