Private enforcement Flashcards
(27 cards)
PRIVATE ENFORCEMENT
Civil liability rules:
Art. 82 GDPR → Right to compensation and liability
Former provision:
- Art. 23 Directive 95/46/EC →
Implemented by Art. 15 cod. privacy - (d. lgs. n. 196/2003)
Art. 82 GDPR →
Right to compensation and liability
- Any person who has suffered material or non-material damage
- Any controller involved in processing liable for the damage caused
A processor liable only where
- it has not complied with obligations
- acted outside or contrary to lawful instructions of the controller. - A controller or processor exempt from liability if it proves that it is not in any way responsible for the event
4.
Where more than one controller or processor each controller or processor shall be held liable for the entire damage
- Where a controller or processor has paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved part of the compensation corresponding to their part of responsibility for the damage
- Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State
Previous regime of civil liability
Art. 23 Directive 95/46/EC →
Liability
- Member States shall provide that any person who has suffered damage as a result of an unawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered
- The controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage.
Previous regime of civil liability
Italian personal data personal data protection code
(d. lgs. n. 196/2003)
Art. 15 [Repealed]
Damage Caused on Account of the Processing
1) Whoever causes damage to another as a consequence of the processing of personal data shall be liable to pay damages pursuant to Article 2050 of the Civil Code.
2) Compensation for non-pecuniary damage shall be also due upon infringement of Art. 11.
Civil liability under Italian private law
- Contractual liability (Art. 1218 cod. civ.)
- Non-contractual liability (tort) (Art. 2043 cod. civ.)
Civil liability under Italian private law
TORT
ART. 2043 COD. CIV.
Article 2043.
Compensation for unlawful acts:
Any intentional or negligent act that causes an unjustified injury to another obliges the person who has committed the act to pay damages
IF-THEN STRUCTURE
Civil liability under Italian private law
TORT
ART. 2043 COD. CIV.
IF-THEN STRUCTURE
IF
- an act attributable to a natural or legal person this act was committed intentionally or at least negligently
- this act caused legally relevant prejudice (legally relevant damage + causal link)
THEN
- The obligation to pay damages arises
(tort is a source of obligations →
tort law is part of civil law of obligations)
Civil liability under Italian private law
DAMAGES (1223 COD. CIV. – 2059 COD. CIV.)
Article 1223:
Damages to be paid by the wrongdoer can be both ECONOMIC and NON- ECONOMIC
→ Economic damages (Danno patrimoniale)
- Actual losses suffered (damnum emergens)
- Lost profits (lucrum cessans)
→ Non economic damages (danno non patrimoniale)
Non-patrimonial damages shall be awarded only in cases provided for by law.
(Article 2059)
Civil liability under Italian private law
Special liability rules in the Italian codice civile
Art. 2050 cod. civ.
→ Strict liability (Liability regardless of fault)
→ Fault Liability with a reversal of the burden of proof
One of these special rules concerns liability arising from the exercise of dangerous activities:
Art. 2050 cod. civ.
Whoever causes injury to another in the performance of an activity dangerous
- by its nature or
- by reason of the instrumentalities employed,
is liable for damages.
→ Unless he proves that he has taken all suitable measures to avoid the injury.
→ Data processing activities have been considered “dangerous activities” by the law. Therefore the special rule laid down in Art. 2050 cod. civ. applies
→ Art. 15 cod. privacy - d. lgs. n. 196/2003 (2)
non-patrimonial damages shall be awarded in this case (=when an infringement of data protection law occurs)
Principles to bear in mind when interpreting the new EU rules on civil liability
→ The principle of the primacy [principe de primauté] and uniform application of European Union law
→ The principle of accountability of the controller (Art. 24 GDPR)
→ The twofold purpose of the GDPR (Art. 1):
1) The protection of natural persons in relation to the processing of personal data (par. 2)
2) Facilitating the free flow of personal data within the internal market (par. 3)
RECITAL NO. 146 (OVERVIEW)
The controller or processor
- should compensate any damage as a result of processing that infringes this Regulation.
- should be exempt from liability if it proves that it is not in any way responsible for the damage.
- if involved in the same processing, each controller or processor should be held liable for the entire damage and compensation may be apportioned according to the responsibility
- Any controller or processor which has paid full compensation may subsequently institute recourse proceedings against other involved in the same processing.
The concept of damage should
- be interpreted in the light of the case-law of the Court of Justice which fully reflects the objectives of this Regulation.
- without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law.
Processing that infringes this Regulation also includes processing that infringes
- this Regulation and
- Member State law specifying rules of this Regulation.
Data subjects should receive:
- full
- effective
compensation for the damage they have suffered.
SUBJECTS:
VICTIMS CONSIDERED BY ART. 82 GDPR
Art. 82 (1). Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
→ Any person:
individuals other than the data subject as well, if the existence of a sufficient casual link is proved
→ Any natural person:
Art. 1(1). This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
→ Legal persons may ask for compensation for damages according to national law (cf. Recital 146 “without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law”)
SUBJECTS:
TORTFEASORS CONSIDERED BY ART. 82 GDPR
Art. 82 (1). Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
≠
Art. 15 (1) legislative decree no. 196/2003 [Repealed]. Whoever causes damage to another as a consequence of the processing of personal data shall be liable to pay damages pursuant to Article 2050 of the Civil Code.
→ People other than the data controller and the data processor who infringe data subjects’ rights can be held liable under national law (Art. 2043 civil code)
[cf. Recital No. 146: “without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law”]
SCOPE OF CONTROLLER’S AND PROCESSOR’S LIABILITIES: 82 (2) GDPR
«Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation».
«A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller».
→ A graduated liability system
THE CONTROLLER’S LIABILITY
Recital 74
The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.
→ A general liability of the controller
THE PROCESSOR’S LIABILITY
«A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller».
→ An important novelty of the GDPR: direct liability of the processor (Art. 23 Directive 95/46/EC provided only for the liability of the controller);
→ A limited liability: the processor is liable only for damages occurred as a result of infringing:
- obligations of this Regulation specifically directed to processors (e.g. art. 28) lawful instructions of the controller
THE CONTROLLER’S LIABILITY FOR THE PROCESSOR’S FAULT
→ A controller can not be exempted from liability under Art. 82 by proving that he has diligently chosen a processor who appeared to be trustworthy
→ This rule is similar to the one laid down by Art. 2049 Civil Code
Liability of masters and employers
Masters and employers are liable for the damage caused by an unlawful act of their servants and employees in the exercise of the functions to which they are assigned
Strict vicarious liability:
the defendant can be held liable regardless of his fault, if the requirements of the special liability rule are met (the relationship between the tortfeasor and the person who is legally liable and the relationship between the tort committed and the functions assigned to the author)
When the processor determines the purposes and means of processing he shall be considered a controller as well (Art. 28 [10] GDPR)
BUT
Art. 28 (10 ) GDPR states:“ Without prejudice to Articles 82, 83 and 84…”
IT MEANS
The original controller is not be exempted from civil liability
JOINT AND SEVERAL LIABILITY: ART. 82 (4)AND (5) GDPR
- Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
- Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
THE PRINCIPLE OF JOINT AND SEVERAL LIABILITY
More persons shall be held liable for the same damages that occurred to the plaintiff
→ The plaintiff is entitled to claim full compensation from just one of these persons
→ Who pays can claim restitution from the other liable parties for the amount exceeding its share of responsibility (azione di regresso)
- This rule ensures more chances for the plaintiff to have full compensation for damages
- Comparison with Art. 2055 Civil Code
THE BURDEN OF PROOF
THE GENERAL RULE IN ITALIAN TORT LAW
Art. 2043 Civil code - Compensation for unlawful acts
Any intentional or negligent act that causes an unjustified injury to another obliges the person who has committed the act to pay damages.
The plaintiff must prove:
→ the act committed by the damaging party
→ the culpability of the damaging party
→ the damage occurred
→ the causal link between the act committed and the damage occurred
In some areas, the plaintiff doesn’t have to prove the culpability of the defendant
→ Strict liability (Liability regardless of fault)
→ Fault Liability with a reversal of the burden of proof
E.g. 1 Art. 2049 Civil code - Liability of masters and employers (the fault of the vicarious is irrelevant)
E.g. II Art. 2048 Civil code - Liability of parents, guardians, teachers, and masters of apprentices for damages caused by children, pupils and apprentices under their supervision (They are only relieved of liability if they prove that they were unable to prevent the damaging action of the person under surveillance)
THE BURDEN OF PROOF
IN THE PREVIOUS REGIME
Some civil law provisions are ambiguous since is not clear whether they belong to one group or the other (e.g. Artt. 2050, 2051, 2052, 2053 Civil code).
Art. 15 (1) leg. Decree no. 196/2003 referred to one of these:
- Whoever causes damage to another as a consequence of the processing of personal data shall be liable to pay damages pursuant to Article 2050 of the Civil Code.
→ Liability arising from the exercise of dangerous activities:
Whoever causes injury to another in the performance of an activity dangerous by its nature or by reason of the means employed, is liable for damages, unless he proves that he has taken all suitable measures to avoid the injury.
THE BURDEN OF PROOF
ACCORDING TO ART. 82 (3) GDPR
- A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
The European provision wording is also ambiguous.
It should be interpreted by searching for its autonomous meaning in European law (without conditionings that derive from national law categories).
EXEMPTION OF LIABILITY
If the controller/processor doesn’t fulfill his/her obligations under GDPR, he/she shall not benefit from the exemption
What if he/she does?
Art. 32 GDPR – Security of processing
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
TWO DIFFERENT OPINIONS
- The controller/processor carries the risk that the technical and organisational measures adopted are not adequate to prevent damage from occurring. Exemption only in case of unforeseeable circumstances and force majeure [STRICT LIABILITY]
- The controller/processor can demonstrate that his/her obligations under GDPR have been fulfilled and, therefore, that there were no technical measures available to mitigate the risk or that the costs of preventive measures were excessive compared to a low probability and/or severity of the risk. [FAULT LIABILITY WITH A REVERSED BURDEN OF PROOF]
DAMAGE AS A RESULT OF AN INFRINGEMENT OF THE REGULATION
→ According to general national rules on the burden of proof, the plaintiff has to prove the unlawfulness of the defendant’s conduct (Art. 2043 c.c.)
→ GDPR: PRINCIPLE OF ACCOUNTABILITY
Art. 24 (1)
Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
→ The plaintiff doesn’t have to prove the infringement occurred.
→ it is up to the controller to demonstrate the lawfulness of her/his processing ( Art. 24 (1)).
→ Recital no. 146 (…) Processing that infringes this Regulation also includes processing that infringes delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation (…)
