Data privacy and GDPR litigation trends in Germany and beyond

March 2024  |  SPECIAL REPORT: DATA PRIVACY & CYBER SECURITY

Financier Worldwide Magazine

March 2024 Issue


As data becomes the digital currency of the information age and pervades every aspect of our everyday lives, the vast troves of data collected have become not only the object of various business ideas and nefarious activities, but are also subject to the diligence and care of those who have to protect such data.

The breach of about 40 million accounts globally in 2023 shows how difficult this has become. Data breaches can result in immense financial aftershocks for the companies involved. In 2023, the average total cost of a data breach reached a record high – $4.45m. Companies operating in the healthcare and financial sector suffer higher costs, at $10.93m and $5.90m respectively.

In addition, companies face financial consequences that go well beyond the cost of redressing the breach, including possible reputational harm to their brands and potential declines in share price. For example, 57 percent of businesses have been compelled to increase the price of their services or products because of a data breach.

With the introduction of the General Data Protection Regulation (GDPR) in Europe in 2018, the regulatory and liability framework for the protection of data privacy became much denser. As always when fast-paced technological developments meet new regulatory frameworks, this has resulted in a remarkable increase in litigation that can be roughly divided into three categories: consumer litigation against companies that violate data privacy rights, regulatory enforcement of the GDPR by data protection authorities, and business versus business litigation in a wide range of contexts.

In this article we discuss recent trends with respect to all three categories, focusing on risks for companies handling data.

Consumer litigation

Data-related consumer litigation in Europe is characterised first and foremost by the sheer number of cases that can result from a single data breach or other potential violation of GDPR rules. While in the US data privacy-related class actions against well-known companies have resulted in large settlements, including Facebook’s (now Meta’s) fine of $650m in Facebook Biometric Info. Privacy Litig. and a $380.5m penalty against Equifax in Equifax, Inc. Customer Data Sec. Breach Litig., cases in Europe mostly involve a large number of individuals each bringing a single low-value claim.

Similar to the US, however, these individuals are often represented by specialised plaintiff law firms responsible for a multitude of individual cases, mostly based on article 82 of the GDPR. This provision allows for damages claims by any individual who suffered damage resulting from an infringement of the GDPR against the controller or processor of personal data.

Although plaintiffs have, so far, often had a hard time substantiating their claims for compensation, defending against hundreds or even thousands of individual cases incurs significant administrative costs on the defendant’s side, even without the risks and costs involved in US litigation (because the European legal systems allow only very limited or no discovery). As a result, the ability to handle a large number of parallel cases efficiently is now of paramount importance.

Legal uncertainties regarding the interpretation of ‘damage’ under article 82 of the GDPR have allowed plaintiffs to apply creative theories both on the liability side and for calculating such damages. The May 2023 decision of the Court of Justice of the European Union (CJEU) in UI/Österreichische Post AG exemplifies the effect of the uncertainties that plaintiffs exploit for their cases.

On the one hand, the CJEU clarified the key concepts of liability under the GDPR and pointed out that mere infringement of its provisions is not sufficient to confer a right to compensation. On the other hand, it stated that compensation and particularly non-material damages cannot be subject to the condition that the damage suffered has reached a certain degree of seriousness.

A clear de minimis rule would have stopped a substantial number of cases in their tracks, even if the plaintiffs had been able to demonstrate that the negative consequences of a GDPR infringement resulted in minimal non-material damage. Now, the latter is generally sufficient. Harmonisation of European case law is even more difficult since the exact value of damage has to be determined by national courts through application of their domestic rules.

Further clarification, in particular regarding the concept of ‘non-material damage’, is greatly needed, which is why the German Federal Court of Justice (GFCJ), in September 2023, requested a ruling by the CJEU as to whether negative feelings such as anger, displeasure, dissatisfaction, worry and fear are sufficient to qualify as non-material damage, or whether harm that goes beyond these feelings is necessary.

If the CJEU finds that plaintiffs can claim damages for any emotional distress suffered as a consequence of a GDPR violation, private plaintiffs’ chances of success would increase significantly. In January 2024, however, the CJEU stated that a purely hypothetical risk of misuse by an unauthorised third party cannot give rise to compensation, in particular when no third party became aware of the personal data at issue.

In addition to private plaintiffs, consumer protection associations have made it their goal to enforce the GDPR and other data protection rules. As these cases often come with publicity, they should not be underestimated and can cause significant disruption. The CJEU has already upheld member state rules that allow such associations to litigate even when there is no concrete mandate from an individual – irrespective of whether specific rights of individuals are violated.

There are also civil rights activist plaintiffs like Maximilian Schrems who, supported by non-governmental organisations, address fundamental issues of data privacy law and reassert constitutional rights through targeted litigation against companies. These cases, too, can have significant effects on the marketplace, as the CJEU’s judgments in Schrems I and Schrems II, both cases originally filed against Facebook (Meta), demonstrate. In both cases, the rules governing data transfers between the European Union (EU) and the US had to be rewritten, and past data transfers under the old rules have become highly questionable. Perhaps unsurprisingly, the European Center for Digital Rights announced that Schrems III is already in the works.

Regulatory enforcement

While the damages awarded in consumer litigation cases have yet to grab headlines, the fines set by European data protection authorities have. As such, the GDPR has resulted in significant regulatory risk for companies.

European data protection authorities actively enforce the GDPR, imposing fines running into hundreds of millions of euros. The GDPR allows for a fine of up to €20m or 4 percent of a company’s annual revenue for the preceding year for serious violations. Ireland’s Data Protection Commission issued the largest fine so far, at €1.2bn, against Meta for transferring its user data to the US without sufficient protection from US intelligence agencies.

Significant fines have also been issued to other companies operating in the EU, such as €345m to TikTok and €40m to Criteo. Given the GDPR’s scope and complexity, and its wide range of possible financial penalties, it is advisable for companies to implement an internal framework for continuously monitoring compliance with data protection laws.

It is also important to document any measures taken and why they have been chosen. Such documentation can be relevant to demonstrate that data breaches and other violations could not have been avoided, as the CJEU recently clarified that a fine may be imposed only where it is established that an infringement of the GDPR has been committed intentionally or negligently.

Business vs. business litigation

Litigation between companies for data breaches and, in particular, GDPR violations, is still rare. Disputes can be based on contractual obligations, for example in the context of data storage, outsourcing or cloud computing projects. Depending on the agreed data protection standards, GDPR violations could form a basis for contractual claims. Other potential claims could result from trade secret law and corresponding contractual obligations if the relevant data also fulfils the criteria of a trade secret.

However, private companies could also more generally enforce GDPR compliance against their competitors in the context of competition law. It has been disputed whether and to what extent companies may warn or even sue their competitors under the German law of unfair competition in the event of a data breach. In its decision allowing consumer protection associations to sue, the CJEU left this question open.

In a recent decision, the GFCJ turned to the CJEU to clarify that question. If the CJEU confirms that companies have standing to sue their competitors, this could lead to a significant increase in litigation between companies based on data protection laws.


Jerome Kommer is a partner, Felix Trumpke is counsel and Holger Hiss is an associate at Quinn Emanuel Urquhart & Sullivan, LLP. Mr Kommer can be contacted on +49 89 20608 3000 or by email: jeromekommer@quinnemanuel.com. Mr Trumpke can be contacted on +49 621 43298 6000 or by email: felixtrumpke@quinnemanuel.com. Mr Hiss can be contacted on +49 711 1856 9000 or by email: holgerhiss@quinnemanuel.com.

© Financier Worldwide
