In the US, it is quite common to sign a waiver for almost everything, from parking at your local bakery to the garden where children play. The disclaimer indicates that you assume the risk of the activity and agree not to sue the facilitating company in the case of any damage. Americans have an appetite for suing, and participate in class-action suits when damage occurs.
Probably in a few years, the litigation landscape in Europe will change, as interactions with the regulator will become similar to the types of interactions businesses have with financial regulators.
High cost to the organisation
Still, Europe has not experienced the same conditions that American courts have. However, the EU GDPR establishes an increased private right of action for violations of the law, for both material and non-material damage caused by the Board, Management and Data Controllers.
The data subject can sue for compensation based on the damage suffered and the alleged grievance, often as a “follow-on” to data protection authorities’ investigations. The court decides on the damages depending on the sympathy of the case (if a child is involved, always settle), the apparent use, misuse or abuse of the data, and the size of the breach.
From how the data is processed to monetary compensation
In Europe, courts do not compensate for immaterial, emotional damages except under extreme circumstances, and even then the amounts are substantially lower than in the US. However, suppose the data subject can convince the court that their data was processed unlawfully, causing damage for life. In that case, the GDPR mandates that the data subject be compensated for immaterial damages. This precedent can be a litigation feast for consumer protection lawyers.
Scenario I: If there is a case of unlawful data processing involving a data breach where thousands or even millions of individuals are potentially affected, lawyers can assemble a class of people to file a case. Litigation funders are available in Europe to advertise the breach on websites, seeking out individuals to be part of the affected group and get a share of the cashout.
Scenario II: The other trend is the “follow-on” claims — claims brought based mainly on a regulatory finding and seeking private damages. That has changed both the organization’s risk appetite in its decision to accept or appeal a DPA’s fine, as well as the relationship between the organization and the DPA in talks leading up to a fine. Organizations will scrutinise the regulatory text for findings that could provide the basis for civil litigation. The result is to appeal even if the fine is comparatively low, because of the follow-on damages.
Scenario III: Before a regulator decides on a potential fine, the authority takes the trouble of investigating: gathering the disclosure and discovery, interviewing witnesses and collecting the evidence. The case is then “liability ready-baked” as a follow-on case.
Document and Demonstrate compliance for adequate measures
Article 5, Paragraph 2 of the GDPR states that the data controller must be in a position to document and prove it processed personal data in a manner that is compliant with the GDPR, which essentially shifts the burden of proof from the data subject to the wrongdoer. The GDPR shifts the burden of proof in procedures and processes.