Liability of private parties for data protection breaches

by Tobias Jacquemain
//The data protection law provides those affected a right to compensation. In practice, however, this right rarely applies. Criteria for assessing damages are problem areas that can reduce the existing sanction deficit in data protection.

I. Regulatory mechanisms are only complementary

The applicable data protection law is based on the idea of protecting individuals from risks in connection with data processing. If no consequences are to be expected for the party responsible in the event of unlawful action, the mandatory character of the provisions will be rendered null and void. For this reason, both European law and German data protection law provide for legal remedies, liability and sanctions.

Two trends can be identified in the amendment of data protection law and the drafting of the GDPR regarding the legal consequences: Penalties increase enormously and the individual whose rights have been violated is strengthened. The instruments for law enforcement have become more extensive, but from a private law point of view they have only grown gradually. The fine for administrative offences is and remains the classic sanction.

II. No compensation without damage

Data protection creates an even greater level of protection by protecting the privacy of individuals. The idea of self-determination represents the necessary link between the ideological and commercial sides of data protection law as a general right of personality.1

1. What is the damage that can be compensated for?

For a long time now, the protective purpose of data protection law has no longer been limited to the protection of ideological values but is also directed towards the balancing of economic interests. The same applies to the right of informational self-determination as it does to the general right of personality, which now encompasses the individual’s financial interests as well as his ideal interests.2

When dealing with personal data, financial interests are often even at the forefront. Due to the development of the digital world, in which personal data represent a kind of currency and thus an economic object of exchange, the individual no longer acts only as a “person”, but also as a market participant, especially when it comes to data disclosure.

a) Material damage

In the case of financial losses, the person negatively affected can claim this compensation in the form of an ascertainable amount of money under civil law. Negative changes in the fictitious property status as a result of unlawful personal data are conceivable. For example, the banking industry, since it already brings with it a pecuniary determinability from its business model.

b) Intangible losses

aa) Missing assessment criteria in data protection law

In most cases of non-compliance with data protection obligations, a violation of a fundamental right remains the sole case. The greatest difficulty lies in the pecuniary recording of such damage. The legislative efforts to achieve EU-wide coherence (EC. 8 EC DPD and EC. 10 GDPR) require a handling of the claim for damages in private data protection law that is as uniform as possible. In the interests of a Union-wide uniformity it would be desirable to have concrete requirements in the form of guidelines, communications or even legal acts.

bb) Violation of data protection = unauthorised commercialisation of personal data?

Firstly, intangible damages need to become measurable. Informational self-determination not only protects against the disclosure of one’s own data, but also against their commercialisation by third parties. The unauthorised commercialisation of personal data by a private data-processing body constitutes material damage due to the resulting impairment of the commercial interest of the right to informational self-determination. Consequently, damages resulting from data protection offences can sometimes be recorded as compensable financial losses that can be precisely measured. The pecuniary value of a personal date in a commercially motivated case of infringement is therefore the damage that can be compensated. In addition, the idealistic interests of the data subject’s right to the protection of his personal data may also be violated, leading to a claim for intellectual property damages.

cc) Assessment criteria for violations of privacy resulting from data protection violations

A remaining option is to classify it as a violation of exclusively idealistic interests of the tortuously protected right of personality. The question as to whether every violation of data protection law automatically means a violation of the general right of personality3 is closely related to the question as to whether only serious violations of this kind are eligible for compensation. As only the damaging infringement of the GDPR is sufficient for a claim, the intensity of the impairment is relevant solely for determining the amount of compensation and not for the recognition of a claim for damages. The damage eligible for compensation under the GDPR should exceed a minimum4. Possible criteria for the severity are the scope of those who gain knowledge of the infringement, but also by the duration of the impairment, the fault of the aggrieved party and above all by the context of the data processing.5 The consequence of higher monetary compensation for more serious infringements indicates that an ordinal classification of the infringement is possible with the help of such guidelines. A maximum objective would be the determination by a table of compensation amounts for data protection violations based on case law. Finally, the amount of monetary compensation for immaterial damages must also satisfy preventive claims in accordance with the function of liability in private data protection law.

III. Conclusion

The lack of successfully enforced claims for damages can certainly not be traced back to the complete compliance with all data protection requirements. Individual law enforcement is virtually non-existent in data protection law while official law enforcement is generally considered to be ineffective.

The theoretical achievements of liability law meet with its inadequacies in legal practice. Oftentimes, only infringements in media law meet the criteria for severity. If the value of personal data in the unlawful commercialisation of personal data represents the recoverable material damage, it will still not reach a significant level for the individual which would make enforcement appear economically viable. The further the commercialisation of data progresses, the more the economic value contained in the information will also represent the ideal dimension. A higher valuation of the compensable appears to be necessary. If the antitrust character in the increase of fines, could also be transferred to private law, noticeable amounts of compensation would accrue to private bodies. As a result, individual legal protection can only have a modest preventive effect. Therefore, the enforcement of private law usually fails because of the effort required, but at the latest because of the costs incurred.

Dr. Tobias Jacquemain, LL.M.
– Lawyer
– Research Assistant at the German Association for Data Protection and Data Security (GDD)
– Assistant lecturer at the University of Cologne and at the University of Applied Sciences Cologne
– Expert of the Landtag NRW on the adaptation of the national data protection law to the European data protection law (2018)
– Winner of the GDD Science Award 2017
– Publications on different aspects of data protection law and data protection practice


1 Graf von Westerholt, Wettbewerbsrecht und Datenschutzrecht – Ein ungeklärtes Verhältnis, in: Straus (Hrsg.), Aktuelle Herausforderungen des geistigen Eigentums: FS für Beier, 1996, 561 (567).

2 Dualism of the right to private life to eqully protect idealistic as well as financial interests: Söder, in: Gersdorf; Paal (Hrsg.), Beck’scher OK Informations- und Medienrecht, 2015, § 823 BGB, Rn. 127; Hubmann, Das Persönlichkeitsrecht, 1967, 133f., 283 f. BGH, Urteil v. 20.3.1968, NJW 1968, 1773 (1774) – Mephisto; BGH, Urteil v. 8.5.1956, BGHZ 20, 346 – Paul Dahlke.

3 BGH, Urteil v. 22.5.1984, BGHZ 91, 233 (239 f.) – AEG-Aktionär: „Jede durch das Bundesdatenschutzgesetz nicht gedeckte Übermittlung personenbezogener Daten stellt eine Verletzung dieses Rechts [das allgemeine Persönlichkeitsrecht des Klägers] dar.“ (‘Each data transfer wich is not covered by data protection law is equally an infringement of the general right of personality’)

Different interpretation by Klippel, Deliktsrechtliche Probleme des Datenschutzes, BB 1983, 407 (414); Ehmann, Informationsschutz und Informationsverkehr im Zivilrecht, AcP 188 (1988), 230 (378) referring to BGH, Urteil v. 17.12.1985, NJW 1986, 2505 – Zulässige Speicherung personenbezogener kreditrelevanter Daten über Ein-Mann-GmbH-Gesellschafter.

Weighting of interest required by Buchner, Informationelle Selbstbestimmung im Privatrecht, 2006, 300.

4 Interpretation of damage according to EU law by Oskierski, Schadensersatz im Europäischen Recht, 2010, 385.

5 Criteria to evaluate infringement of the Right to Data Protection by Jacquemain, Der deliktische Schadensersatz im europäischen Datenschutzprivatrecht, 2017, 328 ff.