Types of liability
Now that we have looked at the sources of obligations under GDPR, there are three different forms of liability which can arise, and each of these has to be considered separately:
- First, both Controllers and Processors can now be directly liable for fines for breach of GDPR (whereas previously only Controllers were liable). These fines are in theory limited by reference to turnover (either (i) to 4% of total worldwide turnover or €20 million, whichever is greater, for certain breaches, including breaches of Articles 5 and 7; or (ii) to 2% of turnover or €10 million, whichever is greater, for other breaches including of Article 32). However, in practice, these fines are often viewed as involving large enough sums to be troubling and to need limiting. While many contracts seek to include such fines within the caps/limitations of liability, there is doubt as to how effective that would be in practice, for reasons we will discuss below.
- In addition, both Controllers and Processors can also be subject to direct claims made by data subjects for breaches of GDPR obligations. There is no need for claimants to prove financial loss; mere distress is sufficient. GDPR also makes group litigation easier, and the risk of group litigation is real, the Morrisons decision in the UK being a notable recent example. There is no limit to such claims, but each party can effectively try to limit its exposure by having the other party indemnify it for loss suffered as a result. We will also consider below how effective these indemnities are.
- Controllers and Processors can also face contractual liability from the other party under the express additional terms of the contract dealing with data protection. Given these obligations are created by the contract, they can also be limited or excluded by other provisions of the contract, and such limitations will generally be effective.
Articles 82 and 83 of the GDPR respectively give data subjects the right to receive compensation if they have suffered material or non-material damage as a result of a GDPR infringement, and give the Supervisory Authorities the ability to levy fines based on the Controller’s and Processor’s conduct. This is one of two reasons for addressing each type of liability separately, and for the complexity of the legal position. The second reason is a legal principle which goes by a Latin moniker – “ex turpi causa non oritur actio” – which means that someone cannot raise a claim against another based on their own misdeeds. Taken together, this means that while the contractual caps and exclusions will have a bearing on the allocation of liability, they won’t necessarily have the final word.
- In relation to Article 82, this states that persons who have suffered damage as a result of a GDPR infringement can bring a claim to receive compensation from the Controller or Processor. While the primary obligation is on the Controller, the Processor can also be held liable if it has not complied with its specific GDPR obligations or has acted outside the lawful instructions of the Controller (which is why it is particularly important to define such instructions clearly). As, under GDPR, the claim should follow the blame, any indemnity which tries to limit liability or pass it to the other party when the first party was in fact to blame does not sit well with Article 82 and (if the claim is based on a party’s deliberately or negligently wrongful acts) offends the “ex turpi causa” doctrine, and therefore runs the risk of being unenforceable. This is not to say that such indemnities should not be included, but rather that it is an open question whether courts would give effect to them other than in circumstances where the claim being indemnified has been caused by the indemnifying party, or is one for which the indemnifying party has accepted responsibility elsewhere under the contract.
- Similarly, when it comes to fines pursuant to Article 83, under GDPR these should also be based on conduct. Therefore, it is to be expected that the Supervisory Authority will issue fines which take into account which party has been at fault. In such cases, there will be limited grounds for seeking to recover the fines from the other party – perhaps only where the Controller can claim that it was not at fault and has still been fined, such as where the Controller outsources to the Processor something which is ultimately the Controller’s responsibility under GDPR (e.g. a mechanism for delivering privacy notices). As such, seeking to limit exposure to fines or to expressly include fines as being recoverable from the other party as direct losses may not give the complete comfort it would seem to offer.
Therefore, while caps/exclusions of liability for the discretionary obligations are legitimate and likely to be upheld, there is more doubt about exclusions/indemnities for fines and data subject claims levied in relation to breaches of the type 1 or type 2 obligations outlined above. That said, such provisions do no harm and will apply in a limited sub-set of scenarios, so they are worth including; but it would be unwise for someone negotiating them to express confidence that they will fully limit that party’s liability in circumstances where the party itself has been at fault.