Private GDPR legal action: What you need to know

We hear a lot about the fines issued against companies for violating the GDPR. But the law also allows for private legal cases—and not just for data breaches, but for non-compliance with EU cookies rules, transparency obligations, and more.

Here’s what you need to know about private legal claims under the GDPR.

GDPR: Routes to Legal Action

There are two main GDPR provisions that can lead to legal action:

• A private legal case (Article 82)
• Administrative fines brought by a Data Protection Authority (Article 83)

We’ll be focusing on the latter of these two mechanisms.

The GDPR’s right to compensation (damages) imposes liability on controllers who have caused damage by processing personal data in violation of any part of the GDPR.

A processor can also be liable for GDPR-related damage, but only if it fails to comply with the GDPR’s direct obligations on processors, or fails to comply with a data processing agreement.

Material and Non-Material Damage

Article 82 of the GDPR says:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

So, under the GDPR, data subjects may sue if they have suffered “material or non-material damage.” But what do these terms mean?

Material damage means a loss of money or property.

Non-material damage normally means distress. However, there are some ongoing cases that will test the definition of “non-material damage” under the GDPR.

A German court, for example, recently referred a case to the Court of Justice of the European Union (CJEU) to find out whether there is a minimum threshold of “non-material damage” required to bring a case under the GDPR.

In the U.K., a case called Lloyd v. Google will soon be decided by the Supreme Court. The case alleges that Google collected the personal data of around 4 million iPhone users without consent. The “non-material damage” in Lloyd is the “loss of control” of personal data in itself. There is no allegation that any of the claimants suffered distress or other losses.

Legal Claims via Non-Profits

Under Article 80 of the GDPR, non-profit groups can bring private GDPR claims—either independently or on behalf of a specific data subject or group of data subjects.

There are several such claims currently taking place across the EU. For example, Digital Rights Ireland is suing Facebook over its 2021 data breach, and the Dutch market research group SOMI filed a case against TikTok in June 2021.

Examples of GDPR Legal Claims

The most high-profile privacy-related legal claims normally relate to data breaches. For example, British Airways is facing a class action from around 16,000 customers who fell victim to a 2018 data breach, seeking around $2,724 each from the airline.

But other GDPR violations are also leading to legal action.

• Rumbul v. Salesforce and Oracle: A class action against tech firms Oracle and Salesforce alleging that the companies failed to earn consent before setting third-party cookies. The two firms face a similar action from non-profit The Privacy Collective in the Netherlands.
• McCann v. YouTube: Campaigner Duncan McCann claims Google has illegally processed the personal data of every YouTube user under 13—and is seeking up to $2.5 billion.
• A Child v. TikTok: A 12-year-old girl is suing TikTok over its alleged failure to verify her age before using the platform.