July 24, 2024
The GDPR's Private Right of Action
The GDPR has a broad private right of action for individuals and groups, putting a lot of pressure on organizations to stay in compliance.

It’s a big question for organizations: Can we be sued privately for violating the EU’s General Data Protection Regulation (GDPR)?

The short answer is: Yes, the GDPR creates a private right of action for data subjects whose privacy rights were violated. It also specifically allows people to litigate as a group, similar to a class-action lawsuit in the United States. In many ways it's a broader private right of action than the one found in the California Consumer Privacy Act (CCPA), though there is some nuance to the issue. There are also some details that are still being worked out by courts.

The Right to Compensation

The GDPR clearly sets up a private right of action for individuals in the following three articles:

  • Article 82 - Creates a right to compensation for data subjects for any “material or non-material damage as a result of an infringement.”
  • Article 79 - Data subjects have a right to an effective judicial remedy for an infringement of their rights. Cases can be brought either in the courts of the country where the data subject resides or in a country where the controller or processor has an establishment.
  • Article 80 - Data subjects may mandate a nonprofit organization to litigate on their behalf, which opens up the possibility of group litigation. Article 80 also states that member states may allow such nonprofits to file complaints with data protection authorities independent of any mandate from individual data subjects.

The takeaway is that data subjects can sue an organization for violating any of their GDPR rights, and can receive monetary compensation for those violations. However, this compensation is likely limited to actual damages suffered. In most cases that probably won’t be too great an amount, though in some situations such as a data breach, it could rise significantly. Because the costs of litigation would be prohibitive in most circumstances, data subjects can band together and have their case litigated jointly by a nonprofit group.

(Note: The issue of damages is entirely separate from the administrative fines that can be imposed by a country’s data protection authorities, which can go as high as €20 million or 4% of a company’s annual turnover, whichever is higher.)

This setup differs from the CCPA's private right of action in a couple of ways. First, it is much broader. The CCPA only allows consumers to sue businesses for violations related to a data breach; the GDPR allows data subjects to sue for any violation. However, the GDPR right to compensation is limited to actual damages, while the CCPA provides for the recovery of actual damages or statutory damages of up to $750 per consumer per incident.

Issues to Watch

While the GDPR does contain a private right of action, there is still some uncertainty over how it will work. At the root of this uncertainty is the fact that the GDPR is enforced internally by the data protection authorities and courts of each member nation of the European Economic Area and the United Kingdom. That’s 31 different countries with 31 different legal systems. In some of these nations, it is not yet clear if some additional local legislation is required to create a private right of action. Additionally, many important aspects of GDPR class-action lawsuits, such as what constitutes an appropriate forum and what a nonprofit group must show to demonstrate it has the mandate of data subjects, are still being litigated. The courts of different countries may also come to different conclusions, further complicating the issue.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
