from PART II - STATE OF THE ART
Published online by Cambridge University Press: 26 June 2019
145. OUTLINE – The GDPR has introduced a number of important clarifications and changes when it comes to liability under EU data protection law. The main principles underlying the liability model have, however, essentially remained the same. To provide a comprehensive account of the liability exposure of controllers and processors, both the liability regime of Directive 95/46 and the liability regime of the GDPR shall be analysed.
146. RELEVANT SOURCES – The main sources used for the analysis are the texts of Directive 95/46 and the GDPR, their preparatory works and the guidance issued by the Article 29 Working Party. Where appropriate, however, reference shall also be made to the preparatory works of national implementations of Directive 95/46 (e.g. the Netherlands, Belgium), as a means to supplement the insights offered by the primary sources. Last but not least, the Principles of European Tort Law (PETL), as well as national tort law, are also considered for issues not addressed explicitly by Directive 95/46 or the GDPR.
DIRECTIVE 95/46: “STRICT” LIABILITY FOR CONTROLLERS
147. BASIC PRINCIPLE – Under Directive 95/46, a controller was, as a matter of principle, liable for any damages caused by the unlawful processing of personal data. Article 23(1) of Directive 95/46 stipulates that Member States must provide that the controller shall be liable towards data subjects for any damages suffered as a result of an unlawful processing operation. A controller could be exempted from liability, however, in whole or in part, if he proved that he was “not responsible for the event giving rise to the damage” (Article 23(2)). Directive 95/46 does not contain any provisions regarding the liability exposure of processors. While Article 16 stipulates that processors may only process the data in accordance with the instructions of the controller, the Directive does not explicitly allocate liability in case of a disregard for instructions.
CONTROLLER LIABILITY
A. The nature of controller obligations
148. “MEANS” OR “RESULT” – To properly understand the liability exposure of controllers, it is necessary to first understand the nature of controller obligations. Directive 95/46 imposes a variety of obligations upon controllers. In certain instances, the obligations specify a result to be achieved (e.g. “personal data must be collected for legitimate purposes and not further processed in a way incompatible with those purposes”). In other instances, the obligations are specified as an obligation to make reasonable efforts to do something (“obligation of means”).