The Inadequacy of Current Remedies for Violation of Data Subjects’ Rights and How to Fix it

  • Alexander Savelyev, National Research University Higher School of Economics
Keywords: privacy, data protection, compensation, moral harm, effective remedy, statutory damages

Abstract

The paper focuses on civil law remedies for violations of data subjects’ rights: claims for damages and claims for compensation of moral harm. Based on an analysis of academic literature, as well as of Russian and international case law, it is argued that, although these remedies are endorsed by the GDPR and other laws, they are inadequate and do not conform to the requirements for an “effective remedy” stipulated by major international legal documents on human rights. The main reasons are: 1) difficulties in proving the fact and the amount of a legally recognized category of damage because the typical consequences of data privacy violations (e.g. the chilling effect caused by dataveillance, negative emotional reactions, etc.) are not considered legally significant by the courts; 2) inability to prove with a substantial degree of certainty a causal link between the violation and the damage incurred because such damage occurs remotely and within complex flows of data. This produces an imbalance in the enforcement of data protection laws so that public law remedies such as administrative fines predominate. This approach is not compatible with the goals of empowering the individual and ensuring control over usage of one’s data because there cannot be effective control without an effective remedy to enforce it. In practice this leads to under-enforcement of data protection laws because under-resourced data protection authorities cannot address most of the violations that pertain to data protection. A new type of remedy that would resemble the statutory damages applicable to copyright infringement in some jurisdictions should be introduced. Its punitive and decentralized nature would become an additional incentive for data controllers to invest in compliance with data protection laws.
From a long-term perspective, it may facilitate including individuals in management of their personal data, without which it would be impossible to effectively address the risks brought about by massive and ubiquitous data processing and algorithmic decision-making.

Author Biography

Alexander Savelyev, National Research University Higher School of Economics

Associate Professor

Published
2020-11-04
How to Cite
Savelyev, A. (2020). The Inadequacy of Current Remedies for Violation of Data Subjects’ Rights and How to Fix it. Legal Issues in the Digital Age, 2(2), 24-62. https://doi.org/10.17323/2713-2749.2020.2.24.62