'Compensation for Breach of the General Data Protection Regulation' by Eoin O'Dell
comments
Article 82(1) of the General Data Protection Regulation (GDPR) provides that any "person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered". As a consequence, compliance with the GDPR is ensured through a mutually reinforcing combination of public and private enforcement that blends public fines with private damages.
The first part of this article compares and contrasts Article 82(1) GDPR with compensation provisions in other EU Regulations and Directives and with the caselaw of the CJEU on those provisions, and concludes that it is not clear that Article 82(1) GDPR is directly horizontally effective though the Court (eventually, if and when it is asked) is likely to interpret it broadly. This means that the safest course of action at this stage is to provide expressly for a claim for compensation in national law. The second part of this article compares and contrasts the compensation provisions in the Irish government's General Scheme of the Data Protection Bill 2017 with existing legislation, and concludes that the Heads of the Scheme do not give full effect to Article 82(1) GDPR. Amendments to the Scheme are therefore proposed.
Claims for compensation are an important part of the enforcement architecture of the GDPR. Private enforcement will help to discourage infringements of the rights of data subjects; it will make a significant contribution to the protection of privacy and data protection rights in the European Union; and it will help to ensure that the great promise of the GDPR is fully realised.
'The Dynamic Effect of Information Privacy Law' by Ignacio Cofone in (2017) 18
Minnesota Journal of Law, Science and Technology 517
argues
Discussions of information privacy typically rely on the idea that there is a tradeoff between privacy and availability of information. But privacy, under some circumstances, can lead to creation of more information. In this article, I identify such circumstances by exploring the ex ante incentives created by entitlements to personal data and evaluating the long-term effects of privacy. In so doing, I introduce an economic justification of information privacy law.
Under the standard law and economics account, as long as property rights are defined and transaction costs are low, initial right allocations should be irrelevant for social welfare. But initial allocations matter when either of these two conditions is absent. Allocations also matter for production of goods that do not yet exist. Personal information has these characteristics. While the costs of disseminating information are low, transaction costs to transfer an entitlement over it are not. In addition, availability of information requires disclosure – and thereby imposes costs. This analysis challenges the traditional economic objection to information privacy and provides a new justification for privacy rules by casting them as entitlements over personal information.
The approach I develop here provides a framework to identify which types of information ought to be protected and how privacy law should protect them. To do so, it analyzes the placement and optimal protection of personal information entitlements while also examining the commonalities between information privacy and intellectual property. At a more abstract level, it sheds light on the desirability of a sectoral versus an omnibus information privacy law.
