Liability under EU Data Protection Law: From Directive 95/46 to the General Data Protection Regulation

Author:Brendan Van Alsenoy
Liability under EU Data Protection Law
Liability under EU Data Protection Law
From Directive 95/46 to the General Data Protection
by Brendan Van Alsenoy*
© 2016 Brendan Van Alsenoy
Everybody may disseminate this ar ticle by electronic m eans and make it available for downloa d under the terms and
conditions of the Digital P eer Publishing Licence (DPPL). A copy of the license text may be obtain ed at http://nbn-resolving.
Recommended citation: Bren dan Van Alsenoy, Liability under EU Data Protection Law: From Dir ective 95/46 to the General
Data Protection Re gulation, 7 (2016) JIPITEC 271 para 1.
Keywords: Data protection; controller; processor; Directive 95/46; General Data Protection Regulation; GDPR;
Principles of European Tort Law; PETL; liability
ceeds to highlight the main changes brought about
by the General Data Protection Regulation. Through-
out the article, special consideration is given to the
nature of the liability exposure of controllers and pro-
cessors, the burden of proof incumbent upon data
subjects, as well as the defences available to both
controllers and processors.
Abstract: This article analyses the liability ex-
posure of organisations involved in the processing of
personal data under European data protection law.
It contends that the liability model of EU data pro-
tection law is in line with the Principles of European
Tort Law (PETL), provided one takes into account the
“strict” nature of controller liability. After analysing
the liability regime of Directive 95/46, the article pro-
A. Introduction
Practically every organisation in the world processes
personal data. In fact, it is difcult to imagine a
single organisation which does not collect or store
information about individuals.1 European data
protection law imposes a series of requirements
designed to protect individuals when their data are
1 Under EU data protection law, “personal data” is dened
as “any information relating to an identied or identiable
natural person (‘data subject’) […]” (see art. 2(a) Directive
95/46; art. 4(1) GDPR). “Processing“ is dened as “any
operation or set of operations which is performed upon
personal data, whether or not by automatic means, such
as collection, recording, organization, storage, adaptation
or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available,
alignment or combination, blocking, erasure or destruction”
(art. 2(b) Directive 95/46; art. 4(2) GDPR).
being processed.
European data protection law also
distinguishes among different types of actors who
may be involved in the processing. As far as liability
is concerned, the most important distinction is the
distinction between “controllers” and “processors”.
The controller is dened as the entity who alone, or
jointly with others, “determines the purposes and
means” of the processing.3 A “processor”, on the
other hand, is dened as an entity who processes
personal data “on behalf of” a controller.4 Together,
these concepts provide the very basis upon which
2 P. De Hert and S. Gutwirth, “Privacy, data protection and law
enforcement. Opacity of the individual and transparency of
power”, in Claes, Duff and Gutwirth (eds.), Privacy and the
Criminal Law (Intersentia, 2006), p. 76. See also R. Gellert,
“Understanding data protection as risk regulation”, Journal
of Internet Law 2015, p. 3-16.
3 Art. 2(d) Directive 95/46; art. 4(7) GDPR.
4 Art. 2(e) Directive 95/46; art. 4(8) GDPR.
Brendan Van Alsenoy
responsibility for compliance is allocated. As a result,
both concepts play a decisive role in determining the
liability exposure of an organisation under EU data
protection law.5
2 For almost 15 years, Directive 95/46 stood strong as
the central instrument of data protection regulation
in the EU.6 In 2010, however, the Commission
announced that the time for revisions had come.7
The Commission considered that while the objectives
and principles underlying Directive 95/46 remained
sound, revisions were necessary in order to meet
the challenges of technological developments and
globalisation.8 A public consultation conducted in
2009, revealed concerns regarding the impact of
new technologies, as well as a desire for a more
comprehensive and coherent approach to data
protection.9 During the consultation, several
stakeholders also raised concerns regarding the
concepts of controller and processor.10 Various
solutions were put forward, ranging from minor
revision to outright abolition of the concepts. In the
end, the EU legislature opted to retain the existing
concepts of controller and processor in the General
Data Protection Regulation (GDPR).11 Notable
5 Unfortunately, the distinction between controllers and
processors is not always easy to apply in practice. For a
more detailed discussion see B. Van Alsenoy, “Allocating
responsibility among controllers, processors, and
“everything in between”: the denition of actors and roles
in Directive 95/46/EC”, Computer Law & Security Review 2012,
Vol. 28, p. 25-43.
6 The European Commission assessed its implementation
in 2003 and 2007, both times concluding there was no
need for revisions. See COM (2003) 265, “Report from
the Commission - First Report on the implementation of
the Data Protection Directive 95/46/EC)”, at 7 and COM
(2007)87, “Communication on the follow-up of the Work
programme for a better implementation of the Data
Protection Directive”, p. 9.
7 COM(2010) 609, “A comprehensive approach on personal
data protection in the European Union”, p. 2.
8 Ibid, p. 3.
9 COM(2010) 609, “A comprehensive approach on personal
data protection in the European Union”, p. 4.
10 See e.g. Information Commissioner’s Ofce (ICO), “The
Information Commissioner’s response to the European
Commission’s consultation on the legal framework for the
fundamental right to protection of personal data” (2009),
p. 2-3; International Chamber of Commerce (ICC), ICC
Commission on E-business, IT and Telecoms, “ICC Response
to the European Commission Consultation on the Legal
Framework for the Fundamental Right to Protection
of Personal Data” (2009), p. 4; Bird & Bird, “Response to
European Commission Consultation on the Legal Framework
for the Fundamental Right to Protection of Personal Data”
(2009), at paragraph 19 and European Privacy Ofcers
Forum (EPOF), “Comments on the Review of European Data
Protection Framework” (2009), p. 5.
11 The denitions of controller and processor contained in
the GDPR are quasi identical to the denitions contained
in Directive 95/46. Only minor linguistic edits were made,
none of which brought about a substantive change to the
changes were made however, with regards to the
allocation of responsibility and liability among the
two types of actors.
The aim of this article is two-fold. First, it seeks
to clarify the liability exposure of controllers and
processors under EU data protection law. Second,
it seeks to highlight the main differences between
Directive 95/46 and the GDPR regarding liability
allocation. The article begins by analysing the
liability regime of Directive 95/46. The primary
sources of analysis shall be the text of the Directive
itself, its preparatory works, and the guidance issued
by the Article 29 Working Party. Where appropriate,
reference shall also be made to the preparatory works
of national implementations of the Directive (e.g. the
Netherlands, Belgium), as a means to supplement the
insights offered by the primary sources. Last but not
least, the Principles of European Tort Law (PETL), as
well as national tort law, will be considered for issues
not addressed explicitly by Directive 95/46.
second part of this article will analyse the liability
regime of the GDPR. Here too, the analysis shall be
based primarily on the text of the GDPR itself, its
preparatory works, and the Principles of European
Tort Law.
B. Directive 95/46: a “strict”
liability regime for controllers
Under Directive 95/46, a controller is, as a matter
of principle, liable for any damages caused by the
unlawful processing of personal data. Article 23(1)
stipulates that Member States must provide that
the controller shall be liable towards data subjects
for any damages suffered as a result of an unlawful
processing operation. A controller may be exempted
from liability, however, in whole or in part, “if he
proves that he is not responsible for the event
giving rise to the damage” (article 23[2]). Directive
95/46 does not contain any provisions regarding
the liability exposure of processors. While article 16
stipulates that processors may only process the data
in accordance with the instructions of the controller,
the Directive does not explicitly allocate liability in
case of a disregard for instructions.
12 It should be noted that, as an academic piece, the PETL do
not enjoy legal authority as such. Nevertheless, the PETL
offer an interesting frame of reference when assessing any
regulation of liability at European level, as they reect what
leading scholars have distilled as “common principles” for
European tort law liability. For additional information see

To continue reading

Request your trial