145. OUTLINE – The GDPR has introduced a number of important clarifications and changes when it comes to liability under EU data protection law. The main principles underlying the liability model have, however, essentially remained the same. To provide a comprehensive account of the liability exposure of controllers and processors, both the liability regime of Directive 95/46 and the liability regime of the GDPR shall be analysed.
146. RELEVANT SOURCES – The main sources used for the analysis are the texts of Directive 95/46 and the GDPR, their preparatory works and the guidance issued by the Article 29 Working Party. Where appropriate, however, reference shall also be made to the preparatory works of national implementations of Directive 95/46 (e.g. the Netherlands, Belgium), as a means to supplement the insights offered by the primary sources. Last but not least, the Principles of European Tort Law (PETL), as well as national tort law, are also considered for issues not addressed explicitly by Directive 95/46 or the GDPR.
DIRECTIVE 95/46: “STRICT” LIABILITY FOR CONTROLLERS
147. BASIC PRINCIPLE – Under Directive 95/46, a controller was, as a matter of principle, liable for any damages caused by the unlawful processing of personal data. Article 23(1) of Directive 95/46 stipulates that Member States must provide that the controller shall be liable towards data subjects for any damages suffered as a result of an unlawful processing operation. A controller could be exempted from liability, however, in whole or in part, if he proved that he was “not responsible for the event giving rise to the damage” (Article 23(2)). Directive 95/46 does not contain any provisions regarding the liability exposure of processors. While Article 16 stipulates that processors may only process the data in accordance with the instructions of the controller, the Directive does not explicitly allocate liability in case of a disregard for instructions.
A. The nature of controller obligations
148. “MEANS” OR “RESULT” – To properly understand the liability exposure of controllers, it is necessary to first understand the nature of controller obligations. Directive 95/46 imposes a variety of obligations upon controllers. In certain instances, the obligations specify a result to be achieved (e.g. “personal data must be collected for legitimate purposes and not further processed in a way incompatible with those purposes”). In other instances, the obligations are specified as an obligation to make reasonable efforts to do something (“obligation of means”).