The GDPR does purport to allow data subjects to bring private rights of action. Likewise, certain implementations of the ePrivacy Directive, like the Privacy and Electronic Communications Regulations, allow for private rights of action under certain circumstances.[1] That said, there is some debate about whether certain Member States’ national systems require the enactment of domestic legislation to officially create or grant the ability of a private individual to enforce the GDPR within the national court system. In any event, any private action based on failure to comply will likely be limited to “compensation for the damages suffered,” since administrative fines (including fines based on percentages of revenue under the GDPR) may only be sought by supervisory authorities.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. See https://ico.org.uk/for-organisations/guide-to-pecr/complaints/ (“If someone suffers damage because you breached PECR, they can also make a claim against you in court for compensation under regulation 30, without involving the ICO.”).