RGPD: Beware of damages claimed in court

NOYB (none of your business), an NGO that is behind the action against Facebook and the Privacy Shield ruling, has just obtained in Belgium the right to represent consumers and citizens in court. It is therefore useful to recall that organizations, SMEs, NPOs, self-employed and here also the public sector, are also at risk of being ordered to pay damages in court for non-compliance with the GDPR.

We often talk about the fines, which can be significant, but we often forget that the risks are not limited to the fines. It is less often mentioned that the publication of the sanction can obviously damage the reputation of the organization. But we forget that it is also possible to obtain damages in court, especially in the context of collective actions. It is therefore necessary to recall the risks faced by ALL organizations, but also by SMEs, self-employed persons and liberal professions.

And these risks are real, because in my professional practice as DPO, trainer for DPO, CEO of GDPRfolder and advising organizations, large and small, in the public and private sectors, I notice that many of them are not yet in compliance and for some of them they have simply decided to do nothing or to do the bare minimum.

However, the risks are important and it is worthwhile to remind them.

We don't talk about it much, but the number of complaints is very important, even in Belgium. Indeed, lodging a complaint is free of charge, does not require the services of a lawyer and can be done in a few minutes by filling in a form on the website of the data protection authority. The complaint will be the basis for a control by the data protection authority, which may lead to a sanction.

Certainly the fines, which are potentially important because they can go up to 20 million € and even exceed this amount for large companies because they can go up to 4% of annual turnover. And if in Europe the amounts are in the hundreds of millions of euros, unfortunately the Belgian authority, for reasons more political than of defense of consumers and citizens, has imposed only very low fines, which is totally counterproductive to the role of the authority which is to convince, by all means, the organizations and independent to comply with the RGPD

Indeed, how can you convince an ASBL, for example, to put itself in order when the highest fine in this sector was 1.000€. How can you not understand that NPOs prefer not to spend money on advice or IT solutions that are often more expensive than the maximum fine? When the gendarme is not scary, why respect the law?

Another surprising Belgian feature is that the fines do not apply to the public sector. This discrimination, condemned by all legal experts for its lack of legal justification, and which is now the subject of an appeal, has obviously not prompted all public sector actors to comply. I even heard a senior official of an administration declare that since there were no sanctions, the RGPD "is not really a priority".

It is obvious that your customers, subscribers, members, prospects, etc. would not be pleased to see you pinned down by the data protection authority. The indirect consequence can be a loss of current or future customers. Moreover, your competitors will not fail to make it known, especially if they have been careful enough to comply with the rules. Not to mention that the press and social networks are fond of this kind of incidents.

It is too often forgotten, but apart from the sanctions of the data protection authority, citizens and consumers can also file a lawsuit and claim damages. Of course, this kind of procedure is rare, because it requires the use of a lawyer and entails costs that could be higher than the amount of damages.

But we must not forget that collective actions are possible, and for example, Test-Achats has started an action of this type against Facebook by representing many consumers. The advantage of these collective actions is that the legal fees are shared by all the consumers who join together, and therefore this type of action will obviously develop.

The recent decision to grant NOYB the right to bring class actions reminded us that this type of action is not only theoretical. And when we know that NOYB has already recently filed a complaint against some Belgian companies that did not respect the decision of the European Court of Justice prohibiting the transfer of personal data to the USA, the risk is real - and they have published this information on their website insisting on the possibilities that this recognition offers them to ask for millions of euros on behalf of the consumers they will defend.

Class actions, which are very numerous in Anglo-Saxon countries, are not well known in Belgium. We can safely bet that if NOYB has requested and obtained the right to file class actions in Belgium, it is to use it.

And while the public sector is temporarily immune from fines, there is no reason why a class action should not be directed at a public sector actor and an award of damages is therefore entirely possible.

What else can you recommend, other than, in the face of these real risks, to get yourselves in order with respect to the RGPD, and as quickly as possible. The risk analysis that consisted in weighing the financial risk against the cost of compliance has changed. The risk has become high, the number of complaints is exploding, and there are cheap and effective solutions that can help you.