Skip to content
BY 4.0 license Open Access Published by De Gruyter August 5, 2022

Comparing Private Enforcement of EU Competition and Data Protection Law

Wolfgang Wurmnest and Merlin Gömann

Abstract

Compared to art 82(1) of the General Data Protection Regulation (GDPR), which since 2018 grants data subjects a claim for damages resulting from the infringement of European data protection law, private enforcement of European competition law looks back on a much longer history. Thus, its concepts and learnings may serve as a model for data protection law. However, any potential transfer from one area to the other must be carefully weighed, as both the factual circumstances and the underlying regulatory framework differ. Against this background, this paper aims at identifying important similarities and differences between the private enforcement of European competition and data protection law. Amongst others, it reaches the conclusion that both fields of law – although for different reasons – share a comparably high level of Europeanisation and that the primary aims of private enforcement generally align. In addition, potential for spill-over effects from the area of competition to data protection law is identified, namely with regard to causation and the European concept of undertaking.

I Introduction

As regards private enforcement, violations of arts 101 and 102 Treaty on the Functioning of the European Union (TFEU) (formerly arts 85 and 86 European Economic Community Treaty, arts 81 and 82 Treaty Establishing the European Community) are remedied in conjunction with the respectively applicable national law.[1] In private antitrust litigation, the European competition rules can be used as a shield (by invoking the nullity of an anti-competitive agreement) or as a sword, ie by claiming injunctive relief[2] and/or damages before national courts.[3] Similar rules exist for violations of national provisions. This paper focuses on the use of private claims as a sword to enforce European competition (antitrust) rules and respective national provisions. Over the last years, there has been a sharp rise in such actions across Europe.[4] A recent study counted around 650 claims for damages pending before German courts alone in 2019.[5] Given that not all EU Member States have to date implemented functioning systems of collective actions, claims are often bundled by assignment and enforced collectively.

Likewise, claims for pecuniary and/or non-pecuniary damages resulting from infringements of data protection law are on the rise.[6] With the entry into application of the General Data Protection Regulation (GDPR)[7] on 25 May 2018, the risk for data controllers and processors to be sued under tort law by data subjects has increased considerably. Essentially, this development is due to the inclusion of art 82 GDPR into the universally applicable EU regulation, granting a right to compensation to ‘[a]ny person who has suffered material or non-material damage as a result of an infringement of this Regulation’ (art 82(1) GDPR).[8] The trend to private enforcement of data protection law is further fuelled by an increasing number of media reports, drawing the attention of a broader public to potential data protection breaches[9] and giving inventive and agile legal service providers the chance to compete for clients.[10]

In the light of progressing digitalisation, legal and factual developments suggest that data controllers and processors will be confronted with even more claims for damages in the future, including via mass proceedings. While at present assignment solutions comparable to those employed in competition law are still favoured to bundle the enforcement of similar claims,[11] the transposition of Directive (EU) 2020/1828 on consumer representative actions (Directive 2020/1828)[12] will require the introduction of national tools allowing for mass litigation also in the field of data protection law (cf Annex I (56) Directive 2020/1828) by the end of 2022. Notably, the remedies available to the designated qualified entities (art 3(4) Directive 2020/1828) include the right to damages (art 9(1) Directive 2020/1828) and must benefit the data subjects without a separate individual action (art 9(6) Directive 2020/1828). In the coming years, private enforcement will thus increasingly complement the traditional public enforcement of data protection law, adding ever more weight to the need for thorough compliance.[13]

Against this background, this paper aims to identify similarities and differences between the private enforcement of European competition and data protection law. In doing so, one needs to bear in mind that the enforcement of EU competition law through private actions for injunctions and damages received an important boost by the Court of Justice of the European Union’s (CJEU) Courage ruling handed down in 2001,[14] while private enforcement of data protection law is still a comparatively young phenomenon that has only gained considerable traction in the last years. Thus, based on a brief overview of the respective frameworks (II), this article shall not stop at shedding light on parallels already existing to date (III). It shall also identify areas in which private enforcement of data protection law may in the future benefit from insights and experiences drawn from competition law (IV) before summarising the results (V).

II The framework of private enforcement

A Competition law

1 Historical development

While private enforcement of competition law as such is not a particularly new phenomenon for most European jurisdictions,[15] claims for damages against horizontal cartels only gained traction after the CJEU’s 2001 Courage judgment.[16] At the same time, this judgment was the starting point of the very strong Europeanisation of antitrust litigation, a process that is still ongoing.

After the foundation of the European Economic Community (EEC), the European Commission focused first on the establishment of a functioning system of public enforcement. An early attempt by the European Commission in the 1960s to harmonise national provisions on private enforcement at least to some degree faced strong opposition by the (then) EEC’s Member States and ultimately failed.[17] In the following decades, private enforcement was not on the Commission’s agenda. The discussion revived at the end of the 1990s as part of the discussion on the modernisation of the European competition law enforcement system. The White Paper on Modernisation of 1999 contained a reference to US law,[18] which had always regarded private actions for damages an important mechanism of competition law enforcement.[19] The decisive stimulus for the strengthening of private enforcement was provided by the CJEU when it held in Courage that ‘actions for damages before the national courts can make a significant contribution to the maintenance of effective competition in the [European] Community’ and that ‘any individual’ must hence be able to claim damages for loss caused by anti-competitive conduct.[20]

In the aftermath of the Courage judgment, several European legislatures amended their national competition acts to foster the private enforcement of competition law.[21] In addition, the Commission proposed the so-called Damages Directive, which, after a long discussion, was adopted in 2014 (Directive 2014/104).[22] This Directive harmonised key features of private enforcement actions such as the disclosure of evidence (arts 5–8 Damages Directive), the binding effect of national authorities’ enforcement decisions for private follow-on claims (art 9 Damages Directive), limitation periods (art 10 Damages Directive), joint and several liability (art 11 Damages Directive), the passing-on defence (arts 12–14 Damages Directive) as well as the rebuttable presumption that cartels cause harm (art 16 Damages Directive).

Moreover, the CJEU has strengthened the private enforcement of the European competition rules in many rulings handed down since Courage.[23]

2 Main body of rules

The legal prohibitions to ensure unfettered competition on the internal market are laid down in arts 101 and 102 TFEU. Article 101(1) TFEU, the provision on the general prohibition of cartels, forbids (horizontal and vertical) agreements and concerted practices between undertakings or decisions by associations of undertakings which have as their object or effect a restriction or distortion of competition on the respective market and thereby potentially affecting trade between Member States. If not exempted under art 101(3) TFEU, such agreements or decisions are declared null and void by art 101(2) TFEU. The prohibition of abusing an undertaking’s dominant position within the internal market or in a substantial part thereof (art 102 TFEU) complements the traditional set of EU antitrust rules. While by definition there cannot be an exemption from art 102 TFEU, the relevant conduct must, however, result from the undertaking’s autonomous initiative, thereby excluding any conduct instigated by public authorities.[24]

In turn, private enforcement itself rests on (national) tort and procedural law, which is increasingly being amended by European law, including the Damages Directive. As from the perspective of EU competition law domestic tort law essentially serves as an instrument for the enforcement of European prohibitions, its concepts must be interpreted in accordance with the principles of effectiveness and equivalence.[25] In the eyes of the CJEU, the full effectiveness of arts 101 and 102 TFEU is, for example, endangered by national concepts of causation requiring a ‘direct’ link between the infringement of competition law and the damage, thereby depriving victims of umbrella prices from claiming damages.[26] Besides these general principles of enforcement, the CJEU has directly derived certain requirements for damages actions from art 101 TFEU. For example, the Court held in Courage that every individual harmed by anti-competitive conduct must be entitled to claim damages.[27]

One instrument linking public and private enforcement of European competition law is the binding effect attributed to both the European Commission’s (art 16(1) Regulation No 1/2003[28]) and the national authorities’ (art 9(1) Damages Directive) final decisions on anti-competitive behaviour for potential follow-on damages claims. According to these rules, national (civil) courts cannot deviate from the substantive findings of the authorities’ decisions as confirmed by the reviewing (administrative) courts when rendering a judgment on damages for the very same anti-competitive conduct. An exception is made for decisions of foreign EU Member States’ competition authorities which, according to art 9(2) Damages Directive, may only have the effect of prima facie evidence for the infringement of competition law before the (civil) courts of another Member State. However, Member States may and some even have[29] transposed art 9(2) Damages Directive excessively to also provide for a binding effect of foreign competition authorities’ decisions as far as they concern the application of domestic law, ie the law of the court that is bound by the decision.

B Data protection law

1 Historical development

The common European history of private enforcement of data protection law had its origin in art 23 of the Data Protection Directive (DPD),[30] which, in its paragraph 1, obliged the Member States to provide for a claim for damages against the data controller for any person who had ‘suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive’. However, the European legislature left some crucial questions open, such as the inclusion of non-pecuniary losses,[31] the liability of processors and rules on a potential majority of debtors. As a result, art 23 DPD was transposed into national law very inconsistently and only had limited practical relevance,[32] notably with regard to compensation of pecuniary damage, such as disadvantages in concluding contracts and loss of profit.

Hence, the actual ‘Courage moment’ for the private enforcement of European data protection law was the entry into force of the universally applicable art 82 GDPR.[33] After some initially unresolved issues, such as the question of which bodies may award damages under art 82 GDPR,[34] have at least been clarified in part by higher national courts, the private enforcement of European data protection law recently gained further traction. Recent case law suggests a relatively broad understanding of what constitutes compensable (non-pecuniary) damage, ranging from discrimination, identity theft and fraud,[35] damage to reputation,[36] loss of control over personal data[37] to mere fear and insecurity. With regard to the amounts due, courts generally agree that the compensation should be comprehensive and effective (cf recital 146(6) GDPR).[38] Additionally, some courts rely on the necessity of a dissuasive effect of the compensation.[39] On this basis, compensation amounts up to € 5,000 per claim have been granted so far for nonpecuniary loss linked to sensitive personal data.[40]

Notwithstanding these emerging lines of case law, core questions of the construction of art 82 GDPR remain unresolved. For example, it remains unclear whether damages can be due merely because data protection law has been violated or whether, beyond this violation, actual damage must be ascertained. Similarly, the question arises as to how, and on the basis of which criteria, the amount of damages due ought to be assessed. To clarify these issues of European law, national courts have initiated preliminary reference proceedings.[41] As more questions will arise, the CJEU will only be able to deliver the necessary answers over time, step by step. If, however, the CJEU were to confirm the broad understanding adopted by many national courts – which in light of its traditionally firm objective to effectively protect personal data[42] does not seem unlikely – the clarifying case law has the potential to set off a wave of further (mass) claims for damages for data protection law infringements, particularly if the forthcoming implementation of Directive (EU) 2020/1828 on consumer representative actions is taken into account.

2 Main body of rules

Data controllers (art 4(7) GDPR) and processors (art 4(8) GDPR) are liable under art 82 GDPR for pecuniary and non-pecuniary losses caused by infringements of the GDPR, unless they can prove to be in no way responsible for the event giving rise to the damage (art 82(3) GDPR). This reversal of the burden of proof significantly upvalues the various formal obligations as well as the GDPR’s general principle of accountability (cf arts 5(2), 24 GDPR),[43] thereby mitigating the claimant’s usual lack of information regarding internal procedures of the defendant. In contrast to the DPD, the GDPR explicitly extends liability to data processors, who, if involved in the same processing operation as other controllers or processors, are jointly and severally liable for the entire damage vis-à-vis the data subject (art 82(4) GDPR, see also recital 146(7)–(8) GDPR). However, while according to art 82(2) GDPR, processors are only liable for infringements of rules specifically directed to them, controllers are liable for any processing that violates the GDPR, regardless of how minor, as long as it caused the damage.[44] As this extends to both substantive requirements and formal provisions, art 82 GDPR envisages comprehensive indemnification of the data subject.

The aims of art 82 GDPR are further specified in recital 146 GDPR, stating in its third sentence that ‘the concept of damage should be broadly interpreted ... in a manner which fully reflects the objectives of [the GDPR]’. As these objectives essentially amount to ensuring a high level of data protection while allowing for the free movement of personal data within the internal market (art 1, recitals 1, 2 and 4 GDPR), it can indeed be assumed that the European legislature envisaged a strengthening of data subjects’ rights vis-à-vis the oftentimes powerful controllers. Furthermore, according to sentence 5 of recital 146 GDPR, ‘processing that infringes [the GDPR]’ in the sense of art 82 GDPR is supposed to encompass violations of Member States’ adaptation laws enacted within the so-called ‘opening clauses’ of the Regulation (cf, for example, arts 6(2), 8(1), 9(4), 23(1), 85 and 88 GDPR).[45] Due to the potentially broad scope and uncertain applicability of Member States’ adaptation law under the GDPR, data controllers and processors may thus be confronted with totally unforeseen damages claims under national data protection law.

III Comparing apples with oranges?

Traditionally, competition and data protection law are very distinct bodies of law with few points of contact. This raises the question of whether a comparison of the respective structures of private enforcement is a fruitless endeavour, akin to comparing apples with oranges.[46] A closer look at the two systems of private enforcement, however, reveals that some similarities but also significant differences can be detected when looking at the objectives of data protection and competition law (A), the relationship between private and public enforcement (B), the level of Europeanisation (C) and issues relating to the damage caused (D).

A General aims of enforcement

1 Effective enforcement and full compensation

In both areas of law, the rules on private enforcement ought to enhance the effectiveness of the respective prohibitions by disclosing and pursuing illegal conduct potentially undisclosed or unpursued by public enforcement, while at the same time compensating the victims thereof.

In essence, the continuous strengthening of the private enforcement of European competition law by both the legislature and the CJEU aims to ensure a more comprehensive enforcement. Since public enforcers cannot take up all cases due to limited resources, private plaintiffs may help to detect and prevent further anti-competitive conduct, thereby protecting competition on the respective market beyond their individual case. Moreover, public enforcers may stop anti-competitive behaviour and disgorge unlawfully gained profits, but cannot ensure their distribution among the victims of the anti-competitive conduct. Thus, private enforcement makes a ‘significant contribution to the maintenance of effective competition in the [European] Community’, as the CJEU has put it.[47] The Damages Directive, however, focuses more on full compensation (cf arts 1(1) and 3(1) Damages Directive), without scaling back the CJEU’s approach significantly, though. To date, most actions for damages in the area of competition law are, however, follow-on actions, brought after public enforcers have detected and sanctioned anti-competitive conduct, namely horizontal cartels violating art 101 TFEU. With regard to violations of art 102 TFEU, stand-alone actions for injunctive relief remain an important tool to address illicit behaviour concealed from, or of lesser priority to, the competent authorities.[48]

Similarly, in the area of data protection law, private enforcement is seen as a tool to strengthen the overall enforcement, rendering the data protection rules more effective.[49] Private plaintiffs may step in to claim both injunctions (art 79(2) GDPR) and damages (art 82 GDPR) if an authority is not capable or willing to stop illicit conduct. In data protection law, the ratio between follow-on/stand-alone actions is, however, different than in competition law. To date, it seems that most actions for damages are stand-alone actions against perceived violations of data protection law, while actions following on from public enforcement decisions are still filed only rarely, if at all.

2 No punitive effect

In both areas of the law, strengthening enforcement through private claims does, however, not amount to an award of punitive damages, ie supra-compensatory damages with the aim of penalising the defendant.

With regard to competition law, the CJEU held in Manfredi that, as a matter of EU law, such damages must not be awarded.[50] In addition, the Damages Directive also excludes ‘overcompensation, whether by means of punitive, multiple or other types of damages’ (art 3(3) Damages Directive).

Likewise, in the area of data protection law, it is widely accepted (at least in Austria and Germany) that the award of damages shall not have a punitive effect.[51] This is because considerable administrative fines of up to 4 % of the total worldwide annual turnover of a data controller or processor as well as criminal penalties can already be imposed under arts 83 and 84 GDPR by public enforcers. However, German courts have acknowledged that damages awarded for nonpecuniary losses must still be high enough to strengthen the deterrent effect of the law (cf recital 146(3) GDPR) in light of the European principle of effectiveness.[52]

In a comparable manner, banning punitive damages from European competition law does not mean that every form of supra-compensatory damages must be avoided when assessing the amount of compensation due. The textbook example for this finding is a claim against a cartel of rail producers, which charged supra-competitive prices for rails supplied to train service providers. Although the train service providers increased the ticket prices for consumers as a consequence, it does not make sense to accept such a ‘passing-on defence’ with regard to the victim’s claim. This is because the overcharge is passed on to very many consumers, so that each of these indirect purchasers would only have a very small claim for damages (the price increase of the ticket(s) bought), which would also be difficult to quantify as price increases often reflect different factors. Against this background, it is very unlikely, on the one hand, that indirect purchasers will sue the cartel for damages. On the other hand, if the cartel members were released from liability vis-à-vis the direct purchasers for the overcharges that were passed on to the indirect purchasers, the cartel could keep parts of the unlawful gains, thereby achieving an unjustified advantage. Based on the law in force prior to the transposition of the Damages Directive, the Bundesgerichtshof (BGH) has therefore not accepted the passing-on defence with regard to the alleged price increases of the train service providers.[53] Such a solution would also make sense under the regime of the Damages Directive, as it ensures full effectiveness of art 101 TFEU.

B Relationship between public and private enforcement

Parallels between European data protection and competition law can also be noted with regard to the relationship between private and public enforcement as, in both areas of law, the mix of administrative measures and private claims aims to achieve an effective enforcement of the law.[54]

In competition law, the optimal relationship between public and private enforcement was – and in part still is – subject to intensive debate. The famous statement in the Courage ruling that private actions can ‘make a significant contribution to the maintenance of effective competition in the Community’[55] was certainly inspired by the US model of antitrust enforcement. Competition authorities feared, however, that private enforcement would hamper public enforcement, especially with regard to the leniency system, which is considered the backbone of cartel detection. The Damages Directive was therefore carefully designed in a manner to safeguard leniency programmes, protecting leniency applicants from an overly broad liability vis-à-vis private plaintiffs. On the other hand, the Directive, as well as national measures, ensure that private plaintiffs can benefit from the work of public enforcers. The Damages Directive therefore synchronises private and public enforcement, for example through the binding effect of authorities’ decisions (art 9 Damages Directive)[56] or the suspension of private limitation periods for the duration of public investigations (art 10(4) Damages Directive). Moreover, public enforcers can assist private plaintiffs by spreading key information about anti-competitive practices pursued by the authorities.[57]

Similarly, public enforcement by the competent national authorities remains the enforcers’ sharpest blade in the area of European data protection law (cf arts 58, 83 and 84 GDPR). Private enforcement is however, supposed to complement the efforts of the authorities, both by disclosing further anti-competitive practices or data protection law violations that might otherwise remain unpursued due to the authorities’ lack of resources or prioritisation. The synchronisation of public and private enforcement is, however, much less advanced than in European competition law. For the time being, there is no elaborated leniency programme in place which would exempt wrongdoers from fines (or reduce their fines considerably) if they disclose infringements of the GDPR to an authority.[58]

Unlike in EU competition law, the GDPR does also not (yet) provide for a binding effect of final decisions by authorities for subsequent follow-on claims of private parties. As a consequence, courts deciding on damages claims may deviate from the findings of a final decision taken by either the respective national or a foreign supervisory authority on the very same alleged infringement of data protection law. It seems worth considering whether the introduction of a binding effect modelled on the example of European competition law might de lege ferenda be a viable option to strengthen the synergies between the two strands of data protection law enforcement. The fact that, for the public strand, the GDPR puts in place a particularly complex system of attribution of competence to the respective supervision authorities (art 55 f GDPR) to avoid conflicting final decisions[59] argues in favour of such a binding effect. In its absence, this regulatory objective is undermined to some extent by the fact that the private strand of enforcement under art 82 GDPR remains largely unaffected by the results of the administrative procedure conducted by the competent authorities.[60]

However, private claimants can still profit in a more limited way from the fruits of public enforcement endeavours by relying on the (factual) results of the administrative investigation for their follow-on claim under art 82 GDPR. Whenever such investigations are not conducted ex officio, potential claimants can, as a first step, lodge a complaint against a certain controller or processor with a supervisory authority under art 77(1) GDPR. As art 78(1)–(2) GDPR grants the complainant the right to an effective judicial remedy against a supervisory authority’s negative decision or inaction, a justified complaint under art 77(1) GDPR may, in principle, not end up unsuccessful. Once the decision on remedies according to arts 58, 83 and 84 GDPR is final, the potential claimants can exercise their rights to information under art 15 GDPR, enabling them to gain access to the results of the administrative decision.[61] Furthermore, information gathered in accordance with the far-reaching documentation obligations flowing from the principle of accountability (arts 5(2), 24 GDPR)[62] may also be subject to disclosure. Hence, public and private enforcement are not totally isolated in the realm of data protection law either.

To date, there is, however, no suspension of limitation periods for private claims in the GDPR for the time that an authority investigates the very same infringement as laid down in art 10(4) Damages Directive. Quite the contrary, issues relating to the limitation of claims under art 82 GDPR seem to remain a matter of national law for the time being.[63] As the example of European competition law shows, further harmonisation in this regard could strengthen the private enforcement of European data protection law considerably.

C Level of ‘Europeanisation’

In both areas of law, although some differences remain in the detail, claims for damages (and injunctive relief) are to a great extent ‘Europeanised’.

With regard to substantive competition law, it can be noted that national legislators started to align their national competition law provisions with EU law at a very early stage. Some Member States did not have a modern, comprehensive set of competition rules at all, so that, when introducing such rules, they took the European rules as points of reference. Even countries with stronger competition law traditions such as Germany had to align their rules with the same objectives as arts 101 and 102 TFEU to a large extent after the adoption of Regulation No 1/2003, given that the application of national competition law may not lead to the prohibition of agreements which may affect trade between Member States but do not restrict competition within the meaning of art 101(1) TFEU or are exempted under art 101(3) TFEU. It is only below the threshold of dominance established by art 102 TFEU that national competition rules retain an independent significance (art 3(2) Regulation No 1/2003).

A strong Europeanisation can also be observed with regard to the tort law ‘shell’ of private enforcement. As a starting point, the legal basis (Anspruchsgrundlage) as well as the different prerequisites of claims for damages or injunctions are in principle (still) governed by the applicable national law.[64] However, as these conditions have to comport with the European principles of effectiveness and equivalence, there is a strong tendency towards Europeanisation through case law. In Manfredi, for example, the CJEU held that victims of competition law violations ‘must be able to seek compensation not only for actual loss (damnum emergens) but also for loss of profit (lucrum cessans) plus interest’.[65] Today, this form of compensation is mirrored in art 3 Damages Directive.

In addition, the CJEU has derived certain findings directly from arts 101 and 102 TFEU, thereby pushing the level of Europeanisation to a much more elaborated level. Since its Courage judgment, in which the CJEU reminded national courts and legislatures that, under EU law, ‘any individual’ must be entitled to claim damages for loss caused to them by anti-competitive conduct,[66] the Court has constantly adapted national concepts of tort law to render the enforcement of competition law more effective. Relying on the effectiveness of art 101 TFEU, the CJEU held that EU law determines the person(s) liable for damages (Skanska, Sumal).[67] Moreover, EU law at least partly shapes the specific scope of the causation requirement, although the precise reach of the European grip on causation is not settled yet.[68] In any case, the CJEU held that victims of cartels can also claim damages for losses caused by umbrella prices (Kone)[69] as well as losses occurring in markets other than the market targeted by the cartel (Otis).[70] In addition, the Damages Directive now (for its major part fully) harmonises further criteria of civil liability for competition law violations such as the limitation period (art 10 Damages Directive), joint and several liability (art 11 Damages Directive) and the passing-on doctrine (art 12 ff Damages Directive).[71]

Similarly, the universally applicable GDPR (cf art 288(2) TFEU) in principle harmonises the fundamental principles and rules of (substantive) European data protection law (cf arts 5 and 6 GDPR). However, due to the ample regulatory leeway the GDPR grants Member States to amend, concretise or deviate from its provisions (so-called ‘opening clauses’),[72] substantive data protection law is even within the Regulation’s scope to a lesser extent harmonised than the field of European competition law. Yet, as for the purpose of private enforcement violations of the resulting national adaptation laws are to be treated like infringements of the GDPR itself (recital 146 GDPR),[73] the level of harmonisation is greater than it appears at first sight.

With regard to the rules of private enforcement, however, the data protection law rules are to a much greater extent specified by EU law than in the area of competition law. Article 82 GDPR not only codifies the right for ‘[a]ny person who has suffered material or non-material damage as a result of an infringement of this Regulation’ to claim compensation from the controller or processor for the damage suffered (1), but also sets forth the basic requirements for such a claim. EU law thus determines certain conditions, such as a European type of responsibility (art 82(3) GDPR)[74] and joint and several liability of several controllers or processors (art 82(4)–(5) GDPR), thereby, from the outset, achieving a state of harmonisation that in the area of competition law had to be built up over the years. Nonetheless, even though the right to claim damages is enshrined in the GDPR, this does not mean that all requirements are governed by EU law. Issues like the amount of interest due, the duration and start of the prescription period and the relationship to other claims based on national tort law[75] are in principle matters governed by national law, insofar as it fully comports with the principles of effectiveness and equivalence. However, it cannot be excluded that the CJEU will transfer its harmonising approach from competition law to data protection, thereby gradually expanding the harmonised scope of art 82 GDPR.

D Damage and amount of damages

Over the course of the years, private antitrust litigation has turned into a field for specialised experts. This is primarily due to the fact that the issue of assessing damages in antitrust cases raises complex legal and economic questions. Plaintiffs face substantial up-front costs, as they usually have to substantiate their claims through an economic expert opinion. Furthermore, the standards for pleading and proof are constantly evolving, which makes it difficult for nonspecialised lawyers to practise successfully in this area.[76] The Damages Directive will not reverse this trend significantly, even though art 17(1) Damages Directive requires Member States to ensure that the (pecuniary) damage incurred may be estimated by the competent courts whenever ‘it is established that a claimant suffered harm but it is practically impossible or excessively difficult precisely to quantify the harm suffered on the basis of the evidence available’. Hence, art 17(1) Damages Directive allows for the estimation of (pecuniary) damage that is in principle measurable. This does not appear revolutionary (at least from a German perspective), as the power to estimate the amount of damage incurred on a certain factual basis is also granted to the judge by German procedural law (§ 287 Zivilprozessordnung [ZPO]). Yet, an estimation as to the quantum of damage in competition cases requires that the judge is convinced that the cartel caused harm at all, which is difficult to assess in practice. For this reason, art 17(2) Damages Directive introduced the general presumption that cartel infringements cause harm, which has to be rebutted by the alleged infringers, resulting in a reversal of the burden of proof.

Member States have transposed art 17(2) Damages Directive quite differently.[77] While most Member States refrained from introducing presumptions regarding the amount of harm incurred, Hungary had – even before the adoption of the Damages Directive – pioneered a (rebuttable) presumption that cartels cause an overcharge of 10 %.[78] Latvia also adopted this approach when transposing the Directive, whereas Romania even increased the presumed overcharge to 20 %.[79]

The problem with such an estimation of the quantum of damage incurred is that cartels operate in very different economic environments and usually align very different parameters of competition. Thus, the textbook example of a steady overcharge resulting from a price fixing conspiracy on simple products is difficult to prove in practice, given that illegal conduct is usually not protocolled by the conspirators. Also, cartel members often pursue much more complex strategies to make detection by competition authorities more burdensome. Consequently, in many countries, economic experts are brought in by the parties to prove the existence and amount of damage. Sometimes courts also resort to simplified methods to calculate damage, based on certain typical percentages of overcharge which are deemed reasonable in the specific case at hand. Such an approach was recently applied by the Landgericht (LG) Dortmund in cases concerning the rails cartel in which the cartel overcharge was estimated at 10 %[80] and 15 %[81] of the net purchase price. The OLG Celle estimated the overcharge from a chipboard cartel at 13 %.[82] Also courts in other countries have awarded damages (based on various assessment methods) within a range from 1 % to 34 % and an average overcharge per cartel of 12 %.[83]

Whereas damage in competition cases merely concerns pecuniary losses, under art 82 GDPR, both pecuniary and non-pecuniary losses can be remedied. In this regard, many issues remain however far from clear to date. This does not only hold true for the question whether every violation of the GDPR justifies a claim for damages,[84] but also for the issue of whether there should be a de minimis threshold for non-pecuniary loss.[85] Moreover, the salient question as to how nonpecuniary damages must be calculated under art 82 GDPR has not yet been resolved.[86] In contrast to pecuniary damage, non-pecuniary loss cannot be measured with precision (only ‘estimated’). In any case, assessing non-pecuniary loss necessarily requires subjective valuations by the judge. To ensure a certain objectivity and uniformity within one jurisdiction, courts often base their calculations on amounts awarded in comparable cases. Given that the GDPR is of rather recent origin, courts are still searching for adequate evaluation criteria. Moreover, looking only at precedents in the same jurisdiction bears the risk that different standards evolve in different EU Member States. Thus, overarching criteria (cf recital 10 GDPR) can only be developed if national courts initiate preliminary references giving the CJEU the possibility to elaborate European standards.

Assuming that a successful claim does require a GDPR infringement as well as the existence of actual damage, the burden of proof for losses incurred under art 82(1) GDPR – as opposed to that for missing ‘responsibility’ (art 82(3) GDPR) – lies with the claimant. This raises the question of whether the European legislature should have introduced a presumption comparable to art 17(2) Damages Directive to support the plaintiff. Scholars have argued that, without such a presumption, considerable difficulties may arise, especially with regard to proving the existence and causation of non-pecuniary damage.[87] It is however doubtful whether art 17(2) Damages Directive should be transferred to data protection law because legal presumptions should be based on a typical course of events. That hard-core cartels predominantly lead to higher prices and thus to harm for buyers is a finding many would share.[88] In turn, violations of data protection law may arise in very different forms and to varying extents so that it seems much more difficult to generally assume that a violation of the law also causes (non-pecuniary) damage (cf recital 146(6) GDPR: ‘the damage [the data subjects] have suffered’). In addition, art 17(2) Damages Directive primarily intends to overcome the difficulty that, in competition cases, it is often the defendant who is in possession of better information and evidence as regards the alleged harm caused by the unlawful conduct. In data protection law, by contrast, both the pecuniary and the non-pecuniary losses arise in the plaintiff’s sphere so that in the normal course of events they should be in a position to prove the damage incurred.[89]

The European legislature could, however, have supported the courts by providing some general criteria for the assessment of non-pecuniary damage in the GDPR or at least in its recitals. Although these criteria would necessarily be rather general, they would give courts some guidance when assessing the amount of damages due and thereby contribute to a more uniform application of the GDPR throughout the EU. As soon as the GDPR undergoes a first reform, it should be thoroughly considered whether such criteria should be integrated, taking into account the experience with the (uniform) application of art 82 GDPR with regard to non-pecuniary damages to date. In the meantime, it will unavoidably be up to the CJEU to develop such criteria under the law as it stands today.

IV Potential for spillover

The CJEU has already had the chance to clarify many basic issues of private competition law enforcement.[90] In the comparably young area of private data protection law enforcement, by contrast, the precise shape of liability is still evolving. This raises the questions of whether and to what extent private competition law enforcement can serve as a model for data protection law.

A Causation

As regards the interpretation of the requirement of causation of the damage incurred by the infringement of EU data protection law, it seems particularly likely that the CJEU will resort to its case law on the enforcement of arts 101 and 102 TFEU.[91] The interests at stake appear comparable to those identified by the CJEU with regard to antitrust damages if, in light of recital 146(3), (6) GDPR, the dissuasive effect of the right to compensation under art 82 GDPR is confirmed.[92] Namely, to achieve full effectiveness of EU data protection law, national tort law concepts have to be interpreted in accordance with the principle of effectiveness.[93]

Thus, if the CJEU’s case law on the causal link between certain behaviour and resulting damage was to be applied to the private enforcement of EU data protection law, courts could only rely on the national concepts of causation as far as effective enforcement of art 82 GDPR is ensured.[94] Hence, no ‘direct’ link between the infringement and the damage would need to be established.[95] It would however not suffice if the damage had simply been caused by a processing operation in the context of which data protection law was also infringed.[96] By contrast, if the entire processing operation were to become unlawful as a result of the infringement, the causation requirement between the infringement and the damage would be fulfilled.[97] Co-causation (ie cumulative causation) would suffice,[98] while an independent intervention by third parties would not necessarily ‘interrupt’ the causal link.[99] To limit the otherwise potentially excessive liability,[100] it would be necessary for the damage incurred to have been foreseeable for the alleged infringer,[101] again following the example of antitrust damages.[102] This would exclude damage resulting from totally atypical and unusual chains of events to which the infringement gave rise.[103]

B The concept of undertaking

The European competition rules apply to undertakings, ie entities ‘engaged in an economic activity, regardless of the[ir] legal status ... and the way in which [they are] financed’.[104] As a consequence, in the area of public enforcement, the EU Commission imposes fines under art 23(2) Regulation No 1/2003 to such undertakings. Over the years, a comprehensive set of rules has been developed by the CJEU to ensure that effective sanctions can be imposed by the Commission.[105] Two implications of the European concept of ‘undertaking’ are of particular importance for public as well as private enforcement proceedings.

First, the CJEU has held that an undertaking can be comprised of more than one natural or legal person.[106] This has an important bearing for the addressee(s) of the sanction. Even though the undertaking as such might not have legal personality under the applicable national law, the Commission is entitled to identify one or more actual entities of the undertaking to be the fine’s addressee(s). As a consequence, the entity fined does not necessarily have to be the natural or legal person that took part in the competition law violation or even knew about the infringement. Since the undertaking as a whole has infringed the law, the Commission has some discretion to choose the legal entity to be fined for the undertaking’s infringement. Thus, the single economic unit (entity) doctrine allows the EU Commission to fine a parent company for the subsidiary’s participation in an unlawful cartel, insofar as the two entities (parent and subsidiary) form an economic unit so that also the parent is part of the undertaking. If the parent company holds close to or even 100 % of the subsidiary’s shares, the existence of an economic entity is rebuttably presumed.[107]

To strengthen private enforcement, this broad concept has been transferred to the addressee(s) of damages claims.[108] Plaintiffs often have an interest in suing the subsidiary company for damage suffered from the anti-competitive behaviour of its parent. Hence, the CJEU held in Sumal that plaintiffs may sue either the parent company fined by the EU Commission for anti-competitive conduct or a subsidiary of that company (even if that latter company had not been addressed in the infringement decision), to the extent that both companies form a single economic unit, ie a single undertaking in the sense of arts 101 and 102 TFEU.[109] However, if the sued subsidiary was not addressed in the infringement decision, the binding effect of the competition authority’s decision (art 16 Regulation No 1/2003, art 9 Damages Directive) does not extend to the subsidiary company. Thus, the subsidiary can defend itself by showing that it was not part of the economic unit forming the undertaking.[110]

The second implication of the concept of undertaking that was developed in the realm of public enforcement[111] and transferred to private enforcement in Skanska[112] concerns restructuring cases. In public enforcement, fines can be imposed on the successor of a former undertaking that has violated the European competition rules, provided that, from an economic perspective, the successor continues the commercial activities of the infringer. The successor is also liable for damage in private enforcement proceedings.

Although the wording of art 82 GDPR does not explicitly mention ‘undertakings’ as addresses of the claim (but controllers and processors), it can be argued that the underlying concept can be transferred to European data protection law.

Recital 150 GDPR refers to the competition law concept of undertaking by stating that, for the purpose of administrative fines, ‘an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU’. The concept is further echoed by the core rules on the amount of administrative fines, namely by art 83(4)–(6) GDPR, underscoring the clear intention of the European legislature to enable data protection authorities to impose fines based on the annual turnover of the ‘undertaking’ in the sense of competition law.[113] The aim of preventing any circumvention of sanctions under art 83(4)–(6) GDPR through special corporate structures or dissolution is further exhibited by recital 37 GDPR, which defines a ‘controlling undertaking [as...] the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented’.[114] In sum, a transfer of the undertaking concept to public enforcement of data protection law is justified.

Less obvious is a transfer to private claims under art 82 GDPR even though it is possible to argue in favour of it. If the liability of controllers and processors under art 83 (4)–(6) GDPR for breach of their obligations explicitly encompasses the entire undertaking in the sense of competition law, there does not seem to be a conclusive reason to interpret the liability of controllers and processors differently under art 82 GDPR. On the contrary, internal systematic coherence speaks in favour of a comprehensive transfer of the undertaking concept also to the private enforcement of data protection law. It can be further argued that, under the GDPR, the need for effective (private) enforcement is by no means less significant than in the realm of competition law, given that it directly protects data subjects’ fundamental rights (cf art 1(2) GDPR).[115] This aim is much better achieved if claimants can choose from various (solvent) defendants, notwithstanding their internal structures and formalities, possibly put in place with an aim to avoid private liability. Thus it would seem somewhat odd if the CJEU made a distinction between public and private enforcement for such a crucial issue.

C Pooling of claims

In the absence of effective collective redress mechanisms for the enforcement of cartel damages claims, service providers have, in several jurisdictions, developed assignment models to bundle similar claims of cartel victims. Generally, a special purpose vehicle is created to which several independent claims are assigned, thereby enabling the assignor to enforce them jointly against the defendants. While in Germany these assignment models are in general admissible, complex models involving service providers and third party litigation funding have so far faced several legal challenges.[116] Some recent decisions from the field of consumer (mass) litigation[117] however seem to strengthen the claimants’ position, although it is still disputed to what extent they can be transferred to the area of competition litigation.[118]

Since violations of data protection law often affect a large number of data subjects simultaneously, pooling their compensation claims may also turn out to be a lucrative business area for modern legal(-tech) service providers.[119] Given that to date four-digit sums awarded for single data protection law infringements remain an exception,[120] mass litigation experience acquired in other fields, such as cartel damages claims, may prove helpful. However, in this context, the question of assignability of non-pecuniary claims for damages arises. Occasionally, their highly personal nature is put forward to deny their assignability.[121] This approach is rooted in German case law, where non-pecuniary damages are awarded in order to compensate infringements of personality rights. However, due to the need for an autonomous interpretation of EU law, this transfer of national case law to art 82 GDPR is methodically flawed. On the contrary, as assignability generally strengthens enforceability (cf recital 146(6) GDPR), it is to be expected that the non-pecuniary damages claims are held to be assignable at the very least by the CJEU.[122]

With the transposition of Directive 2020/1828, consumer protection associations (cf art 4 Directive 2020/1828) will also be entitled to claim compensation for data protection breaches, either on an opt-in or opt-out basis (art 9(1)–(4) Directive 2020/1828). The emerging competition with purely private actors should ensure that data subjects’ rational apathy to enforce their rights under art 82 GDPR is overcome and that each individual case is dealt with in due time and diligence. Fears regarding a merely self-serving data protection ‘claimant industry’ voiced by both (potential) defendants and their legal advisors[123] may thus prove to be unfounded.

V Conclusion

This paper aimed at identifying some important similarities and differences between the private enforcement of European competition and data protection law and the potential for spill-over effects from the former to the latter. That competition law enforcement may serve as a model for data protection law stems from the fact that European rules on private law enforcement have existed for a much longer time in the area of competition law than in data protection law. Any potential transfer from one area to the other must be carefully weighed, as the underlying regulatory frameworks differ.

The comparison has shown that the overall aims of private enforcement are similar in both competition and data protection law. Private actions for damages and/or injunctions shall render enforcement more effective and will prevent further wrongdoings. Punitive damages are not accepted in both areas of law, yet it may occur that supra-compensatory damages are awarded to ensure the deterring effect of the European rules. In both areas of law, private enforcement is primarily seen as an instrument to complement the predominant public enforcement, but deemed indispensable with regard to its indemnifying function.

However, the synchronisation between public and private enforcement to date has been much more sophisticated in the area of competition law than in the field of data protection law. Also, the typical type of private actions varies in both areas. Whereas in data protection law stand-alone actions are currently the rule, such actions are rarely brought in competition law. The bulk of private competition law cases however are follow-on actions for damages against cartels, detected and fined by the EU Commission or national competition authorities.

Broadly speaking, in both areas of law, there is a strong ‘Europeanisation’ of tort claims. This process is constantly evolving. In competition law, the prerequisites for tort claims are in principle laid down in national law, but the CJEU has derived some important criteria directly from EU law. Moreover, the 2014 Damages Directive has harmonised further requirements. In turn, in data protection law, the right to claim damages including its key conditions are already enshrined in the GDPR and only complemented by the applicable national law. With regard to the prerequisites not directly covered by the wording of art 82 GDPR, it is however not excluded that the CJEU will – in a similar manner as in the area of competition law – extend the scope of EU law to harmonise further aspects of the claim and thereby broaden the European influence on matters that are currently still governed by national law.

Regarding the topic of damages, some significant differences are evident in the two areas of law. Whereas in data protection law pecuniary and non-pecuniary loss must be remedied, the latter type of losses does not play a role in competition law. In turn, to support the claimants in proving their case, the Damages Directive lays down a presumption that cartels cause harm, while in data protection law there is – in our view for good reason – no similar rule. As a result – and although this may complicate the enforcement of claims considerably – the burden of proof for losses incurred lies on the claimant in data protection law, while, under the Damages Directive, it is the defendant’s task to rebut the presumption.

By contrast, a spill-over effect from competition to data protection law can be expected with regard to the requirement of causation, at least in part. Arguably, this element is, under art 82 GDPR, still governed by national law but could – in a comparable manner to competition law – be shaped by the CJEU by recourse to the principle of effectiveness or even by deriving certain doctrines directly from the GDPR. Thus, while national rules may require the damage incurred to have been foreseeable to the infringer, requiring a ‘direct’ link that limits the circle of potential plaintiffs will most likely be deemed unlawful in light of the effective enforcement of the GDPR.

Similarly, a transfer of the CJEU’s concept of undertaking from the private enforcement of European competition law to data protection law seems at least likely. The broad concept of undertaking has enabled the EU Commission in the realm of public enforcement of competition law to fine parent companies with high turnovers, a concern that may equally apply to the public enforcement of the GDPR by national data protection authorities. Transferring this concept to private enforcement of competition law has also amplified the possibilities of claimants to sue suitable respondents, thereby strengthening the effectiveness of private enforcement considerably. Although art 82 GDPR itself does not mention the undertaking as a potential debtor, it is to be expected that the CJEU will adopt a similar approach for the sake of effectively enforcing data subjects’ right to damages.

On a more practical note, the private enforcement of GDPR violations currently may only prove economical if several claims are bundled and enforced together. Based on the assignment of (petty) claims, such actions appear to be an indispensable tool to overcome rational apathy and establish a decentralised private enforcement, at least until Directive (EU) 2020/1828 on representative actions by consumer protection associations is fully transposed. It is therefore to be expected that, despite some national resistance, such assignment models will eventually be accepted by the CJEU for the realm of European data protection law.

Published Online: 2022-08-05
Published in Print: 2022-08-04

© 2022 Wolfgang Wurmnest and Merlin Gömann, published by Walter de Gruyter GmbH, Berlin/Boston

This work is licensed under the Creative Commons Attribution 4.0 International License.

Downloaded on 29.1.2023 from https://www.degruyter.com/document/doi/10.1515/jetl-2022-0009/html
Scroll Up Arrow