Since 2020, legal practitioners in the UK have predicted that data protection litigation would increase in the coming years. Data protection litigation in the EU was quite widespread as data subjects began to lodge claims directly with civil courts (as opposed to their DPA) in respect of GDPR violations by data controllers or processors. Now, two years later, we see that the forecast for an increase in data protection litigation was on the money. Litigation has increased not only in Europe, but globally as well.

In this post we will help you to understand how litigation might arise by keeping up to date with global trends in data protection litigation. We also look at a few case studies occurring globally and identify some key learnings for South Africa.

Why you should avoid litigation

We think litigation is:

  • time-consuming,
  • expensive,
  • damaging to your reputation, and
  • something you definitely want to avoid.

There are no real winners when you take a matter to court. Whether you win or lose on the matter, you are still going to experience one or more of the above-mentioned outcomes.

Examples of litigation disputes

Here are some examples of data protection disputes that could land you in court. We’ve also included examples of who you might litigate against.

  • Authorities – You might disagree with authorities like the information regulator, how they have interpreted the law or a decision they have taken against you. You might want to challenge this in court so that the court can make a ruling that differs from the data protection authority’s decision.
  • Data subjects – Data protection has created new rights for data subjects and if you infringe those rights, data subjects might want to enforce their rights by litigating against you.
  • Controllers and processors – As a party to a data processing relationship, you should have an agreement in place to govern that relationship. An agreement creates rights and obligations between the parties. If a party breaches the agreement and infringes the other party’s right, the parties will have a dispute that could result in litigation. You might even disagree with the other party as to which role you play and who is responsible. That might lead to litigation too.

Categories of data protection litigation

Depending on your opponent, there are several ways you could find yourself in court for data protection litigation. These are some of the global scenarios that we have identified:

  • Action – A data subject may accuse you of infringing their rights. The data subject, acting alone, may bring a cause of action against you in court.
  • Class Action – A group of data subjects might accuse you of infringing their personal data rights. And, unless you can afford to settle, you may have a class action on your hands.
  • Breach of contract – If your processor or controller breaches their contractual obligations, then you might take them to court for breach of contract (or the other way around).
  • Appeal – You may want to appeal a data protection authority’s decision, particularly if they have awarded a fine against you for non-compliance.
  • Review – Have a court review an authority’s decision.

Global case studies

We’ve explored several case studies to look at trends in data protection litigation. We explore a few of these case studies below.

Fines can lead to litigation

Since the General Data Protection Regulation (GDPR) came into force, Europe’s data protection authorities (DPAs) have imposed over 800 administrative fines. These fines were sometimes over €500m. Most of the fines were issued for continuous failure to comply with data protection laws.

Although an authority will issue an order against parties to remedy a violation, they may also issue fines as part of the order. The purpose of the fine is to deter people and companies from committing data protection violations.

In 2021, companies like Amazon, Google and Fastweb received hefty fines for non-compliance with data protection laws.

  • The Luxembourg DPA fined Amazon EUR746 million. This is the largest data protection fine that has been recorded for 2021. Although there was little information about the case online, reports and articles indicate that the fine was related to a lack of cookie consent.
  • Google was fined EUR50 million because of the way they provided privacy notices to their users, and how they requested users’ consent for personalised advertising and other types of data processing.
  • Fastweb was fined EUR4.5 million for processing the personal data of millions of users for telemarketing purposes without obtaining the data subject’s express consent.

Although the above case studies didn’t involve litigation, they can potentially lead to litigation. For example, if any of these companies want to appeal against these fines or have them reduced, they would have to approach a competent court for relief. These companies could have avoided the fines and litigation if they had complied with data protection laws. These case studies demonstrate that companies are responsible for protecting personal data and they will be held accountable if they fail to protect it.

More laws = more compliance obligations

The privacy and data protection landscape is evolving rapidly. More countries are either passing new data protection laws or amending their existing data protection laws to boost their compliance efforts and promote best practice in line with global guidelines.

Almost all of the time, parties land up in court for flouting compliance obligations that arise from laws and regulations. Most recently, Google appeared in court again for non-compliance with the GDPR. The Austrian Data Protection Authority ruled that Google’s continuous use of Google Analytics in Europe flouted privacy laws. Privacy activist Max Schrems said that companies can’t use US cloud services in Europe anymore. Schrems said that the Court of Justice has now confirmed this stance a second time.

What does this mean for South Africa?

The Information Regulator’s statutory drafting process is largely based on EU data protection trends. Therefore, we think that more courts will be called upon to apply POPIA principles when handing down judgments affecting privacy and data protection.

Privacy judgments have already come into the spotlight early in the year. The matric results matter was the most recent matter to come to the courts. The high court did not hand down a judgment but issued an order declaring that the results should be published. The court missed an opportunity to apply POPIA principles to formulate a judgment.

POPIA complaints

We think that with a functioning POPIA complaints procedure in the works, the regulator is paving the way for courts to apply POPIA to privacy and data protection cases. Some complaints may lead to the regulator serving someone with an information notice or an infringement notice. There is a potential for litigation to arise from both these notices. We’ve written extensive posts about the complaints process and how to resolve them to avoid litigation.

Actions you can take

  • Receive alerts about new POPIA judgments and other regulatory updates from the information regulator by joining our data protection programme.
  • Keep abreast of the latest news in data protection litigation and fines by joining our programme. We summarise the key learnings from data protection cases we come across and update the programme frequently.
  • Avoid expensive litigation by implementing a complaints policy on your website. A complaints policy will enable data subjects to lodge complaints with you directly instead of with the regulator. Data subjects may also approach a court for relief. You want to avoid all paths that lead to litigation.
  • Get more insight into the complaints process by reading the POPIA rules of procedure for complaints.