When a data subject’s right to privacy is infringed, or someone fails to protect their personal data, and they suffer damages as a result, who is liable for those damages? Who should the data subject be taking legal action against? Is it the employee or the employer? Is it the individual or the organisation? Can the employer be held strictly liable for the actions of one of their employees or contractors in the context of data protection? Can a controller be held strictly liable for the actions of its processor?
These are all good questions. Some are easier to answer than others and, obviously, the answer is often dependent on the specific facts of each case.
Data protection laws allow a data subject to claim damages if they have suffered a loss. The important question is who they should claim from. The two important distinctions to make are between the employer and the employee whose actions caused the loss, and between the controller and the processor of the data.
Vicarious liability for damages suffered by data subjects
Vicarious liability is a common law concept: it means that the employer is held strictly liable for acts committed by the employee. In the context of data protection, it means the employer will be held liable for damages suffered by the data subject which were caused by a wrongful act of an employee.
The employer can be held liable for the breach by the employee.
Data protection laws do not expressly mention that the employer is liable, but it can be inferred. When a data subject suffers a loss they can take civil action against the controller (and in some cases the processor). The controller is the body or natural person who determines the purpose for which the data is processed. A processor means a person or body which processes personal data on behalf of the controller. Although either can be a natural person, it is more likely that the employer, an organisation, will be the controller or the processor. This means that if an employee does anything which breaches data protection law, the data subject who suffers loss can pursue legal action against the employer and not the employee who caused the breach.
This is the case in both the GDPR and POPIA. If you’re interested you can read more about the employers’ statutory vicarious liability in terms of the Protection of Personal Information Act.
Data protection law provides for defences which the controller can use to escape liability. The defences do not, however, remove vicarious liability. If the controller or processor can prove that they were not in any way responsible for the breach, they will not be liable. The law does not say that this mitigates the liability of the specific person responsible; rather, it removes the liability of the controller or processor.
Is the controller or processor responsible for damages suffered by data subjects?
In general, the controller (or responsible party) is liable to the data subject and can be held liable for the actions of its processors.
The GDPR mentions both the controller and the processor in Article 82 which deals with liability and compensation. This means that the data subject can claim from either. The article also explains when the controller is responsible and when the processor is responsible. The controller will be responsible if the damage was caused by processing that infringes the GDPR as a whole.
The processor will only be liable if it has not complied with the obligations of the GDPR which are specifically directed towards processors, or it has not complied with a lawful instruction from the controller. These instructions from the controller are often contained in a data processing agreement.
However, where POPIA sets out the circumstances in which a data subject can bring a civil claim against the controller (aka responsible party) for damages, the section only mentions the controller. There is no mention of the processor (aka operator) in this section. It can therefore be assumed that, under POPIA, civil claims can only be made against the controller and not the processor.
Who should the data subject be taking legal action against?
A data subject who is looking to recover damages from somebody has a choice of whom to institute action against. These are the possible people they could take action against:
- Controller
- Controller employee
- Processor
- Processor employee
A data subject could take action against the controller for the damages that the controller has caused either through the common law or through data protection law. They could also take action against the controller by holding them vicariously liable for the damages caused by one of their employees either through the common law or through data protection law. In some cases, they could also take action against the controller for damages caused by their processor.
A data subject could take action against the controller employee through the common law but they can’t take action against the employee through data protection law. A data subject can only hold the controller liable through data protection law.
In some cases, the data subject can take action against the processor but only where the processor has breached their specific obligations under law or they have not complied with a lawful instruction from the controller.
A data subject can’t take action against a processor employee through data protection law but they might be able to take action against them in terms of the common law.