UK GDPR: Remedies, Liability and Compensation
Remedies, Liability and Compensation [Art 77-82]
Rule: Data subjects have multiple routes to enforce their rights: complaints to ICO, judicial remedies against controllers/processors, and compensation for damages.
Article 77: Right to Lodge Complaint with ICO
Every data subject has the right to lodge a complaint with the ICO if they believe their data has been processed unlawfully.
| Aspect | Detail |
|---|---|
| Who can complain | Any data subject |
| Against whom | Controller or processor |
| Grounds | Belief that processing infringes UK GDPR |
| Where to complain | ICO (Information Commissioner’s Office) |
| No fee | Free to lodge complaint |
| No prerequisites | Need not exhaust other remedies first |
How to Complain to ICO
- Online: ICO website complaint form
- Phone: ICO helpline 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
ICO Response
ICO must:
- Inform complainant of progress and outcome
- Explain outcome of investigation
- Inform of right to judicial remedy (Art 78)
Timeframe: ICO aims to respond within 3 months (complex cases may take longer).
Article 78: Right to Judicial Remedy Against ICO
Data subject has the right to a judicial remedy where:
- ICO fails to handle the complaint
- ICO does not inform the complainant of progress or outcome within 3 months (Art 78(2))
- ICO takes a legally binding decision concerning the data subject (Art 78(1))
Forum: judicial review in the High Court (Administrative Court). Judicial review tests the lawfulness of the ICO's decision, not its merits, so mere disagreement with the outcome of a complaint is not in itself a ground. Separately, DPA 2018 s.166 lets a data subject apply to the First-tier Tribunal for an order requiring the Commissioner to take appropriate steps to respond to a complaint that has not been progressed.
Independent of Art 79: Can pursue both ICO complaint AND direct court action against controller.
Article 79: Right to Judicial Remedy Against Controller/Processor
Every data subject has the right to an effective judicial remedy against controller or processor.
Grounds for Court Action
| Situation | Data Subject Can Sue |
|---|---|
| Controller processes data unlawfully | Yes |
| Controller violates any UK GDPR provision | Yes |
| Controller refuses data subject rights request | Yes |
| Processor processes outside controller instructions | Yes (against processor) |
| No need to prove damage | Can seek injunction even without financial loss |
Available Remedies
| Remedy | Purpose |
|---|---|
| Injunction | Stop unlawful processing |
| Specific performance | Force controller to comply (e.g., provide access) |
| Declaration | Court confirms rights were violated |
| Compensation | Damages for material or non-material harm (Art 82) |
Which Court?
| Type of Claim | Court |
|---|---|
| Claims up to £10,000 | County Court (normally allocated to the small claims track) |
| Claims over £10,000 | County Court (fast, intermediate or multi-track) or High Court |
| Urgent injunctions | High Court |
Jurisdiction: DPA 2018 s.180 confers jurisdiction on the County Court or High Court in England, Wales and Northern Ireland, and on the sheriff or Court of Session in Scotland. The EU GDPR's Art 79(2) rule (sue in the Member State of the controller's establishment or of the data subject's habitual residence) was not carried into the UK GDPR.
Article 80: Representation by Organisations
Data subjects may mandate not-for-profit bodies to:
- Lodge complaints to ICO on their behalf
- Exercise rights to judicial remedy (Arts 78-79)
- Claim compensation (if mandated by data subject)
Eligible Organisations
Must be:
- Not-for-profit
- Properly constituted under UK law
- Statutory objectives in the public interest
- Active in data protection
Examples: Privacy International, Open Rights Group, Big Brother Watch
Collective Actions
UK allows (Art 80(1)): representative action by a qualifying organisation acting on the mandate of the data subject(s) it represents.
Not adopted in the UK (optional under EU GDPR Art 80(2)): an organisation suing or complaining WITHOUT an individual mandate from the affected data subjects. The government's review under DPA 2018 s.189 concluded in 2021 not to introduce it.
Article 81: Suspension of Proceedings
Under the EU GDPR, a court hearing a claim against a controller or processor may suspend or decline proceedings where related proceedings concerning the same processing are already pending in another Member State's court.
Practical relevance in the UK: none. Article 81 was omitted from the UK GDPR on exit, so it does not apply to claims in UK courts; parallel UK and EU proceedings are handled under the ordinary rules on jurisdiction and case management.
Article 82: Right to Compensation
Every person who has suffered material or non-material damage from UK GDPR infringement has right to compensation.
82.1 — Right to Compensation
| Damage Type | Compensable? | Examples |
|---|---|---|
| Material damage | Yes | Financial loss, cost of credit monitoring, therapy costs |
| Non-material damage | Yes | Distress, anxiety, loss of control over data, reputational harm |
| Mere breach (no harm) | No | Must prove some damage, even non-material |
Threshold for Compensation
UK courts: Must prove:
- UK GDPR breach by controller/processor
- Damage (material or non-material) suffered
- Causal link between breach and damage
Non-material damage standard:
- Lloyd v Google [2021] UKSC 50 (decided under DPA 1998 s.13, but applied to UK GDPR claims since): "loss of control" over data on its own, without distress or financial loss, is not compensable damage
- Claimant must show actual distress, anxiety or other harm, and prove it with evidence (witness statement, medical evidence where relied on)
- Trivial distress is not compensable: Rolfe v Veale Wasbrough Vizards [2021] EWHC 2809 (QB) struck out a claim over a single misdirected email that the recipient confirmed it had deleted, as de minimis
- Serious distress (e.g., after a health data breach) is compensable
82.2 — Controller or Processor Liability
| Party | Liable When… |
|---|---|
| Controller | Involved in processing that caused damage AND did not comply with UK GDPR obligations |
| Processor | Did not comply with UK GDPR obligations specific to processors (Art 28) OR acted outside controller instructions |
82.3 — Exemption
A controller or processor is exempt if it proves that it is not in any way responsible for the event giving rise to the damage.
Standard: the claimant does not have to prove fault. Once breach, damage and causation are shown, the burden shifts to the defendant to prove it was not responsible in any way, which in practice is a high bar (an unpreventable event entirely outside its control).
82.4 — Joint and Several Liability (Multiple Controllers/Processors)
| Scenario | Liability Rule |
|---|---|
| Multiple controllers | Each liable for entire damage (joint and several) |
| Multiple processors | Each liable for entire damage |
| Controller + processor | Joint and several liability |
Data subject can claim:
- Full amount from any one party
- Party who pays can seek contribution from others (internal matter)
82.5 — Contribution Between Parties
Controller/processor who paid full compensation may recover:
- From other controllers/processors
- Proportionate to their responsibility for damage
- Internal allocation does not affect data subject (can still claim full amount from any party)
Processor Limited Liability (Art 82.2)
Processor is liable only if:
- Failed to comply with obligations specifically directed at processors (Art 28), OR
- Acted outside or contrary to controller’s lawful instructions
NOT liable for: Controller’s breaches of Art 5 (principles), Art 6 (lawful basis), etc. — unless processor contributed to those breaches.
Enforcement by ICO vs. Private Actions
| Mechanism | Initiated By | Remedies Available | Standard of Proof |
|---|---|---|---|
| ICO enforcement | ICO or complaint | Fines, enforcement notices, stop processing | Administrative |
| Private civil action | Data subject | Compensation, injunction, declaration | Balance of probabilities |
| Criminal prosecution | ICO (or with consent of the DPP, DPA 2018 s.196) | Criminal penalties for DPA 2018 offences (e.g. s.170 unlawful obtaining of personal data, s.173 altering records to prevent disclosure); the UK GDPR itself creates no offences | Beyond reasonable doubt |
Data subjects can pursue both:
- Complaint to ICO for enforcement action
- Court claim for compensation
Time Limits for Claims
| Type of Claim | Limitation Period |
|---|---|
| Compensation claims | 6 years from date of breach (England/Wales), 5 years (Scotland) |
| Judicial review of ICO | 3 months from ICO decision |
Accrual: time normally runs from the breach, not from its discovery. Under Limitation Act 1980 s.32, where the defendant deliberately concealed the facts, the period does not start until the claimant discovered, or could with reasonable diligence have discovered, the breach.
Evidence and Burden of Proof
| Party | Must Prove |
|---|---|
| Data subject (claimant) | Breach occurred, damage suffered, causal link |
| Controller/processor (defendant) | If claiming exemption: not responsible for damage in any way |
Standard: Balance of probabilities (civil standard).
Disclosure: once proceedings are issued, standard disclosure under CPR Part 31 obliges the controller to disclose relevant documents. Before issuing, a subject access request (Art 15) is the cheap route to the controller's records about the claimant, including breach notifications and incident records that mention them.
Costs of Litigation
| Outcome | Costs Typically Awarded To… |
|---|---|
| Data subject wins | Data subject recovers costs from controller |
| Controller wins | Controller recovers costs from data subject (but courts cautious about deterring claims) |
| Small claims | Generally no costs recovery (under £10,000) |
Recent UK Case Law
| Case | Principle |
|---|---|
| Lloyd v Google [2021] UKSC 50 | No compensation for "mere loss of control" without distress or financial loss; a representative action seeking uniform damages for every affected user failed (decided under DPA 1998) |
| Rolfe v Veale Wasbrough Vizards [2021] EWHC 2809 (QB) | Claim over a single misdirected email, promptly deleted by the recipient, struck out as trivial; de minimis distress is not compensable |
| Upp v Nationwide (2022) | Data breach affecting credit rating: £17,000 compensation |
Citation
Related: ICO: How to make a complaint