Europe’s General Data Protection Regulation (GDPR) and various other data protection regulations around the world allow victims of a data breach to file claims for monetary and non-monetary damages suffered. Damages in early court decisions ranged widely, from zero to thousands of euros per case, with little discernible connection to, or explicit analysis of, what one might consider the severity of the harm imposed. Given that data breaches can often affect thousands of people at once, relatively small changes to the damages awarded per head can result in multi-million-euro payouts by the affected companies, with little insight into how the damages have been determined.
In this white paper, NERA Associate Director Dominik Hübler, Consultant Dr. Adjmal Sirak, and Research Officer Philipp Hiemann examine the precedent cases as well as the (legal and economic) academic literature on the topic. Grounded in that literature, the authors develop an approach to damages estimation that makes use of scientific methods (conjoint analysis in particular) already established in other areas of the law (e.g., merger control and intangibles valuation) to make damages valuation more transparent, consistent, and robust.
The paper sets out practical tips for ensuring the robustness of the data collection and analysis stages. It also discusses the role of the damages concept in fine proceedings under Art. 83 GDPR. In the authors’ experience, few data protection authorities assess damages when determining the size of a fine, even though the GDPR explicitly lists the damage incurred as one factor. Therefore, the authors consider whether an assessment of damages should be a factor in the administrative proceedings and/or in any court challenge to fines issued without regard to the damages incurred.