Liability queries raised by new data protection laws

The new data security and protection regulations being introduced by the EU could cause debate over the potential liability for any breaches in data.

A document written by the Council of Ministers, which has been leaked, suggests that initial agreement has been reached on some areas of the regulations. Work is still ongoing on the actual wording of the new regulations and is expected to be completed before the end of the year. One area in which an initial agreement has been reached is that of compensation rights and liability for the breaches of the new laws.

The initial proposals suggest that compensation could be claimed from either the data processor or the data controller if the subject has suffered either immaterial or material damage due to a breach of the laws. Data controllers that do not process the data in line with the regulations are responsible for any damage that occurs as a result, with processors only liable in certain circumstances. It is believed that there will be some exceptions to the issue of liability for both the processors and controllers.

The provisions so far are for instances where there has been more than one processor or controller and the data has been shared. These proposals would mean that a single processor or controller could be held responsible for breaches; however, they could then make a claim from others they have worked with.

Experts in data security and data protection have said that this could lead to debates on the level of liability for each partner in the process.