Liability under EU Data Protection Law: From Directive 95/46 to the General Data Protection Regulation
This article analyses the liability exposure of organisations involved in the processing of personal data under European data protection law. It contends that the liability model of EU data protection law is in line with the Principles of European Tort Law (PETL), provided one takes into account the “strict” nature of controller liability. After analysing the liability regime of Directive 95/46, the article proceeds to highlight the main changes brought about by the General Data Protection Regulation. Throughout the article, special consideration is given to the nature of the liability exposure of controllers and processors, the burden of proof incumbent upon data subjects, as well as the defences available to both controllers and processors.
General Data Protection Regulation
Principles of European Tort Law