The inadequacy of the current remedies for violation of data subjects’ rights and how to fix it
The paper focuses on civil law remedies for violations of data subjects’ rights: claims for damages and claims for compensation of moral harm. Based on an analysis of academic literature, as well as of Russian and international case law, it is argued that, although these remedies are endorsed by the GDPR and other laws, they are inadequate and do not conform to the requirements for an “effective remedy” stipulated by major international legal documents on human rights. The main reasons are: 1) difficulties in proving the fact and the amount of a legally recognized category of damage because the typical consequences of data privacy violations (e.g. the chilling effect caused by dataveillance, negative emotional reactions, etc.) are not considered legally significant by the courts; 2) inability to prove with a substantial degree of certainty a causal link between the violation and the damage incurred because such damage occurs remotely and within complex flows of data. This produces an imbalance in the enforcement of data protection laws so that public law remedies such as administrative fines predominate. This approach is not compatible with the goals of empowering the individual and ensuring control over usage of one’s data because there cannot be effective control without an effective remedy to enforce it. In practice this leads to under enforcement of data protection laws because under-resourced data protection authorities cannot address most of the violations that pertain to data protection. A new type of remedy that would resemble the statutory damages applicable to copyright infringement in some jurisdictions should be introduced. Its punitive and decentralized nature would become an additional incentive for data controllers to invest in compliance with data protection laws. From a long-term perspective, it may facilitate including individuals in management of their personal data, without which it would be impossible to effectively address the risks brought about by massive and ubiquitous data processing and algorithmic decision-making.