I. Introduction
The nature and primary function of civil liability,Footnote 1 as well as its role as a private enforcement mechanism, have long been debated.Footnote 2 However, the emergence of EU digital regulation – amid the growing relevance of the digital sphere in contemporary societies – has reframed those debates. Recent scholarship has increasingly examined the compliance-policing effects of civil liability under these new regulatory regimes.Footnote 3 Far less attention has been paid to its further governance effects, namely to how the very structure of compensation claims contributes to the specification of regulatory duties and the allocation of regulatory risks.
This article argues that, in fundamental-rights-based regimes characterised by decentralised enforcement – such as EU digital regulationFootnote 4 – compensation claims do more than enforce regulatory duties. It is precisely through, rather than beyond, the conditions of civil liability, namely damage, unlawfulness and a causal link between them,Footnote 5 that such claims generate governance effects for the regulatory framework as a whole, extending beyond compliance-policing.Footnote 6 They do so by specifying the content of regulatory duties and by shaping the allocation of regulatory risks among market actors.Footnote 7 This does not, however, imply that civil liability is primarily a regulatory instrument,Footnote 8 nor that such governance effects are necessarily desirable. On the contrary, the structural role of compensation claims carries significant risks. This article therefore examines how the governance effects of civil liability arise within EU digital regulation and situates them within their broader regulatory context.
The article proceeds as follows: Section II reconstructs the shared premise underlying enforcement-based and compensation-centred accounts of civil liability. Section III moves beyond that premise by introducing the concept of “regulation in the making” and explaining why EU digital regulation provides a particularly salient example. Section IV demonstrates how compensation claims specify regulatory duties and allocate regulatory risks through the conditions of liability: damage, unlawfulness and a causal link between them. Section V addresses the pertinent risks associated with these governance effects. Section VI summarises the argument and reflects on the advantages of the “private law grammar” for analysing the governance effects of enforcement practice.
II. From enforcement and compensation to governance effects
The relationship between civil liability and regulation has long been examined, whether in Micklitz’s concept of regulatory private law,Footnote 9 Collins’s theory of contract as regulationFootnote 10 or Wagner’s emphasis on the behavioural effects of tort law on market actors.Footnote 11 More recent contributions focus specifically on the interaction between EU digital regulation and civil liability. This is particularly evident in data protection law, notably in the debate surrounding Article 82 of the General Data Protection Regulation (GDPR),Footnote 12 and, to a lesser extent, in online platform regulation, including discussions concerning actions for damages under Article 54 of the Digital Services Act (DSA).Footnote 13 Increasing attention has likewise been paid to civil liability in competition law, particularly since the right to compensation resulting from infringements of Articles 101–102 TFEU is now codified in Article 3(1) of the Damages Directive.Footnote 14 It is therefore unsurprising that the Digital Markets Act (DMA),Footnote 15 although it does not contain an explicit framework for private enforcement, despite proposals to that effect,Footnote 16 has been analysed from the perspective of compensatory claims as a mechanism of private enforcement.Footnote 17 This strand of scholarship – emphasising private enforcement through civil liability – will be referred to here as the enforcement-based account of civil liability.
The growing emphasis on the instrumental role of civil liability in relation to public law (and, by extension, regulatory regimes) remains controversial. It may be regarded as challenging the intrinsic orientation of private law. Attributing public functions to civil liability risks moving towards a statist conception of market ordering.Footnote 18 Similarly, theories that conceive civil liability primarily as a mechanism for shaping market behaviour have been criticised for obscuring what is frequently considered its central function: the compensation of damage, with other effects remaining secondary or merely auxiliary.Footnote 19 This perspective will be referred to here as the compensation-centred account of civil liability.
Nevertheless, both positions rest on a shared premise. The enforcement-based account conceives civil liability primarily as an ex post mechanism for policing compliance with predetermined regulatory duties. On this view, the relevant regulatory instrument defines the content of those duties and civil liability merely ensures their observance.Footnote 20 The compensation-centred account, by contrast, regards redress as civil liability’s primary aim. Even this approach, however, often presupposes that regulatory duties are predetermined, with the function of civil liability confined to compensating damage resulting from their breach.Footnote 21 Both accounts therefore assume that the content of regulatory duties is derivative of pre-existing rules: civil liability either enforces those duties or compensates for damage resulting from their infringement.Footnote 22
This shared premise is, however, open to reconsideration. There is no need to reject the compensatory function of civil liability, to endorse a purely enforcement-based account, or to claim that enforcement practice based on actions for damages replaces legislation or that regulation is inherently indeterminate. Rather, the argument is that regulatory instruments, particularly in fundamental-rights-based regimes characterised by decentralised enforcement, provide a framework within which the content of duties is progressively specified through enforcement practice (“regulation in the making”).Footnote 23
III. EU digital regulation and regulatory theory
1. Regulation by enforcement, responsive regulation and experimentalist governance
Unlike the enforcement-based and compensation-centred accounts analysed in the preceding section, regulatory theory proceeds from the premise that regulatory duties cannot be exhaustively predetermined at the moment of enactment. This premise has been most systematically developed in the literature on regulatory governance, notably in discussions of regulation by enforcement, responsive regulation and experimentalist governance.
Developed primarily in the US literature, the concept of “regulation by enforcement” explains how regulatory agencies rely on administrative adjudication, litigation in federal courts or informal settlement negotiations to engage in gap-filling and incremental rule articulation.Footnote 24 Through adjudication, agencies reduce regulatory errors, respond to unforeseen situations or emergencies and signal how regulatory standards will be applied in practice.Footnote 25 At the same time, regulation by enforcement has raised concerns regarding informational limits, case-specific policymaking and broader questions of fairness and legitimacy.Footnote 26
Responsive regulation, on the other hand, advances a broader model of governance centred on the conditions that trigger regulatory intervention and the forms that such intervention may take. Regulation is conceived as adaptive to industry structure, actor motivations and patterns of conduct. Regulatory authority is not confined to public actors; public policy may also be mediated through public interest groups, unregulated competitors, or even regulated firms themselves.Footnote 27 In such a model, private disputes cannot be understood as merely bilateral. They are often embedded in organisational structures and may carry implications that extend beyond the immediate parties, even where legal reasoning simplifies them into doctrinal categories for adjudicative purposes.Footnote 28
Experimentalist governance, developed in the context of EU law, adds a further dimension. It structures regulation around four core elements: the joint establishment of regulatory goals by Member States and EU institutions; the delegation of discretion to lower-level units to pursue those goals; regular reporting and monitoring of performance; and the periodic revision of goals, metrics and procedures in light of (enforcement) experience.Footnote 29 Courts in this framework may generate enforcement innovation, although they may also disrupt coordinated public enforcement where private litigation diverges from collective problem-solving strategies.Footnote 30 All this depends largely on the institutional capacity of civil courts to engage in problem-solving approaches rather than merely performing the traditional function of awarding compensation.Footnote 31
Despite their differences, all three approaches share a central premise: regulatory duties are further specified in enforcement practice. This presupposes a degree of regulatory indeterminacy: whether in the criticised enforcement discretion exercised by agencies through adjudication (regulation by enforcement); in adaptive responses to new market phenomena and in the recognition that private disputes carry systemic consequences, even where doctrinal reasoning reduces them to bilateral categories for adjudicative purposes (responsive regulation); or, in the context of compensation claims, in the discretion exercised by civil courts in pursuing regulatory goals, potentially generating enforcement innovation (experimentalist governance). “Regulation in the making” captures this shared commitment of regulatory theory: that is, the progressive specification of regulatory duties through enforcement practice.Footnote 32
2. EU digital regulation as regulation-in-the-making
EU digital regulation provides a particularly compelling example of regulation in the making for several reasons. First, recent regulatory instruments such as the GDPR, the DSA and the DMA introduce fully harmonised regulatory duties across the European Union.Footnote 33 At the same time, many of these duties are embedded in a fundamental-rights-based regulatory architecture.Footnote 34 The coexistence of fully harmonised duties and their grounding in fundamental rights invites their further specification, particularly through the Court of Justice.Footnote 35
Secondly, although EU digital regulation frequently takes the form of regulations rather than directives and is therefore directly applicable across the Member States,Footnote 36 enforcement remains, with exceptions such as the regime applicable to Very Large Online Platforms (VLOP) and Very Large Online Search Engines (VLOSE) under the DSA or gatekeepers under the DMA, embedded in national institutional contexts.Footnote 37 This means that, notwithstanding fully harmonised duties, national institutional particularities are likely to influence enforcement practice, if not render it path-dependent.
Thirdly, EU digital regulation has been adopted in the context of rapidly evolving technologies and business models: in other words, under conditions of law-fact uncertainty.Footnote 38 In such a setting, what regulation delivers on the ground will often depend on how duties are enforced under conditions different from those prevailing at enactment.Footnote 39
Finally, EU digital regulation operates within a politically sensitive environment shaped by global trade tensions, strategic economic policy and questions of technological sovereignty.Footnote 40 The direction and intensity of enforcement, in particular public enforcement, therefore depend not only on legislative design but also on institutional will and political prioritisation.
The combination of fully harmonised regulatory duties, a rights-based regulatory framework, decentralised enforcement architecture, law-fact uncertainty and a politically sensitive environment demonstrates why EU digital regulation provides a salient illustration of regulation in the making. In such a context, the effects of compensation claims pursued on the basis of these regulatory instruments cannot be reduced either to compliance-policing, as suggested by the enforcement-based account, or to the compensatory function emphasised by the compensation-centred account of civil liability. The shared premise underlying both accounts does not adequately capture the structural features of EU digital regulation, nor does it fully explain the role of civil liability therein. It is rather the concept of regulation in the making that provides the appropriate analytical background for understanding the further governance effects of civil liability. Effects which, as the following section demonstrates, extend beyond compliance-policing to the specification of regulatory duties and the allocation of regulatory risks.
IV. Reflexive interaction between compensation claims and regulatory duties
The governance effects of civil liability are intrinsically linked to the very structure of the compensatory claim. This section examines the three core elements of traditional civil liability doctrine: damage (and compensation), unlawfulness and causation. It analyses how each element operates within regulatory contexts, drawing on examples from data protection, online platform regulation and competition law. In doing so, it demonstrates how civil liability contributes to the progressive specification of regulatory duties in enforcement practice and, conversely, how those regulatory duties shape the internal structure of the liability conditions themselves.
1. Damage: normative construction of protected interests
a. Normative damage
Although national civil codes and EU regulatory instruments typically refrain from defining damage,Footnote 41 it may be understood, in general terms, as a negative modification of the injured party’s legally protected sphere.Footnote 42 Such a formulation implies that damage is not defined in the abstract, but in light of the concrete case and the protected interests at stake.Footnote 43
Where damage is defined by reference to the legally protected sphere, that sphere depends on what the applicable legal framework, including regulatory instruments, prescribes.Footnote 44 A regulatory duty may therefore provide the normative basis for recognising damage in a particular case.Footnote 45 Conversely, the ex post recognition of a negative modification of the injured party’s interests may shape the understanding of what counts as legally protected under the applicable regulatory regime. In this way, the recognition of damage may contribute to the further specification of the regulatory duty upon which that protected interest rests.Footnote 46
Under the GDPR, the evolving concept of damage becomes particularly visible in cases involving non-material damage arising from data protection infringements. Such damage has, so far, been further specified through concepts provided by the GDPR, such as identity theft,Footnote 47 reputational harm,Footnote 48 or fear of loss of control over personal data – even where the consequences are not fully ascertainable at the moment of the wrongful act. In particular, the fear of loss of control has been reconstructed as compensable damage in light of the regulatory objectives of the GDPRFootnote 49 and on the premise that, irrespective of its seriousness, each proven impairment must be compensated in accordance with those objectives.Footnote 50 A similar reliance on regulatory objectives is evident where the Court of Justice has made clear that distinctions between physical injury and non-material damage are incompatible with the objectives of the GDPR, which require that all damage be fully and effectively compensated.Footnote 51
A different configuration emerges in national case law under the DSA. The German Regional Court of Berlin (Landgericht Berlin) considered a case in which a non-governmental organisation sought access to information pursuant to Article 40(12) DSA from a platform designated as a VLOP.Footnote 52 The refusal of the VLOP to provide the requested access to information occurred shortly before federal and European Parliament elections. In order to establish jurisdiction under Article 7(2) of the Brussels Ia Regulation, the court relied on Article 54 DSA and recognised that the failure to provide regulatory access to information could constitute damage. Crucially, the absence of a prima facie quantifiable economic loss did not preclude recognition of damage suffered by the recipients of the service – in this case, a group of researchers.Footnote 53
The concept of damage under Article 82 GDPR, as well as under Article 54 DSA, demonstrates how regulatory duties of data controllers or processors, including compliance measures designed to prevent such non-material damage, and of VLOPs, such as the obligation to provide access to information, are further specified by reference to the concepts employed in the respective regulatory instruments. In determining what counts as damage, courts delineate the scope of the legally protected sphere. In this sense, the concept of damage under EU digital regulation may be described as “normative damage”:Footnote 54 it does not merely consist in a factual negative modification of an interest; rather, it is defined through the regulatory objectives that structure the protected interest.Footnote 55
The governance effects in the form of regulatory specification via the concept of damage depend on their transferability – for instance through repeated case law. This is particularly likely in the context of the case law of the Court of Justice, especially since damage under the GDPR has been recognised as an autonomous concept of EU law and reaffirmed in subsequent decisions.Footnote 56
Recent developments in national case law nevertheless point to a different approach. The case law of the German Federal Court of Justice (BGH), subsequently followed by lower courts, can be interpreted as an expansive reading of the Court’s case law on the autonomous concept of damage, adopted without seeking further guidance through a preliminary reference.Footnote 57 Whereas the Court of Justice requires proof of damage,Footnote 58 the BGH has considered a proven loss of control over personal data sufficient in itself to constitute damage, without requiring additional proof of non-material damage such as fear or distress.Footnote 59 The BGH’s approach both extends and follows the Court’s reasoning. It extends it insofar as the mere loss of control was not the direct subject of the cases decided by the Court of Justice. At the same time, the approach draws support from the Court’s obiter dicta.Footnote 60 Even where the Court’s case law is not straightforwardly transferable to national courts, as illustrated by the BGH judgment, the development reflects the normative character of damage under the GDPR: the loss of control over personal data is treated by national courts as damage in itself, even in the absence of any further identifiable “factual” or “natural” damage.Footnote 61
Whether similar developments will emerge under Article 54 DSA remains uncertain. The wording of the provision – which refers not only to Union law but also to national law and has been described in the literature as an “imperfect liability rule”Footnote 62 – may open the door to diverging interpretations. This possibility is reinforced by the manner in which the Regional Court of Berlin has interpreted the concept of compensation in its recent case law.
b. Compensating normative damage
The concept of normative damage is mirrored in the concept of compensation, particularly where compensation responds to damage that is normatively defined through the regulatory framework.Footnote 63 Whereas compensation-centred accounts of civil liability typically frame compensation in interpersonal terms, within regulatory contexts it cannot be reduced to a purely bilateral corrective mechanism.Footnote 64 From this perspective, compensation is not detached from the regulatory framework that defines the protected interest. Rather, it is shaped by the regulatory objectives underlying the duty whose breach gave rise to liability. Compensation therefore reflects not only the factual damage suffered but also the normative structure of the legally protected interest.
The reliance on the concept of normative damage to determine the appropriate form of compensation does not automatically transform compensation into a deterrence-based instrument in a strong incentive-oriented sense.Footnote 65 In the context of the GDPR, the Court of Justice has clearly emphasised that the calculation of compensation cannot be based on criteria applicable to administrative fines, since compensation remains, by definition, compensatory.Footnote 66 A similar exclusion of a punitive character can be observed in competition law in the context of the Damages Directive, which applies, inter alia, to infringements of Article 102 TFEU and may, as some commentators argue, also become relevant in the context of the DMA.Footnote 67 The Damages Directive expressly rejects overcompensation and punitive damages,Footnote 68 even where the Court of Justice’s case law has not entirely been uniform on this point.Footnote 69 The concept of compensation therefore remains grounded in corrective justice, albeit within a regulatory framework that informs what constitutes full and effective compensation.
The case law further illustrates what it means for compensation to be “full and effective.” The Court has clarified that the assessment of what constitutes full and effective compensation is largely left to national courts, subject to the principles of effectiveness and equivalence.Footnote 70 For example, in the context of data protection infringements, it has indicated that non-pecuniary remedies, such as an apology, may satisfy this requirement.Footnote 71 Similarly instructive is the reasoning of the Regional Court of Berlin, which, without explicitly grounding its analysis in the regulatory objectives of the DSA, stated that natural restitution (namely, the belated provision of access to information) may constitute full and effective compensation.Footnote 72
The form of compensation remains closely connected to the regulatory framework within which the damage is defined. In this respect, case law may generate a distinct governance effect relating to what counts as “full and effective” compensation. Whereas the concept of damage contributes to specifying the content of regulatory duties, the concept of compensation – in particular with regard to its effectiveness – affects the allocation of regulatory risks through the form and extent of redress. It makes a difference whether apologies or belated provision of information suffice as full and effective compensation, or whether a pecuniary award – and, if so, in what amount – is required.
2. Unlawfulness as specification of regulatory duties
The specification of regulatory duties takes place in particular through the determination of unlawfulness.Footnote 73 In regulatory contexts, it is typically established through non-compliance with a prescribed regulatory duty. The assessment of unlawfulness therefore requires the reconstruction of that duty to articulate the applicable standard of conduct. In doing so, adjudication simultaneously clarifies the corresponding right of the injured party that the duty is designed to protect.Footnote 74
In certain legal systems the requirement of fault or negligence constitutes an additional and independent condition of liability, whereas under EU law fault is structurally integrated into the concept of unlawfulness.Footnote 75 In this respect, the Court of Justice has clarified that civil liability under the GDPR is formally fault-based, yet is accompanied by a reversal of the burden of proof: the data controller or processor must demonstrate that it is not in any way responsible for the event giving rise to the damage.Footnote 76 Although this does not amount to strict liability in a formal sense,Footnote 77 the broad formulation (“not in any way responsible”) means that, once a regulatory duty has been breached, unlawfulness will typically be established unless the defendant successfully proves that it bears no responsibility for the infringement at all.Footnote 78
The type of liability under a regulatory regime may itself result in distinct governance effects. By shifting the burden of proof,Footnote 79 the defendant is given the opportunity to demonstrate compliance, and this may shape how courts further specify regulatory duties. The choice between fault-based and strict liability reallocates risk, in particular where the defendant is afforded the opportunity to demonstrate that it is not in any way responsible for the infringement, whereas under strict liability the defendant’s standard of conduct is not decisive.
The determination of unlawfulness provides further specification of regulatory duties. Under data protection law, in assessing whether a data controller acted lawfully, the Court of Justice has meticulously examined whether appropriate technical and organisational measures were implemented in the processing of personal data.Footnote 80 The Court has also clarified the obligations of persons acting under the authority of the controller. Such persons may process personal data only on instructions from the controller, unless required to do so by Union or Member State law. The Court has emphasised that failure on the part of a person acting under the authority of the controller does not automatically exempt the controller from liability.Footnote 81 Likewise, in situations involving cybercriminal conduct or external attacks, the question arises under which conditions such events interrupt responsibility or fall within the controller’s sphere of risk. The assessment cannot rely solely on the views of supervisory authorities but requires judicial determination of compliance with the regulatory framework.Footnote 82 More recently, the Court has further specified the right of access under Article 15 GDPR in the context of a preliminary reference addressing damage arising from an infringement of that right.Footnote 83 National case law likewise reveals instances in which regulatory duties have been further specified, particularly with regard to the requirements of data protection by design and by default, often with explicit reference to the regulatory objectives underlying those duties.Footnote 84
Under the DSA, in proceedings before the Regional Court in Berlin, the court determined what a VLOP was required to provide under Article 40(12) DSA, namely access to information for a group of researchers.Footnote 85 This required clarification of the content and scope of the platform’s regulatory obligations. Notably, the court also assessed the claimant’s conduct in facilitating compliance. The determination of unlawfulness thus depended on reconstructing a standard of regulatory behaviour applicable to both parties. The case therefore illustrates that the specification of regulatory duties may involve relational standards of cooperation, rather than being confined to unilateral obligations of the defendant.Footnote 86
Such developments – namely, the further specification of the required standard of conduct in order to establish unlawfulness – are not unique to EU digital regulation. Comparable dynamics have long been observable in product liability. National courts have interpreted the legislative framework in order to define the threshold of defectiveness and the corresponding standard of safety expected from producers, in some instances articulating a more demanding standard of care than that explicitly prescribed by product safety legislation.Footnote 87 For example, the Austrian Supreme Court developed a judicial threshold of product safety that was not expressly specified in the statutory framework. This is particularly evident in the doctrine of post-market monitoring duties (Produktbeobachtungspflicht),Footnote 88 which entails an obligation to monitor products after they have been placed on the market and, where risks become identifiable, to provide appropriate warnings.Footnote 89 Similarly, regulatory authorisation (e.g., pharmaceutical approval of a medicinal product) does not automatically preclude liability where the accompanying instructions for use prove inadequate.Footnote 90
A broader question therefore arises: do courts merely apply the regulatory instrument as enacted, or do they articulate a standard of care specific to the assessment of civil liability? Put differently, may conduct that is formally permissible under public regulation nevertheless give rise to a right to damages? One possible view is that private law develops standards of conduct that are distinct from and may in practice exceed those provided in public regulation.Footnote 91 Another, more systemic, view is that private law adjudication further specifies the regulatory duties themselves. Although it is true that the determination of unlawfulness is principally grounded in the regulatory framework,Footnote 92 judicial determinations of unlawfulness (particularly where they extend beyond the literal wording of the regulatory provision) may further specify the regulatory duty and thereby influence the regulatory regime as a whole. On this account, civil adjudication does not create a parallel standard, but specifies the content of the regulatory duty itself, and thereby produces the corresponding governance effects beyond compliance-policing.
3. Causation as attribution of regulatory risk
Causation constitutes the third structural element of civil liability. Whereas damage and unlawfulness concern the scope and content of the regulatory duty, causation determines to whom and under what conditions responsibility for regulatory breaches is attributed.Footnote 93
Under data protection law, and in line with the general principles of liability under EU law,Footnote 94 it is firmly established that a causal link must be demonstrated between the damage and the infringement. However, to date, the Court of Justice has not comprehensively developed a doctrine of causation.Footnote 95 The GDPR nevertheless provides for a specific rule of attribution in multi-actor settings, namely the joint liability of controllers and processors (Article 82(4) GDPR). This reflects a legislative choice to facilitate attribution in complex data-processing structures to shift compliance burdens towards those actors better positioned to manage data risks. However, it does not eliminate the need to establish causation in the first place.Footnote 96 Rather, once the conditions of liability are met, it simplifies the claimant’s position by allowing recovery from any responsible actor.Footnote 97 Under the DSA, Article 54 likewise contains no specific rules on causation and, unlike the GDPR, does not regulate joint liability among providers of intermediary services. Responsibility for attribution therefore falls primarily within national law.Footnote 98
The analysis of causation becomes considerably more complex in the context of the DMA and competition law. Although the Damages Directive does not, in principle, apply to the DMA,Footnote 99 the latter appears to follow a competition law logic.Footnote 100 For this reason, it is justified to consider competition law as a reference point. In competition law, the Court of Justice established in Manfredi the requirement of a causal link between the infringement and the damage. At the same time, it left the detailed regulation of causation largely to national law, subject to the principles of effectiveness and equivalence.Footnote 101 With the introduction of the Damages Directive, adopted in response to the limited practical effectiveness of compensation claims in competition law, no comprehensive doctrine of causation was introduced.Footnote 102 However, the Directive contains several structural mechanisms designed to facilitate proof.Footnote 103 These include the right to disclosure of relevant evidence from defendants or third parties, as well as access to evidence contained in the files of competition authorities. Moreover, the Directive introduces a rebuttable presumption that cartel infringements cause harm.Footnote 104 Recent case law on the Damages Directive has, however, further clarified the distinction between evidentiary facilitation and the substantive requirement of proving a causal link. In particular, it has emphasised the plausibility threshold required for the disclosure of evidence, sharply distinguishing it from the requirement of establishing causation.Footnote 105
More generally, causation is not merely a technical requirement linking unlawful conduct and damage. Considered in isolation, it may not specify regulatory duties in the same direct manner as damage or unlawfulness. Nevertheless, whether in the context of controllers and processors, online platforms or gatekeepers, the requirement of causation determines to which regulated entities an infringement will be attributed and who will ultimately bear the consequences of regulatory breaches.
Causation produces governance effects by distributing regulatory risks among market actors. This allocation of risk constitutes the central governance effect of causation. In the absence of specific EU rules in this respect, and subject to the principles of effectiveness and equivalence, these effects are most likely to manifest themselves at the national level – unless and until the Court of Justice engages more directly with questions of causation.
V. The pertinent risks
The preceding analysis has not sought to displace the compensatory function of civil liability or to advocate civil liability as a standalone regulatory instrument. Nor does it deny that civil liability may, in certain contexts, contribute to the enforcement of predetermined regulatory duties. The argument advanced here is structural: it concerns how private law operates within regulatory frameworks and how civil liability participates in shaping rights-based regulatory regimes. Recognising these governance effects, however, requires equal attention to the structural risks of compensation claims.
To begin with, civil adjudication proceeds through case-based reasoning. Courts decide concrete disputes between specific parties, and the specification of regulatory duties emerges incrementally. In legal systems lacking a strong doctrine of precedent, such developments may remain granular and episodic. Interpretative advances may vary across jurisdictions and over time, raising concerns about fragmentation and the absence of coordinated specification of regulatory duties. Governance effects may therefore remain uneven rather than systematic.Footnote 106
Civil proceedings also operate under informational constraints, not only due to increasing technological complexity and the resulting law-fact uncertainty,Footnote 107 but also because courts depend on party presentation and lack the investigative powers typically available to regulatory authorities. Even where disclosure mechanisms exist, as under the Damages Directive, they remain embedded in adversarial procedure: it is for the parties to request, present and substantiate evidence, and the burden of proving damage and causation does not shift to the court. In complex digital markets characterised by significant informational asymmetries, the specification of regulatory duties through private litigation may therefore occur without access to the broader technical and market-wide knowledge available to public enforcers.Footnote 108
A further concern relates to institutional allocation of authority and democratic legitimacy. The articulation of regulatory duties is conventionally understood as the task of the legislator or, where delegated, of regulatory authorities. When civil courts interpret and specify regulatory standards in private disputes, they inevitably participate in shaping their normative content. Although such interpretative activity is intrinsic to adjudication, the governance effects of private litigation may raise questions about the appropriate balance between legislative design and judicial specification of regulatory duties.Footnote 109
Finally, the shape of governance effects depends on who brings damages claims and under what conditions. The justice system is not equally accessible to all affected actors. Litigation costs, informational asymmetries and structural power imbalances may limit the capacity of individuals to pursue claims against major market participants, particularly VLOPs under the DSA and gatekeepers under the DMA. At the same time, well-resourced actors may strategically employ private litigation to advance particular interpretations of regulatory duties.Footnote 110 Enforcement may therefore become selective and asymmetrical, generating compliance pressures that are not necessarily aligned with broader regulatory coordination, as the Google Fonts case illustrates.Footnote 111 Collective redress mechanisms may mitigate some of these concerns, yet their effectiveness remains uncertain, particularly as they are often limited under EU law to consumer claims and not specifically designed to enforce compensation claims.Footnote 112
The risks analysed above do not negate the governance effects of civil liability identified in the preceding sections. Rather, they show that these effects are contingent upon a range of institutional and structural conditions. The paper has thus far advanced only a limited claim: that the governance effects of compensation claims should be considered by legislators and regulatory authorities – particularly when assessing the systemic consequences of policy choices, including impact assessments, the articulation of regulatory objectives and the design of enforcement architecture.
VI. Conclusions
Civil liability in the context of regulatory regimes cannot be reduced to either extreme – neither a pure enforcement mechanism nor a purely interpersonal corrective device. Governance effects beyond compliance-policing emerge from the reflexive interaction between the very structure of compensation claims and the regulatory framework.
The analysis demonstrates that each of the conditions of civil liability carries distinct governance effects. The concept of damage cannot be reduced to a negative modification of a predetermined legally protected interest. Instead, by recognising specific interests as legally protected in light of regulatory objectives, it provides the normative basis for specifying the content of regulatory duties. The concept of compensation, albeit intrinsically linked to that of damage, yields a distinct governance effect. Beyond the mere remedying of individual harm, the manner in which its “full and effective” character is defined affects the allocation of regulatory risk through both the form and the extent of redress. The specification of regulatory duties manifests itself, above all, in the determination of unlawfulness. Unlawfulness requires a reconstruction of the applicable duty to define the relevant standard of conduct, simultaneously clarifying the corresponding rights of the injured party. Finally, the condition of causation goes beyond the mere technical requirement of linking unlawful conduct to damage. Although it may not specify regulatory duties as directly as damage or unlawfulness, it determines which regulated entities must ultimately bear the consequences of regulatory breaches. Consequently, causation influences the allocation of regulatory risk.
The grammar of private law brings more to the regulatory landscape than is often acknowledged.Footnote 113 Concepts such as regulation by enforcement and responsive regulation resonate with the structural features of private law adjudication, which inherently involves contextual specification and principled balancing. Even experimentalist approaches, which emphasise the periodic revision of goals, metrics and procedures in light of enforcement experience, are not conceptually incompatible with private law’s capacity to refine standards through case-based development.
This is particularly significant in the context of EU digital regulation, for the reasons analysed above. The issue is not only enforcement or compensation for regulatory breaches, but also the formation of compliance standards. Recognising the governance effects of civil liability does not transform it into public regulation, nor does it dissolve into pure instrumentalism. Rather, pursuing compensation claims allows for mediation between the abstraction of regulatory instruments, the bird’s-eye perspective of public enforcement authorities and attention to the individual litigant. In doing so, civil liability contributes to the ongoing (re)construction of regulatory regimes in digital markets: regulation in the making.
Acknowledgments
The author would like to thank the participants of the ETL Lecture Series at the Institute for European Tort Law (Vienna, Austria) for their comments and the engaging discussion following the presentation of an earlier version of this article on 27 February 2026. The author is also grateful to Prof. Bernhard Koch (University of Innsbruck) for his helpful feedback on an earlier version of this article, offered during the author’s research stay at the Institute of Civil Law, University of Innsbruck, undertaken as part of a re:constitution Fellowship in March 2026.
Competing interests
The author has no conflicts of interest to declare.