1. Introduction

Patent trolls are not a new phenomenon. They buy patents for the sole purpose of extorting and suing companies. Since patent-related litigation proceedings are complex and time-consuming, the fees for defending a patent claim in court proceedings may exceed one million U.S. dollars. Therefore, many legitimate companies (especially startups) prefer to pay the requested settlement fees instead of defending their rights. According to CNN, just within the period 1990 – 2010, patent trolls cost investors 500 billion U.S. dollars.

Patent trolls can target only a limited range of companies, namely, companies using patented inventions. For example, they cannot target a company that does not use any patented inventions and whose only online presence is a simple website containing an online contact form and information about the company. However, there is a new EU data protection law that will open the door to a new type of troll. The law is called the General Data Protection Regulation (GDPR), and trolls of this new type can be called GDPR trolls. The GDPR requires organizations collecting and processing personal data to take various organizational and technical security measures to protect such data. It applies to all organizations (including those based outside the EU) that target EU residents and/or collect personal data of EU residents.

The GDPR trolls can be divided into two categories, namely, GDPR trolls using automatic systems to detect websites that do not comply with the GDPR (see Section 2) and GDPR trolls attacking large companies (see Section 3) and hoping that those companies will agree to pay large settlement fees. These two types of trolls will be examined in more detail below.

2. GDPR trolls using automatic systems

Certainly, even after the widely advertised entry into force of the GDPR (the law became effective on 25 May 2018), many organizations located all over the world continue operating without complying with the law. GDPR trolls can use automatic scanning technologies that check whether a website has a privacy policy. If the word “privacy” cannot be found on the main page of the website, the automatic checking mechanism will refer the website to a person who is responsible for confirming the finding. Websites that lack privacy policies and collect personal data of EU residents de facto breach the GDPR, as the latter requires organizations to ensure that their processing of personal data is transparent. As a result, GDPR trolls can send cease and desist letters to the breaching organizations and request them to pay compensation to settle the case privately, without informing the relevant data protection authorities. Many organizations will prefer to pay the requested fees instead of appearing in newspaper headlines or risking fines of up to EUR 20 million or 4% of the breached organization’s annual global turnover of the previous financial year. Individuals who receive such cease and desist letters from GDPR trolls may develop the so-called legal abuse syndrome, i.e., a form of post-traumatic stress experienced as a result of legal threats.


3. GDPR trolls attacking large companies

Not long after the GDPR entered into force, various individuals and companies started suing major online giants, such as Facebook and Google. Such large companies have the incentive to quickly settle GDPR-related claims to avoid the tremendous reputational and financial impact a GDPR breach may have. Even though such businesses usually hire experienced privacy professionals who may make their best efforts to comply with the applicable laws, some provisions of the GDPR are very broad, lack further clarification by European courts, and remain open to interpretation by businesses and privacy professionals. The broad provisions can enable the GDPR trolls to find legal grounds for their claims. For example, Article 13(1) of the GDPR requires data controllers to provide the data subject with various information, including, but not limited to, “the identity and the contact details of the controller and, where applicable, of the controller’s representative”. The term “contact details” is not specified in the law. It is not clear whether it includes a physical address or an email address. It will not be surprising if companies are sanctioned with 4% of their global turnover because they interpreted the term “contact details” to include an email address, not a physical address. In this regard, it is worth mentioning that, in the past, a European court stated regarding another EU law applying to online businesses (the E-commerce directive) that e-commerce service providers should provide the recipient of their services not only with an email address, but also with other information which will allow the service provider to be contacted rapidly.

4. Conclusion

There is no doubt that the creators of the GDPR had good intentions. The law aims to give data subjects control over their personal data and simplify the data protection framework applying to international businesses. Also, there is no doubt that patents encourage the development of new inventions. However, both the GDPR and patent laws can be used by unscrupulous persons with the aim of extorting and suing companies. The GDPR does not contain clauses which prevent such people from doing so. A solution to this problem can be the inclusion of a clause in the GDPR which imposes a sanction on persons abusing the GDPR. Such clauses can be found in many Internet-related procedures. For example, the Uniform Domain-Name Dispute-Resolution Policy (UDRP), a procedure used for resolution of domain name disputes, explicitly states that the arbiter can declare in its decision that the complaint was brought in bad faith and constitutes an abuse of the administrative proceeding. Thus, not only defendants, but also complainants who abuse the proceedings may suffer reputational damage.


1. Goldman, D., ‘Patent trolls cost inventors half a trillion dollars’, CNN Money, 2011. Available at http://money.cnn.com/2011/09/21/technology/patent_troll_cost/index.htm .

2. Judgment of the Court of Justice of the European Union in Case C-298/07. Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62007CJ0298 .

3. Huffer, K., ‘Legal Abuse Syndrome: 8 Steps for avoiding the traumatic stress caused by the justice system’, AuthorHouse, 2013.

4. ICANN, ‘Uniform Domain-Name Dispute-Resolution Policy’. Available at https://www.icann.org/resources/pages/policy-2012-02-25-en .

5. ITGP Privacy Team, ‘EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide – Second edition’, 2017.

6. Matsuura, J., ‘Jefferson vs. the Patent Trolls: A Populist Vision of Intellectual Property Rights’, University of Virginia Press, 2012.

7. The General Data Protection Regulation (GDPR) is available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG .

8. Voigt, P., ‘The EU General Data Protection Regulation (GDPR): A Practical Guide’, Springer, 2017.

9. Watkins, W., Shughart, W., ‘Patent Trolls: Predatory Litigation and the Smothering of Innovation’, 2013.


Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master’s degree in IP & ICT Law.