With GDPR and the Bill at the forefront of data protection regulatory changes in 2018, data protection and privacy law will continue to be a key part of the litigation landscape. Some of the possible areas of conflict facing controllers/processors are:
- Failure to erase personal data
This right, often referred to as the ‘right to be forgotten’, will allow individuals to request that their personal data is erased. This right only applies in some circumstances, such as where the personal data is no longer needed for a specific purpose. It clearly has the potential to conflict with an organisation’s regulatory record-keeping obligations, which will prevail over a request to erase personal data.
Where organisations refuse a request to erase personal data, we anticipate numerous claims and complaints from individuals who have misunderstood these competing obligations.
- Failure to rectify
The GDPR reinforces the requirement for personal data to be accurate and up to date. Organisations will have one month from receipt of a request to correct any inaccurate data (or three months in complex cases).
Organisations are already facing numerous claims from individuals, who consider that their credit rating has been harmed by incorrect credit reporting. Organisations are likely to see a significant rise in claims of this nature as the implementation of GDPR continues to receive attention from both the media and consumer protection groups.
- Failure to respond to Data Subject Access Requests (DSARs)
DSARs are already a commonly used litigation tool to circumvent pre-action disclosure. As individuals’ awareness of their rights as a result of GDPR coverage has increased, we have noticed a significant rise in the number of DSARs and expect this trend to continue.
Claims and complaints already arise from delayed and/or incomplete responses. With the removal of the £10 fee and the reduction in response time from 40 days to one month, organisations’ internal processes will be further tested.
- Failure to provide portable information
Data portability is a new right under the GDPR through which organisations will be required to provide individuals, upon request, with a copy of their personal data (subject to certain exemptions). Data will need to be provided in a structured, commonly used and machine-readable form within one month of a request.
Claims and complaints are likely to arise from individuals testing the scope of this new right, including the steps and measures an organisation has implemented to meet the requirements from a technological standpoint and its rationale for relying on exemptions under the GDPR.
- Data breaches and the financial consequences
Media attention has focused on data breaches, with high-profile companies, including Morrisons and Equifax, being the subject of sustained media coverage. Enshrined within GDPR are two separate forms of financial consequences: (i) an individual’s right to compensation and/or damages and (ii) substantial fines by the Information Commissioner’s Office (ICO) of the higher of 4% of an organisation’s annual global turnover or €20m (£17m in the Bill).
Data breaches will therefore be of particular concern to organisations as they hold large amounts of valuable and sensitive personal information. Should a data breach occur, in addition to an ICO fine, organisations could potentially face claims for damages from millions of affected individuals. As has been seen in the Morrisons’ litigation, there is scope for data breaches to result in group litigation. Even modest damages awards per head could lead to substantial pay-outs if a significant number of individuals are impacted.
Remedies and liabilities
As we have highlighted, the ICO will have the ability to impose fines up to the higher of 4% of annual global turnover or £17m. This is perhaps one of the most talked-about changes, but arguably wrongly so. Elizabeth Denham, the Information Commissioner, has recently commented that ‘Issuing fines has always been and will continue to be, a last resort’ and that ‘Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point’.
Although individuals will have the option to complain to the ICO and a right to judicial remedies against decisions by the ICO, this will not provide individuals with the financial remedy they feel they deserve, i.e. monetary recompense. The power to award compensation will remain with the courts.
Under the DPA, an individual could not claim damages unless these were linked to financial loss. The Court of Appeal’s landmark ruling in Google v Vidal-Hall marked an important change and established that individuals whose data is not handled properly may be entitled to compensation for ‘mere distress’ even if they have not suffered pecuniary loss. This right to compensation for distress is now enshrined in the GDPR.
Although the media attention on GDPR has brought data protection issues to the fore, it has focused on the headline of potential substantial fines that could be awarded.
Perhaps of greater significance to businesses is the potential for wide-scale litigation and claims for damages.
As highlighted, of particular concern for organisations will be the financial consequences arising from data breaches which could affect millions of customers. Although the ICO has reiterated that fines are a last resort, the ICO will take action against organisations if it is appropriate to do so and, furthermore, damages and compensation will remain in the control of the UK courts. A timely example is the judgment in the Morrisons’ group litigation trial, which took place in October 2017. On December 1, 2017, Morrisons were found liable for the data breach and they will face a further trial to decide the level of compensation payable to each individual.
Richard Hayllar is a Partner and Jenai Nissim is Legal Director at UK law firm TLT. Emily Black, Associate; Alanna Tregear, Solicitor; and James Tithecott, Solicitor, contributed to this article.