In the final countdown to the implementation of the General Data Protection Regulation (GDPR) on 25 May 2018, a few leading commentators offer their thoughts on whether this is big news for dispute resolution lawyers, plus their top tips for practitioners.
Views on the significance of the impact for dispute resolution lawyers of the forthcoming changes to the data protection regime
Jason Rix: Regarding, the day-to-day work of a dispute resolution lawyer (as opposed to those litigating about data protection issues) I think we will see a change of mindset more than anything else. I suspect, historically, not every dispute resolution lawyer has paid the attention they perhaps ought to have done to data protection. The profile of GDPR, its importance to clients, as well as privacy dominating current affairs have all changed that attitude. I don’t see the risks facing dispute resolution lawyers as being of the same order as, say, a company whose business model is dealing in personal data or that suffers a data breach. But to the extent the risks exist, they are most acute, I’d say when data is being transferred from within the European Economic Area (EEA) to a jurisdiction outside the EEA (most often to the US).
As for litigation based on data protection, I think we are likely to see more of this, particularly in relation to data breaches as Various claimants v Wm Morrisons Supermarket PLC foreshadows.
Vince Neicho: First of all, it could be a potentially lucrative workstream! Also, dispute resolution lawyers will have to ensure that not only is their own house in order, but also that of any providers that they engage with in respect of client data. I am thinking in terms of how data is managed, stored, accessed and protected, both whilst it is in use, and after the tasks for which it was collected have been completed. A prudent lawyer and his or her firm will already have stringent processes and procedures in place to look after and work with client data, so they will be less impacted by the changes. Their new focus will be to take responsibility for ensuring that any provider they use to work with the data also has adequate protection processes in place.
Mark Surguy: The GDPR has been likened by some to the Y2K Millennium Bug, the biggest problem that never was.
The GDPR was designed to tighten the standards of personal data processing. Since “processing” amounts to just about anything you can think of, everyone handling personal data is confronted by the regime. Litigators are no exception, particularly if practising in this field. However, there are few “pure” data privacy litigators. Most data privacy practitioners are not litigators and most litigators are not conversant with data privacy law. This separation of specialisms (as with many other specialist areas of law) requires strong collaboration between practitioners. GDPR is unlikely to change this very much.
My favourite area of so-called “e-disclosure” (rather horribly named and what is really nothing other than handling electronic data in the course of litigation) is unlikely to change. The Article 29 Data Protection Working Party (WP29) has not provided any further words of wisdom concerning the difficulties posed by data flows in and (especially) out of the EU in the context of litigation being conducted in common law countries. Litigators will continue to struggle with the conflicts between common law pre-trial discovery and the civil code countries.
Group litigation may be a beneficiary of the changes made by the GDPR. It will be easier to claim damages (although the amount of damages will probably be little different) for breaches of the right to privacy. The formation of groups to make class claims is still somewhat controversial in this jurisdiction, but it is not without precedent (the Morrisons claim being a good, recent example). If data breaches continue at their present rate, there will be a good number more of these groups being formed to claim compensation from organisations who do not keep their personal data secure.
If the GDPR is enforced more strictly by the Information Commissioner’s Office (ICO) than it has been to date (and there is every reason that it should because of the new reporting duty in respect of data breaches and the considerably enhanced level of fines), those who have enforcement practices are likely to find that they become much busier.
Data subjects can be expected to become more aggressive in the knowledge and enforcement of their rights to be forgotten, to portability of their data and rights of access. This will doubtless create more demand for advice from those against whom these rights are asserted. Whether those advising will be “litigators” may be less clear, but there is good scope for litigators to become more involved in data privacy related matters than is perhaps the case at the moment.
ICO prosecutions may become more commonplace and this will generate the need for defendants to be advised or represented. Criminal lawyers, rather than civil litigators, have generally become involved at this level of enforcement, but there is an opportunity for civil litigators to broaden their practice to encompass the criminal aspects of the GDPR.
Robert Allen: There will be a significant impact on dispute resolution lawyers, at least in the short term. I think it’s inevitable that the publicity afforded to GDPR, and an increasing awareness of the value of data, will give rise to a number of disputes arising from allegations that data have been unlawfully processed. However, we may also see data protection claims bolted onto lots of other claims, to shore up primary causes of action. These claims could form part of a kitchen sink pleading, whereby claimants hope that the potential for huge regulatory fines and reputational damage gives weight to the claim and increases the chance of a favourable settlement.
Ben Sigler: Putting aside the work that law firms will have to undertake to ensure that they are compliant with the GDPR themselves, the most significant impacts which I foresee for dispute resolution lawyers are a significant growth in regulatory work and in the volume of data protection litigation.
There will also be practical impacts on the day-to-day management of commercial litigation. For example, there will likely be a significant increase in the volume of subject access requests (SARs). Also, prior to instructing data processors on their clients’ behalf, dispute resolution lawyers acting as data controllers will want to consider carefully whether their contracts with data processors comply with Article 28, GDPR.
These and other issues are explored in more detail in a separate blog.
Top tips for dispute resolution lawyers regarding data protection requirements
Jason Rix: Early this year, I rather flippantly said that almost whatever question I was asked, I was sure there was a data protection angle. What I was getting at was that you need to have data protection in mind at all times so that decisions you take factor it in. For example, in disclosure under the Civil Procedure Rules (CPR) this means: when the client initially gathers documents, whenever a third party is used to assist with the disclosure process, whenever disclosure documents are being transferred, whenever the documents are reviewed, whether it is appropriate to redact documents, right up to decisions about for how long and in what circumstances lawyers should retain documents after a dispute has been resolved.
Vince Neicho: Think about the framing of requests of clients to obtain the data required. Depending on jurisdiction, it may be that under the new requirements, additional, more specific consents and processes need to be obtained/followed when collecting the data in the first place. Contingency plans should also be drawn up in respect of how to deal with the refusal (or, worse still, withdrawal) of any data subject consents.
Mark Surguy: Take some time to grasp the basic definitions in the GDPR afresh. They contain the bulk of what you need to know.
Robert Allen: It sounds glib, but make sure you know the technical requirements. From the perspective of understanding data protection claims that will hit your desk, this will help cut through the spurious and opportunistic litigation. From the perspective of compliance (for example, ensuring lawful cross-border transfer of data during proceedings), this will help avoid an unnecessary misstep that could undermine your case.
Ben Sigler: SARs are an underused tool in commercial litigation. The decision in Dawson-Damer and others v Taylor Wessing LLP suggests that, generally, their usage in support of commercial litigation is acceptable; therefore, all dispute resolution lawyers should carefully consider their tactical deployment in each matter in which they are instructed.