The General Data Protection Regulation (GDPR) comes into force tomorrow, 25 May 2018. Setting aside the work that law firms will have to undertake to ensure that they are compliant with the GDPR themselves, I foresee a number of significant impacts for dispute resolution lawyers.
I have touched upon this already, as part of a collective contribution to yesterday’s blog post. Below, I set out in full what I think these impacts are likely to be.
A significant growth in regulatory work
As matters stand, the maximum fine that the Information Commissioner’s Office (ICO) can levy is capped at £500,000 and reporting data breaches to the ICO or affected data subjects is not mandatory (albeit that it may lead to the sanction levied by the ICO being increased).
As all practitioners are, no doubt, aware:
- Fines arising out of data breaches will increase to a maximum of EUR 20 million or 4% of total worldwide annual turnover pursuant to the GDPR.
- The GDPR imposes strict reporting requirements both on data controllers and processors, requiring notification, in appropriate circumstances, both of relevant regulatory authorities and, in some cases, affected data subjects, breach of which is punishable by a fine of EUR 10 million or 2% of total worldwide annual turnover.
Furthermore, the ICO is also empowered under the GDPR to impose a temporary or permanent ban on processing of data by data controllers and processors, which could be equally devastating.
Accordingly, whereas data controllers may previously have considered that, on balance, they were content to run the risks occasioned by not disclosing data breaches to the ICO or affected data subjects, this seems unlikely to continue.
It therefore seems inevitable that there will be a significant uptick in investigatory and advisory work around data breaches going forward.
The extent to which there will be an increase in enforcement activity arising out of those breaches by the ICO remains to be seen. However, again, this appears inevitable, given that, amongst other things, breaches which might otherwise have gone unreported will be brought to the ICO’s attention. Pursuant to Article 58, GDPR, the ICO has a range of additional investigatory powers, including the right to “obtain access to any premises of the controller and the processor, including to any data processing equipment and means”.
Amongst other things, clients will therefore require advice as to the structuring and management of investigations into data breaches (which will require careful consideration in light of the potential for civil litigation arising out of those breaches, particularly issues of privilege, given the decision in Serious Fraud Office (SFO) v Eurasian Natural Resources Corporation Ltd), their potential liability arising out of such breaches, and how best to communicate those breaches to the ICO or affected data subjects (if at all).
A significant growth in the volume of data protection litigation
The uptick in group litigation (see for example, Various claimants v Wm Morrisons Supermarket PLC) arising out of data breaches following the decision in Vidal-Hall & others v Google Inc, which determined that damages for non-pecuniary loss were, in principle, recoverable for breaches of data protection legislation, is likely to gather pace post-GDPR, particularly given:
- The obligations on data controllers to disclose data breaches to affected data subjects in certain circumstances.
- Increased regulatory enforcement activity on the part of the ICO (which may be the precipitant for group claims to be pursued).
- The attractiveness of such claims to funders, given the scope for claims arising out of data breaches to be brought as representative actions pursuant to CPR 19.6 (by way of example, a claim of this nature, funded by Therium Capital Management, has recently been commenced by ex-Which director Richard Lloyd as a representative of 5.4 million consumers against Google, on a similar basis to the claims which were successfully brought against Google in Vidal-Hall).
- The inevitability that significant data breaches will occur with ever-increasing regularity.
The court’s precise approach to the quantum of loss recoverable in cases where only non-pecuniary loss is suffered by data subjects is not entirely clear, particularly in light of Mitting J’s comment in TLT and others v Secretary of State for the Home Department and the Home Office that, in order for damages to be recoverable in such circumstances, a “de minimis” threshold must be exceeded.
Given the numbers of affected data subjects in high profile data breaches, in circumstances where the ICO has made it clear that it is minded to adopt a proportionate approach to the sanctions which it levies post-GDPR, the exposure arising out of such claims may even exceed that arising out of regulatory sanctions (of course, a party may be exposed to both).
The volume of group litigation would be increased even further if the UK government were to enact legislation providing for the right of consumer bodies to pursue group claims on behalf of affected data subjects, without their consent (that is, “opt-out” group litigation in line with the provisions under the Consumer Rights Act 2015), in line with Article 80(2), GDPR. However, as matters stand, the Data Protection Bill does not provide for this.
Practical impacts on the day-to-day management of commercial litigation
Amongst other things:
- There is likely to be a significant increase in the volume of subject access requests (SARs), given the reduction in the fee payable under GDPR, and perhaps more importantly, the decision in Dawson-Damer, which suggests that parties are generally entitled to use SARs in order to obtain disclosure of documents in support of existing, or anticipated, proceedings. The jurisprudence around the operation of the various exemptions to disclosure of personal data under SARs is developing, and I expect to see a range of further litigation in this space.
- Data controllers will be liable for enhanced sanctions under the GDPR arising out of the activities of data processors whom they employ, unless they can demonstrate that they were not in “any way responsible for the event giving rise to the damage”. Therefore, prior to instructing data processors on their clients’ behalf (for example, e-disclosure providers), dispute resolution lawyers, who will be acting as data controllers, will want to consider carefully, amongst other things, whether their contracts with those data processors comply with Article 28. They will also want to ensure that those contracts provide sufficient protection in the event that the data entrusted to the data processor is unlawfully processed (for example, as a result of a data breach), to assess the adequacy of the data processors’ cybersecurity procedures, and so on. Similar considerations will need to be given to ongoing contracts with data processors.
As I explained in the previous blog, SARs are an underused tool in commercial litigation. As noted above, the decision in Dawson-Damer suggests that, generally, their usage in support of commercial litigation is acceptable; therefore, all dispute resolution lawyers should carefully consider their tactical deployment in each matter in which they are instructed.