Gallons of ink continue to be spilt over the General Data Protection Regulation (GDPR), and its ubiquity has given rise to all sorts of takes, from memes to moans, and the vain cries of practitioners insisting that all those consent emails have got it wrong.
As those emails subside, and the dust begins to settle on implementation and compliance, a new menace emerges: the weaponisation of the GDPR in complaints and litigation. Although many feel that GDPR fatigue has set in, on 25 May 2018 (the date on which the GDPR came into force), the Information Commissioner’s website struggled to cope with huge amounts of traffic; Facebook and Google were the recipients of the first official complaints of non-compliance.
Dispute resolution lawyers can expect a pipeline of disputes and contentious matters to emerge. Some of the causes of action are found within the GDPR. Others were already there, some hiding in plain sight.
Article 79 of the GDPR confers a right to an effective judicial remedy for data subjects against any unlawful processing of their personal data by a data controller or processor, while Article 82 provides any person suffering damage as a result of an infringement of the regulation with the right to receive compensation. This means claims for unauthorised disclosure, restriction of data access, loss of personal data, improper retention of data, processing without consent and denial of data portability, amongst many others.
Outside the GDPR, the febrile environment created by its implementation will mean that data protection litigation will also find new energy through misuse of private information and breach of confidence claims, already a rich seam for privacy disputes. In addition, there are less obvious claims. As an example, for a firm regulated by the Financial Conduct Authority (FCA), a large data breach caused by a malicious cyber attack may well put it in breach of the Senior Management Arrangements, Systems and Controls (SYSC) Rules (SYSC 3.2.6R, for instance). Such a breach would give an individual a private right of action for damages under section 138D of the Financial Services and Markets Act 2000.
There is also a possibility that claims could be brought through consumer protection law. Back in 2015, when the Competition and Markets Authority consulted on the commercial use of consumer data, it noted that privacy notices are subject to the fairness assessment set out in at section 62 of the Consumer Rights Act 2015. Thus an unfair privacy notice could be found not binding, in turn putting a company in breach of GDPR, triggering the right for an individual to bring a claim.
So much for the various types of claim, but how will they be deployed?
To date, the most significant data protection fights have arisen out of Subject Access Requests: Durant, Dawson-Damer and Ittihadieh/Deer. While interesting and destined to continue, this breed of litigation presents a limited sort of threat. Subject access complaints are, by definition, brought by individuals, many of whom have an axe to grind or who believe they have found a smoking gun amongst their data (that said, the Information Commissioner’s Office’s (ICO) publication of its findings in favour of Professor David Carroll in relation to his Cambridge Analytica data subject access request (DSAR) may open some floodgates).
However, the real impact of the GDPR on the disputes landscape will probably be felt in two other key ways.
First, we may see data protection claims tossed into other claims, to shore up primary causes of action: the claim as a kitchen sink pleading, bolted on, perhaps in the hope that the threat of significant fines and reputational damage, might increase the chance of a favourable settlement.
However, claimants and their legal representatives should be wary of this approach following the costs judgment in the Morrisons case in May 2018. While a key reason for the successful claimants only recovering 40% of their legal costs was down to them failing on their primary claim of direct liability, in his judgment, Langstaff J noted (at paragraph 25):
“The Claimants have had the indulgence of pursuing claims which were tenuous, at unnecessary length, pursuing disclosure that was principally related to those claims. The Defendant should not in justice be required to pay for this, but rather be made subject to a costs order which reflects the fact that it succeeded in resisting those claims.”
This suggests that caution should be taken when considering whether to pursue multiple allegations of data protection failings, as the claimants did in Morrisons, and certainly in bolting such allegations on to claims.
Apart from the provisions in the Consumer Rights Act 2015 concerning private actions in competition law, the UK has no opt-out class action mechanism. But, as Morrisons shows (a class of 5,518 claimants was put together), tools in the CPR are sufficient to put together group claims in the context of data protection litigation. Morrisons was the result of a group litigation order (GLO), but an alternative route could be through a representative action (at CPR 19). The GDPR (at Article 82) has codified the ruling in Vidal-Hall that individuals do not need to show pecuniary loss to seek financial compensation for a data-based claim (and therefore effectively superseded the suggestions of a de minimis requirement in TLT and others v Secretary of State for the Home Department and another). Consequently, it’s not hard to see the opportunity that a large public data breach would present for claimant law firms, litigation funders and the not-for-profit organisations mandated to bring claims (under Article 80 of the GDPR).
Consider a likely scenario: if a business fails to keep the data of a million customers secure, and those customers’ names and addresses appear on a website, those customers, despite suffering no financial loss, may claim compensation for distress. If a group around the size of the Morrisons GLO is assembled (just 0.6% of the customer base) and each customer claims £500 each for distress and inconvenience (taking a figure at the bottom of the Financial Ombudsman’s range for such awards as a general indicator), that’s a £3 million claim.
As with so much else concerning the GDPR, time will tell whether it will have a long lasting effect on dispute resolution. However, the above is by no means a comprehensive look at its implications in disputes: when you also consider claims and complaints arising out of enforcement and the mandatory breach reporting requirements, and shareholder claims that data breaches may provoke following a drop in share value (see, for example, the class actions against Facebook in the US following the Cambridge Analytica scandal), litigators should probably make sure they brush up on the more technical aspects of data protection law.