In the run-up to implementation of the EU General Data Protection Regulation (GDPR) on 25 May 2018, much of the focus was on the eye-watering level of fines which data protection regulators can impose, among a variety of other enforcement tools at their disposal, for infringements of the new legislation: up to 2 per cent of annual global turnover or €10 million, whichever is the greater, for violations relating to certain administrative data protection failings; and up to 4 per cent of annual global turnover or €20 million, whichever is the greater, for violations relating to certain more fundamental failings, such as breaches of any of the basic principles for processing personal data and breaches of data subjects’ rights.
In this briefing, Walker Morris’ Heads of Regulatory & Compliance and Commercial Dispute Resolution, Jeanette Burgess and Gwendoline Davies, consider another lurking danger for businesses – the very real prospect of GDPR-related litigation – and offer their practical advice.
GDPR is a game-changer. It delivers new and enhanced rights for individuals in relation to their personal data, including the right of access , the right to rectification, the right to be forgotten, the right to object to or restrict processing, the right to data portability, and rights related to automated decision-making. Not all of these rights are absolute, but deciding when they apply can be complex and decisions will be susceptible to challenge. As with the previous regime under the Data Protection Act 1998, organisations must implement appropriate technical and organisational measures to ensure a level of security that is appropriate to the risks involved in their processing of personal data. For the first time, however, GDPR introduces certain direct obligations on data processors and the requirement for detailed contractual obligations to be implemented between all data controllers and processors. There are also new mandatory notification requirements in relation to data breaches (including informing individuals directly without undue delay, if the breach is likely to result in a high risk to their rights and freedoms), and specific requirements in relation to documentation and record-keeping – part of the universal principle of accountability under the new regime.
There can be little doubt that, aided by the recent bombardment of their inboxes with GDPR-related emails, consumers are becoming increasingly aware of their status as data subjects and emboldened in relation to the exercise of their data protection rights. Add to that the ever-present threat of increasingly sophisticated cyber-attacks, recent high-profile data breaches, and incidents such as the Facebook/Cambridge Analytica scandal, and it is no surprise that individuals want more control over their data, reassurance about how it is used, managed and protected, and the ability to seek appropriate redress when things go wrong. With GDPR placing an increased level of responsibility on those who process personal data, the stakes have never been higher.
The right to compensation
In addition to having the right to complain to the regulator (in the UK, the Information Commissioner) if they consider that the processing of their personal data infringes GDPR, affected data subjects now have the right to apply to the court for a remedy if they think that their rights have been infringed through non-compliant processing, and any person (not just a data subject) has the right to receive compensation for damage suffered as a result of a GDPR infringement. Importantly, this covers material or non-material damage, and so individuals will still be able to make a claim where there has been no monetary loss. This could include, for example, claims for reputational damage, embarrassment, distress, inconvenience or anxiety.
Unlike under the old data protection regime, claims can now be brought against both data controllers and data processors. A data processor will only be liable for the damage caused by processing where it has not complied with GDPR obligations specifically directed at data processors, or where it has acted outside or contrary to lawful instructions of the data controller. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and are responsible for any damage caused by it, each will be held liable for the entire damage. This means that the individual only needs to make a claim against one of them. The controller or processor who pays out in full can then claim back from the others that part of the compensation corresponding to their responsibility for the damage.
A controller or processor will be exempt from liability for the damage caused by processing if it proves that it is “not in any way responsible” for the event giving rise to the damage. It is not yet clear how this will be interpreted in practice, but the wording certainly suggests that there will be a high hurdle to overcome. Being able to demonstrate compliance with GDPR requirements will be key.
Depending on the circumstances and the nature of the infringement, organisations could, in addition or alternatively, find themselves facing other types of claim such as those for misuse of private information or breach of confidence. Directors could also find themselves subject to claims where, for example, a data breach results in a reduction in share value.
The prospect of group litigation
One topic that has received a considerable amount of coverage is the prospect of GDPR opening the floodgates to US-style class actions.
GDPR allows a data subject to authorise a not-for-profit body, organisation or association (for example, a consumer group such as Which?) to exercise certain rights on his or her behalf, including the right to receive compensation (where provided for by member state law). In addition, member states may provide that such a body has the right to lodge a complaint with the regulator or to apply to the court for a remedy, independently of the data subject’s authority, if it considers that the data subject’s GDPR rights have been infringed as a result of the processing.
This issue of collective redress is one of the limited opportunities afforded to member states to decide how GDPR applies domestically. It was the subject of significant debate when the UK’s new Data Protection Act 2018 (the Act) (which came into force on the same day as GDPR, and is to be read alongside it) was passing through the various parliamentary stages as a Bill before it became law. Among other things, campaigners emphasised the difficulties of seeking a positive “opt-in” to proceedings from tens of thousands of affected individuals, and highlighted that those affected by data breaches and other illegal data-related activities are often unaware of what has happened.
In relation to the representation of data subjects with their authority, the Act reflects the requirements of the GDPR, including allowing a data subject to authorise a representative body to exercise his or her right to compensation. It also goes further, providing the Secretary of State with “the power to make regulations enabling representative bodies to bring collective proceedings on behalf of data subjects in England and Wales or Northern Ireland by combining two or more claims in respect of data subjects’ rights, where those data subjects have given their authorisation to the representative body”. This is designed to provide an effective mechanism for a representative body to seek a remedy in the courts on behalf of a large number of data subjects.
Controversially, the Act does not allow representative bodies to exercise data subjects’ rights without their authority. Following pressure from campaigners, however, the Act imposes a duty on the Secretary of State to carry out a review of this position and to report to Parliament within 30 months of 25 May 2018.
While we do not yet have an “opt-out” class action mechanism for breaches of data protection legislation, the threat of group litigation is a real one. In Various Claimants v Wm Morrisons Supermarket plc , a group of more than 5,500 employees brought a civil claim for compensation against Morrisons, using one of the currently available routes for group litigation under the Civil Procedure Rules, after one of its ex-employees deliberately leaked payroll data of thousands of staff online following disciplinary action. Morrisons was not found directly liable, but there was a sufficient connection between the individual’s position of employment and his actions to establish secondary (vicarious) liability. This was despite the disclosure of the data being made outside working hours using the individual’s personal equipment. An appeal of this judgment is currently outstanding.
With recent high-profile data breaches affecting millions of individuals, and in the current climate of increased awareness of data protection rights, group litigation has the potential to result in substantial and damaging exposure, both in terms of value and reputation.
Data protection is a boardroom issue. To reduce the risk of being on the receiving end of a GDPR-related claim, it is essential that organisations take data protection seriously, with robust policies, procedures, systems, safeguards and organisation-wide training in place to ensure GDPR compliance (and, crucially, to be able to demonstrate that compliance). It will be important to keep those measures under review as the business develops and changes.
Contractual arrangements between data controllers and processors should be reviewed to ensure that they address clearly and unambiguously the parties’ respective obligations and liabilities, including in relation to breach reporting and the settling of compensation claims, and include all the ‘boiler plate’ terms which are mandatory under Article 28 of the GDPR.
While it is unlikely that insurance will be available to cover potential regulatory fines, organisations should consider reviewing their insurance cover to help limit the damage, financial and reputational, in the event of a GDPR-related claim.
If a data breach or other infringement does occur, it should be dealt with promptly and effectively, with clear communication to the affected individuals so that they can take any necessary steps to minimise loss. Organisations may wish to consider appropriate redress schemes to help rebuild customer trust and shore up any reputational damage. It will be important to learn from previous incidents and take steps accordingly to limit the likelihood of a similar incident happening again in the future.
Looking beyond issues of pure compliance, GDPR provides organisations with an opportunity to innovate, to review and improve data management, and to maximise the potential of their data assets. It is about good business practice: being accountable, transparent and fair; managing data responsibly; giving individuals greater choice and control over how their personal data is used; building a culture of privacy; and integrating data protection into the heart of the business.
If you require assistance in relation to any of the issues raised in this briefing, please do not hesitate to contact Jeanette or Gwendoline, who will be very happy to help.
 We explained in an earlier briefing how data subject access requests (or DSARs) are increasingly being used tactically, both prior to and alongside the litigation process. GDPR introduces changes to the DSARs regime, including: a shorter time limit to respond, reduced from 40 days to one month (although the deadline can be extended by up to two months where requests are complex or numerous); in most circumstances the information must be provided free of charge; and, where a DSAR is made electronically, the information should be provided in a commonly used electronic format, unless otherwise requested.
  EWHC 3113 (QB)