Inevitably, mistakes will have been made by professionals giving (often very expensive) guidance on GDPR compliance. Their clients will want to consider whether a claim for professional negligence can be made. In this article Neil Hext QC, Stephen Innes and Helen Evans of 4 New Square discuss some of the issues which are likely to arise in such claims.
Standard of care
Much of the advice which is being obtained in relation to GDPR is from lawyers. In that situation, the standard of care required is straightforwardly the reasonable care and skill of the solicitor or barrister, although there may be some scope for argument as to the level of specialisation expected: is it the reasonable care and skill of a commercial solicitor, or is it that of the solicitor specialising in information/data protection law?
In many cases it will be the latter, because of the way that advisers have been holding themselves out as specialists: see Jackson & Powell on Professional Liability, 8th edition, §11-101. Sometimes the specialism can be really quite precise, as recently in Agouman v Leigh Day EWHC 1324 (QB), where it was that of “a reasonably competent firm with a department specialising in group litigation for unsophisticated clients arising from events in a poor and unstable African country”.
The position could be more difficult where the advice has not been given by legal professionals. Many have been advertising their services as “GDPR consultants”. By what standard are they to be judged?
If, although not lawyers, in fact they have strayed into giving legal advice, it is suggested that they will be judged by the standards applicable to the legal profession: Jackson & Powell §2-137.
But if they have not given legal advice, can they be judged by the standard of “the reasonably competent GDPR consultant”? That would entail expert evidence from other GDPR consultants. But as these are not necessarily part of a homogeneous group, and as this specialism has sprung up relatively recently, it may be challenging for such an expert to give the requisite evidence of the accepted standards in the profession, rather than the (inadmissible) evidence of what he or she would have done differently.
Breach of duty
We will have to wait and see what specific errors come to light. Errors are inevitable, because of the length, complexity and opacity of the Regulations.
There may be cases in which the ICO or the courts adopt an unexpected interpretation of a particular provision. In such cases it may be possible to argue that the interpretation placed on the provision by the adviser, although subsequently shown to have been incorrect, was not in fact negligent.
But equally, the complexity of the Regulations may mean that the adviser has a duty to put forward competing analyses as possible outcomes. The question of when a professional person owes a duty to advise that there is a risk that his or her advice is not right has been a recent hot topic, see:
- Balogun v Boyes Sutton & Perry PNLR 20, where the Court of Appeal held that although the defendant solicitors had correctly interpreted the provisions of a lease, they had owed a duty to advise about the risk of a court coming to a conclusion contrary to their views;
- Barker v Baxendale-Walker Solicitors EWCA Civ 2056, where the Court of Appeal held that a firm of solicitors should have warned an investor about the risks of a tax scheme failing. The Court of Appeal stated that a lawyer “as part of the legal advice that he is providing must evaluate the legal position and determine whether in all of the circumstances, he should advise his client that there is a significant risk that the view he has taken... may be wrong”.
Causation, mitigation and loss
There will be enormous scope for arguments about causation and related principles.
Organisations may have to make decisions between (i) a strategy or policy which is most likely to be GDPR compliant but does not fit at all with their operational model, and (ii) one which suits their business much better but which does not give quite the same certainty on compliance.
If the decision can later be seen to have been the wrong one, will that organisation be able to prove that, had it been advised differently, it would have taken a different decision?
Where enforcement action is threatened or taken, such as regulatory fines being imposed, we anticipate that many of the same issues will arise as are frequently encountered in claims against accountants and auditors, for example:
- Has the claimant acted suitably to mitigate its loss e.g. by self-reporting at the earliest opportunity and acting if necessary to curtail the damage?
- Has the claimant made suitable efforts to negotiate the size of the fine? Note, though, that a claimant is not normally expected to engage in expensive litigation to mitigate a defendant’s breach.
- Did the regulator only take action because of continuing failures by the claimant, which the professional can say broke the chain of causation?
- If the client has been subject to criminal penalty, is a defence of illegality available to the professional?
- If the problem was raised with the professional, did the professional take appropriate steps to assist? In this context, what actions will a court expect the professional person to have taken to stop data leaks from getting worse, given the requirements to comply with the GDPR?
The sorts of innovative steps that can be taken were illustrated last week in PML v Persons Unknown (responsible for demanding money from the Claimant) EWHC 838 (QB), where Nicklin J granted an injunction against unnamed hackers, which could then be used to prevent third parties publishing the information.
Issues are likely to arise under SAAMCo and BPE v Hughes-Holland 2 WLR 1029, which raise the familiar distinction between the professional who provides information and the professional who gives advice and is therefore responsible for the wider consequences of that advice being wrong. In this area there could be real risks for GDPR professionals: many of the advertisements we have seen do not merely offer information about the requirements, but promise to assist clients in ensuring GDPR compliance, and the consultants may be deemed to be “guiding” the businesses on how to conduct themselves.
It will probably take some time for the problems to start coming to light, as there will be a strain on the resources of bodies such as the ICO taking enforcement action; so too, the first legal cases will take some time to work their way through the litigation process. In years to come, limitation arguments will arise.
Claimants will argue that they only suffered the damage needed to found a cause of action in tort, for the purposes of section 2 of the Limitation Act 1980, when the ICO imposed a fine on them, or when they had to agree to pay compensation to the affected individuals.
But that is a difficult argument, because the likelihood is that, following cases such as Forster v Outred 1 WLR 86, the claimant will be held to have suffered damage at the time when it put in place the practices which have proved to be defective; that is the point at which its potential liability arose.
Of course, as with so many claims against professionals, section 14A of the 1980 Act may come to the rescue, giving the claimant three years to bring a claim from the date of its relevant knowledge.
But one of the features of GDPR so far has been the extent to which the threats and challenges have been well publicised in the national press and through channels such as LinkedIn and Twitter. It is to be anticipated that enforcement decisions, successful claims for compensation and so on will be similarly well publicised.
Thus there will be arguments that even if a claimant was not itself the subject of enforcement action at the time, it ought to have been alerted to a potential problem because it should have considered the reports of difficulties encountered by other organisations which had been advised by the same consultants, or which had adopted the same practices.