The European Commission (the “Commission”) published today its draft adequacy decision for the US (the “Draft Decision”). This paves the way for an institutionalised personal data transfer mechanism across the Atlantic to emerge (and already raises the prospect of it coming under scrutiny again).
If your pre-holiday workload (which also includes the transition of your old SCCs to the new ones, another transfer duty) does not allow you to read the full 134-page Draft Decision, here is a short tour of what you need to know before it becomes final (and that might still take some time).
Before, there stood two…
For those with longer memories, the Commission has been here before – remember the Privacy Shield or even its predecessor, the Safe Harbour? Both were invalidated by the Court of Justice of the European Union (the “CJEU”) after challenges from the privacy activist Maximilian Schrems. In the last chapter of the Schrems saga, the CJEU identified several deficiencies in the Privacy Shield which the Executive Order signed by the US President earlier this year (see our blogpost on the topic) seeks to address, so as to provide organisations with a long-lasting personal data transfer framework.
The draft confirms that according to the Commission:
- As expected, necessity and proportionality (principles close to the heart of EU privacy professionals) play a big role. Binding safeguards will limit access to personal data by US intelligence agencies to what is necessary and proportionate to protect national security;
- US intelligence agencies will need to come up with internal procedures to ensure compliance with these rules. For example, they will need to train their employees to ensure that they understand the obligations imposed by the Executive Order;
- A two-stage redress mechanism will be available to data subjects who want to bring complaints against the US intelligence agencies for potential breaches. The first stage will allow data subjects to complain to a Civil Liberties Protection Officer who will determine if there is a breach and make an order for remediation. The second stage will allow data subjects to have complaints reviewed by a Data Protection Review Court. This court will review the decisions from the first stage and issue a binding decision. Where a violation is found, it will also make an order for remediation. Redress was one of the major points addressed by the CJEU in the Schrems II so the effectiveness of the mechanism will be crucial to ensuring that an adequacy decision will remain viable.
- In addition to redress against US intelligence agencies, the Privacy Shield 2.0 gives EU data subjects multiple redress options against the certifying organisations processing their personal data;
- Under Privacy Shield 2.0, US companies will need to certify (again) and commit to comply with a wide-ranging set of privacy obligations, such as purpose limitation. To maintain the principle that “protection travels with the data”, these obligations will also include commitments that apply when personal data is shared onwards with third parties.
Three strikes, you are out! (maybe)
Whilst the Commission stands strong in its hope (it is that time of year, after all) that the Draft Decision will allay the concerns of privacy campaigners, Max Schrems and the campaign group NOYB have made it clear that they will challenge the revised framework once it is adopted. Hence the risk of it being invalidated in the same way as its predecessors.
In relation to the proposed redress mechanisms, Max Schrems has stated: “I think (the proposed redress system) is an upgrade, but it’s still going to be very hard for the CJEU to look at that and say that is a court under Article 47 (of the EU Charter of Fundamental Rights).” Article 47 enshrines the principle that everyone subject to EU law has the right to an effective judicial remedy and a fair trial. If the CJEU finds in a new “Schrems III” that the redress mechanism still fails to satisfy the criteria in Article 47, then we will no doubt find ourselves back at square one. Nevertheless, EU Justice Commissioner Didier Reynders has urged early critics of the mechanism to give it more time, stating “[p]lease test the system before you say it’s inefficient.” This also reflects comments recently made by the European Commission Head of International Data Flows and Protection Bruno Gencarelli, who said of the mechanism: “[t]his is significantly different, even recognized by the most critical voices, from what we had before.” Perhaps forgotten in this never-ending Punch and Judy show is the voice of business, which will no doubt welcome the momentum that will come with final adoption.
The US will still not be completely off the hook though. The Commission will review the functioning of the Privacy Shield 2.0 periodically, and the first review is set to take place one year after the adequacy decision has entered into force. This short review period might reflect the Commission’s concern that what was agreed in the Framework will somehow slip. By comparison, the first review period for the adequacy decision adopted for the Republic of Korea was three years.
In the interim, and just after companies have finalised their legacy SCCs transition project, US data importers should start familiarising themselves with Privacy Shield 2.0. If you certified to the Privacy Shield, what are the actual consequences of the revised framework and what should be done to be ready by the time the certification process becomes available? If you did not certify to the Privacy Shield, should you revise your views in light of the privacy-enhancing benefits that Privacy Shield 2.0 will offer? And lastly, if you are still unable to certify because you are outside the scope of Privacy Shield 2.0 (and there are a couple of such instances to consider), what does this mean for your personal data transfers?
Do not plan on reading a book over the holiday season; be ready for another busy year for privacy.
Over the last couple of years, the High Court has been sceptical of low-value compensation claims for minor data breaches (see our previous articles here and here). Such scepticism is illustrated by the High Court:
- criticising the “kitchen sink” approach adopted by claimants who bring overly complex claims with multiple causes of action, and narrowing the scope of claims by dismissing misuse of private information and breach of confidence claims, as in Warren v DSG Retail Ltd EWHC 2168 (QB), Johnson v Eastlight Community Homes Ltd EWHC 3069 (QB) and William Stadler v Currys Group Limited EWHC 160 (QB);
- transferring straightforward, low-value data breach claims to the County Court as the most appropriate court to hear the claim, as in Warren v DSG Retail Ltd, Johnson v Eastlight Community Homes Ltd, Ashley v Amplifon Limited EWHC 2921 and William Stadler v Currys Group Limited; and
- condemning data breach claims for damages where there is little to no harm, or where the harm claimed has no prospect of meeting the de minimis threshold for receiving damages, as in Rolfe v Veale Wasbrough Vizards LLP EWHC 2809 (QB).
A recently published case in England and the Opinion of EU Advocate General Campos Sanchez-Bordona in UI v Österreichische Post AG, delivered in October 2022, have given further support to the approach of the High Court, although the traffic has not all been one way: the High Court decision in Driver v Crown Prosecution Service EWHC 2500 (KB) departed slightly from this emerging line of judicial thinking.
We take a closer look at these three cases below and provide you with some key takeaways.
The County Court is the best forum for straightforward, low-value data breach claims
A case heard in November 2021, but only recently published, has provided a further blow to claimants seeking to push simple, low-value data breach claims into the High Court through multiple causes of action.
The facts of this case were common and straightforward. The defendant, the claimant’s employer, inadvertently emailed a letter intended for the claimant to one of his colleagues.
The claimant subsequently brought a claim against the defendant employer for breach of data protection legislation, misuse of private information and breach of confidence.
Before considering the claimant’s reasons why the claims should be heard in the High Court, the judge questioned a section of the claimant’s original letter of claim. The letter stated that if arguments were put forward by the defendant that the matter should be heard in the small claims track, the claimant reserved the right to claim for aggravated damages.
The judge said that this amounted to “making a threat to attempt to dissuade the Defendant from seeking to have the claim allocated to the small claims track.” The judge lamented this approach as “inappropriate and without foundation.” These obiter comments act as a warning to claimant solicitors that they should not attempt to threaten or discourage defendants from making arguments as to the procedural allocation of a case.
The claimant provided the following reasons why these claims should be heard in the High Court:
- the nature of the data breach claims fell within the scope of the specialist Media and Communications List;
- the equitable breach of confidence claim fell outside the limited equity jurisdiction of the County Court;
- the “highly-specialised nature of the causes of action” requires a specialist judge; and
- the data breach claims related to “a developing area of the law.”
The judge rejected these reasons as he found the case was not complex and did not need a specialist judge. Additionally, in straightforward cases like this, where there was no real factual dispute, the judge emphasised there is little value in the claimant complicating the claim by including additional claims for misuse of private information or breach of confidence. This stance is supported by the High Court decisions in Johnson v Eastlight Community Homes Ltd and William Stadler v Currys Group Limited, which also criticised the “kitchen sink” approach used by claimants in those cases.
The judge was also heavily critical of the claimant’s anticipated legal costs when he said, “no ordinary litigant would incur costs approaching GBP £50,000 in order to recover GBP £3,000. The likely irrecoverable costs would almost certainly exceed the sum that Mr. Cleary was claiming in damages. In that respect, litigation of his claim in the High Court makes no sense for Mr. Cleary.” His comments on costs reinforced the decision in Johnson v Eastlight Community Homes Ltd, where the judge struck out the claims for breach of confidence and misuse of private information partly because of the unreasonable costs that had been incurred and budgeted for.
The judge therefore concluded that this case should be transferred to the County Court: there was little by way of factual dispute, the legal issues were not complex and so could be considered without the need for a specialist judge, and the anticipated costs were disproportionate to the amount of damages claimed. He acknowledged that the effect of the courts routinely allocating small data breach cases to the County Court might be that claimants find it difficult to find lawyers to represent them, particularly if cases are allocated to the Small Claims Track, which has limited costs recovery, but considered that this wider policy issue should not ultimately affect the decision as to the proper allocation of a claimant’s claim.
“Mere upset” not enough, opines Court of Justice of the EU (“CJEU”) Advocate General – Opinion of Advocate General Campos Sanchez-Bordona in UI v Österreichische Post AG
The Opinion of EU Advocate General Campos Sanchez-Bordona, delivered on 6 October 2022, was welcome news to EU defendants in data breach claims because it firmly placed the onus on claimants to prove that data breaches caused harm and that the harm was more than “mere upset.”
In this case, a postal company (the defendant) was collecting party affinity data for the Austrian population (including that of the claimant). An algorithm was utilised by the defendant to define ‘target group addresses’ for election advertising and they extrapolated the party affinity data received to determine the claimant’s classification within the possible target groups.
The claimant had not consented to his personal data being processed and proceeded to bring a claim against the defendant for non-material damage under Article 82 of the General Data Protection Regulation (“GDPR”). He sought compensation of EUR 1,000. The claimant said that the political affinity attributed to him was “insulting and shameful, as well as extremely damaging to his reputation.”
The claim was dismissed by the first-instance court in Austria and the appellate court agreed with the first-instance decision. The claimant appealed to the Austrian Supreme Court of Justice, who referred multiple questions to the Court of Justice of the European Union. The pertinent questions that the Advocate General responded to are as follows:
- “Does the award of compensation under Article 82 of the GDPR also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?”
- “Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?”
In response to question 1, the Advocate General determined that compensation is only available under Article 82 GDPR if the applicant can demonstrate that an infringement of the provisions of the GDPR caused damage. Regarding question 2, the Advocate General differentiated between “mere upset,” which is not eligible for compensation, and “genuine non-material damage,” which is eligible for compensation.
The Advocate General’s opinion aligns with the English decision Rolfe v Veale Wasbrough Vizards LLP, in which the judge summarily dismissed the claim after finding that a minor data breach did not cause credible harm to the claimant nor could the claimant demonstrate the harm claimed was above a de minimis threshold for a damages award.
Damages awarded for a data breach “at the lowest end of the spectrum” – Driver v Crown Prosecution Service EWHC 2500 (KB)
This October 2022 decision certainly came as a surprise in light of the recent trend of High Court decisions on low-value data breach claims, but the content of the data breach may explain why.
A Crown Prosecution Service (“CPS“) solicitor sent an email to a member of the public in June 2019 about a potential charging decision relating to Operation Sheridan (a high-profile police investigation into alleged misconduct in Lancashire and Liverpool local councils) in which Mr. Driver was a suspect.
Mr. Driver initiated proceedings against the CPS in the High Court for a breach of the UK Data Protection Act 2018 (the “DPA“), a misuse of private information and infringement of his rights under s.8 Human Rights Act 1998 (the “HRA“).
The judge, rather than send the matter to the County Court for determination as had happened in numerous other simple, low-value data breach cases, decided to rule on the matter. He determined that the CPS processed Mr. Driver’s personal data in the email it sent because “it indirectly allowed him to be identified as one of the people in relation to whom a file had been sent to the CPS for a charging decision.” The judge found this breached the DPA and, as such, was unlawful because there was no need to provide this information to a third party.
However, the judge rejected the claims for misuse of private information and breach of s.8 HRA. The judge concluded that Mr. Driver had waived his right to privacy when he identified himself publicly as being “a target of Operation Sheridan” in March 2016.
As the data breach was “at the lowest end of the spectrum” and caused a “modest degree of distress,” the judge awarded damages of GBP £250 to Mr. Driver.
Despite the simplicity of the breach and the low damages award, the High Court judge did not explain why he chose not to send this case to the County Court. The only clear difference between this case and other similar low-value data breach claims appears to be the content of the data breach, which pertained to a high-profile criminal investigation.
Key takeaways
- High Court judges remain unimpressed by claimants overcomplicating simple data breach claims and seem likely either to send these claims to the County Court or to dismiss them entirely. The approach in Driver v CPS appears to be an anomaly, possibly due to the content of the data breach, which related to a high-profile criminal investigation.
- Although the judge’s comments were obiter, defendants can take some comfort from the fact that they can present arguments as to the appropriate court allocation of a case without fear that claimants will seek aggravated damages from them if the case is allocated to a lower court.
- The model used by many claimant solicitors of pursuing low-value data breach claims by way of conditional fee agreements and after the event insurance may be under threat if cases become routinely dealt with by the County Court Small Claims Track. If this happens, then it is likely to lead to a reduction in low-value data breach claims generally.
- From an EU perspective, the Advocate General’s Opinion could well reduce the number of vexatious data breach complaints in the EU where there is no damage or where the damage claimed is insignificant, although it remains to be seen whether the CJEU itself will follow the Advocate General’s Opinion.