The General Data Protection Regulation ("GDPR") and incoming Data Protection Bill (UK) ("DP Bill") introduce a range of new liabilities into the data protection landscape. Data controllers, including solicitors, have been warned of a corresponding increase in data protection claims under the new regulatory regime for some time. These warnings have largely focused on the level of fines and new data breach response requirements. However, the brewing perfect storm surrounding compensation claims should also be firmly on solicitors' radars.
The GDPR introduces a number of new mechanisms that are set to inflate data controllers' exposures:
· Compulsory data breach notification – articles 33 and 34 require that data controllers self-report security breaches to regulators within 72 hours, and to data subjects without undue delay;
· Group/public interest litigation – article 80 states that not-for-profit and public interest bodies may claim compensation on data subjects' behalf;
· Rights to compensation – article 82 confirms that data subjects may claim compensation for material and non-material harms from both data controllers and data processors;
· Increased regulatory fines – article 83 raises the current cap on regulatory fines from £500,000 to £17m or 4% of total worldwide annual turnover.
Over the course of 18 months, DAC Beachcroft conducted a study into how the GDPR will change the compensation and regulatory sanctions regime across Member States; see "Personal Data: the new oil and its toxic legacy under the General Data Protection Regulation". Contributions were obtained from data protection experts across all 28 Member States. While the study covered a number of areas, our findings point to an expected increase in compensation claims across Europe: 23 of the 28 contributors anticipate that data protection litigation will increase in the next 5 years.
This projected increase should be of concern to solicitors, particularly given the current exposure in this area. Solicitors are, by their very nature and the quantity of personal data they hold, at risk of a data security incident. "Legal" is one of the six industry sectors currently monitored by the ICO in its data security incident trends reporting.
We consider that two factors will particularly spur on claims in the UK, one an odd lacuna in recent costs reform, and the other a recent game-changing decision of the High Court.
The amendments to litigation costs introduced by the Legal Aid, Sentencing and Punishment of Offenders Act 2012 ("LASPO") are well known. LASPO introduced changes to the conditional fee agreements and success fees accessible to claimants, largely to curb the aggressive litigation culture that had grown in areas such as personal injury.
What readers might find surprising is that LASPO contained a specific exemption for "publication and privacy proceedings". Although no explicit reference is made to data protection legislation, data protection claims are often made alongside such proceedings. Given the high-volume, low-value nature of data breaches and data protection claims, coupled with the group litigation mechanism introduced by the GDPR, this exemption may open the door to a new wave of the very claims farming that LASPO was originally intended to curb.
On 6 December 2017, the High Court released its much anticipated decision in the Morrisons case. The case concerned a group claim brought by 5,500 employees of Morrisons following the publication of payroll data by a disgruntled Morrisons employee. The data was published as an act of revenge against Morrisons following what the employee considered to be unjustified disciplinary action. Although the claim was brought by 5,500 employees, the published data set contained personal data relating to almost 100,000 Morrisons employees.
The employee was arrested and convicted of offences relating to the data breach, resulting in a sentence of eight years in prison. It was acknowledged at sentencing that the employee had acted for the specific purpose of damaging Morrisons. In the civil claim, the High Court was invited to conclude that Morrisons was either directly or vicariously liable for the actions of its employee. While the court declined to find Morrisons directly liable, it did go on to find that Morrisons was vicariously liable for the breach committed through the employee's actions.
This is a concerning outcome for data controllers and processors. An entity can, through no fault of its own, be the victim of a deliberate, malicious breach intended to harm that entity and then subsequently be held liable for the repercussions of that wrongful act. This raises obvious issues for the likes of the legal industry, where employees have access to highly sensitive personal data (as illustrated by the recent Panama Papers and Paradise Papers leaks).
In summary, while data controllers and processors may be tired of hearing about the risks posed by the GDPR and the DP Bill, our own investigations and the surrounding litigation environment suggest that the dangers posed by compensation claims are very real. An increase in litigation is anticipated, the costs regime is favourable to claimants, and the latest position on vicarious liability can expose solicitors in respect of acts over which they have little control. A perfect storm for compensation claims is a very real possibility.