- While 2018 was the year of GDPR implementation, 2019 may be the year of GDPR weaponisation.
- In 2019 the UK’s data protection regulator will impose its first post-GDPR financial penalties; however, these are unlikely to have a value close to its maximum fining power of £17m or 4% of worldwide turnover.
- It is reasonable to anticipate a continuing uptick in data protection litigation, with increased awareness of data rights and the lack of any requirement to show pecuniary loss likely to appeal to claimants.
- However, the Courts will not tolerate spurious or ill-considered claims, and have shown in 2018 that they are alive to the means by which data protection causes of action can be exploited.
While the ICO has been busy taking action against breaching data controllers in 2018, the majority of its enforcement related back to the pre-GDPR era, where its fining power was limited to £500,000, as opposed to the £17m or 4% of global turnover it has now.
2019 will start to see those data controllers unlucky enough to have been in breach since 25 May 2018 (the GDPR landing date) face the consequences; while the ICO has issued post-GDPR enforcement notices, it has not yet levied a fine. A high-profile example will be British Airways, which in September 2018 revealed that it had been the subject of a massive data breach, where customers’ financial and personal details connected to 380,000 transactions were stolen. However, those hoping to see the regulator start doling out eye-watering fines may be disappointed. In terms of the fines that may be imposed, the ICO has indicated that it anticipates “very significant penalties” to constitute those that are over the threshold of £1m. This suggests that it will not frequently be imposing fines close to its maximum level.
It is also worth noting that the ICO must ensure that its approach to fines is aligned with those adopted by other European supervisory authorities. So far, the fines issued by supervisory authorities (in Germany and Austria) for post-GDPR breaches have been very low. Another point to note is that fining is just one of the tools in the ICO’s toolkit – it enforced against the data science firm AggregateIQ in July 2018 by requiring it to cease processing all data of UK citizens for the purposes of data analytics, political campaigning or any other advertising purposes. Of course, in real terms, this could cost the company much more than a fine would.
As far as businesses also regulated by the FCA are concerned, we may see the FCA, as opposed to the ICO, take the lead in regulatory action where data issues have arisen, as happened with Tesco Bank. Tesco Bank was fined £16.4m by the FCA in October 2018 for failings connected to a cyber-attack in 2016, which compromised its customers’ data (although none was stolen or lost).
Increased public awareness of data rights, along with the broadening of causes of action and the lack of any requirement to show financial loss, suggest that it is reasonable to anticipate an increase in claims. 2018 was witness to some interesting data protection cases in the courts, and the themes in those disputes will continue into 2019, not least the question of collective actions. The prospect of group litigation is a real threat to data controllers and processors following the implementation of GDPR.
Apart from the provisions in the Consumer Rights Act 2015 concerning private actions in competition law, the UK has no opt-out class action mechanism. But, as shown by the case of Various Claimants v WM Morrisons Supermarket plc, where a class of 5,518 claimants was put together, the tools in the CPR are sufficient to bring group claims in the context of data protection litigation. As individuals do not need to show pecuniary loss to bring a data-based claim, it is not hard to envisage a situation where a business with a large customer base or payroll faces a huge quasi-class action as a result of a data breach. Judges in the Court of Appeal hearing of Morrisons in October 2018 were alive to this risk, but unsympathetic: referring to “a large number of claims against the relevant company for potentially ruinous amounts”, they recommended insurance as “a valid answer to the Doomsday or Armageddon arguments”.
In 2019 we should see courts exercise some understanding of the challenges faced by data controllers. While Morrisons was unsuccessful in defending the claim by data subjects, the costs judgment in the case saw the claimants’ costs award significantly reduced due to their pursuit of tenuous data protection claims (in addition to the one that succeeded). Meanwhile, in the October 2018 judgment of Richard Lloyd v Google LLC, an attempt to kick off a speculative quasi-class action on behalf of an undefined class of data subjects was met with short shrift. Mr Justice Warby noted, as he threw out the case, that the main beneficiaries would have been “the funders and the lawyers, by a considerable margin”. He added, “It would not be unfair to describe this as officious litigation, embarked upon on behalf of individuals who have not authorised it, and have shown no interest in seeking any remedy for, or even complaining about, the alleged breaches.”
What it means for you
Continuing compliance with GDPR is a must, but don’t rest on your laurels even if your implementation and compliance is perfect. Litigation funders, claimant law firms and claims management companies are considering whether some form of data-based litigation or complaints could constitute “the new PPI”. The High Court and the Court of Appeal have indicated that claimants should show restraint. However, all businesses must be aware of the very real risk of cyber-attacks and other data incidents, and the litigation and regulatory enforcement risk that will naturally flow from these. Morrisons was blameless in relation to the data incident that led to it being sued by 5,518 of its employees, and the ICO decided to take no action against it. However, this didn’t insulate it from vicarious liability in the Courts.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.