In the build-up to the GDPR coming into effect in 2018, the legal consequences of privacy and cyber security risk were dominated by the headline issue of regulatory fines, and the need to avoid them.
The reality is somewhat different. Of course, there have been some groundbreaking fines but they remain rare; the Information Commissioner’s Office (ICO) issued a fine in 0.05% of reported breaches in 2018/19. The same can be said about other privacy and cyber security enforcement: the Financial Conduct Authority has issued relatively few sanctions for cybersecurity breaches and not a single fine has been issued under the Network and Information Systems (NIS) Regulations 2018.
So what is there to worry about? As we and other experienced data practitioners predicted at the time, it is in fact the litigation risk and financial burden of data subject rights that would be the greatest concern.
Compensation claims
GDPR was a perfect wave for compensation claims in privacy and cybersecurity, building on a groundswell of judicial recognition that individuals should be compensated for breaches of their rights.
The perennial challenge for any claimant had been to demonstrate loss where the breach had no financial consequence. A number of leading cases over the years had stirred the waters in this area.
In cases under the Data Protection Act (DPA) 1998, the court answered this challenge by awarding nominal damages of £1 for financial loss solely so that it could award an additional £750 for distress (Halliday v Creation Consumer Finance Ltd [2013]). The Court of Appeal then cut loose from financial damages altogether, allowing claimants to sue for distress alone (Vidal-Hall v Google [2015]).
In parallel, media cases demonstrated courts’ growing willingness to grant large awards (up to £250,000) for ‘loss of control’ over private information, damage to reputation and distress (Gulati v MGN Ltd [2015] and Richard v (i) BBC (ii) SYP [2018]).
While not at the heady levels of the celebrity cases, quantum was increased for the ordinary claimant by TLT v Home Office [2016], which endorsed valuing distress damages in line with personal injury awards: £2,500 to £12,500, comparable to minor psychological harm, and for some claimants without the need for medical evidence.
As well as lowering the threshold to claim, the pool of those who can claim and the ease of claiming have both expanded.
In TLT, the Court of Appeal found that family members whose names were not leaked could still bring claims if they were identifiable via the named family member. While still untested, the GDPR provides that ‘any person’ who has suffered damage as a result of an infringement can claim compensation, not only the data subject whose data was affected. Could we see all residents of a property bring claims because they are impacted by the disclosure of the address of another, unrelated resident?
The claims industry is also surging with data protection claims. The industry faced significant change from legal cost reforms that prevented claimants recovering their success fees from defendants. That reform was introduced because the old costs regime pressured defendants into paying small claims regardless of merit, given the disproportionate risk of adverse costs. However, privacy litigation was specifically carved out from the reform until April 2019.
Litigation funders have used privacy claims to push the boundaries of investable litigation. In Lloyd v Google [2019], the Court of Appeal allowed a single claimant to advance claims on behalf of a class of more than four million iPhone users. Quite apart from the liability risk, the first instance decision revealed an astonishing expected legal bill: the claimants had arranged funding of £15.5m for their own costs and £12m of insurance against the defendant’s costs, a total anticipated legal spend of £27.5m.
This goes to show that the litigation cost of a cybersecurity or privacy breach easily becomes disproportionate to the incident in question. An individual claimant might seek payment of a few hundred pounds or the low £1,000s, but the claimant’s legal costs can easily be triple that or more. Add ten claims, and the financial exposure becomes sizeable. A breach involving thousands of claimants creates what the Court of Appeal referred to in Various Claimants v Morrisons [2018] as ‘potentially ruinous amounts’. Litigation risk could dwarf even the largest GDPR fine today.
Here are our top tips for addressing litigation risk from privacy and cybersecurity incidents:
- Check your insurance (cyber and liability insurance) for an adequate limit and appropriate excess for data protection claims.
- Work with a firm that specialises in this area, or that is well known to your insurer, in dealing with such claims. The law is changing rapidly, as are litigation tactics.
- Embed litigation risk and privilege considerations into your breach response plan.
- Take good advice, early on. Admissions and early Part 36 offers can help parties focus on the key issues, before legal costs become obstructive.
Data subject access requests (DSARs)
We have seen DSAR levels at clients increase by over 50% post-GDPR, despite this right existing under the old regime in largely the same form. Interestingly, we have not seen a corresponding increase in deletion or correction requests, which typically follow cybersecurity incidents and data breaches.
Under the GDPR, as under the DPA 2018, the individual’s motive for submitting a DSAR is irrelevant. Data controllers must comply with a DSAR even where it is made for a collateral purpose. Certainly in our experience, there has been an increased appetite among claimants to use DSARs strategically in employment disputes and following cybersecurity breaches. The additional time can be significant, and costs can run into the tens of thousands of pounds.
Although DSAR failures can result in a GDPR fine, it is in reality extremely unlikely for employee DSARs to result in a sanction. As with personal data breaches, the ICO deals with thousands of DSAR complaints each year and must prioritise serious breaches, serial offenders and cases of public interest.
More likely, the ICO will send a firm letter in respect of the failure or require the data controller to explain its actions and revisit aspects to resolve complaints.
Judicial intervention, while rare, is an additional cost to be avoided. In Dawson-Damer v Taylor Wessing [2019], the court ordered the data controller to take further steps to locate and disclose the personal data requested.
The key legal risk, therefore, is dealing with DSARs in a timely and cost proportionate way. Timelines are particularly pertinent given the ICO’s recent clarification that the timescale for response starts from day of receipt (and not the date that any clarification on the DSAR is received).
Here are our top tips for reducing DSAR risk following privacy and cybersecurity incidents:
- Establish a DSAR response protocol and train individuals on how to identify DSARs and respond promptly.
- Send any requests for clarification to data subjects promptly, ideally within five days of receipt.
- Consider the scope of the likely searches as early as possible.
- Carry out reasonable searches, even where the data subject delays/refuses to provide clarification.
- Determine your IT search capability for archived/deleted electronic data before deciding whether to rely on the ‘manifestly unfounded or excessive’ exception or a disproportionate-effort argument.
- Narrow the DSAR scope where possible by identifying appropriate search terms, utilising technology and understanding the latest GDPR interpretation (eg what constitutes ‘personal data’ in DSARs has been narrowed so as not to include day-to-day business communications such as e-mails and the content of meeting minutes).