Litigation and regulatory action over data protection continue to generate real risk for data controllers. The recent announcement by Amazon that Luxembourg’s National Commission for Data Protection (‘CNPD’, their equivalent of the Information Commissioner) has imposed a £636m (€746m) fine caused something of a stir, as the largest regulatory fine since the introduction of the General Data Protection Regulation in 2018. It relates to the processing of customers’ personal data in order to show them advertising, rather than any sort of data breach, though the decision itself has not yet been published. Amazon intends to appeal.
Such a large regulatory fine illustrates the substantial risks that now exist around data protection, both for law firms and their clients. That risk is two-fold: first, as with Amazon, the risk of regulatory action, either following a data breach or a complaint to the regulator, often by pressure groups; secondly, the risks arising from individual private law claims.
Although the UK is now outside the European Union’s GDPR umbrella, it continues to apply the (UK's) GDPR, which for most intents and purposes has the same effects. Certainly the Information Commissioner has been willing to hand down substantial fines for data breaches, with British Airways being fined £20m and Marriott £18m in 2020 (though both fines were very substantially reduced from her initial proposals).
On the regulatory side, the Amazon fine is notable not only for its intended size, but also for its subject matter. Most UK-based fines have been for data breaches and direct marketing contraventions, not other failures to comply with the (UK) GDPR. Beyond those, the Information Commissioner has been slow to intervene in business models that misuse data: its investigation into the adtech industry is still incomplete, despite having begun in February 2019 (and then paused from May 2020 to January 2021 before resuming). Although it has taken action in relation to systematic issues in handling subject access requests, this has not (as of yet) included imposing fines. The Amazon fine, however, goes beyond data breaches, whether accidental or as a result of cyber-attack, and appears to strike at Amazon’s business model itself.
Given the level of regulatory fines seen recently, regulatory action may appear more serious than private law claims, but private law claims, each of which might be relatively modest in value, can result in the death of a thousand cuts. If a data breach, for example, affects a hundred thousand individuals, then nominal damages of £500 each would equate to a total liability of £50m. If that seems an extreme example, a hundred thousand is the number of Morrisons’ employees whose personal data was published by a rogue colleague (for whom the Supreme Court held the supermarket was not vicariously liable, on those specific facts), a quarter of the passengers who settled their claim with British Airways, and just 0.02 per cent of the 339 million hotel guests whose data is believed to have been included in the Marriott breach. Even if a firm is unlikely to face that many individual claims, dealing with the contingent liability is likely to be challenging when preparing accounts, seeking insurance or undergoing due diligence.
Moreover, private law challenges to business models built on the use of personal data may slowly be gaining traction in the UK. Lloyd v Google LLC EWCA Civ 1599, currently awaiting judgment in the Supreme Court, could open the door to representative or group actions with damages due for loss of control rather than distress or any substantive loss. It is also another example of how, in the data protection field, multiple low value claims can stack up to pose a significant risk.
The current position, that ‘loss of control’ of personal data is actionable subject only to the de minimis principle, has contributed to a rash of low-value claims: reportedly, one claims management company issued close to 150 data cases in the High Court between January and June 2021.
That said, it is not all one way for claimants at present: in Warren v DSG Retail Ltd EWHC 2168 (QB), a low-value claim for damages following a cyber-attack on a retailer’s database, Mr Justice Saini struck out claims for misuse of private information, breach of confidence and negligence. The former two causes of action require some positive wrongful conduct by a defendant, and the latter requires a duty of care, which does not exist in respect of conduct covered by the data protection legislation. As well as providing welcome clarity on the relationship between those causes of action and data protection claims, this is also significant because while After The Event insurance premia are still recoverable for misuse of private information claims and breach of confidence claims involving disclosure to the general public, they are not for pure data protection claims. Additionally, breach of confidence claims may only be issued in the High Court. Removing claims of this nature from the High Court and from potential ATE recoverability is likely to make many of them economically unviable for claimants.
In Warren, the data protection claim for breach of the duty to have appropriate technical and organisational measures in place to safeguard against unlawful or unauthorised data processing continues. In that case, that goes ahead as a breach of the seventh data protection principle under the Data Protection Act 1998, but the duty survives as the sixth data protection principle in the (UK) GDPR (and likewise in Part 3 of the Data Protection Act 2018 for law enforcement processing). In M v Chief Constable of Sussex EWCA Civ 42, it was held that this is a flexible rather than absolute duty: what is appropriate will depend on the nature of the personal data in question, and be assessed on a holistic basis rather than by looking at any particular individual measure.
Overall, what seems to be occurring is a substantial expansion of litigation, centred on data protection and information rights, prompted by GDPR and the Data Protection Act 2018 coming into force. The dual-track enforcement system of regulatory and private law action is generating a substantial degree of complexity, with both strands generating risk for data controllers. The courts (and, to a lesser extent, the tribunal system) are still working out the finer details of applying these mammoth pieces of legislation, and there remain significant areas of doubt, both legal and arising out of changing technology. One obvious example of the former concerns claims based on disputes about subject access requests: under the 1998 Act, the court had the power to look at any material that was withheld from the data subject to determine whether or not the decision to withhold it was correct. There is no equivalent provision under the 2018 Act or the UK GDPR, and the common law presumption against closed material procedures is a strong one. An example of the latter is the extent to which emerging technologies such as automatic facial recognition and artificial intelligence may be used lawfully, whether by public authorities including law enforcement, in the retail sector, or more generally: the Court of Appeal’s decision in Bridges v Chief Constable of South Wales Police EWCA Civ 1058 is unlikely to be the last word on this topic.
What remains to be seen is how this evolving situation plays out. Not only are there domestic political mutterings about stripping back UK GDPR, but the broader debate about regulation of data is set to continue both in the UK and in Europe. That means that litigation will continue as well, as everyone strives to adapt to a brave new world where data has value, and a price that is not paid to those who own it.
John Goss and Aaron Moss are barristers specialising in data protection and information law at 5 Essex Court. Together they write a monthly bulletin, The Data Brief: 5essexcourt.co.uk & www.DataBrief.co.uk...