Data protection: reading future trends
The predicted flood of GDPR-related litigation is yet to materialise but several issues are already emerging, says Ricky Cella
The main provisions of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) came into effect on 25 May 2018.
In the preceding weeks and months there was a considerable amount of speculation regarding the impact that the GDPR would have on civil litigation in England & Wales.
Almost a year on, have any of these predictions come to fruition, and what key points should practitioners take from the developments witnessed so far?
Group litigation and data breaches
Even before the advent of the GDPR there was increasing interest in group litigation relating to data breaches. In particular, in Various Claimants v WM Morrisons  EWHC 3133 (QB), the High Court found that a supermarket was vicariously liable for a rogue employee’s breach of the Data Protection Act 1998.
That decision was subsequently upheld in the Court of Appeal in 2018. The Morrisons case was the first employee class action in England & Wales relating to a data breach.
The claimants’ success raised the prospect of similar group litigation claims being brought in the future.
It was therefore predicted that the advent of GDPR, combined with increasing awareness of individuals’ data protection rights, would result in claims of this nature becoming more prevalent.
There were good grounds to believe this would be the case. For example, the GDPR contains more detailed requirements surrounding data security and introduces mandatory notifications for data breaches.
The GDPR also includes provision for data subjects to mandate a consumer protection body to bring claims on their behalf for breaches of GDPR.
Since May 2018 there have been a number of high-profile data breaches affecting individuals in England & Wales. In September 2018, British Airways warned that it had been the victim of a cyber-attack that compromised the payment card details of up to 380,000 customers.
Following BA’s announcement a number of law firms issued statements saying that they intended to launch a group action against the company, and that they would seek compensation for victims of the data breach for “non-material damage”.
The right to compensation for non-material damage is provided for in Article 82 of the GDPR, and expressly includes compensation for “distress” under section 168 of the DPA 2018.
A month later, in October 2018, Cathay Pacific announced that there had been a “data security event”, which had potentially compromised the personal details of some 9.4 million passengers.
More recently there have been a number of other data breaches disclosed to the public, including the breach affecting parenting site Mumsnet in February 2019.
Given the new notification requirements under the GDPR, and the increasing risk of cyber threats, it is unlikely that the pipeline of potential group data breach litigation will diminish in the near future.
However, there is a word of caution for prospective claimants in the High Court’s decision in Richard Lloyd v Google LLC  EWHC 2599 (QB).
The judgment contains several remarks which suggest that courts are alert to the risk that speculative group data protection actions could be brought by opportunistic claimant law firms and litigation funders.
For example, the court noted that “the main beneficiaries of any award at the end of [the] litigation would be the funders and the lawyers, by a considerable margin”.
Speculation around the potential impact of the GDPR on parties’ disclosure obligations is understandable.
Parties in litigation often disclose documents obtained from third-party sources containing information relating to individuals not directly involved in the case.
Practitioners have generally been content to rely on the exemptions under the DPA 2018 that apply if disclosure of personal data is: (i) required by a rule of law or an order of a court or tribunal (paragraph 5(2), Part 1 of Schedule 2); or (ii) necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings) (paragraph 5(3), Part 1 of Schedule 2).
The second of these exemptions is of course relevant for pre-action disclosure applications.
It is yet to be seen whether the application of these exemptions will lead to substantial satellite litigation about parties’ disclosure obligations.
In any event, practitioners should be mindful of the requirements of the data protection regime when conducting disclosure exercises, particularly when dealing with the personal data of non-clients.
The exemptions referred to above have already been considered in the context of an application for a non-party disclosure order in Juul Labs Inc v Quick Juul Ltd  EWHC 3350 (IPEC).
In this case, the court found that the DPA 2018 provided no basis on which it should refuse an order for disclosure to be given by a non-party.
In particular, the court noted that although the respondent was not persuaded that the exemption in paragraph 5(3), Part 1 of Schedule 2 applied, if the court made the order requested then the exemption in paragraph 5(2) of the same schedule would clearly apply (as it would clearly constitute “an order of a court or tribunal”).
The non-party respondent’s unwillingness to give disclosure without a court order is understandable in the context of the heightened sensitivity to data protection issues following the GDPR.
Practitioners seeking non-party disclosure orders on behalf of their clients should therefore be prepared for third parties to adopt similar stances.
Use of external providers
Many firms will view their role as that of a data controller. Accordingly, the DPA 2018 requires firms to ensure that any data processor they engage provides sufficient guarantees to ensure that the processing of the data carried out on the firm’s behalf is secure.
If a firm engages an external document management consultant, or outsources document review functions, the third party is likely to be considered a data processor given that it too will likely process individuals’ personal data.
Similarly, if a firm appoints an expert witness to give evidence in the course of litigation, the expert witness could be classed as a data processor.
Under the GDPR data processors are subject to direct compliance obligations and may be liable to fines or penalties for breaches.
The GDPR also specifies the contractual terms that data controllers must include in their data processing contracts.
In order to mitigate the risk of falling foul of these requirements, firms should carefully review their contractual arrangements with external providers, particularly when outsourcing document-review functions, and be prepared to negotiate issues relating to the allocation of liability arising from potential data breaches.
Advise and mitigate
At present, the impact of the GDPR on the conduct of, and trends in, litigation in England & Wales has been limited.
Given the relatively short time that has elapsed since the GDPR came into force, this is not surprising.
However, even at this relatively early stage, a number of trends and issues have started to emerge. Practitioners should endeavour to keep abreast of these developments to ensure they are able to properly advise their clients, and to mitigate the risk of being in breach of the new legislation.
Brexit also has a potential impact on data protection law in England & Wales. The official line from the Information Commissioner’s Office is that the UK government intends to incorporate the GDPR into UK data protection law when the UK exits the EU.
Therefore, in practice, there will be little change from the core data protection principles, rights and obligations found in the GDPR.
Even if the UK leaves without a deal, the DPA 2018 will continue to apply. In any event, it appears highly unlikely that the UK would entirely abandon the current regime or adopt something drastically different.
Ricky Cella is an associate at Russell-Cooke russell-cooke.co.uk