GDPR - waiting for the flood

When the GDPR entered into force in May 2018, it was expected to unleash a torrent of group litigation. Individuals became more aware of their greater rights as ‘data subjects’ against organisations that process their personal data, including enhanced rights to obtain financial compensation from such organisations when they breach the law, and representative bodies were empowered to lodge complaints, bring claims and obtain compensation on behalf of data subjects. No such torrent has materialized yet, leading us to question why.

In the first place, much of the law surrounding the GDPR still needs to be put to the test. To date the Information Commissioner’s Office (ICO) has had relatively little time to try out the legal ground with the test cases that might embolden claimants to file other class action suits. The ICO’s work on the Cambridge Analytica case has been of major significance, so it will be interesting to see what happens as more such investigations get an airing in court. At present the ICO admits that it is spending a lot of time dealing with over-reporting of breaches by understandably nervous controllers, holding up other work. There is good reason to speculate that as businesses get more used to what they do and do not need to do when a data breach happens, we will see an increase in the type of ICO activity that litigators are waiting to watch.

Secondly, it’s not yet clear what types of organisation can bring actions and claim compensation on behalf of data subjects. The GDPR sets out some rules on this, but the detail of some of those rules is still open to interpretation, especially where they relate to the funding of litigation. A funder of litigation may be essential to an action getting off the starting blocks but will, in many cases, need to see a way to make a profit in the event of a win. The GDPR’s insistence that only not-for-profit organisations can act in this capacity is a definite problem in need of clarification where litigation funders are concerned. This too may be delaying suits.

The issue is further complicated by the UK government’s having decided against allowing bodies automatically to represent every data subject affected by an action. Unlike in the US, where people must specifically opt out, in the UK people must specifically opt in. So, any organisation managing to qualify to represent data subjects must, at present, obtain signatures from every single person who they intend to represent. Where a small number of people are involved this may not be asking much, but in breaches involving the data of thousands of individuals it is an enormously time-consuming and laborious task.

At present UK law does not permit a single claimant to file a collective action on behalf of a group; at least two, but ideally more, claimants are therefore necessary. This presents administrative challenges in an already costly area of the law. Group actions are necessarily expensive undertakings, hence the need in many instances for a professional funder to provide finance for the litigation. However, as stated above, that funder’s need to make a profit is potentially problematic under GDPR rules, so it is a significant stumbling block at present. Another is that funders will avoid any actions that they think may be losable for fear of liability for the defendant’s costs. When the relatively low damages awarded to successful claimants to date are added to these considerations, it is not difficult to see how there may be very valid claims out there that are merely struggling to gain traction at present.

So, what does the future hold, and has the torrent merely been delayed? The evidence suggests that the latter is the case. There are signs that law firms are readying themselves. Advertisements have been run recently for claimants to sign up to a proposed class action against British Airways; the court ruling of vicarious liability against supermarket chain Morrisons, even after the ICO had concluded that the supermarket itself was not at fault for its data breach, has sent shockwaves far and wide; there is the high profile of the ongoing Facebook investigation and the knock-on awareness that GDPR covers far more than outright data breaches; and finally the UK government has pledged to review the requirement to opt in to group actions in 2020, with the potential to switch to the US-style opt-out alternative. All of these factors suggest strongly that what we are experiencing at present is merely a delay of the inevitable.

So now is no time for data controllers and processors to relax. Businesses need to be ever more vigilant to compliance with GDPR, ever more careful and courteous when dealing with complaints and ever more determined to learn the lessons that complaints teach. At the first suggestion that a complaint may have a GDPR element the sensible business will take legal advice on how to proceed, but at the same time businesses need to be wary that requests from data subjects may be fishing for information on which to base an action. Again, legal advice will be a sound investment. Above all, keep a close eye on the work of the ICO and any of its decisions or penalties. This will be one of the best indicators of all as to the direction in which things are moving.