Facing a future of more privacy and group action claims
We mentioned, in a number of our previous posts, that the coming GDPR changes present an increased risk of privacy litigation and ‘group actions’. The focus, to date, has tended to be on the significant fines, for non-compliance. However, the increased risk of litigation presents an equal concern for companies, come May 2018.
The headlines you need to know about:
The recent Court of Appeal decision in Vidal-Hall v Google (the first group action in the UK based on data protection law) found that damages for distress could be claimed against data controllers, for contravention of the Data Protection Act 1998, even if there was no financial loss.
This is important. Prior to this it was often challenging to prove that a specific data breach had caused financial loss. However, this ruling allow a claim to be brought in relation to distress caused, which is far easier to prove.
The decision in Vidal-Hall v Google has since been relied on in successful claims for damages for distress including TLT & others v Secretary of State for the Home Department and the Home Office and Gulati v MGN Ltd.
What makes this particularly important for businesses is that the Vidal-Hall v Google proceedings are not carrying on, as part of a much larger ‘representative action’. In this case this is a claim by an individual on behalf of the ‘Google You Owe Us’ group, led by Richard Lloyd (the former executive director of Which?)
Under Article 87 the GDPR makes it easier for consumers to claim compensation as part of a wider group and to mandate any damages to a not-for-profit body, organisation or association.
The GDPR also makes it more likely that consumers will be made aware of breaches, and therefore potential clients, because data controllers will be required to notify regulators (and in the case of high risk breaches, individuals affected).
All of this suggests that we’re likely to see an increased number group action claims in the coming months.
For more information on preparing for GDPR take a look at some of our other articles and our guides. In particular you might want to take a look at other GDPR-related news, such as:
- Morrisons ruled as vicariously liable for employee’s data breach
- Website privacy notices 'too vague and generally inadequate'
- What challenges does GDPR pose to the marketing list industry
- How to write a GDPR compliance ‘white paper’ as marketing collateral