GDPR - What does it mean for civil litigation?

Posted by Brabners

Tue 04th, Jul

As Brexit negotiations begin to get underway, and the country takes stock of the announcements made during the Queen’s Speech on 21 June, one topic that is at the forefront of discussion in many businesses is data protection.

The EU’s General Data Protection Regulation (GDPR), set to come into force on 25 May 2018, spells big change for businesses globally and introduces a new framework of rules that has received a mixed reception.

Whilst many companies are already taking steps to ensure that the ways in which they handle personal data will comply with the GDPR in time, there has been some uncertainty as to whether or not this is actually necessary in light of the outcome of last year’s Brexit referendum. The announcement of a new Data Protection Bill during the Queen’s Speech has provided some clarity in this respect, as the government’s ‘associated background briefing’ to the speech stated, in no uncertain terms, that the GDPR will indeed be implemented into national legislation.

This announcement does not, in fact, change the position of the UK in relation to the GDPR coming into effect. The UK will still be a member of the EU on 25 May 2018, which means that, in any event, we will be bound by the provisions of the GDPR on that date. However, we can now be certain that the rules imposed by the GDPR will, for the most part, remain in place once we leave the EU, as the government’s intention is to harmonise national legislation with the GDPR.

With less than a year to go, the realisation is now dawning on many organisations which deal with personal data that they may have to radically transform their processes, and entirely re-think their attitudes towards privacy, if they are to comply with the GDPR by next May. The challenges facing those businesses over the next 11 months are clear - but what impact will the new regulations have on the world of civil litigation?

Increased claims by individuals for data privacy breaches

The GDPR introduces new rights for individuals and tougher penalties for businesses when it comes to breaches of data privacy. Many expect that, at the end of May 2018, there will be a flood of requests to companies’ data controllers for rights of access or portability of data, or to exercise the right to be forgotten. Such requests will inevitably result in a large number of complaints to the Information Commissioner’s Office, and, in turn, a number of those complaints may ultimately end up before the courts.

Further, there is speculation surrounding the potential for large-scale ‘class action’ style claims where data security breaches affect a large number of individuals. There are mechanisms already in place for such actions; the courts can make Group Litigation Orders, allowing claims arising from common issues to be managed collectively. It is also possible that a collective action regime (similar to that which was recently adopted for competition law breaches) may be rolled out or extended to cover data protection, whereby all affected individuals are automatically part of the ‘class’ of people bringing the action unless they choose to opt out.

The GDPR represents a tipping of the balance of data protection law, favouring the protection of the individual over the commercial needs of businesses. However, it should be noted that, even in the absence of the GDPR, data protection in the UK seems to be heading in that direction. Recent years have seen a rise in the number of claims for data privacy breaches, as well as an increase in the compensation payable for such claims, and individuals may now claim compensation for damage caused purely by distress (without any financial loss) following the Court of Appeal’s decision in Google v Vidal-Hall [2015] EWCA Civ 311.

Detailed exploration of the legal grounds for processing data

Under the GDPR, the consent of a data subject subsists as a legal ground for the processing of personal data, but it will be much more difficult to show that consent has been obtained than under the existing law (based on the Data Protection Act 1998). It is therefore likely that the other lawful grounds for processing data, such as necessity for the performance of a contract or the compliance with a legal obligation, will need to be considered in more detail than ever before, as parties to litigation will not be able to rely on consent as readily as they have done in the past.

There are also concerns that the tightened regulations on processing personal data may impact on the process of disclosure in litigation. Litigating parties (and their lawyers) may need to consider whether consent is required (and correctly obtained) when undertaking disclosure during proceedings if the relevant documents in the case contain personal data. If a party to litigation is based outside the jurisdiction, it will also be necessary to consider the lawful grounds for the cross-border transfer of personal data.

There has been some discussion around Article 48 of the GDPR and its impact on disclosure. Article 48 provides that any judgment of the courts of a non-EU country, requiring a data controller to transfer or disclose personal data relating to EU data subjects, shall not be recognised or enforceable unless it is based upon an international agreement between the requesting state and the EU. In the absence of such agreements, parties may refuse to provide disclosure on the basis that doing so would conflict with their general obligations under the GDPR. It remains to be seen what scope there might be for parties to use this to their tactical advantage, by feigning caution over data privacy to delay or prevent the disclosure of certain information.

Uncertainty

The GDPR makes substantial changes to an area of law that affects a vast number of companies and individuals. As with any such reform, the big word on the tip of everyone’s tongue is “uncertainty”; until the new regulations come into force, and we begin to see the courts delve down into the details of the GDPR’s provisions, we cannot know for certain exactly how those provisions will be interpreted or what the practical implications might be.

What we can say for certain, however, is that the notion of data privacy is becoming more and more pervasive. Few businesses will escape the onerous requirements of the GDPR and other developments in data protection law. From a lawyer’s perspective, the impact is two-fold; not only will law firms have to ensure that their own processes are compliant with the new rules, but data privacy is also likely to become a primary consideration for lawyers in all practice areas – a far cry from what was once considered to be a niche area in commercial law.

Author: William Eggleston, Trainee Solicitor at Brabners LLP. To contact William please call him on 0161 836 8831 or send an email on william.eggleston@brabners.com.

Leave a comment

Why now is the right time to take IoT seriously

Mon 27th, Jul

Guest blog by Alan Nunn – Communications Subject Matter Expert at CGI

How IoT can create a sustainable future for water

Mon 27th, Jul

Guest blog by Graham Hainsworth – Director Consulting in CGI’s Water Sector Business

Happy 9th Birthday 6th Door Ltd

Tue 19th, May

As I’m leaning on the stand-up desk in my makeshift home office, that over the weeks has been turned into a video and podcast recording studio

How to take back control of your water costs

Fri 13th, Mar

While most businesses already have a comprehensive strategy in place for their electricity and gas consumption, water management is often overlooked.

How to choose an energy consultancy

Fri 13th, Mar

Most business owners recognise the advantages of shopping around for the best energy deal, but without the time, resource and expertise to find the best tariff, it can be an almost impossible task.

Business energy: Don’t get caught out by rollover rates

Fri 13th, Mar

As a busy business owner, you may feel there are not enough hours in the day to secure your next energy contract. You know you’ll get around to it, but when you’ll get around to it is another matter.

Business water matters – Top 3 water saving tips

Fri 13th, Mar

Water is often referred to as ‘the forgotten utility’. While many large businesses are clearly focussed on their comprehensive energy strategies, it seems many are yet to implement a strategy around managing their water usage.

Know where your cloud data is stored or risk a GDPR fine

Thu 27th, Feb

For businesses who have chosen cloud-based data hosting services there’s a temptation to relax and think “great, we’re paying someone else to take care of our data, we don’t need to worry about it any more.”

Transparency plans could slow down region’s business growth

Thu 27th, Feb

Efforts by regional start-up initiatives that have led to Merseyside outperforming the rest of the UK when it comes to business growth could be hampered by new government proposals, a leading legal expert has claimed.

Backup or risk losing your business

Thu 13th, Feb

Maintaining a robust backup is hard work, it’s important to not only build the correct solution for your business and trust your IT support provider to look after it, but to also maintain a sense of urgency as a business owner to...