James McGachie: Get ready for GDPR or you may suffer consequences

Even before GDPR comes into effect, group actions on personal data breaches are already under way in England, often backed by third-party funders who offer to pay the group’s legal fees, before splitting compensation in a no-win, no-fee agreement.

So far, the GDPR spotlight has largely been on revenue-based fines that can be imposed for non-compliance with the new law, which provide for penalties of up €20 million or 4 per cent of annual turnover. However, group action litigation risk is potentially an equally significant hazard for organisations. Having processes in place to respond to and mitigate such risks should not be overlooked in GDPR readiness programmes.

It is often hard for claimants to prove specific data breaches caused particular financial losses whereas evidencing distress in relation to personal data having been compromised through a particular personal data breach is less onerous.

However, the recent high-profile Vidal-Hall v Google litigation confirmed that damages for distress could be claimed against data controllers for contravention of the Data Protection Act 1998, even where there was no financial loss. This right is now enshrined within Article 82 of the GDPR, which provides a legislative basis for the right to compensation for both “material” and “non-material” damage caused by infringement.

Two developments last year relating to Google and Morrisons Supermarkets signalled that group actions are likely to be encountered on a more regular basis in future, particularly as GDPR comes into force. In November, campaign group ‘Google You Owe Us’ announced a representative action that effectively continues the Vidal-Hall proceedings on a larger scale.

The group claims between June 2011 and February 2012, Google obtained personal information by bypassing default privacy settings on the iPhone to install cookies in Safari. It is alleged that collecting personal data in this manner in respect of individuals’ browsing histories to target adverts at them – known as the “Safari Workaround” – was in breach of the data subjects’ rights under section 4 of the Data Protection Act 1998. The group’s website says the action is funded by a “third party funder”, an organisation which agrees to cover the costs of bringing the action in return for a share of damages.

The ability to raise proceedings while relying on third party funding and insurance, coupled with the new statutory rights introduced by the GDPR as described above, is likely to fuel the trend of group actions based on breach of data protection laws.

Elsewhere, the High Court decision in the Morrisons litigation, issued on 1 December 2017, provides a precedent in this area. Over 5,500 claimants joined a group action raised on the basis that Morrisons was either directly liable or had vicarious liability for the acts of an employee in leaking the personal data of employees. The court determined that Morrisons was vicariously liable for such acts and it remains to be seen whether the dispute will reach the Court of Appeal or be settled.

With the Civil Litigation (Expenses and Group Proceedings) (Scotland) Bill making its way through Holyrood, group actions of this nature could soon be heard before Scottish courts too. Organisations should therefore prepare for increased privacy litigation risk, and how to address the risks posed by both internal and external threats in the run up to May and beyond. Brexit has required the UK government to introduce the Data Protection Bill, which, while intended to ensure UK domestic law mirrors the GDPR following March 2019, may ultimately implement certain subtle changes in some areas

What amounts to appropriate defensive controls will vary and specialist legal and insurance advice should be obtained to ensure that there is sufficient coverage for the higher losses likely to arise under GDPR.

James McGachie is legal director, DLA Piper, Edinburgh