Steve Kuncewicz

Steve Kuncewicz

Partner at BLM

Lawyer and prolific media commentator Steve Kuncewicz revisits the thorny issue of data just over a year on since the Data Protection Act came into effect

If there’s any acronym that engenders either a sight or a sense of abject panic in many of the meetings I’m attending these days, it’s GDPR. Actually, it’s not GDPR, it’s Data Protection and Privacy. I was very lucky early in my career to work with some of the best lawyers I’ve ever come across, including Peter Budd at Gateley and Susan Hall at Cobbetts (now Clarke Willmott). Peter and Susan specialised in Data Protection before it became either a punchline or an immediate business risk; although in their view and my own, it’s always been the latter.  It’s been the best part of 16 months since the 25 May 2018, when the new Data Protection Act came into effect and brought the EU’s General Data Protection Regulation into UK law. Surely by now, we’d have seen the predicted raft of crippling fines issued by the ICO all across the UK for the most minor infraction, alongside a tidal wave of “class action” civil claims that could be “ruinous” to UK businesses?

If you’ve failed to notice them, it’s not because you haven’t been paying attention. Each and every one of us was, around May last year, drowning under the weight of an inbox full of e-mails from any number of senders who we may not even have realised had access to our personal data imploring us to either check our privacy settings or reply otherwise we’d never be able to hear from them again. The more cynical amongst you may note that this was, in fact, the best way to find yourselves unsubscribed from nuisance e-mail since… well, e-mail. Since then, although there have been some notable fines issued by regulators across the EU for serious privacy breaches and some very significant court decisions, it’s probably fair to say that most are suffering from various stages of “GDPR fatigue”. Even in the wake of the Cambridge Analytica scandal, many businesses and individuals may well be more conscious of the power and consequence of the misuse of personal data and impact upon their lives, but the uneasy peace of the last 12 months is unlikely to last too much longer.

Whilst the GDPR didn’t reinvent privacy and data protection law, it did turn up its volume and introduce and strengthen both the regulatory regime and the potential sanctions which could be brought to bear by regulators when they need to intervene. It also made it easier for individuals to being civil claims as a result of a data breach, codifying the entitlement to an “effective judicial remedy” and damages for” non-material” losses following a number of previous decisions which saw the existing law beaten into shape to deal with new technological challenges and previously-unforeseen exploitation of personal data by businesses, eager to set up their own derrick and drill for the “new oil”.

It’s true that the new maximum monetary regulatory penalties of 4% of a business’ global financial turnover (or the Sterling equivalent of 20 million Euros) for the financial year preceding the breach is  terrifying, but many of the fines levied since 25 May such as the action taken against Facebook were based on the old law and (even though in some cases at the maximum previous level of £500,000) a mere drop in the ocean when taken against the revenue they’ve generated as a direct result of the personal data of their users. Google was fined 50 million Euros by the CNIL, France’s Privacy Regulator, over a lack of transparency and user consent relating to personalisation of online ads, but to date there have only been two indications of intent by the ICO to issue major fines against British Airways as a result of its consumer app being hacked and Marriott after its guest reservation database was compromised. Both will get their chance to make representations and bring down the “record level” currently set at well over £100 million.

And the onslaught of civil claims? Well, the landmark Morrisons data breach claim is headed for the Supreme Court in November and the appeal in the Google Group Litigation is due to be heard at around the same time. The former saw Morrisons found vicariously liable for a data breach caused intentionally by a rogue employee but without any decision on quantum and the latter confirmed that not every data breach would automatically lead to an easy claim. Damages awards in civil data breach claims remain modest, but the economies of scale offered by fighting a viable group action remain attractive to claimant firms. The real fighting hasn’t even begun, and several group claims underway against Ticketmaster and others, along with the new Pre-action Protocol for media & communications claims will at least help to streamline what can be unwieldy and imprecise disputes.

Where do we go from here? What we can say is that individual data subjects are more aware of their rights relating to personal data and potentially more likely to rely on them and hold businesses to account when it’s misused. The number of complaints to the ICO has risen dramatically (to say the least) and the number of Data Subject Access Requests is also increasing. Data protection and privacy is no longer a fringe issue practiced by only a few specialists. It’s becoming a fundamental legal issue for practitioners and their clients, many only one “great hack” away from being the next example of when the misuse if big data leads to exponentially bigger risk.