William Eggleston, trainee solicitor at Brabners, looks at what GDPR means for civil litigation.
As Brexit negotiations begin to get underway, and the country takes stock of the announcements made during the Queen’s Speech on 21 June, one topic that is at the forefront of discussion in many businesses is data protection.
The EU’s General Data Protection Regulation (GDPR), set to come into force on 25 May 2018, spells big change for businesses globally and introduces a new framework of rules that has received a mixed reception.
Whilst many companies are already taking steps to ensure that the ways in which they handle personal data will comply with the GDPR in time, there has been some uncertainty as to whether or not this is actually necessary in light of the outcome of last year’s Brexit referendum. The announcement of a new Data Protection Bill during the Queen’s Speech has provided some clarity in this respect, as the government’s ‘associated background briefing’ to the speech stated, in no uncertain terms, that the GDPR will indeed be implemented into national legislation.
This announcement does not, in fact, change the position of the UK in relation to the GDPR coming into effect. The UK will still be a member of the EU on 25 May 2018, which means that, in any event, we will be bound by the provisions of the GDPR on that date. However, we can now be certain that the rules imposed by the GDPR will, for the most part, remain in place once we leave the EU, as the government’s intention is to harmonise national legislation with the GDPR.
With less than a year to go, the realisation is now dawning on many organisations which deal with personal data that they may have to radically transform their processes, and entirely re-think their attitudes towards privacy, if they are to comply with the GDPR by next May. The challenges facing those businesses over the next 11 months are clear - but what impact will the new regulations have on the world of civil litigation?
The GDPR introduces new rights for individuals and tougher penalties for businesses when it comes to breaches of data privacy. Many expect that, at the end of May 2018, there will be a flood of requests to companies’ data controllers for rights of access or portability of data, or to exercise the right to be forgotten. Such requests will inevitably result in a large number of complaints to the Information Commissioner’s Office, and, in turn, a number of those complaints may ultimately end up before the courts.
Further, there is speculation surrounding the potential for large-scale ‘class action’ style claims where data security breaches affect a large number of individuals. There are mechanisms already in place for such actions; the courts can make Group Litigation Orders, allowing claims arising from common issues to be managed collectively. It is also possible that a collective action regime (similar to that which was recently adopted for competition law breaches) may be rolled out or extended to cover data protection, whereby all affected individuals are automatically part of the ‘class’ of people bringing the action unless they choose to opt out.
The GDPR represents a tipping of the balance of data protection law, favouring the protection of the individual over the commercial needs of businesses. However, it should be noted that, even in the absence of the GDPR, data protection in the UK seems to be heading in that direction. Recent years have seen a rise in the number of claims for data privacy breaches, as well as an increase in the compensation payable for such claims, and individuals may now claim compensation for damage caused purely by distress (without any financial loss) following the Court of Appeal’s decision in Google v Vidal-Hall EWCA Civ 311.
Under the GDPR, the consent of a data subject subsists as a legal ground for the processing of personal data, but it will be much more difficult to show that consent has been obtained than under the existing law (based on the Data Protection Act 1998). It is therefore likely that the other lawful grounds for processing data, such as necessity for the performance of a contract or the compliance with a legal obligation, will need to be considered in more detail than ever before, as parties to litigation will not be able to rely on consent as readily as they have done in the past.
There are also concerns that the tightened regulations on processing personal data may impact on the process of disclosure in litigation. Litigating parties (and their lawyers) may need to consider whether consent is required (and correctly obtained) when undertaking disclosure during proceedings if the relevant documents in the case contain personal data. If a party to litigation is based outside the jurisdiction, it will also be necessary to consider the lawful grounds for the cross-border transfer of personal data.
There has been some discussion around Article 48 of the GDPR and its impact on disclosure. Article 48 provides that any judgment of the courts of a non-EU country, requiring a data controller to transfer or disclose personal data relating to EU data subjects, shall not be recognised or enforceable unless it is based upon an international agreement between the requesting state and the EU. In the absence of such agreements, parties may refuse to provide disclosure on the basis that doing so would conflict with their general obligations under the GDPR. It remains to be seen what scope there might be for parties to use this to their tactical advantage, by feigning caution over data privacy to delay or prevent the disclosure of certain information.
The GDPR makes substantial changes to an area of law that affects a vast number of companies and individuals. As with any such reform, the big word on the tip of everyone’s tongue is “uncertainty”; until the new regulations come into force, and we begin to see the courts delve down into the details of the GDPR’s provisions, we cannot know for certain exactly how those provisions will be interpreted or what the practical implications might be.
What we can say for certain, however, is that the notion of data privacy is becoming more and more pervasive. Few businesses will escape the onerous requirements of the GDPR and other developments in data protection law. From a lawyer’s perspective, the impact is two-fold; not only will law firms have to ensure that their own processes are compliant with the new rules, but data privacy is also likely to become a primary consideration for lawyers in all practice areas – a far cry from what was once considered to be a niche area in commercial law.
This article was republished with permission of the author. It was first published by Brabners.