The General Data Protection Regulation (GDPR) is arguably one of the most publicised pieces of legislation in recent years, and is due to take effect on 25 May 2018.
The draft UK Data Protection Bill 2017 (the Bill) is intended to implement the GDPR while closely following the principles of the Data Protection Act 1998 (DPA). However, there has been little focus to date on the specific challenges and potential litigation for financial services organisations as a result of this. In this article, we consider the consumer rights contained in the GDPR and their potential impact on litigation for financial services providers.
With the GDPR and Bill at the forefront of data protection regulatory changes in 2018, data protection and privacy law will continue to be a key part of the litigation and disputes landscape. The media coverage of the implementation of the GDPR and the numerous comments on the increased fines have focused consumers on the new or extended rights and remedies available to them under the new regime. Those rights and the potential for litigation include:
• Failure to erase personal data
This right, often referred to as the “right to be forgotten”, will allow individuals to request that their personal data is erased. The right to erasure however does not provide an absolute 'right to be forgotten' and the right will only apply in specific circumstances, such as where the personal data is no longer needed for a specific purpose or the personal data was unlawfully processed.
Organisations will be able to refuse requests to erase data in certain cases, where, for example, it is required to comply with a legal obligation for the performance of a public interest task or for the exercise or defence of legal claims.
The principle underpinning the right is to enable individuals to request the deletion or removal of personal data where there is no compelling reason for its continued processing. However, given the competing interests and the circumstances where an organisation can refuse to deal with a request, there is clear potential for conflict.
The Credit Reference Agencies (CRAs) say it is likely they will receive numerous requests for erasure of data. However, they anticipate that in the majority of cases it will not be consistent with the GDPR for these requests to be upheld. With the wide scope for potential confusion and misunderstanding of the right by consumers, we anticipate numerous claims and complaints from individuals who have had their request refused. The Information Commissioner's Office (ICO) has made it clear that each request must be considered on an individual basis.
• Failure to rectify
The GDPR reinforces the requirement for personal data to be accurate and up to date. Individuals can request their personal data be rectified if it is inaccurate or incomplete. Organisations will have one month from receipt of a request to correct any inaccurate data (which can be extended by a further two months in complex cases).
Organisations are already facing numerous claims from individuals who consider their credit rating has been harmed by incorrect credit reporting. The CRAs are again anticipating numerous requests from consumers for rectification as the media attention around the GDPR raises awareness of the rights.
There is an additional risk that incorrect data held on an organisation's system can lead to further breaches, including data breaches, leading to more serious consequences. Imagine, for example, an incorrect address being recorded for a consumer meaning that sensitive information or personal data is sent to the wrong individual, causing embarrassment or harm to the customer. Aside from complaints to the ICO, this could lead to complaints to the Financial Ombudsman Service or claims against the organisation for damages.
As set out below, while compensation is unlikely to be significant, organisations will need to be conscious of the costs involved in defending a claim and the possibility of facing multiple claims if incorrect records have affected a number of their customers.
One of the most talked about changes is the ability of the ICO to impose fines up to the higher of 4% of annual global turnover or £17m. However, Elizabeth Denham, the Information Commissioner, has recently commented that "Issuing fines has always been and will continue to be, a last resort" and that "Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point".
Although individuals will have the option to complain to the ICO and a right to judicial remedies against decisions by the ICO, this will not provide individuals with the financial remedy they feel they deserve; i.e. monetary recompense. The power to award compensation will remain with the courts and the Financial Ombudsman Service.
Under the DPA, an individual could not claim damages unless these were linked to financial loss. The Court of Appeal's landmark ruling in Google v Vidal-Hall marked an important change and established that individuals whose data is not handled properly may be entitled to compensation for "mere distress" even if they have not suffered pecuniary loss. This right to compensation for distress is now enshrined in the GDPR.
Although the media attention on the GDPR has brought data protection issues to the fore, it has focused on the headline of the potential substantial fines that could be awarded.
Perhaps of greater significance to businesses is the potential for wide-scale litigation and claims for damages. Organisations are likely to see a significant rise in claims of this nature as the implementation of the GDPR continues to receive attention from both the media and consumer protection groups.
Article by Richard Hayllar, partner. Contributions by Emily Black, associate, Alanna Tregear, solicitor and James Tithecott, solicitor.
This article was originally published by Compliance Matters, and is the first in a series of articles on GDPR litigation risks.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at December 2017. Specific advice should be sought for specific cases. For more information see our terms & conditions.