31 Jan 2020

18 months after the General Data Protection Regulation (the GDPR) came into force, the dust has not yet settled. The gargantuan data breach penalties now available to the Information Commissioner's Office (the ICO) have yet to materialise, and we have not seen a flood of colossal group action claims. However, these types of events, hotly anticipated in the wake of the GDPR, are now starting to take shape.

2019 was more evolutionary than revolutionary, but a number of significant developments have taken place that will change the face of data litigation in 2020 and beyond. 

Data litigation in 2019

Representative action can proceed against Google…

2019 saw the most significant data claim decision since Vidal Hall v Google in 2014. The Court of Appeal ruling in Lloyd v Google [2019] EWCA Civ 1599 centred on a workaround for the iPhone's Safari browser, used in 2011-12 to track and gather information about users' browsing history without their consent.

The High Court had refused permission for the action to proceed on the basis that the members of the represented class did not have the same interest in the proceedings. In October 2019 the Court of Appeal took a different view and concluded that the class members had each had their data taken by Google without their consent, in the same circumstances and during the same period. The Court noted that the pleaded claim did not rely on any personal circumstances affecting any individual claimant and sought the same flat rate of compensation regardless of the actual distress suffered or the volume of data concerned. The class members' interests were therefore the same and the appeal succeeded. The substantive action can now move forward in the months ahead.

This appears to open the door to data subject group actions wherever an incident affects many data subjects in the same way. In a representative action the named claimant acts for all class members without input from them, unless they specifically opt out. Such actions will be on a larger scale than anything seen in data litigation to date and are precisely the type of claim that caught the imagination following the outcome of Vidal Hall some five years ago.

…but alternative route for BA class action

The alternative to a representative action is a group litigation order (a GLO). GLO claimants can seek their individual losses, but each has to issue a separate claim and then opt in to join the GLO. In October 2019 a GLO was made in respect of the 500,000 potential victims of the 2018 British Airways data breach. Individual claimants have until January 2021 to join the group action.

Is facial recognition technology lawful? The Court's view

2019 saw a world first: a court challenge to the use of automated facial recognition technology. In R (Bridges) v Chief Constable of South Wales Police and Others [2019] EWHC 2341 a man who had been scanned by a vehicle-mounted automatic facial recognition camera while shopping sought judicial review. The High Court found that the technology did interfere with his human rights and that it amounted to the processing of sensitive biometric personal data. However, judicial review was refused because the rights concerned were not absolute, the technology was being used for a legitimate purpose, and its use was balanced and proportionate.

…but the ICO's view

In a follow-up to the judgment, the Information Commissioner, Elizabeth Denham, issued her first Opinion under the Data Protection Act 2018, stating that police forces need to slow down and justify their use of live facial recognition (LFR) technology. The Commissioner stated that R (Bridges) v Chief Constable of South Wales Police and Others "should not be seen as a blanket authorisation for police forces to use LFR systems in all circumstances."

Morrisons in the Supreme Court checkout queue

At the time of writing we are awaiting the outcome of the latest appeal in the supermarket Morrisons' data breach group action. The claim stems from the actions of a disgruntled employee who took home and published online the personal data of around 100,000 Morrisons employees. Both the first instance court and the Court of Appeal held that Morrisons was not itself in breach of data protection legislation, but that it was nevertheless vicariously liable for its employee's actions. The appeal was heard by the Supreme Court in November 2019 and the outcome will have significant implications for organisations' exposure to liability for the actions of rogue employees in data cases.

The ICO in 2019

Over the last 12 months the ICO has been active both in refining the way breach notifications are dealt with and in pushing forward developments in key areas of data protection.

ICO Annual Report 2019

The ICO's Annual Report for the year to 31 March 2019 provided evidence of increased awareness of the duty to protect personal data, with four times as many data breach reports in 2018-19 as in the previous year. Most notifications to the ICO were reportedly made outside the 72-hour statutory window, which under Article 33 of the GDPR runs from the moment the controller becomes aware of the breach, not from the moment it occurred. While organisations are more alive to the risk presented by data breaches, nearly a third of incidents took more than 50 days to detect, so for many organisations the practical problem is detection rather than the speed of reporting once a breach is known.

Age Appropriate Design Code of Practice

In the last 12 months the ICO has run a consultation with a view to developing a code of practice to keep children safe online. The code has since been submitted to the Secretary of State and its publication is awaited. Once published, organisations will have one year to comply.

Data Sharing Code of Practice

Elsewhere, the ICO launched a consultation on updating the 2011 Data Sharing Code of Practice. The intention of the code is to update the advice for data controllers sharing data with one another. Specific focus was given to transparency, accountability, the lawful basis for sharing data and the requirement to record processing activities. The revised code is awaited.

Artificial intelligence and biometric data under scrutiny

Following a dispute surrounding HMRC's Voice ID service, the ICO has also focused attention on the increased use of biometric data, warning that users of new and innovative technologies involving personal data must consider a Data Protection Impact Assessment (DPIA), which is mandatory where the processing is likely to result in a high risk to individuals, and remembering that biometric data used to uniquely identify a person is special category data under Article 9 of the GDPR. Continuing the theme, the ICO has also published a series of articles addressing the relationship between AI and privacy, setting out the importance of an auditing framework for AI and the circumstances in which using AI can require trade-offs between different data protection principles.

Subject Access Request time limit cut - by a day!

2019 also saw the ICO revise its guidance on the time limit for complying with Subject Access Requests (SARs). Article 12 of the GDPR requires a response without undue delay and in any event within one month of receipt. The ICO's historic interpretation was that organisations should calculate the time limit from the day after they receive the request until the corresponding date in the following month. The revised interpretation is that the day of receipt itself counts as the first day, so a request received on the 3rd of a month must now be answered by the 3rd of the following month rather than the 4th; where the following month has no corresponding date, the deadline is the last day of that month.

Monetary penalties

Interestingly, and counter to many expectations, the number of monetary penalties issued by the ICO fell significantly in 2019. Only 17 monetary penalties were issued in 2019, down from 38 in 2018. However, December 2019 saw the first penalty levied under the GDPR rather than under the pre-2018 regime.

On 20 December 2019 the ICO issued the pharmacy supplies company Doorstep Dispensaree Ltd with a penalty for leaving around 500,000 paper documents in unsecured waste containers outside its premises. The documents contained the personal information, some of it medical, of an unknown number of people. The penalty was originally to be £400,000, but after representations by Doorstep about the inadvertent nature of the breach, the fact that the data had not been accessed by third parties, and its financial position, a penalty of £275,000 was issued. The ICO did not set out how the penalty was calculated but stated that it was intended to be "effective, proportionate and dissuasive".

The highest monetary penalty issued by the ICO in 2019 was £400,000, imposed on Bounty (UK) Ltd. Bounty was found to have unlawfully shared the personal data of over 14 million individuals with a number of organisations, including credit reference and marketing agencies. The data collected by Bounty included, for both parents and children, names, dates of birth, email and home addresses, and the mother's pregnancy status. As the activities took place before the GDPR applied, the maximum penalty available to the ICO under the Data Protection Act 1998 was £500,000, so a £400,000 penalty was significant.

Our 2020 vision

Growing use of GDPR monetary penalties following data breaches

This year will see further ICO monetary penalties issued under the GDPR. The ICO has issued a notice of intention to fine Marriott International £99m for alleged infringements of the GDPR relating to a data breach disclosed in November 2018 and affecting around 339 million guest records globally, including seven million relating to UK residents. A similar notice of intention to fine British Airways £183m was issued for a data breach affecting approximately 500,000 customers between June and September 2018. Both organisations have been able to make representations to the ICO in response, and publication of the final sanctions is awaited.

…and SAR related penalties

Over the next year we expect the ICO to issue further enforcement notices for failure to deal with SARs adequately. The ICO has already issued an enforcement notice against the Metropolitan Police Service for failing to deal with a backlog of 1,100 open SARs, 680 of which were more than three months old. Where other organisations similarly appear to be struggling to keep on top of SARs, we would expect the ICO to intervene.

Data litigation ready to flood the courts?

Finally, the first of the major data breach group actions has felt imminent for years. In the wake of the Lloyd v Google appeal and the British Airways GLO, however, we expect to see more data breach claims both intimated pre-action and brought as litigation.

Data breach claims, both large and small, have been gathering momentum in the background. As with many new avenues for recovery (PPI and holiday sickness claims, to name two), once claimant lawyers have a firm grasp of the steps to take we expect the floodgates to burst in 2020.