Cyber claims in the worldwide wake of the GDPR?
18 months after the introduction of the General Data Protection Regulation (the GDPR), the dust has not yet settled. The gargantuan data breach penalties available to the Information Commissioner's Office (the ICO) are yet to materialise and we have not seen the flood of colossal group action claims. However, these types of events, which were hotly anticipated in the wake of the GDPR, are now starting to take shape.
2019 was more evolutionary than revolutionary, but a number of significant developments have taken place that will change the face of data litigation in 2020 and beyond.
In this review we will look at a variety of significant data breaches in 2019, the key data litigation in the last year as well as a review of the ICO's activity and a look at what lies ahead in 2020.
Significant data breaches in 2019
As ever, a number of data incidents have caught the headlines over the last year. Here are some of the highlights:
- Mumsnet: February 2019 - A glitch in a software update led to accounts becoming mixed up if two users logged onto the parenting site at the same time. Users' email addresses, account details and personal messages were accessed by other users over a three-day period.
- Kent County Council: February 2019 - Kent County Council experienced a data breach when an email mistakenly openly copied, rather than blind copied, around 300 adoptive parents and support workers, exposing their names and email addresses to recipients.
- Capital One: March 2019 - One of the largest data breaches in the banking sector to date went undetected for nearly four months, until the hacker boasted about the breach online. The personal details of around 106 million individuals in the US and Canada were accessed - including names, addresses and credit scores.
- The Police Federation for England and Wales: March 2019 - A ransomware attack left a number of systems and databases inaccessible at the organisation's HQ. In addition to encrypting databases and servers, backup data was also deleted as part of the attack.
- Facebook: September 2019 - Social media giant Facebook suffered another data breach affecting 419 million users worldwide, including 18 million UK users, when a security researcher found phone numbers, Facebook identifications, gender and location details on an unsecured server.
- The Home Group: October 2019 - One of the UK's largest housing associations suffered a hack affecting over 4,000 customers across England. The Home Group were alerted by a third-party cyber security consultant that customers' names, addresses and contact details may have been compromised.
These instances are just a small sample but illustrate the varying scale, types of data, cause of breach and profile of data controller affected.
Data litigation in 2019
Representative action can proceed against Google…
2019 has seen the most significant case in respect of data claims since Vidal Hall v Google in 2014. The Court of Appeal ruling in Lloyd v Google EWCA Civ 1599 centred on a feature in the iPhone's Safari browser, used to track and gather information about users' browser history without consent in 2011-12.
In late 2018 Mr Lloyd sought to bring a representative action on behalf of 4 million iPhone users. However, claimants in a representative action all need to have the same interest in its outcome. Warby J refused to grant permission for the action to proceed as, in his view, each potential claimant needed to prove their pecuniary loss or level of distress, and so the members of the representative action did not have the same interest in the proceedings.
In October 2019 the Court of Appeal took a different view on these issues. The Court of Appeal concluded that the class members had their data taken by Google without their consent in the same circumstances and during the same period. The Court noted that the claim as pleaded did not seek to rely on any personal circumstances affecting any individual claimant and sought the same flat rate compensation whatever the actual distress or volume of data concerned. The class members' interests were therefore the same and the appeal succeeded. The substantive action could now move forward in the months ahead.
This seems to open the doors for data subject group actions where an incident affects many data subjects in the same way. In a representative action the named claimant acts for all class members without input from them, unless they specifically opt out. Such actions will be on a larger scale than anything we have seen in data litigation to date and are precisely the types of claims that caught the imagination following the outcome of Vidal Hall some five years ago.
…but alternative route for BA class action
The alternative to a representative action is a group litigation order (a GLO). GLO claimants can seek their individual losses but have to issue separate claims and then opt in to join the GLO. In October 2019 a GLO was made in respect of the 500,000 potential victims of the autumn 2018 British Airways data breach. Individual claimants have until January 2021 to join the group action.
Is facial recognition technology lawful? The Court's view
2019 saw a world first in a challenge which had been brought in respect of the use of automated facial recognition technology. Facial recognition cameras are used to check passers-by against a database of offenders at public locations. Where a suspect is identified they can be stopped while other individuals, who are not of interest, will have their data discarded.
In R (Bridges) v Chief Constable of South Wales Police and Others EWHC 2341 a man was scanned by a vehicle-mounted automatic facial recognition camera whilst shopping in 2017. He sought a judicial review, assisted by civil rights group Liberty. The High Court found that the technology did impact on human rights and amounted to the processing of sensitive biometric personal data. However, the judicial review was refused. The rights concerned were not absolute and the use of the technology was for a legitimate purpose and was being carried out in a balanced and proportionate way.
Is facial recognition technology lawful? The ICO's view
In a follow-up to the judgment, Information Commissioner Elizabeth Denham issued her first Opinion under the Data Protection Act 2018, stating that police forces need to slow down and justify their use of live facial recognition technology. Ms Denham acknowledged that appropriately governed, targeted and intelligence-led deployment of the technology may meet the threshold of strict necessity for law enforcement purposes, and set out a range of practical steps police forces must take to show legal compliance. The Commissioner stated that R (Bridges) v The Chief Constable of South Wales "should not be seen as a blanket authorisation for police forces to use LFR systems in all circumstances."
Morrisons in the Supreme Court checkout queue
At the time of writing we are awaiting the outcome of the latest appeal in the supermarket Morrisons' data breach group action. The claim stems from the actions of a disgruntled employee, who took home and published online personal data relating to around 100,000 Morrisons employees. The first instance Court and the Court of Appeal held that Morrisons was not in breach of data protection legislation as it had not been data controller of the data after it was taken away from its premises. However, Morrisons was still vicariously liable for the employee's actions despite these being unauthorised and almost impossible to prevent. The Courts' rationale was that the employee was meant to have the data for legitimate work purposes and the risk of him misusing it was Morrisons'. The Court held that, despite the data protection regime clearly defining responsibility for data, this did not displace the general principle of employers' vicarious liability for employees' actions.
The appeal went up to the Supreme Court in November 2019 and the outcome, which is awaited, will have significant implications for organisations, with regards to the risk of being liable for data breaches arising from the actions of rogue employees.
The ICO in 2019
Over the last 12 months the ICO has been active in refining the way notifications are dealt with and in pushing developments in key areas of data protection.
ICO Annual Report 2019
The ICO's Annual Report was published on 31 March 2019. This provided evidence of the increased awareness of the duty to protect personal data, with four times as many reports of data breaches in 2018-2019 compared to the previous year. Apparently most notifications to the ICO are made after the 72-hour notification period in law. While organisations are more alive to the risk presented by data breaches, nearly a third of incidents take more than 50 days to detect.
Age Appropriate Design Code of Practice
In the last 12 months the ICO has launched a consultation with a view to developing a code of practice to keep children safe online. In discussing the Age Appropriate Design Code of Practice, Information Commissioner Elizabeth Denham noted that:
"We do not want to see an age-gated internet, where visiting any digital service requires people to prove how old they are. Our aim has never been to keep children from online services, but to protect them within it. We want providers to set their privacy settings to 'high' as a default, and to have strategies in place for how children's data are handled."
The code has since been submitted to the Secretary of State, and its publication is awaited. Once published, organisations will have a period of one year to comply.
Data Sharing Code of Practice
Elsewhere, the ICO launched a consultation about updating the 2011 Data Sharing Code of Practice. The intention of the code is to update advice for data controllers sharing data with each other. Specific focus was given to updating issues of transparency, accountability, the basis of sharing data and the requirement to record processing activities. The revised code is awaited.
Biometric data under scrutiny
The ICO has also focused attention on the increased use of biometric data, to ensure that it is used in a fair and compliant manner. Following a dispute surrounding the HMRC's Voice ID service, Deputy Commissioner Steve Wood warned that, where an organisation planned to use new and innovative technologies that involve personal data, including biometric data, they must first consider certain key points, including completing a Data Protection Impact Assessment, and remembering that biometric data is classed as special category data under the GDPR.
Artificial Intelligence attracting attention
Continuing on the theme of developing technologies, the ICO has delivered a series of articles addressing the relationship between AI and privacy. These include a blog from Simon Reader, Senior Policy Officer at the ICO, detailing the importance of carrying out a Data Protection Impact Assessment for AI systems that will process personal data, an auditing framework for AI and where using AI can require trade-offs and balancing between different data protection principles.
Interestingly, and counter to many expectations, the number of monetary penalties issued by the ICO fell significantly in 2019. Only 17 monetary penalties were issued in 2019, down from 38 in 2018 and 55 in 2017. However, December 2019 saw the first penalty levied under the GDPR rather than the pre-2018 regime.
On 20 December 2019 the ICO issued pharmacy supplies company Doorstep Dispensaree Ltd with a £275,000 penalty for leaving 500,000 paper documents in unsecured waste containers outside its premises. These documents contained the personal information, some of it medical, of an unknown number of people.
The ICO issued a notice of intent to levy a penalty of £400,000 but, after representations by Doorstep around the inadvertent nature of the data breach, the fact that the data was not accessed by third parties, and its financial position, a penalty of £275,000 was issued. The ICO did not set out how the penalty was calculated but said that it was intended to be "effective, proportionate and dissuasive".
Only seven monetary penalties in 2019 exceeded £100,000, and just two cases exceeded a £160,000 penalty.
[Figure: Level of ICO fine and number of cases, 2017-2019]
The highest monetary penalty issued by the ICO in 2019 was to Bounty (UK) Limited for the sum of £400,000.
Bounty was found to have been unlawfully sharing personal data of over 14 million individuals with a number of organisations, including credit reference and marketing agencies. The data collected by Bounty included names and dates of birth of both parents and children, parents' email and home addresses, and the pregnancy status of mothers. As the activities took place pre-GDPR, the monetary penalty was capped at £500,000 and so a £400,000 penalty was significant.
Elsewhere, the ICO has prosecuted a number of individuals, ranging from administration assistants to company directors and a government officer, where data was unlawfully obtained and disseminated to third parties.
Developments in data procedures in 2019
New Court list and pre-action protocol for data claims
In 2019 the process for pursuing data litigation was refined. From 1 October 2019 High Court data litigation claims are to be issued in the new, formal, Media and Communications List of the High Court. A new Media and Communications Pre-Action Protocol has also been developed introducing specific requirements for raising data claims in correspondence.
The changes will affect all data protection claims, misuse of private information claims, defamation claims and claims of harassment by publication.
The moves to form a clear and more specialist path for data claims are welcome and appear to come at a time where many anticipate seeing an influx of data litigation in the year ahead.
Subject Access Request time limit cut - by a day!
2019 also saw the ICO redefine its guidance for the time limits for compliance with Subject Access Requests (SARs). The historic interpretation of Article 12 of the GDPR was that organisations should calculate the time limit from the day after they receive the request until the corresponding date in the next month. The revised interpretation states that organisations should, instead, calculate the time limit from the day they receive the request.
Our 2020 vision
Europe leading the world in data protection legislation?
Straight out of the gates, January 2020 will see the California Consumer Privacy Act (CCPA) coming into effect. Compared by many to the GDPR and an example of European data practice leading the world, the CCPA is intended to give Californian consumers greater control over their personal data. The CCPA is an acknowledgement of the global market in which consumers and organisations operate and is a move towards a more uniform system of control and governance of personal data.
We anticipate that the effect of the CCPA will extend beyond California and will influence many other US States' data legislation. We then expect to see other nations adopting similar regulations in the months and years ahead.
Growing use of GDPR monetary penalties following data breaches
Post Doorstep Dispensaree, 2020 will also see further ICO monetary penalties issued under the GDPR. The ICO issued a notice of intention to penalise Marriott International £99 million for alleged infringements of the GDPR relating to a data breach in November 2018 affecting around 339 million guest records globally, including 7 million UK residents. A similar notice of intention to penalise British Airways £183 million was issued for a data breach affecting approximately 500,000 customers between June and September 2018. Both organisations have been able to make representations to the ICO in response and publication of the final sanctions is awaited.
…and SAR related penalties
Over the next year we expect to see the ICO issue further enforcement notices for failure to deal with SARs adequately. The ICO has already issued enforcement notices on the Metropolitan Police Service for failing to deal with a backlog of 1,100 open SARs, 680 of which were over three months old. Where other organisations similarly appear to struggle to keep on top of SARs, we would expect the ICO to intervene.
Data litigation ready to flood the courts?
Finally, it feels like we've been gearing up for the first of the major data breach group actions for years now. However, in the wake of the Lloyd v Google appeal and the British Airways GLO, we expect to see more data breach cases brought pre-action and as litigation.
Data breach claims, both large and small, have been gathering momentum in the background and, as with many new avenues for recovery (PPI and Holiday Sickness claims to name two), once claimant lawyers have a grasp on the steps to take we would expect the much-vaunted 'floodgates' to burst in 2020.