The new General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, replacing all existing national data protection laws in the UK.
The new regime will see a shake-up in privacy rules and data protection regulation with the new laws set to introduce a number of measures that will tighten up the need for an individual’s consent for their data to be used and/or retained. This, coupled with stricter sanctions for breach of the new rules, may see individuals given more power to claim compensation if they are the victim of a breach of the new regulations.
The new rules increase the responsibility of those handling data to seek positive consent from individuals for their information to be used or kept. In the event that a breach of the rules has occurred, the individual who is the victim of the breach must be notified without undue delay.
Under Article 82 of the new GDPR, there is a right to compensation for an individual who has been the victim of a breach of the rules. The right to compensation extends to material or non-material breaches. Effectively, this means that an individual can claim compensation for a breach leading to a financial loss, but also for a breach from which no actual loss is sustained. This means that there is the potential to claim for things like distress, anxiety and damage to reputation.
The new legislation comes at a time when the English courts are already showing an increased willingness to consider claims in respect of data protection breaches. The recent case against Morrisons highlights this change in attitude. This case was brought by 5,500 Morrisons employees who had been the subject of data protection breaches. The data was published by a disgruntled employee who was the subject of what they considered to be unjustified disciplinary action. In this case, the High Court found Morrisons to be responsible for the actions of the employee. This decision has repercussions for those responsible for handling data, meaning that, even though they may be the victim of a deliberate breach, they can still be held liable to others affected by the breach.
As yet, there have not been any claims before the Court under the GDPR and therefore the levels of compensation that victims are likely to expect are not known. However, given that breaches will often affect multiple claimants, the liability could be significant.
The amendments to litigation costs introduced by the Legal Aid, Sentencing and Punishment of Offenders Act 2012 (“LASPO”) are well publicised and were introduced to attempt to curb what was perceived to be a growth in the litigation culture in some areas, such as personal injury. However, LASPO contained a specific exemption to these cost reforms for “publication and privacy proceedings”. There is no specific mention of data protection in the legislation, but any proceedings commenced under the GDPR will be likely to involve such an action.
*No-win/No-fee terms may be available. It may be possible to recover 100% of legal costs without deduction from damages.