GDPR and Litigation
As most shall know on 25 May 2018 GDPR became enforceable in the United Kingdom. This article looks at the impact of GDPR on the process of civil litigation in the United Kingdom and particularly on the process of disclosure.
GDPR was introduced to update existing Data Protection Law and created stricter regulations for Data Controllers and Data Processors. Further, anyone processing personal data must do so in accordance with the principles set out in Article 5 of the GDPR including that data must be lawfully and fairly processed and in a transparent manner. Further, anyone processing personal data must set out the grounds upon which they are entitled to do so in accordance with Article 6. That new framework creates certain challenges for Litigators in terms of how cases are going to operate.
Litigation cases often involve significant levels of disclosure of information from third party sources which will be disclosed and potentially form part of the evidence in determining the case.
Within the new data protection regime, there is a principle of minimisation which sets out that a Data Processor must only process personal data to the extent that it is necessary to do so.
The Civil Procedure Rules govern the disclosure obligation in civil cases. The Rules provide that in Standard Disclosure parties must disclose only a) the documents on which he relies; and b) the documents which adversely affect his own case or another party’s case or support his own case or another party’s case. Traditionally in litigation, parties tend to take a relatively wide approach and disclose any personal data which may be relevant to the dispute which may include peripheral data with only a minimal relevance. There is a question mark as to whether such the ambit of such a search would be too wide and whether it will have to be narrowed to some degree. It has been suggested that a party may redact personal details for personal data which may be on the cusp of being relevant to the case. However, in practice that may be difficult to satisfy and there could be a potential conflict between obligations under the GDPR and obligation to the Court and the parties in relation to any litigation.
The GDPR provides significant scope for companies to be fined for data breaches and the fines can be up to 20 million euro for a serious breach. In addition there have also been predictions that GDPR will pave the way for significant levels of civil damages claims by individuals whose data has been mishandled. It will be interesting to see how litigation by private individuals develops under the GDPR. There is a very interesting question of how you assess the financial damage to a data subject whose data has been handled in a way that breaches the GDPR. An interesting case is that of various Claimants -v- WM Morrisons which dealt with the potential vicarious liability of Morrison Supermarket for a rogue employee breach of the Data Protection Act 1998. Whilst this relates to the previous Act, it may provide interesting guidance on damages under GDPR. In this case the employee of Morrisons in question intentionally disclosed personal data of approximately 100,000 Morrison employees in or around 2014. As a result the employee was convicted of criminal offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 and received a significant prison sentence. A litigation case was brought by the employees in which they sought compensation for distress. The High Court found that although the employee had been the data controller at the time of the breach, Morrisons, as the employer was vicariously liable for the breach. That was the case despite the fact that the breach took place outside of normal working hours. In this case, the data was payroll data and the Court found that the employees were exposed to the risk of identity theft and potential financial loss and that therefore Morrisons were responsible for breaches of privacy, confidence and data protection law. At this stage damages were not awarded and we await the decision as to the appropriate sum that would be awarded in relation to damages including distress and inconvenience.
We shall await a decision which gives guidance on the interplay of disclosure requirements in Civil cases with the GDPR. We shall also await with interest the development of litigation for breaches of GDPR particularly for private individuals. it would appear likely that in certain cases there will group litigation actions where there is a high risk that an individual’s data may be compromised.
If you require any further assistance in this area, please do not hesitate to contact the writer, Mr David Riordan firstname.lastname@example.org or on 01227 643270.