Search HR Portal Login

Freeths Data Protection Update: Winter 2021

Will Richmond-Coggan Image

Author

Will Richmond-Coggan

Partner

Mona Schroedel Image

Author

Mona Schroedel

Managing Associate

 

Welcome to the Winter edition of the Freeths Data Protection Update.

In this edition we report on the long-awaited Supreme Court judgment in Lloyd v Google and the implications for group data breach claims, consider potential changes to the UK regulatory regime, as well as looking at whether the widely-reported case relating to Ring doorbells is as significant as the mainstream media might suggest.

 

Lloyd v Google: group actions and damages for loss of control (Mona Schroedel)

Our readers are likely to have seen this Supreme Court decision in the news in November. It was a long awaited and important decision which clarified some basic principles after the High Court and the Court of Appeal had disagreed on the correct interpretation.  However, it needs to be borne in mind that the applicable law predated the UK GDPR coming into force, and the claim was heavily hampered by the mechanism in which it was advanced.

Background

By way of brief summary, this claim involves a complaint about Google covertly collecting data between 2011 and 2012 from apple iPhone users.  The data collected was used for targeted advertising and also sold.  Google was fined in the US and paid compensation to US users.  It also settled separate claims under Vidal-Hall v Google a few years ago, which was a case where the claimants had suffered specific distress as a result of the targeted advertising.Mr Lloyd, an activist for consumer rights, issued the claim against Google on the basis that (a) all affected iPhone users could opt in at some stage and (b) the mere fact that the iPhone users suffered a “loss of control” when the data was collected should result in damages payment. He then sought permission to serve the claim on Google in the US and it is that application for permission to appeal which the Courts considered. The Supreme Court looked in detail at the two aspects in contention, ie whether a group litigation could proceed on an “opt out basis” and whether the mere loss of control over data was sufficient to warrant damages.

Group Litigation

 The Supreme Court held that it was not possible under the existing rules to advance an “opt out“ type group claim (which assumes that every single affected person will receive compensation, and doesn’t require them to consciously choose to be part of the claim).  It suggested that the correct way of bringing a claim would have been a two-stage process:

  • A claim to determine liability in general; followed by

  • Opt in group claims for damages thereafter (provided that a group could be identified that had the same interest in the claim, because the damage that they had suffered was the same, for example).

The Court acknowledged that this was a riskier and costlier approach and was therefore less likely to attract litigation funding. Nevertheless, the Court was clear that opt out group claims were not available even having regard to those challenges.

Data Protection

There is now a clear distinction between claims in Misuse of Private Information (where damages for loss of control may be available) and Data Protection Act breaches where loss of control is not recognised as a head of damage.  The Court went on to say that even if loss of control was an accepted head of damage then it would still have to be accompanied by an analysis of the individual harm suffered, which would have to be subject to a de minimis threshold in order for financial compensation to arise.

Current Mood

There seems to be a general sentiment from the Courts at present that in the 21st century most individuals understand that their data is accessed and exchanged for convenience. The Court was reluctant to find damages for the mere loss of control over data.  However, it needs to be borne in mind that in Vidal-Hall the claimants were successful in relation to the exact same breach; the difference being that the claimants were able to show individual harm.This decision has been heralded as good news for controllers and has seemingly closed the door on spurious claims based on technical breaches only.  However, the Court has not ruled out future group claims where claimants are genuinely affected by breaches. It is, therefore, important for data controllers and processors to stay vigilant in relation to compliance and the way in which such compliance is communicated to customers. In the event that you have any concerns over your own compliance or risk in relation to claims, Freeths is always happy to help review and assess any such risks. 

UK Government Proposes Raft of Post-Brexit Data Protection Measures and Reforms (Luke Dixon)

The UK Government has launched a package of data protection measures with the intention of reforming the UK’s approach to data protection in a post-Brexit world. The Department of Culture, Media and Sport (“DCMS”) announced its new plans on 26 August 2021.  In making its announcement, it acknowledged the importance of data to innovation and the global digital economy, in addition to the tackling of crime, the delivery of critical public services and health and scientific research. The Government announced John Edwards as its preferred candidate to be the UK’s new Information Commissioner and issued a mission statement setting out the UK’s approach to adequacy assessments and international transfers.

UK Government Consultation on Data Protection Reforms

The UK Government also kicked-off a consultation on 9 September 2021 on further reforms to the UK data protection regime.  The DCMS intends this consultation to be a first step towards delivering a pro-growth and trusted data regime.The proposed reforms cover several areas, including:

  • reducing barriers to responsible innovation in sectors such as AI/machine learning and scientific research;

  • reducing barriers on businesses and delivering better outcomes for people, such as new thresholds for data subject access requests and liberalising the regulation of cookies;

  • boosting trade and reducing barriers to data flows, including the measures described under “International Data Partnerships” above, permitting the repetitive use of derogations for data transfers and an exemption for “reverse transfers” between the UK and the origin territory of that data;

  • delivering better public services; and

  • reform of the UK ICO, to include new objectives and a clearer strategic vision for the regulator; improving accountability mechanisms, and refocusing its commitments away from handling a high volume of low-level complaints and towards addressing the most serious threats to public trust and inappropriate barriers to responsible data use.

UK ICO’s Consultation on International Data Transfers

Meanwhile, following the ICO’s announcement earlier in the year that it would be producing its own equivalent of the EU standard contractual clauses (which are a tool to legitimise international data transfers under EU GDPR), it published its own model International Data Transfer Agreement (“IDTA”) in draft form in August as part of a new ICO consultation. Our initial review suggests that the IDTA has been designed to be user-friendly, with a tabular approach suited for the non-lawyer, and is intended to cover a number of scenarios including cross-referencing linked agreements (such as a services agreement) and multi-party arrangements. The consultation also covers a number of questions including on the interpretation of the territorial scope of GDPR when dealing with international transfers, and seeks views on the draft IDTA as well as a proposed risk assessment tool (the “TRA”) for use in assessing international transfers.

What is this all likely to mean for UK data protection going forward?

Business will welcome the UK Government’s plans to re-balance UK data protection law towards trade and innovation.  However, the reforms are still at an early stage and are subject to consultation. It is therefore unclear to what extent (and in what form) these reforms will find their way into UK data protection law.There is also the question of the UK’s adequacy status with the EU.  The EU recently granted the UK adequacy status to receive frictionless data transfers on the basis that the UK would remain aligned to EU data standards. We have previously reported on the EU’s grant of adequacy status to the UK here.The UK is therefore walking a tightrope between creating a more business-friendly domestic data regime on the one hand and retaining sufficiently EU-aligned data laws to preserve the UK’s data adequacy status with the EU on the other.We can be sure that both UK businesses and the EU will be monitoring developments in this area with interest over the coming months and years. 

Online Safety Bill Makes its Journey through Parliament (Luke Dixon)

What is the Online Safety Bill about?

The UK Government has proposed a new Online Safety Bill (“OSB”) that will impose a duty of care on companies to prevent the proliferation of illegal content and activity online. It is also designed to ensure that children and adults who use their services are not exposed to content that is “harmful”, although not illegal.

What will the OSB require in-scope Businesses to Do?

To meet the duty of care, companies will have to put in place systems and processes to improve user safety. The intention is to impose different levels of obligations depending on the size, functionality and features of the service involved.

What Types of Business are In-scope?

The OSB will apply to “user-to-user” services and to search engines. User to user services are those that do one or both of the following:

  • host UGC that can be accessed by users in the UK; and

  • facilitate public or private online interaction between service users, one or more of whom is in the UK.

It will not apply to the following:

  • Business-to-business services.

  • Internet service providers. However, they will have to co-operate with Ofcom on business disruption measures.

  • Low-risk businesses, for example businesses with limited functionality like retailers who offer product and service reviews.

  • Content published by a news publisher on its own website including user comments on that content. There will be protections for journalistic content shared on services that fall within scope.

  • The sending of emails or text messages.

What about Enforcement and Regulation?

Ofcom will be the online safety regulator. Ofcom's work in this area will be funded by regulatory fees. The OSB will require Ofcom to prepare codes of practice to assist providers in complying with their duties of care. Ofcom will be able to issue fines of £18 million or 10% of global annual turnover, whichever is higher, for breaches of the OSB. It will be able to consider taking enforcement action, which may include business disruption measures, against any in-scope company worldwide that provides services to UK users. Ofcom is expected to take a proportionate approach to enforcement. The Government will establish a statutory appeals route.

Where is the OSB on its Journey towards Enactment?

The OSB has spent the autumn working its way through the Parliamentary scrutiny stage, where a specialist Committee has been reviewing it. The Committee is expected to report back with its findings by 10 December 2021.When it does, the Government will review the report to see if it needs to make any changes to the draft. Once the Bill gets over that hurdle, it will be formally introduced to Parliament and will make its way through to law via the Commons and the Lords.

Comment

The OSB aims to regulate material that, although harmful, is also legal. This has raised concerns about how to deal with the harmful material in a way that does not have a “chilling effect” on freedom of speech online.The proposed legislation tries to square this circle by requiring regulated businesses to specify how they deal with harmful material in their terms and conditions of service.  Ofcom may intervene to ensure they enforce those provisions. That said, even this approach is regarded by some as problematic, because it will permit businesses to read private messages on messaging services. 

Claim for distress with no tangible harm or loss given short shrift

Over recent years the general public have become considerably more aware of their rights under data protection laws, not least as a result of both the publicity around GDPR and the tightening of laws on website cookies.  However, a recent case suggests that those rights are not so strong as individuals may think, and that the courts are unwilling to deal with trivial complaints.In Rolfe v Veale Wasbrough Vizards LLP, a law firm was acting for a school attended by Mr and Mrs Rolfe’s child.  When the law firm wrote to the Rolfes to demand payment of overdue school fees, a single-character error was made in Mrs Rolfe’s e-mail address, and the letter was sent to a different person.  That person promptly informed the law firm and deleted the message.Mr and Mrs Rolfe subsequently claimed against the law firm for damages for misuse of confidential information, breach of confidence, negligence and breach of GDPR and the Data Protection Act, as well as seeking other remedies including an injunction.  They claimed that they had “lost sleep worrying about the possible consequences of the data breach” and that it had “made them feel ill”.The offending e-mail, although containing names, addresses, and the outstanding amount owed, did not contain any bank, income or other financial information, any reference to the child’s location other than her home and school address, and no information about locations of school trips or details relating to her school bus.  Importantly, the letter did not contain any information about why the Rolfes had not paid, or any suggestion that they were unable to pay.  In addition, the court highlighted that the disclosure had been accidental, and notified to the law firm and deleted within 3 hours.In short, the court gave the claim short shrift, granting summary judgment in favour of the law firm (a decision that, effectively, says that there is no realistic prospect of the claim succeeding).  The court said that there was no tangible harm or loss, and that effectively the claim was not sufficiently serious.  It added that Mr Rolfe’s claim that he had spent more than 45 hours dealing with the incident was “simply not plausible”.  It went on to say that “courts should, in the absence of special facts, generally expect people to adopt a reasonably robust and realistic approach to living in the 21st century”, said that “no person of ordinary fortitude would reasonably suffer the distress claimed”.This case should provide a degree of reassurance for businesses that, despite the rise in data claims, the courts will take a pragmatic approach and not allow claims where no credible harm has been suffered. 

The Ring Doorbell case, aka Fairhurst v Woodward (Mona Schroedel)

This was a widely reported case in October with quite some sensationalist headlines making the rounds claiming that the Defendant was due to pay £100,000 in damages for having a Ring doorbell surveillance system installed around his property. The reporting on this should be taken with a pinch of salt and it is worth bearing in mind that the case included not only data protection breaches but also a successful harassment element.

So what exactly was the case about?

In short, this was a neighbour dispute about the audio and visual surveillance equipment (ie a Ring doorbell) the Defendant had installed.  There are two points to bear in mind here:

  1. The surveillance equipment was quite extensive and monitored not only the Defendant’s drive, but various public spaces and his neighbour’s property, including by way of audio recordings; and

  2. The Claimant had asked the Defendant to modify the surveillance equipment, but instead of reaching some middle ground the matter appears to have escalated between the parties to the point where the Claimant moved out of her property and a 2 day trial took place.

Although the Court held that the Defendant had breached data protection regulations (see further below), this is likely to be an extreme case and sensibly installed surveillance equipment is unlikely to cause issues.

Data protection issues in this case

 The Court considered that the Defendant had breached data protection principles in the way he had installed the surveillance equipment. It is important to note that where the cameras were trained on the Defendant’s own property the Court accepted that there was a legitimate interest, ie to prevent crime, for processing data.  However, where the cameras were capturing the public street and/or his neighbour’s property the Court concluded that the data captured had not been processed in a fair and transparent manner and, secondly, the data had not been collected for a specified and explicit purpose. It is important to note that the Court took into account that the Defendant had misled the Claimant about the focus of cameras. In relation to the audio data collection, the Court concluded that this also breached the third data protection, ie data minimisation. The argument was that crime prevention could be achieved through less invasive means.

Things to take away from this case:

  1. Not all home surveillance necessarily breaches data protection law;

  2. When setting up domestic surveillance equipment, it is important to bear in mind the competing interests of crime prevention with those of neighbouring properties and/or passers-by; and

  3. If you are an equipment provider/developer, it is important to ensure that the development of equipment or tools is done with compliance in mind and for instructions to end customers to be clear.

As always, we are happy to provide further information about this case, if of interest.

 

The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.