WordPress + Bootstrap

 

A spectre is haunting data controllers – the spectre of group liability for data breach.

In Vidal-Hall v Google [2015] EWCA Civ 311 the Court of Appeal held that damages claims under section 13 of the Data Protection Act 1998 (DPA) can be brought on the basis of distress alone, without monetary loss.  Since that decision there has much speculation that a major data breach could lead to distress-based claims against the data controller by a large class of individuals.  Even if each individual claim was modest (in the hundreds or low thousands of pounds) the aggregate liability could be substantial.

Cases of this nature may give rise to important questions of public policy.  Often the data controller will themselves be the victim of malicious or criminal conduct, involving a hack by outsiders or a data leak by insiders. In such situations, should the data controller be required to compensate data subjects?  What if the very purpose of the hack or leak was to damage the data controller, so that by imposing civil liability on the controller the Courts would help further that purpose?

The recent decision of the High Court in Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 is the first significant case to grapple with these issues post Vidal-Hall.  The case involves a group claim brought by some 5,500 Morrisons’ employees in connection with the criminal misuse of a significant quantity of payroll data by a rogue employee.  In a lengthy judgment handed down on 1^st December 2017, Langstaff J found that Morrisons were not directly liable to the claimants in respect of the criminal misuse of the data, whether under the DPA or at common law, but that they were nevertheless vicariously liable.  The trial dealt only with liability: quantum remains to be determined.

11KBW’s Anya Proops QC and Rupert Paines acted for Morrisons. Continue reading →

The High Court (Langstaff J) has today handed down an almost 200 paragraph judgment in the first ever group litigation data breach case to come before the courts. The issue for the court was whether the defendant data controller, Morrisons, was in principle either directly or vicariously liable for the actions of a rogue employee who had, as an act of malice directed at his employer, taken payroll data relating to some 100,000 employees and published it online. The court concluded that, despite itself having been entirely innocent of the misuse, Morrisons was in principle liable to compensate all the claimants in the group, some 5,500 individuals, on the basis of the application of common law (no fault) vicarious liability principles. Continue reading →

It’s as if everyone has their head down preparing for the GDPR. Recent weeks have produced very little by way of judgments in the data protection area. They have, however, produced an Advocate General’s opinion in a case about the data controllers of Facebook fan pages. That opinion is worth noting because (rightly or wrongly) it casts the net very widely, bringing multiple entities within the definition of data controllers. Continue reading →

Time for a few data protection-related updates which don’t merit a full post of their own (or at least, not one I can be bothered to write) but which readers may or may not have missed. Continue reading →

Al-Ko Kober Ltd and Paul Jones v Balvinder Sambhi [2017] EWHC 2474 (QB) is, rather improbably, a DPA case about caravan tow-bars and braking systems. A commercial operator used Youtube videos to malign a competitor business and its marketing manager, until the High Court (Mrs Justice Whipple) granted injunctions last week. Continue reading →

The Data Protection Bill contains some wonderful provisions. For example: “Chapter 2 of this Part applies for the purposes of the applied GDPR as it applies for the purposes of the GDPR. In this Chapter, “the applied Chapter 2” means Chapter 2 of this Part as applied by this Chapter.” And suchlike.

It is just possible that there are some of you who need to get your head around the Bill, but haven’t yet had the time or stomach for it. You are probably thinking “surely some data protection obsessive has read it and summarised it for me somewhere?”. As ever, Panopticon is the proud home of data protection obsessives. Here is a link to an overview of the Bill which I did for Practical Law. Enjoy!

Robin Hopkins @hopkinsrobin