Prince Charles, in giving the Queen’s Speech on 11 May 2022, announced the government’s intention to reform UK data protection laws. The purpose of the reforms is to:
Take advantage of the benefits of Brexit to create a “world class data rights regime” that will allow us to create a new pro-growth and trusted UK data protection framework that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK.
Modernise the Information Commissioner’s Office, making sure it has the capabilities and powers to take stronger action against organisations who breach data rules while requiring it to be more accountable to Parliament and the public.
Increase industry participation in Smart Data Schemes, which will give citizens and small businesses more control of their data. The Bill will also help those who need health care treatments, by helping improve appropriate access to data in health and social care contexts.
The main elements of the Bill are:
Ensuring that UK citizens’ personal data is protected to a gold standard while enabling public bodies to share data to improve the delivery of services.
Using data and reforming regulations to improve the everyday lives of people in the UK, for example, by enabling data to be shared more efficiently between public bodies, so that delivery of services can be improved for people.
Designing a more flexible, outcomes-focused approach to data protection that helps create a culture of data protection, rather than “tick box” exercises.
The government sees the GDPR as a highly complex and prescriptive piece of legislation which encourages excessive paperwork, and creates burdens on businesses with little benefit to citizens. As the UK has now left the EU, the data protection framework can be reformed in order to reduce burdens on businesses.
The contents of the Bill are not yet available and it remains to be seen how far these reforms will go. It is one thing, for example, to reduce paperwork and remove the need for irritating cookie banners (two of the potential targets of the Bill), but quite another to go so far as to put at risk the UK's adequacy decision, which allows personal data to flow freely from the EU to the UK. In the end, the reforms may be helpful but relatively modest.
The European Data Protection Board has welcomed the announcement of a political agreement in principle between the European Commission and the United States of a new Trans-Atlantic Data Privacy Framework.
The proposed Trans-Atlantic Data Privacy Framework seeks to address the concerns which led the Court of Justice of the European Union, in Schrems II, to find the Privacy Shield framework invalid. The proposed new Framework will include:
Safeguards to limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security.
A new two-tier redress system to investigate and resolve complaints from Europeans about access to data by US intelligence authorities. This includes a Data Protection Review Court.
Strong obligations for companies processing data transferred from the EU, including a requirement to self-certify their adherence to the Framework's principles with the US Department of Commerce.
Specific monitoring and review mechanisms.
When implemented, the Framework will provide a legal basis for personal data flows from the EU to the US.
However, it may be some time before organisations can rely on the new Framework, as it still has to be adopted by the European Commission as an adequacy decision. At this stage, therefore, the Framework cannot be used for data transfers from the EU to the US, and data exporters must continue to use Standard Contractual Clauses and to take the steps required to comply with the Schrems II decision of 16 July 2020 (in particular, a transfer impact assessment and any supplementary measures it identifies).
And even when it is adopted, it will, like its predecessors (Safe Harbor and Privacy Shield), be open to legal challenge by privacy groups.
In any event, the Framework will not apply to transfers from the UK to the US, and the UK has previously indicated that the US is a priority for an “adequacy” partnership.
On 2 February 2022 the UK Government's Department for Digital, Culture, Media and Sport laid before Parliament the International Data Transfer Agreement (IDTA), an addendum to the new EU standard contractual clauses (New EU SCCs) (the Addendum) and various transitional provisions.
The IDTA has been created as the UK equivalent of the New EU SCCs for international data transfers. The European Commission modernised the EU SCCs on 4 June 2021. The New EU SCCs are modular: parties incorporate the standardised clauses into their contracts and select the module that matches the roles of exporter and importer (for instance controller-to-controller, controller-to-processor or processor-to-processor). The IDTA, by contrast, is a single standalone agreement that applies to restricted transfers of personal data outside the UK regardless of whether a party is a data controller or a processor. Subject to a few exceptions, this includes transfers to data importers who are themselves subject to the UK GDPR.
When the New EU SCCs were published on 4 June 2021, they did not apply in the UK because of Brexit, so UK exporters continued to rely on the old EU SCCs. The IDTA and the Addendum have been created to replace those old SCCs for UK transfers. Both take into account the Schrems II decision of the Court of Justice of the European Union, which remains binding in the UK as retained EU case law.
By addressing the necessary UK legal requirements, the Addendum allows data exporters who operate in both the EU and the UK to rely on the New EU SCCs for their UK transfers as well, without needing a separate IDTA. The intent is to simplify the process for data exporters, and it will be supported by further guidance from the ICO on the transfer risk assessment steps that data exporters will need to undertake when transferring data.
The introduction of the IDTA and the Addendum has been welcomed by the ICO, which has stated that "The IDTA and Addendum will also help to support the UK's digital economy, by enabling the global flow of people's personal data in order to deliver goods and services."
The ICO will continue to develop the following guidance to provide help and support for businesses:
Clause by clause guidance to the IDTA and Addendum.
Guidance on how to use the IDTA.
Guidance on transfer risk assessments.
Further clarifications to the international transfers guidance.
The ICO has stated that the IDTA and the Addendum "are immediately of use to organisations transferring personal data outside of the UK". The ICO hopes that, subject to Parliamentary approval, these changes will give parties more confidence when entering into data transfer agreements. The ICO has confirmed that, if approved, the IDTA, the Addendum and the transitional provisions will come into force on 21 March 2022.
Previously, EU to US transfers of personal data were permitted under the Privacy Shield decision. That decision was invalidated by the Court of Justice of the European Union in Schrems II, and transfers since then have had to rely on the SCCs, with the stricter requirements (a transfer risk assessment and, where needed, supplementary measures) that the decision imposes.
On 4 January 2022 John Edwards became the new UK Information Commissioner for a five-year term. Mr Edwards spent the previous eight years as New Zealand Privacy Commissioner, and before that worked as a barrister. He succeeds Elizabeth Denham CBE.
Looking ahead to 2022, Mr Edwards will be working on the proposed reforms to the Data Protection Act and the introduction of the Online Safety Bill. He will also prioritise the protection of children online, through the Age Appropriate Design Code, which has already prompted international tech companies to make changes to better respect children’s rights online.
One little-known fact: in 1986 and 1987 Mr Edwards worked as a mountaineer in the Search and Rescue Team at Mount Cook National Park. These skills may come in handy navigating the complex data protection landscape!
The Supreme Court has issued its long-awaited ruling in the Lloyd v Google case, overturning the Court of Appeal’s 2019 ruling which granted permission for ‘opt-out class action’ proceedings relating to Google’s alleged breach of the (old) Data Protection Act 1998 (“DPA”) to be served on Google in the USA.
The Supreme Court ruled that the claim had no real prospect of success, reversing the grant of permission to serve. The decision will likely be well received by businesses but disappoint privacy activists and consumer rights groups.
The case is not only important from a data protection perspective, as it clarifies the circumstances in which damages for data protection breaches under the DPA can be obtained; but also helps clarify the situations in which “opt-out” class action legal proceedings can be brought in England and Wales under the Civil Procedure Rules (CPR).
Although the decision appears to stem a potential tide of "opt-out" data breach class actions, importantly, the Supreme Court does point to other formulations of claims which could have succeeded. Data controllers should, therefore, continue to be mindful of their obligations under the DPA and the General Data Protection Regulation (GDPR) to avoid unnecessary litigation risk.
The facts, in brief, relate to Google's use of advertising cookies to collect data on iPhone users' internet browsing habits between 2011 and 2012 without those individuals having any knowledge that the cookies were being used.
Google subsequently sold the data collected through use of the cookies (some of which is alleged to have been sensitive in nature) to third parties for advertising purposes.
The case against Google was brought by Richard Lloyd, a well-known consumer rights activist, as a representative action under CPR 19.6, claiming damages on behalf of all of the approximately four million iPhone users whose data were obtained by Google during this period.
The claim was unique; it purported to be akin to an ‘opt-out’ consumer class action (something which is not expressly provided for under English law, except in relation to certain competition claims).
Mr Lloyd sought permission from the court to serve Google outside the jurisdiction. Google responded by seeking to strike out the claim on the basis that it had no real prospect of success. The case made its way all the way to the UK Supreme Court, with Google successful at first instance and Mr Lloyd successful before the Court of Appeal.
Supreme Court decision
The Supreme Court’s decision centred around two key issues:
Whether the claim could be brought as a representative action.
Whether damages could be awarded to the class under the DPA for Google’s breach of the DPA.
Appropriateness of the representative action
The Supreme Court ruled that it was not acceptable for Lloyd to bring a representative action claiming damages on behalf of the class.
The only requirement for a representative action is that the representative has the same interest in the claim as the persons represented. Here, the Supreme Court accepted that the class members could in principle have the same interest as Lloyd, at least on the question of whether Google was liable.
However, the issue stemmed from the fact that Lloyd was seeking damages on behalf of the class members on a uniform, lowest common denominator ‘tariff’ basis (£750 per person, for loss of control of personal data).
The purpose of damages under common law is to put the individual in the same position in which they would have been if the wrong had not been committed. Similarly, section 13 of the DPA gives an individual who suffers damage “by reason of any contravention by a data controller of any of the requirements of this Act” a right to compensation from the data controller for that damage.
The extent of the harm suffered by members of the class would ultimately depend on a range of factors, such as the extent of the tracking carried out by Google in relation to each user, and the sensitivity of the information obtained by Google. This would require each class member having their claim for damages assessed on an individual basis. Lloyd had therefore failed to meet the ‘same interest’ requirement under CPR 19.6.
Damages under the DPA
Lloyd argued that the class members were entitled to compensation under the DPA on the basis that Google’s breach had resulted in them incurring a “loss of control” of their personal data.
The Supreme Court rejected Lloyd's argument on the basis that, to be entitled to compensation under section 13 of the DPA, individuals must have suffered damage, in the form of financial loss or distress, that is distinct from the breach itself. Section 13 could not be construed as providing a right to compensation for a controller's breach of the DPA alone, and "loss of control" of data was not in itself damage for these purposes.
Whilst certain members of the class may indeed have suffered financial loss or distress as a result of Google's breach, entitling them to compensation, the way in which the claim was structured (on a lowest common denominator basis, without any individual assessment) made it impossible for damages to be awarded under it.
Ongoing litigation risk – what now for data breach class actions?
Although the Supreme Court decision might appear to protect data controllers from litigation risk, we do not consider this to be the case. While Lloyd’s claim failed to meet the ‘same interest’ test, the court highlighted other formulations which would have satisfied the CPR 19.6 requirements.
It pointed to bifurcated or “split” proceedings, where common issues (such as the data controller’s liability) are considered first, with individual issues (such as damages suffered) being considered at a later stage/second trial.
In addition, it is important to note that the Supreme Court's decision focussed on the DPA 1998, which has since been replaced by the GDPR (now the UK GDPR) and the Data Protection Act 2018. Article 82 of the GDPR expressly gives an individual the right to seek compensation for material or non-material damage (including financial loss and distress) from organisations that breach the data protection rules.
Given that Lloyd's claim focused on the loss of control of class members' data (which is "non-material"), it might have fared better had it (i) related to breaches of the GDPR and (ii) proceeded on a bifurcated basis, with individual damage assessed at a second stage.
Data controllers should, therefore, continue to be mindful of their exposure to potential consumer litigation for breaches under the Data Protection Act 2018 and the UK GDPR.
Ultimately, the Supreme Court did not say that Google or other data controllers could not be liable for damage caused to groups of consumers; just that the particular way in which Lloyd sought to bring this particular claim could not work, because of the combination of the terms of the DPA and the CPR.
In other words, it is business as usual for data controllers, and for claimant lawyers investigating and prosecuting group actions on behalf of the victims of data privacy breaches.
The orthodox way to bring a consumer "class" action for a data breach, as an "opt-in" group action subject to a Group Litigation Order if necessary, remains perfectly valid. While the "opt-in" group action is inferior from an access to justice perspective, because of the upfront "book-building" effort required to sign up claimants, it can still be effective, as shown by the group action brought against British Airways which settled in July 2021.
Take home points
Data controllers now have more clarity around how damages can be obtained for data protection breaches under the DPA, and this will be welcomed.
This does not eliminate the risk of being subject to a class action, as the Supreme Court's decision turned on the particular way this claim was framed and on the facts of this specific case.
Despite the Supreme Court's decision, a class action remains a fully viable way of claiming damages for data protection breaches; the focus must now be on how such a case is structured and brought.
If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.