Hello and welcome to this Webinar entitle Compensation claims the greatest threat to organizations under the genie PR. We shall see my name is you can see is Keith Market. My back is I am a qualified solicitor with many years experience in this particular area now, spending much of my time as a freelance training consultant. I'm gonna speak discussing this. Stop it with you today. Let's have a look straight away as our agenda. We're going to begin by looking at a summary of the key provisions off first of the GDP are and then the Data Protection Act 2018. So I begin with going through those in a little bit of detail. Well, then go on to talk about various key cases. We'll see. Actually, at the moment we do not have a specific decided case. It has been circuiting the provisions of the GDP are or indeed the dates protection at 2018. Therefore, we need to rely on cases that do with the previous regime, albeit there like to be incredibly influential on very much This follow similar lines I expect of the new regime. It says how the old regime is interpreted so look at a number of those particular got famous cases will be Morrison supermarkets, and I suspect you will, quite possibly how heard about at the end of this, I'll be talking about what and do practical steps that you need to take to make sure that you are complying or at least reducing your risk in the circumstances. So let's begin, then, by looking at Article 82 off the General Data Protection Regulation. As we know, Jeannie PR is remaining in force. Whatever the outcome on Brexit happens to be, let's have a look on the screen at the particular contents of this. So Article 80 to 1 talks about this. Any person who has suffered I was going to read this out to material or non material damage. Perhaps note those two words material means financial non material means classically. The word is distress. He's making notes in that. If that's a new idea to you as a result of an infringement of this regulation to have the right to receive compensation again, note from the controller or the process and as we'll see in a minute, is likely to sit with the controller and in this particular session. We're not having a big discussion about control was, frankly versus processes. But general, the controller is like to be mainly responsible, have we the process of as well and that they are responsible for paying some form of compensation for the damage suffered. Now the 2nd 1 goes on to any controller. Will it be liable for the damage caused by processing? However, it then goes on to say a process that can be liable for the damage caused only where it's a not complied with the obligations of the regulation that applied to its on. You'll find that the GDP are has certain regulations that do apply specifically to processes. But secondly, where has acted outside or countries and lawful instructions of the control run again without getting into detail. Today, what should be in place between any controller and process or organizations is a days processing agreement that says thes I'll off instructions and therefore, if the process er departs from the miners of the left or the right, then ultimately they will potentially be liable in place off the controller. What else does articulation to all the GDP? I have to say whatever Look number three control processes shall be exempt from liability if they can prove they're not in any way responsible for the event. Fair enough. Logical number four. However. Interestingly, it says where more than one controller or process er or both the controller and processes are involved in the same processing on their both responsible, they'll both be held liable up to the full amount. Now that may seem a little harsh, but they were going to the next slide and look at Subsection five, which says, in this case where they pay full compensation, they will be entitled to claim back from the other involved in the same processing that part that corresponds to their parts of responsibility. So very both of them are fully liable. But there is a mechanism whereby that is subsequently adjusted so that they end up paying a proportionate amount on the final points on there. Obviously, court proceedings how to be brought before a court that's competent in the member states. And so we need to note, though, is that GDP are sets out these sorts of ideas in articulated to, but it gives no guidance whatsoever as to how the idea of distrust would be interpreted on further August. No idea is the likely amounts. Obviously, it sets out amounts as we are well aware in respect off sanctions, which we could talk about another occasion, but not in respect of compensation. And that's what we're going to have to look at in respects off various cases that have already been decided or on the waste being decided under the old Reggie. Now that's GPR. What about the Data Protection Act 2018 prisoners overlooking this piece of legislation, although it largely regurgitates a lot of GDP, are realities. It is significant. So have a look on here. I'm not reproduce the whole sections because there's only really 1.2 out on top off GDP. Are is the fact that first, where you can see if there's a breach of GDP, are Section 168 off the Data Protection Act 2018 makes it clear again you can recover for a non material damage on specifically says that that includes distress and that word distresses hugely significant in this area because it opens a whole Pandora's box in terms of the extent to which agreed data subjects may recover if you lose their days that will do something nefarious with their data underneath that, you see, there are other examples of data protection legislation apart from the GDP are that could be the Data Protection Act 2018 itself, or indecently called the Privacy and Electronic Communications Regulations 2003 that we're not talking about in this particular session today. Again, the key phrases damage includes financial loss Andi damage not involving financial loss such as distress every state they wouldn't distress and indelibly imprinted on your mind because it's about to form the basis of the discussion of a number of cases under the old regime that are highly influential in terms of how the new regime will be interpreted. Of that, I have little doubt so three particular cases we're gonna talk about a couple of others were referred to as well. It says a how this might be interpreted, how this might actually work in practice. Now the legendary cases, about three or four years old, is a case called Vidal Hall on the Google. And, of course, wherever Gougar involved the background to this case is, typically will the English courts grunts jurisdiction. Will their greeter. Given all that for service out of the jurisdiction, clearly, Google don't want to be tried here. They'd rather be tried back in the States. However, the reality is against the backdrop of that jurisdictional dispute. We then see a whole lot of other issues about the correct interpretation off the rules around those protection and compensation. Does the backgrounds of this case well, this is to do with the use off Safari on that? The fact that people at the time a group of people as we'll see Judith Vidal Hall on others, thought that if they access Google's search engine using Apple's Safari browser, and I can just about cope with this so you can as well, Then they thought that Google would not be able to track them on their four. Target them with advertising. They were wrong. Google had actually created something unbeknown to the vast majority of people that was called the safari work around that allowed them, as you can see on the slide here, too, target advertising to hit them with ads, the effects of disclosed information about them. Some extent they may have been viewed by all this a little 10 benches, Perhaps, but that was the argument, and therefore they claimed damages for acute distress and anxiety. But note no claim for financial or special damages. Now the specifics of the claim is set out in the next life, where you've got an extract from the particulars of claim in the case that was brought by Judith Vidal Hall and indeed others by reason off the defendant's misuse of the claimants. Private information on breaching confidences set out above the claimants on each of them have suffered damage to personal dignity or Ptolemy and integrity that have been caused anxiety and distress. And then a bit We're actually interested in over above that. Further or alternatively, the claimers were caused damage and distress in respect off which each claims compensation pursuant to what the provision was at the time. Section 13 off the Boats Protection Act 1998. And what was this? Section 13. How does it work on what lessons can we draw from the ways interpreting well, he's seeing the next slide sex Subsection one is relatively straightforward, an individual who suffers damage by reason of any contravention by a data controller off any of the requirements off the day's protection Act 1998 is entitled to compensation for that damage. That's not controversial. Levies argued about that, but it's number two that matters. You see our friend the word distress. An individual who suffers distress by reason of any contravention off a data controller off any of the requirements off the 1998 axe isn't over the compensation for that distress. But here's the twist in the tale. If the individual also suffers damage by reason of the contravention, and the big issue in this particular case is what is meant by the word damage talking, financial loss. Nonfinancial lost, what's included, and the Court of Appeal was asked to decide in a model of the other issues in this case, whether the interpretation off Section 13 to in previous cases that have suggested that distress could only be claimed for alongside of financial element was the correct interpretation or not. Now, to do that, they go back on again. This gives a bit of a flavors to how the courts will play with these issues. They go back to Article 23 off the European Data Protection Directive 1995. That's a long way back isn't, however, that formed the basis of our Days Protection Act 1998. So if actually they're looking at Section 13 to the Data Protection Act 1998 through the prison, first of all, off the original directive on also, as we'll see on the next slide through something called the You Chelsea off fundamental rights. So also, 20 says this member states shall provide the any person who has suffered damage is the result of any unlawful processing operation or of any acts incompatible with the national provision adopted pursuant to this directive, is entitled to receive compensation for the damage suffered now. The key point that the Court of Appeal makes in this case is to say there is no distinction there between pecuniary financial loss on long pecuniary loss. Essentially, we're not saying that it's got to be. You can only claim for distress if you've also got financial loss. Obviously, that is contrasted immediately and strongly by the court with what Section 13 to says. We says distress must go hand in hand with damage, suggesting distress is not recoverable in his own right. They then go on to underline that further by looking on the next to slide. You see extracts from the e. U charter off Fundamental Rights. Article seven talks about respect for private and family life. Everyone has the right to respect for these things, but also noted the end on communications, hence his extension to this particular area and then return to Article eight off the U Charter of Fundamental Rights. On this is to do with protection of personal data. As we can't see, everyone has the right to the protection of personal data concerning him or her must be processed fairly etcetera, etcetera, etcetera and compliant with the rules controlled by an independent authority. Again, the view is that ultimately the inability to claim compensation for distress in the absence of financial loss effectively contradicts those two articles off the huge doctor Fundamental rights. So the Court of Appeals decision in this particular case is you go back to the source material Of all of this, there is no distinction between pecuniary and non pecuniary loss Section 13 to is therefore incompatible on this very complicated you legislation, but it's still applying at the time should be dis applied. Therefore, the key thing that we note from this Vidal Hall cases to, say claims with the stress off perfectly valid on they do not require a claim for pecuniary loss. Now, that point, this matter, comes to an end. That's the particular ruling. The court will what the court said, that they would give leave to Google to appeal that to the Supreme Court. They wish he would decline. They were settled this matter out of court. The amount of any compensation is completely unknown, but this effectively is the key decision in terms of making it clear distress could be recovered in respect of in his own rice. And also the question, though, is how much that will be now what impact does not have with regard to the new regime. Or first of all, if there's a dispute about the correct interpretation of all of this office of the GDP are will be of the source material. Often, instead of just the articles in the GDP are we go back to the recitals at the beginning on, therefore, they would take a similar approach again. It's quite possible if there's an argument about this and the court may have recourse back to the EU Charter of Fundamental Rights. However, given that as we have already seen, articulated to talks about distress and sections 168169 talk about distress. This should no longer really pretty much of an issue. But the key things I noticed in Algeria addiction because I made it absolutely clear even price of GDP are that people can recover for distress and we're gonna see what the consequences of that are in just a moment now. After that particular case was decided in 2015 there are then two other cases which I mentioned very briefly before I talk about some more significant developments. So it's as a compensation of wars. We have very, very, very few examples of this in this jurisdiction. Maybe you speak have never really so. The possibility that the awards typically been very low. It's not worth going to court. No one's been just getting involved and so on and so forth. So two cases that we do have with decisions with awards of compensation are as follows. So TLT and the Home Office what happened serious? A total of six individuals had their personal information, including quite sensitive personal information accidentally published on. Ultimately, those were very, very sensitive details or three. The Home Office agreed to pay them compensation for breach of obligations under the Old Days Protection Act 1998 the largest amount was 12.5 £1000. It doesn't mean that all six got 12.5 1000 or that the 12.5 1000 is divided among them. One person got 12 in all 1000 of the goal. The others got number of thousands each. So that's one example we have. We have this Scottish case of William Akbar from 2017 here. A couple were awarded £17,268. Now why was that? Because their neighbor who run a business has installed a highly intrusive CCTV system that looked into their particular property on also recorded them in terms of their conversations of various of the things at the view of the court in there in Edinburgh Waas. Ultimately, that this had caused an enormous amount of stress. It, of course, great distress. Therefore, they were entitled about a war. But apart from those two cases, we really have very, very few examples of this whatsoever to discuss this issue then off. The amount of compensation has been addressed further in another case that draws on that particular case of Vidal Hall and Google. So we look with melted. The next line will now go on to talk about the case of Richard Lloyd on Google, which is quite a significant case in its own right. So Richard Lloyd is, by the way, a former executive director of the organization, which he was backed in this particular case by litigation from there, up to the June of £15 million on was seeking to bring a class action against Google in respect of similar issues to those set out in the Vidal Hall case. So again arguing about safari work around drawing on the Vidal Hall on Google ruling, saying, We've got issues with the goal to Section 13 1 of Indian section 13 to all the Data Protection Act 1998 and saying that ultimately because of the safari, work around distress have been caused to a class, believe it or not, as by his estimation, off 4.4 million people. And he reckoned. Or he argued that every single one of those 4.4 million people, and we'll see how it defines them in a minute. On the next slide, we're entitled £750 each. You can do them at potentials to claiming the billions if Google have found to be responsible, and it's agreed that that figure is acceptable now again, at the back of all of this, we have a jurisdiction elements you got disputing that this math should be over before the English courts on. Therefore, there was a contest this very strongly. Let's have a look at 12 lessons that we can draw from this particular case. The first of all, what were the what was the nature of the class of persons who potentially could bring this? Kleber, on whose behalf Mr Lloyd said he was acting when you see here on the next slide is incredibly broad. Everybody who were to date between ninth of August 2011 and 15th of every 2012 whilst present in England and Wales had an apple dying I d owned or were in lawful profession profession. Often iPhone three G or subscript model used apple safari on didn't change the default security set security settings. I did not obtain a double click at. That's always sending me, and they will be you incredibly broad. However, if you then look at what the high court's view was about this, we'll see that they were somewhat skeptical about whether this class truly exists and various other things. So, you know, in the next life, you'll see the judge in this particular case, Mr Justice, Worby said it is not easy to estimate the quantum of costs that this particular litigation would generate. Be wrong to assume that the vast. But they give some indication of the worst cost case scenario considerable amounts of courts. I would undoubtedly be consumed, but note this is the key phrase, in his view, that damage sustained and the compensation recoverable are modest at best. So he's already skeptical about this pie in the sky figure of £750 he goes on to make the following comments the main beneficiaries of any such award, with the forgiveness under lawyers. By a considerable margin, he's key phrase Denny's In the five or six years since the safari work around was identified and publicized, none of the millions of such individuals in this jurisdiction has demonstrated any interest in the common sense of the term by coming forward to claim or complain or identify themselves as victims other than Miss Be Down Hall her co claimants on Mr Loi, End of Story. And on that basis, if you look down on the next life, if actually dismisses this case in fairly summary fashion by saying I'm not going to grant in order for service out of the jurisdiction, there is a lack of on identifiable class of claimants. You've not played actual damage on the level of damage. Is is so low that, frankly, this isn't worth it. So that is a little bit of a corrective to what I'm going to go on to talk about in a minute whereby there is a case that suggests that significant payouts maybe do. But until we know the outcome of the case, I'm about to tell you about all we can look back on. Particularly all the two shorter cases I discussed on the Richard Lloyd case were also in the court was quite dismissive and also took the view. The use of your personal data in this way was fairly low level, and therefore any award for the stress, albeit technically possible, is likely to be extremely modest. Let's look, then, finally at all one major case which you may well have heard off is on. It's way now to the Supreme Court. The time of recording it has been heard by the Court of Appeal. This is to do with, as you can see, the Catch me entitled Case off various claimants and William Morrisons supermarkets. Could you come up with a catchy A title? Perhaps No. Originally heard by the high court. Now let me just sketch in the background for you because this is quite significant, causing Porter a total of 5.5 1000. Morrison's employees brought a class action. So here we've got a better defined group of people. Hence why this has got some legs. So 5.5 1000 Morrison employees alleged direct liability or vicarious liability on the part of their employer in respect of the criminal activity of the gentleman mains of the bottom of the screen. Andrew Skelton, a senior I t audited now the whole time line, then looks like what you could see on the next slide. So 13 of March, There's a poster of incident. Well, what was that? Well, what happens is this. Mr Skelton, in his spare time, has a sideline. He produces a dietary supplement which is basically banks of white powder. Now these white powder banks are entirely legitimate. That is a look like and indeed taste like a proudly amphetamine personal story. So what he normally does is he posts this out just using the normal post office from his own address. Occasionally, though, he decides to cut corners and used Morrisons internal poster. I think you know where this may just be, Eddie. So one day what happens is this one of these bikes bursts open in Morrisons. Posters of white powder in poster is not a good look. I think you would agree, also has got his name all over it cause this kind of a return label, which, when he suspended for several months from working returns to work. As you could see in July, there's a formal verbal warning. Also in July, he appeals it. The appearance rejected A. Which point appears to develop the kind of Olympic sized grudge against his employer, decides toe have his revenge. 14th of November. As part of his role, he's asked a copy certain information onto a memory stick on provided to KPMG at the same time, a very shortly afterwards, he copies that information onto a personal memory stick. He then up close the details not just a 5.5 1000 employees but 100,000 Morrison employees onto a file sharing website. When nobody really notices this, he then decides to send the CD with this information to various local newspapers. You immediately report Mr Morrison's and his court on at the Minute is in the midst of an eight year stretch Her Majesty's pleasure, nor for a breach in today's protection rules but because of a breach of something called the computer missus uses. Now 5.5 1000 of the effects of employees argues, you consumed the next slide. And again, this is all over the old legislation that Morrisons are in breach of their statutory duty. On the Section four Subsection four off the Data Protection Act 1998 you see the juicy their juicy today's control to comply with the principles and soul that is the basis of the two claims that they follow the allegations that Morrison's air either primarily liable or vicariously liable. Now, if you look on the next idea will see, various arguments were raised about primary liability. Ultimately, those argument thrown out by the court, I'm surprisingly, just so we're clear the allegations that Morrisons were liable for breaches by Mr Skelton of the 1st 6 principles of the old rules that called Throws that out. They say that Mr Skelton himself was data controller. Morrison's not involved, however. It says a security the way their skeletons have to get its hands on this. They say that potentially Morrisons have a case to answer for. Having reviewed all of this, they say that it was reasonable to allow them to access the dangerous part of his role. The use of USB was necessary for his role. They did monitor is Internet activities in the same way they monitored everything else. The only criticism is they didn't follow through and make sure he deleted the data when it was no longer necessary. However, they did not feel the court that this was causative of the breach and therefore Morrisons were not primarily liable. However, they were found to be, as we'll see in a minute, vicariously liable. Now, what were the arguments brought forward? Well, the claimants effectively to make three key submissions. They say that ultimately this happened in the field of activities of this gentleman's particular employment. The reach of Rose during the operation of task that have been interested to him as an employee was a sufficient connection between his position and his work on the actual wrongful conduct. And his criminal motivation was relevance. Now defendant Morrisons council out fairly strongly and surprisingly, they say that when he did this, he was temporarily or temporary, rather and physically disengaged from his role. So although he obtained in the course of his role when he posted it on the Internet, he was outside of the workplace and therefore he wasn't acting as their employees. They say that at that time they were not data control. This not all the aspects of his behavior within his employment, and it's necessary for all of them to be within the ambit of his employment for vicarious liability to be established, they said the criminal motivation was significant. The court effectively is making itself an accessory to his criminal behavior if they rule in favor off the claimants. Finally, they say, by Carris liability should be applied strictly and not easily extended. Now, what did the High Court have to say that well, First, although said, clearly, this is deliberate and criminal activity bus, that is not the bill. In the end all, and it's important to note that the motivation of the employee's behavior here is an irrelevance. Then ask the question. Who is best place? Toe bear? The loss in terms of what's happened. Is it the individual employee? Was it the employer who may well benefit from insurance? They came down on the high court, came down on the side off the employer is best place to do this, and then we'll talk a little bit more about this in a minute. But they took the view that ultimately he did act in the course of his employment, and therefore they ruled that Morrisons were vicariously liable. However, they were troubled by this, as you can see at the bottom of the page, and they allowed an appeal almost immediately in reaching these conclusions, submission that the wrongful acts of skeletal, deliberately end of the party in the claimants eat a whole responsible such that to reach the conclusion I may have seen to render the court and accessory in furthering his criminal apes. Therefore, the high court gave leave to appeal immediately because of appeal. However upheld the decision off the hard court. They were happy that ultimately this was part within the field of activities that there wasa sufficient connection. The motivation waas irrelevant. And again they touched on the availability of insurance and therefore found again that Morrisons were liable. Now the key things emoting all of this is nobody yet knows what the precise figure for compensation. Maybe, As I've said, there has been no permission given by the Court of Appeal on the Supreme Court of Appeal to the Supreme Court and therefore we wait to see the outcome of that. I think it's highly likely personally, they will uphold the various line but the vicarious liability points and therefore we need to be thinking about the sort of practical steps that we need to take, but also all of it then comes down to what the Supreme Court does with the issue of amount. So how serious was this bridge, while personal data was displayed on the Internet for a bit and was censored newspapers? Is that modest? As we saw in the Richard Lloyd case or not, we wait to see with bated breath. Now that means some What can you do about this as we begin to wrap up this particular session? Well, five things to think about that. Reduce your risk, train your staff, make sure they know what their obligations are. Don't just have policies. Make sure you tell them exactly what they need to do. Make sure they've got clear roles and responsibility, since as of who's allowed access to what supervised effectively, yeah, rather surprises me to this day that they allowed this particular gentleman back in such a senior role when clearly there was quite a lot of bad blood that had emerged between the parties. Carry out risk assessments in, says, um, who needs to see information. How long will keep this information for in Seoul and finally look at the possibility of insurance or encourage clients to look at the possibility of insurance in these particular cases, right? We wait with bated breath is just summarize all of this and bringing to a close. So we've seen Article 82 sections 168 on 169 are the relevant provisions they draw on the previous case law. They draw on the previous directive. Quite clearly, distress is here to stay, and there is no need for a financial element. And that's clear from most particular cases we saw. But the key thing to notice the extent off the particular clay, how broad a class will be tolerated. Well, the Morrisons case suggests quite a broad class. We usually find that, well, often up didn't happen in the Richard Lloyd case. Of course, the other issue that we don't know simply is the amount we really could do with a couple of decisions now post GDP are or even in respect of the cases that we've got going through, that the old regime still doesn't the actual physical amount. But the other thing to note in all of this is the same well worth considering insurance and also thinking about your security procedures and some of those practical things that I mentioned right well, as always, that's all I've got to say. So thank you very much for your kind Attention, I hope speech again of the time. Thank you. And good day to you
Webinar
Slides
Quiz 
1119 Users
19 Courses
16 Reviews
