This year has so far seen two significant developments which potentially increase the risk of regulatory action and/or litigation against companies that process personal information. European data protection law reform took a step forward on 1st June with the publication of the latest draft General Data Protection Regulation (GDPR), while in March the Court of Appeal accepted the concept of misuse of private information as a tort and that individuals who have suffered distress without any financial loss may be entitled to compensation. Organisations should be aware that in Europe, regulators and lawmakers are 'turning up the heat' on those who fail to treat personal information appropriately, and address this risk.

The draft General Data Protection Regulation

Directive 95/46/EC regulates organisations that use information about individuals and imposes obligations upon them. Virtually every corporate or government body and charity is affected, since each will process information about its employees, customers and suppliers.

The Directive predates technology such as smartphones and tablet computers and the widespread use of the internet, and the need for its reform has been recognised in Europe for some time. In response to calls for reform, the European Commission published the draft GDPR in January 2012, which has since been the subject of protracted negotiations.

1st June saw the latest draft GDPR published by the European Council, along with a timetable for finalising the text. The final text is scheduled to be agreed in 2015, which would see the GDPR take effect in 2017. The draft GDPR would introduce these key changes:

  1. Extra-territorial scope: The GDPR could apply to operators outside Europe
  2. Mandatory data breach reporting: To the data protection authority (DPA) and affected individuals
  3. 'One stop shop' applicable DPA mechanism for multinationals
  4. Significant changes to the use of consent
  5. A 'right to be forgotten' or right to erasure for data subjects
  6. Mandatory privacy impact assessments and privacy by design and default
  7. Enhanced DPA rights including a right of access to premises and audit
  8. Penalties of up to 2% - 5% worldwide annual turnover (€1m – €100m)

Google Inc v Vidal-Hall

Google Inc v Vidal-Hall & Ors [1] concerns Google's collection of information about sites visited by internet users. Google collected information about internet users' interests, without their knowledge or consent, and sold it to internet advertisers. Tailored advertisements then appeared on the users' screens, revealing their sensitive information and causing them distress.

For reasons specific to the facts, the court accepted that misuse of private information is a tort, but acknowledged that this will have wider-reaching consequences. The court also found that individuals whose data has been misused may claim compensation for distress alone, without having suffered financial loss.

This will inevitably affect how companies manage personal information about their employees, customers and suppliers. Aside from regulatory action by the DPA, organisations face the new risk of claims for damages for misuse of individuals' private information. Such claims could be for pure distress, without financial loss. To date, privacy cases have mostly concerned wealthy celebrities. However, this development could allow, for example, an employee to sue a heavy-handed employer that decides to closely scrutinise that employee's use of the company IT system to send personal emails.

Who will be affected?

The changes will affect organisations that handle information about people, whether employees, customers or suppliers. The risk is greatest for those organisations that handle a large volume of personal information, and those that deal with sensitive information, for example information about individuals' financial circumstances or health. Sharing data between affiliates, business partners and sub-contractors may also be problematic, particularly across national boundaries.

What should companies do?

Organisations that may have previously considered data protection compliance to be a low priority should consider revisiting the subject as the law becomes more stringent, to avoid potentially heavy penalties. It is essential that they 'grasp the nettle' and evaluate their compliance with data protection and privacy laws, or face ever-more serious consequences. 

Footnote

1. The Court of Appeal decision in Google Inc v Vidal-Hall & Ors [2015] EWCA Civ 311 (27th March 2015) is available at http://www.bailii.org/ew/cases/EWCA/Civ/2015/311.html

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.