We increasingly live in a digitised world with many of our transactions, processes and even our relationships taking place entirely online. As a consequence, personal data has become a resource to be commodified, sold and used. In the wake of various data breaches and scandals involving the misuse of personal data, two linked but separate movements can be identified:
(i) consumers who are taking a more proactive role through group litigations, and
(ii) regulators who are considering whether to apply a more preventative approach to “data monopolies” from a competition law perspective.
• Consumer-led power: group litigation
Recently, there have been two high profile English cases in connection with personal data, including a Court of Appeal case borne from the consumer campaign “Google You Owe Us.” In Lloyd v Google, the Court of Appeal has reversed the decision dismissing Mr Lloyd’s case. Importantly, the Court said that a claimant can recover damages for loss of control of their data under section 13 of the DPA without proving pecuniary loss or distress.
The other case is the decision of the High Court on 4 October 2019 to grant of a Group Litigation Order. This allows up to 500,000 customers of British Airways to join a claim for compensation in connection with the company’s 2018 data breach. A window of 15 months has been allowed for affected customers to join this group litigation. It is clear from these recent cases that there is growing appetite among consumers for compensation following a breach of their personal data by controllers and processors. They should also serve as a warning to data controllers to ensure appropriate procedures are in place to maintain the integrity of their IT systems lest they are hit by both a fine from the Information Commissioner’s Office and a claim for compensation.
• Regulatory power: increasing remit of competition authorities
Recently, there has been an increasing awareness of the role that regulators can play in the digital market. Various competition authorities, including the Australian competition authority, have discussed their potential future role. Overall, there appears to be a move towards a more preventative regulatory approach with regulators protecting consumers against data monopolies.
In September 2019, Jeremy Godfrey, the chair of Berec, stated that platforms such as Google and Facebook have “significant market power” due to the information they have acquired on their customers. This becomes a barrier to new entrants to the market. Godfrey suggested that data protection issues could therefore fall within the remit of telecoms’ regulators as a competition issue.
In the UK, the Competition and Markets Authority (CMA) is currently undertaking a market study into online platforms and digital advertising. Through this, they hope to better understand whether there are any competition issues. The CMA is expected to decide by January 2020 whether to start an investigation into this sector. While the UK is currently assessing whether the digital market is within the CMA’s regulatory remit, other jurisdictions have already taken a significant decision in this regard. For example, Germany’s national competition authority have, under their current competition laws, ordered Facebook to restrict its data collection in Germany. While a Dusseldorf court had suspended the regulator’s decision, this is being appealed to Germany’s highest court. Keep an eye on our website for a future update on the outcome of this case.
• The Future
Looking forward, it will be interesting to see whether group litigation by consumers or action taken by regulators will have the knock-on effect of reducing the likelihood of data breaches and, thus, ensuring the protection of personal data.
However, over the coming years, technology will advance and more unprecedented issues with the use of personal data will arise. For example, the increasing use of Blockchain technology and so-called ‘smart’ contracts brings unique data protection concerns for both consumers and the regulators. Therefore, consumers and regulators will be required to stay pro-active and to continue to re-define their roles in the evolving digital market.