The GDPR has been trumpeted in many quarters as a so-called “gold standard” for data protection rights - *eyeroll* - and sometimes you may feel like a bit of a heretic for calling out its deficiencies, because the wall of fandom is just so strong. Take the international transfers issue and the state of play after two landmark legal implosions: “US non-adequate”, we cry, “Europe good”.
You cannot distil complex problems down to straplines, dualities and dichotomies. The US is both good and bad. So is Europe, and so is the UK outside of the EU. Some elements of data protection rights are better in Europe, compared to the US, but truth be told, the US sometimes beats Europe hands down. Indeed, we can take the GDPR’s own position in support of this argument: the GDPR introduced mandatory breach notification, right? Well, guess what, that was invented in California in 2003. No ifs, no buts. So the GDPR has recognised the superiority of US law on one of its landmark components. Do you want more examples? Check out the origins of the accountability principle. Or, if you want to take a wider North American view, do the same for data protection by design and default.
Just $30? More than you'll get here, guv
An interesting case caught my eye the other day, triggering this blog. Reported by engadget, it concerns a business I’d never heard of before, Crunchyroll, an anime streaming service. This case, which I doubt was ever going to be more than a footnote in security law history, deserves more attention, in my opinion. According to the report, Crunchyroll will pay $16M into a “class action” fund, on a non-admissions basis, due to having shared user data with third parties without their permission, in contravention of the Video Privacy Protection Act. This will net the victims of the contravention $30 each, if they register with the class.
Small beer you may scoff. Maybe, but how are people doing in Europe? And what will be the effect of the $16M settlement on Crunchyroll’s behaviours going forward? They’re not going to get worse on data handling, surely? In my view, it’s all upside for consumers in the US.
Last week, I was on a panel at a litigation conference with some very eminent lawyers in the “class action” space, when (some of us) expressed the view that representative actions for data breaches are all but dead in this country, thanks to the judgments in Lloyd and Prismall et al. Adding to the calamity, my view is that group litigation isn't doing too well either - actually, it's on the gurney and it needs to be rushed into surgery, as an emergency. Likewise, if we recall what happened to data protection in the CAT in March, in Gormsen - ouch - we have to conclude that competition law isn’t going to come to the consumer’s rescue on data breaches any time soon (and I mean breaches in the widest sense – AdTech as well as cyber). Check out the TikTok judgment, too, if you really like legal gore and spectacle.
Claimants trapped in a Legal Bermuda Triangle
We have a massive access to justice problem for victims of data breaches in the UK. They are trapped in a legal Bermuda Triangle between a legal rules system that is fully against them, claimant lawyers and litigation funders who cannot make the cases stick, and defendants who play the rules and the claimant lawyers with aplomb. Mostly, it comes down to money: those with the deepest pockets, i.e., the organisations that suffer cybersecurity breaches impacting the third-party data they hold, get the cream of the legal profession, and consumers run headfirst into that obstacle. It is reinforced by a judiciary that seems incapable of understanding or conceptualising the often extremely bad quality of the security that is breached, the advantages the organisation has taken from consumer data or from cutting corners with security, or the extent of the harm that is actually suffered. This has led us to the position where I believe that the consumer is essentially vilified as a claimant for seeking justice: they haven’t suffered real distress; they’re on the make; let’s deal with this in the small claims court because the litigation is too expensive for the defendants to cope with, etc.
In the UK, if an organisation behaves in the way alleged against Crunchyroll, or is bad at security and loses your data when it’s hacked, you are likely to get nothing. Not even $30. Nada.
Tell me again, where can I find this so-called gold standard for data protection? I’m genuinely struggling to locate it. I’m certainly not going to find it in the UK anytime soon – at least, not without legislative change, or a different judicial mindset, or a different approach by claimant lawyers/funders themselves.
Stop posturing and get the cases in court. Oops, there's a costs problem ...
On the latter point, that would involve stopping the posturing around class actions and costs building, and getting cases into court to examine the real issues, which are the nature and extent of the breach of duty and the harm suffered as a result – build the case law and precedents. The problem with this idea as a remedy is litigation funding and costs, of course: the claimant needs insulation from a negative costs consequence, and that needs insurance, but insurance is massively expensive in these cases, so you have to build a class action to spread the load, and so the merry-go-round continues its perpetual cycle on a journey to nowhere.
There is a fix and anyone who cares about rights and justice should shout about it
There is one chink of light. That is section 189 of the Data Protection Act 2018, which requires the Government to review the provision for representatives of data subjects. The current government undertook that review in 2020-21 and preserved the status quo. A new government will have the opportunity to build a scheme that works to deliver access to justice for data breaches. In my view, that can be fully aligned with the wider goals to make the UK a regional hub for tech, data and AI, because the current legal status quo does not aid our resilience.