Since the introduction of the GDPR, we have seen a marked increase not only in data protection litigation, but in data protection issues arising in the context of more general litigation and disputes.
Data Subject Access Requests ("DSARs")
DSARs are increasingly used in the context of general litigation and disputes. The basis for a DSAR is set out in Article 15 of the GDPR. It is a request by a data subject for confirmation as to whether or not a data controller is processing personal data relating to him / her. Importantly, it also gives the data subject a right of access to that personal data. In short, Personal Data is any information relating to an identified or identifiable natural person, for example, a name, an identification number, location data or an online identifier.
DSARs are increasingly used by potential litigants to obtain early disclosure of information, often long before discovery. Litigants are generally looking for a "smoking gun" to ground their claim. Data subjects are not precluded from submitting a DSAR even if the request is being used as an alternative or a supplement to discovery. However, it is important to note that, unlike discovery, the right of access under a DSAR is a right of access to data, not necessarily to entire documents.
Matters to consider when responding to a DSAR in the context of actual or potential litigation
When a data controller receives a DSAR, the first thing he / she should be mindful of is the time limit. There is a tight, one-month time limit to comply with a DSAR. An extension of time of a further two months is available in exceptional circumstances. Data controllers should also note that a DSAR does not have to be in any particular form. It can be verbal or written. DSARs are usually a general request for all personal data of the data subject. However, you can seek to limit the scope of the DSAR by engaging with the data subject to narrow the request.
Although a data subject's right of access is key to the GDPR, it is not absolute and there are a number of exemptions that may apply. In particular, data controllers should take legal advice to ensure that they do not inadvertently disclose privileged documentation or data in the context of a DSAR. If privileged data is disclosed, that privilege will be lost and the data subject can then use that privileged data in a subsequent legal claim. It would also be useful to have your legal team review the data disclosed in compliance with a DSAR, in order to consider any possible litigation angles.
Consequences of Non-Compliance with a DSAR
It is important that data controllers comply with a DSAR because of the potential consequences of non-compliance. A data subject may make a complaint to the data protection commissioner. Although this has not been addressed in the Irish Courts, there is a possibility that a claim for non-material damage could arise out of a non-compliance with a DSAR, if an individual can show that he or she suffered distress as a result of that non-compliance. Further information in relation to civil claims for non-material damage is set out below.
Data Protection Actions
The introduction of the GDPR and the Data Protection Act 2018 saw far greater rights available to data subjects in civil litigation. Section 117 of the Data Protection Act 2018 introduced the concept of a data protection action in Ireland. This section empowers data subjects to bring civil actions against data controllers or data processors if they believe that their rights have been infringed as a result of the way in which controllers have processed their personal data.
This is quite a wide-reaching provision and the variety of actions which we have seen come to the fore illustrates this. With this provision it is now open to the Irish Courts to award Plaintiffs financial compensation for damage suffered by a Plaintiff as a result of an infringement of the GDPR. Crucial in this is the inclusion of compensation for non-material damage to a Plaintiff.
To explain this further, material damage is quantifiable and usually financial damage such as a loss of money, wages or a loss of assets. Non-material damage typically relates to pain and suffering or stress, for example, caused by a loss of control over personal data as a result of a breach. Non-material damage is a new concept to Irish law and was not available under previous data protection legislation.
We have seen an increase in these types of claims in Ireland. We have also seen a trend where claims for other issues now include an "add-on" claim for breach of data protection legislation. This shows a far greater need than ever before for companies to be extra vigilant in complying with the GDPR guiding principles. These claims generally arise where claimants and plaintiffs are aggrieved that companies have not complied with the principles of the GDPR.
Conclusion & Resources
What have we learned from recent data protection litigation issues? In the first instance, data controllers should review their practices surrounding the storage and processing of personal data by reference to some general principles which we call the GDPR building blocks. More information in relation to the GDPR building blocks is available in the additional videos linked below (please note you will need to register to watch the videos):
- Video: Data Protection Litigation: A New Era (Part 1)
- Video: Data Protection Litigation: A New Era (Part 2)
- Article: Into The Breach: Morrisons Not Vicariously Liable For Rogue Employee's Deliberate Data Breach
In addition, data controllers may benefit from some legal advice when dealing with a DSAR, particularly in relation to any applicable exemptions and privilege. Finally, it is important to be aware of the potential consequences of any breaches of GDPR, given the increase in these civil claims for non-material damage.
If you have any queries, please do not hesitate to contact Michelle, Adele or your usual William Fry contact.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.