The Supreme Court in England has two issues to consider in the appeal which opens today. First, should the company be held vicariously liable for the acts of its employee in this case? It concerns, after all, a rogue employee who took payroll data with which he was entrusted home on a USB stick and uploaded it to a file-sharing website. The company was a victim; the employee was motivated by a grudge against it. He was convicted of crimes and sentenced to 8 years' imprisonment. If the answer to this question is yes, business says it places a huge burden on it, at a time when the cyber incident insurance market is still developing. What are the consequences in practice for how business should monitor and carry out surveillance of employees? Should employers never let employees handle special categories of personal data alone? Should employers monitor employees' laptops routinely, or only if they suspect misuse of personal data?
The second issue is the extent to which data protection law “owns” the field in terms of remedies. Can claimants rely on other causes of action in data breach cases? Does the Data Protection Act 1998 prevent the application of vicarious liability to a breach of the Act? Does it exclude the application of the tort of misuse of private information or the equitable doctrine of breach of confidence to breaches of that Act?
If the claim against Morrisons is ultimately successful, there will be a further hearing to consider the quantum of damages, and the all-important question of what damages should be awarded for the distress associated with a data breach where there is no other tangible loss.
Andrew Moir, head of Herbert Smith Freehills’ global cyber security practice commented: “If the Court of Appeal’s decision stands it will likely pave the way for future data breach related class actions – even if the individual quantum is modest, the numbers of individuals affected by data breaches is often significant enough to make such claims viable”.
The judges hearing the case are: Lady Hale, Lord Reed, Lord Kerr, Lord Hodge, Lord Lloyd-Jones.
Kate Macmillan, a consultant in our cyber security team, is attending the Supreme Court today and will be reporting live on the submissions.
The ICO has fined EE £100,000 under the Data Protection Act 1998 (“DPA”) for sending text messages to customers without their consent, in breach of the Privacy and Electronic Communications Regulations 2003 (“PECR”).
In February and March 2018 EE sent direct marketing text messages to customers informing them that they would soon be eligible for a handset upgrade, and that they could “countdown” to their upgrade date using the “My EE” app. The text message also promoted other features of the My EE app.
In March 2018, EE sent a second batch of messages to customers who had not downloaded or interacted with the My EE app following the first message.
On 3 July 2017 the Information Commissioner’s Office (“ICO”) determined that the Royal Free NHS Foundation Trust (the “Trust”) had breached the Data Protection Act 1998 (the “Act”) when it provided patient details to Google’s DeepMind.
The Trust provided personal data of approximately 1.6 million patients to Google’s DeepMind as part of clinical safety tests of a new application, ‘Streams’. The application is designed to provide an alert, diagnosis and detection system for acute kidney injury. However, an ICO investigation found several issues with the way in which the personal data was handled, including that patients were not adequately informed of how their data would be used (i.e. as part of the clinical safety tests). These shortcomings amounted to non-compliance with at least four of the eight data protection principles under the Act.
The Financial Times recently referred to Big Data as “a vague term for a massive phenomenon that has rapidly become an obsession with entrepreneurs, scientists, governments and the media”. And it does appear from the headlines that there isn’t a real-world situation that Big Data cannot be applied to – for example, in the aftermath of the recent US General Election, questions have been asked as to whether there was a failure of Big Data to accurately predict the result.
The reference to a “vague term” also seems to be in keeping with the various different definitions of Big Data quoted in the market. The data protection regulator in the UK refers to Big Data as “a way of analysing data that typically uses massive datasets, brings together data from different sources and can analyse the data in real time. It often uses personal data, be that looking at broad trends in aggregated sets of data or creating detailed profiles in relation to individuals, for example lending or insurance decisions”.
But however it is defined, it seems that there is a Big Data opportunity for business not just in how much data an organisation has, but in how it can use that data to save time and money, develop new products, manage risk and make smarter strategic decisions. This opportunity is only likely to increase as more activity is conducted online, and technology solutions such as the internet of things further increase the amount of data being collected.
The meteoric rise of Big Data has not, however, only presented opportunities for business. Perhaps unsurprisingly, it has also caught the attention of various sectoral and cross-sector regulators, looking to ensure that the use of Big Data technology does not negatively impact consumers or otherwise circumvent existing legal protections and regulations. In this article, we will look at a few of the different regulators examining the Big Data phenomenon to investigate the theory that Big Data technology has created a perfect storm of regulatory activity for business.
The UK Digital Minister Matt Hancock has confirmed in a written statement that the General Data Protection Regulation (the “GDPR”) will come into force in the UK in May 2018 despite the UK’s move towards Brexit.