The dispute between Austrian law student Max Schrems and social networking giant Facebook represents an emerging type of risk for businesses that process personal information, and should set alarm bells ringing for in-house lawyers, compliance departments and risk managers responsible for data protection.
The widely reported 'Europe versus Facebook' litigation is an example of 'citizen action' against organisations, which to date have only had to consider the risk of enforcement action by data protection authorities. The result is that firms now face the increasing risk of regulatory penalties and claims for damages from disgruntled data subjects.
The reform of European data protection rules has been widely publicised since the draft EU General Data Protection Regulation was first leaked in December 2011. The Regulation will update data protection rules across Europe. It has been heavily negotiated and subject to a record 3,000 amendments. If, as expected, it is finalised later this year, the Regulation will take effect in 2017.
The latest draft was published on 1 June, and enhances data protection authorities' powers significantly. The heavy penalties envisaged by the Regulation (up to two percent of worldwide annual turnover, potentially up to five percent or €100,000,000) have been widely discussed, and have been a wake-up call for many businesses.
Supervisory authorities' powers would be further enhanced with a new right to audit and access data controllers' and data processors' premises, a right to impose limitations on processing activities and the power to suspend transfers to third countries. These powers may not have captured attention to the same extent as the potentially enormous fines. However, any company that has been subject to a mandatory audit or suspension of its processing activities will know the crippling effect these powers can have on running a business.
In Europe, some member states appear to have taken steps to pre-empt the long-awaited Regulation. For example, the Netherlands recently introduced a new data protection law that will make breach reporting mandatory and enable the Dutch data protection authority to issue fines of up to €810,000 for non-compliance. The new law will take effect in January 2016, and Belgium appears likely to follow suit with similar legislation and penalties.
In parallel to European regulatory developments, the concept of privacy has been steadily taking shape. In the UK, the most recent decision in the Vidal-Hall v Google line of cases has significant implications. Google Inc v Vidal-Hall and Ors EWCA Civ 311 (27 March 2015) establishes the misuse of personal information as a tort (i.e. a civil wrong), and enables individuals to claim for compensation for pure distress under the Data Protection Act (DPA) 1998.
Existing privacy case law has tended to focus on high-profile celebrities, and section 13 of the DPA had been interpreted as permitting claims for pure distress only in a narrow set of circumstances, namely where the processing was for journalistic, artistic or literary purposes. Effectively, the right to privacy and the remedy under the DPA were irrelevant to most people. However, Vidal-Hall could enable individuals to claim for compensation from organisations that have misused personal data causing them distress, significantly widening the scope of potential claimants.
The much-publicised cyber attack on the Ashley Madison extra-marital dating site provides an example of pure distress arising from the misuse of personal information. Personal information relating to users of the site was revealed by a hacker and posted on the internet. Ashley Madison is alleged to have failed to delete members' personal information, despite having charged them a $19 erasure fee. Given that membership of the site alone could reasonably be interpreted as proof of guilt, disclosure of users' membership is likely to be a cause of significant distress.
Ashley Madison potentially risks enforcement action from data protection authorities across Europe if it is found not to have implemented appropriate security measures, and compensation claims from users of the site who have suffered distress from the belief that their information may have been revealed.
What can companies do?
Data protection has become a more significant risk for companies over a relatively short period of time. Not that long ago, the maximum fine for breaches of the DPA was £5,000, and there was little in the way of enforcement. Many companies took a pragmatic view, focusing on more pressing compliance issues, where the risk of penalties was perceived to be higher.
However, in 2010 the Information Commissioner's Office, which enforces the DPA, was awarded powers to fine up to £500,000. This trend looks set to continue with the introduction of yet higher fines under the Regulation and widening powers as explained above.
On a separate track, a right to privacy is emerging in case law, which could enable members of the general public to claim compensation for distress where their data has been misused. The Mirror Group phone hacking scandal may provide an example of damages for breaches of privacy - the actress Sadie Frost was awarded damages of £260,000 and the Mirror Group has set aside a fund of £16m to deal with further claims.
Given the relatively recent escalation in the severity of data protection rules, it is understandable why over-stretched legal and compliance departments may not yet have turned their attention to addressing the issue. However, given the likely extension and reinforcement of data protection authorities' powers, and the ability of individuals to take action, organisations should address the issue now.
James Castro-Edwards is a partner and head of data protection at Wedlake Bell LLP