Nick McAleenan, partner, media and communication law, JMW Solicitors

It might seem peculiar to acknowledge the contribution made by reality TV contestants to increasing the legal rights and responsibilities of every citizen and business in the UK.

However, it's worth pointing out that they have unconsciously played their part in developing the case analysis undertaken by lawyers in data breach cases.

The legal checklist for such cases has been influenced and refined in recent years by various different factors, including, for example, a belated readiness to employ a near 20-year-old data protection law.

High-profile data leaks have brought the issue of data management to a point of critical digital mass and legal requirements are obliging companies to muster an extremely robust response to ward off reputational, regulatory and financial damage.

Whilst a lot of attention has been focused on the implications of the EU data protection reforms (which are still set to come into force in 18 months' time despite Brexit), an important driver has arguably been the development of privacy law through court cases, something which has been thrown into especially sharp relief in the UK.

Significant legislation governing data protection (Data Protection Act) and privacy (Human Rights Act) was introduced in 1998. Even so, data protection case law has developed far more slowly, principally because of the historic requirement to prove that infringement had resulted in financial loss.

Privacy law has evolved more quickly through a succession of judgements, many of which have related to celebrities and football stars. Furthermore, the long-standing damages standard - set by News of the World allegations about a motor racing official involved in a Nazi-themed orgy - has been raised still higher by ‘phone hacking’ judgements. The potential consequences for organisations considered at fault have also escalated.

Data protection law, on the other hand, is certainly not toothless. If anything, I believe that the DPA provides a far wider range of rights than privacy laws, including the ability to find out what information is held - via a Subject Access Request - and influence both the type of data held and what happens to it.

Even though some individuals have suggested that the DPA is an analogue law applied to the digital age, I disagree. Were it as prescriptive as some would have it, it would be inflexible and need to be constantly updated to take account of fresh security threats.

It may have been introduced before mass adoption of Web 2.0 and associated technology impacted on how we do business but the DPA is now being applied to meet changing circumstances.

A recent claim that Google's tracking of online searches amounted to a legal breach came to a close as recently as last summer after a Court of Appeal ruling. Critically, it removed the hurdle of demonstrating ‘financial loss’ which had previously proven difficult to overcome in data protection cases.

Claimants in that case were confronted with familiar issues, whether they involve one person or business or - as in the case of the Morrisons supermarket data leak - many thousands of individuals.

Initially, it can be problematic trying to ascertain what exactly has happened in a specific data leak case. Companies frequently take time to discover the root cause for themselves and, along with police and the Information Commissioner (ICO), will regard investigation and containment as greater priorities than communication with lawyers working on behalf of a potential claimant.

Often, key evidence comes from clients themselves, who will describe what they may have been told at that stage as well as whether, for example, they have experienced theft of cash, identity or other negative repercussions as a result.

The next step is to establish whether the organisation responsible for looking after data has done what it should. Has it followed regulators' guidelines or its own privacy policy? Has it taken the sort of appropriate steps to protect the information as required by law or its own promises to those affected? If an employee was to blame, what was their role and what are the circumstances?

Depending on how a company responds, a legal complaint might proceed to a trial involving large numbers of affected individuals. Although a group action might seem daunting, running litigation in this way is actually more efficient than a large number of related cases all proceeding independently.

One important point for companies who suffer a breach is the nature of a response to a claim. Those who adopt a confrontational attitude or treat the case as a standard commercial dispute are usually regarded by the victims as only inflaming matters - something which usually has a bearing on the size of compensation due.

Having advised both companies and private individuals, it seems that more enlightened organisations do not just embed data security in all of their firm's decision-making but, in the aftermath of a data breach, they are actually able to rebuild trust and confidence in their brand because of the manner in which they react.

The EU has proclaimed that its reforms will be “good for citizens and good for businesses”. If they encourage the safe and responsible use of the sort of data on which we all rely, we will no doubt regard Brussels as wholly correct.

Contributed by Nick McAleenan, partner, media and communication law, JMW Solicitors