UK Ministry of Justice Announces Changes Regarding Privacy and Data Protection Claims
This summer the ICO has issued significant fines in relation to high profile data breaches since acquiring its new “GDPR charged” powers. With less publicity, but nonetheless important given the increasing awareness of the rights of data subjects to claim damages for breaches of data protection legislation, the Ministry of Justice has recently announced that there are going to be some changes to the Civil Procedure Rules (“CPR”) from 1 October 2019 onwards as regards privacy and data protection claims. Court Rules dealing with defamation cases (CPR Part 53 and the related pre-action protocol) will be amended such that they will also become applicable to any case that includes a claim for misuse of private information, data protection or harassment by publication.
Pre-action letters of claim for data protection claims will need to include:
- The identity of the data subject;
- The data controller to which the claim is addressed;
- The information claimed to constitute personal data;
- Details of the relevant processing;
- Identification of the duty(ies) breached and details of the manner in which they have been breached;
- Why the data ought not to be processed;
- Nature and details of damage caused; and
- The basis of any group claim if one is being made.
This means that the initial letters of claim will need to have more detail in than data subject claimants have perhaps been getting away with in the past. There is also a specific obligation on the parties to act reasonably to keep costs proportionate to the nature and gravity of the case and the stage the complaint has reached.
That in itself seems positive news. However, the Rule changes also designate the Media and Communications List as a specialist List of the High Court in which any claim for data protection and misuse of private information must be brought and provide rules about what the statements of case must contain and deal with transfers in and out of that List. This means that any High Court claims will have to be issued in the High Court in London and claims issued in courts elsewhere in the country will be transferred to London (potentially increasing costs for both sides). If cases are relatively straightforward and obviously low value then it would still be possible to issue proceedings in the County Court rather than High Court but there could well be scope for procedural battles between Claimants, who want to issue in the High Court to get a better chance at cost recovery, and Defendants, who want to get cases transferred to the County/Small Claims Court to limit costs. These arguments could well lead to an increase in costs and drag out the length of time cases take further.
There has not been much commentary about the impact of these changes yet. They are likely to be seen as a good thing for cases with substance but could add costs for the smaller, straightforward cases. Whether that acts as a disincentive to data subjects in bringing claims for damages data breaches remains to be seen.