Breaking the link between GDPR breach transparency and pain

March 11, 2021

The data breach notification and transparency requirements of the General Data Protection Regulation are fuelling “micro-claims” for compensation, in addition to high-profile class action lawsuits. Stewart Room, preparing for his session at PrivSec Global, suggests the current system is creating perverse incentives and argues for a better solution.

“What the General Data Protection Regulation (GDPR) has done is to create transparency obligations and this is an oxygen, a fuel for the fires we are talking about,” says Stewart Room.

Room, an experienced data protection lawyer and familiar face to privacy and security audiences, is explaining how several factors are leading to more compensation claims for data breaches. He believes this is ultimately leading to changes in behaviour from organisations, not all of them positive.

The Global Head of Data Protection, Privacy and Cyber Security Legal, Strategy and Consulting Services at law firm DWF is better placed than most to critique systems for security and data handling.

For more than 20 years Room has worked in the data protection field, from designing, building and operating data protection programmes to appearing in court to defend organisations accused of breaches.

As you would expect, he has strong views on how current regulatory systems should change in the light of compensation claims arising from breach notifications.

Before we come to suggested remedies though, we ask Room to explain why there appears to be an increase in claims for data breaches.

Room says there are four key factors.

The first is simply that GDPR requires transparency for personal data breaches.

“That therefore creates an inevitability of claims, because there’s a correlation between the number of people that you tell about a breach, and the number of claims you’re going to receive,” says Room.

Data breach notifications appear to be on the rise across Europe. Law firm DLA Piper published research showing there were 331 notifications per day across Europe in 2020, an annual increase of 19%. It is therefore self-evident that more people will have the opportunity to claim compensation.

The second factor, says Room, concerns the visibility of operational failure. When something goes wrong the details will “inevitably leak out” even if the company doesn’t want them to. This in part has contributed to the third factor, which is an increase in awareness of data protection rights and people being aware they can claim compensation. This is fuelling large numbers of small claims, says Room, in addition to the group actions against the likes of Facebook that have made the headlines recently.

And the fourth inter-linked factor is the emergence of a whole industry around helping people claim. “Claims as an industry is becoming industrialised, it is similar to the Payment Protection Insurance (PPI) mis-selling industry. Where there is blame there is a claim.”

So what impact is all of this having on companies?

Firstly, says Room, there is a great deal more caution in the way that breach notifications and communications are being drafted, due to fear of liability and of admitting guilt. Previously, Room says, organisations would “wear sackcloth and ashes” in their notifications; it would be a “self-flagellation of apology”.

Now that has changed and organisations often fear, wrongly sometimes, that an apology would leave them open to liabilities, says Room.

“In the basic manifestation of personal data breach notification we’ve seen a change in style and how those things are written,” he says.

Another major change has seen organisations looking to move liability across their supply chain, via legal arguments, mechanisms and contracts. Due to the potential for huge fines under GDPR, Room advises his clients to take this seriously.

Room says: “Five years ago, passing on liability across the supply chain wasn’t a principal conversation, this is now one of the very first issues you look at.”

Does this matter? Room argues that all of this runs the risk of being a distraction.

“A culture of litigation and legal risk is not compatible with the goals of instant response, which should be purely operational,” says Room.

A more fundamental problem with the system, as Room sees it, concerns the perverse incentives it creates. “The most perverse incentive is to cover up. If you think you are going to be fined, and it’s a significant worry to you, the natural human reaction is to be less transparent.”

And this is where Room’s suggested remedy comes in.

He believes this “link between instant pain (fines) and transparency” needs to be broken.

He suggests that in some circumstances organisations should be rewarded for their transparency by not being fined.

“It is not to say that pain should never be meted out; it is that we’ve got to stop it being the instant reaction. And what does that look like? If an organisation is fully transparent and co-operates with the regulator’s reasonable requests, that could be a set of conditions under which, as a matter of law, there shall be no fine,” says Room.

The fines would instead be reserved for those that “truly deserve it”, by not being transparent about breaches or not being co-operative.

This, Room suggests, would at a stroke incentivise transparency, as it would reduce the risk of penalties for breaches.

“I think we can create legal systems that operate in a better way. Brexit gives us the chance to look at the GDPR again, and it is defective in so many ways,” says Room.

Whether these changes will be made remains to be seen, but they certainly provide plenty of food for thought.

Stewart Room will be speaking at Growing Trend: Class Action Cases at 4.30pm on 24 March at PrivSec Global