In this article we consider the rights that the upcoming European General Data Protection Regulation will bestow on consumers and the consequent litigation that might bedevil financial institutions.

The General Data Protection Regulation is one of the most publicised pieces of legislation in recent years and is due to take effect on 25 May next year. In the run-up to this, the British Government has drafted a Data Protection Bill with the intention of following the principles of the Data Protection Act 1998 closely. So far, few financial firms have been concentrating on the dangers that litigation might bring.

The potential for litigation

The media coverage of the GDPR's provisions, along with numerous comments in the press about the swingeing fines that it is going to impose, have alerted consumers to the rights and remedies that the new regime is going to give them. In this article we explore two of those rights and the potential for litigation or complaint that will spring from them.  

Failure to erase personal data  

This right, often referred to as the 'right to be forgotten,' will allow people to ask private banks and other financial firms to erase their personal data. The right to erasure is not the same as an absolute 'right to be forgotten' and will only apply in certain circumstances, for example at times when the bank no longer needs to keep a piece of personal data for a specific purpose or when is processing it unlawfully.
 
Organisations will be able to refuse requests to erase data in certain cases, such as when they are required to comply with legal obligations to perform "public interest tasks" or for the exercise or defence of legal claims. The legislative desire that underpins the right is to enable individuals to ask firms to delete or remove personal data when there is no compelling reason for its continued processing. However, given the competing interests and the circumstances in which an organisation can refuse to deal with a request, there is clear potential for court action.

Credit reference agencies (such as Fitch, Moody's and Standard & Poor's) think it likely that they will receive numerous requests for the erasure of data, but they believe that in most cases the GDPR will not permit or compel them to uphold these requests. With the wide scope for potential confusion and misunderstanding of the right by consumers, we anticipate numerous claims and complaints from individuals who have had their request refused. The Information Commissioner's Office has made it clear that each request must be considered on its own merits.

Failure to rectify

The GDPR will reinforce the old Data Protection Directive's rule that calls for personal data to be accurate and up-to-date. People will be able to ask firms to revise or 'rectify' their personal data if it is inaccurate or incomplete. Each firm will have one month from the moment it receives a request in which to correct an inaccuracy. It might be allowed to extend this by a further two months if the case is complex.

Financial institutions are already facing many claims from people who think that incorrect credit reporting has harmed their credit ratings. Again, the rating agencies are anticipating a surge in requests from consumers who are being emboldened by the daily coverage of their rights in the media.

When an organisation holds incorrect data on its systems it might find itself committing further transgressions as a consequence. If, for example, it gets a consumer's address wrong, it may subsequently send sensitive information or personal data to the wrong person, thereby causing embarrassment or harm to the actual customer. That customer might then claim damages or complain to the ICO or to the Financial Ombudsman Service.

Compensation in each case is unlikely to be significant, but each firm ought to be wary of the costs involved in defending itself against a claim and the chance that that claim might expose other mistakes it has made, leading to other claims.
 
Remedies and liabilities

One of the most talked-about changes is the ICO's power to impose fines up to the higher of 4% of annual global turnover or £17 million, but Elizabeth Denham, the Information Commissioner, has recently commented that "issuing fines has always been and will continue to be, a last resort' and that 'focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point."

Although individuals will have the option of complaining to the ICO and the right to challenge its decisions in court, this will not give them the financial remedies that they feel they deserve; i.e. monetary recompense. The power to award compensation will remain with the courts and the Financial Ombudsman Service.

Under the Data Protection Act, nobody can claim damages unless they are linked to financial loss. The Court of Appeal's landmark ruling in Google v Vidal-Hall marked an important change and established that individuals whose data is not handled properly may be entitled to compensation for "mere distress" even if they have not suffered pecuniary loss. This right to compensation for distress is now enshrined in the GDPR.

Fines or litigation?

Although the press in the UK has talked a lot recently about data protection in general and the GDPR in particular, it has concentrated mainly on the sharp increase in fines. Perhaps of greater significance to the business world is the possibility that the GDPR will cause wide-ranging litigation and claims for damages. Organisations are likely to see a rise in claims of this nature, especially as the GDPR will continue to receive attention from both the media and consumer protection groups.

In the next in our series of articles about litigation in accordance with the GDPR, we shall cover data breaches and the right to compensation.

* Richard Hayllar can be reached on +44 (0)333 006 0436 or at richard.hayllar@TLTsolicitors.com. His co-authors are associate Emily Black and solicitors Alanna Tregear and James Tithecott.