Is consumer protection legislation fit for purpose?
When the UK’s Court of Appeal last month allowed a class action against Google to proceed, data protection campaigners said it marked a watershed moment for consumers.
Not only did it cement the ability for individuals to collectively challenge tech giants using US-style litigation in European courts, but it reinforced the idea that the loss of data security and control is a fundamental harm done to consumers.
The activists and legal experts behind the “Google You Owe Us” case — which accuses Google of unauthorised collection of user data — say that data protection law and regulatory enforcement fall short both in practice and in design.
“When it comes to data loss, there is a big gap around people’s ability to hold companies to account,” says Richard Lloyd, a consumer rights champion who brought the Google You Owe Us case. “The government has failed to equip consumers with that right to work together collectively in a meaningful way, so we are trying to fill a gap in the law.”
Under the EU’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act, companies can be fined for failing to comply with rules for data usage and protection, and consumers are entitled to information and control over how their personal data are used and protected. However, experts say enforcement agencies are overstretched, and there is no explicit provision for individual consumers to hold companies accountable.
Google did not respond to a request for comment. In a statement in October the company said the case had “no merit and should be dismissed”.
James Oldnall, a partner at law firm Mishcon de Reya advising on the Google You Owe Us claim, says that GDPR’s penalties have forced businesses to consider their data protection obligations, and the focus on data ownership has prompted consumers to consider the value of their personal data.
“We are still struggling to determine the economic value of personal data,” he says. “Historically there has been limited protection for personal data, which has led to it being undervalued and effectively bought in a ‘Wild West’ environment where it has been obtained illegally or very cheaply. There’s got to be an economic reckoning.”
Europe’s data protection legislation treats loss of control over personal data as a fundamental harm done to consumers, and even offers a right to collective action and compensation, although this is left to the discretion of each member state.
By recognising data loss and privacy violations as a fundamental harm — alongside more typical harms such as financial loss or emotional distress — the Google case is an important development for other data leak cases. One such example is the set of claims against British Airways over a 2018 breach in which hackers stole the data of 500,000 of its customers.
Aman Johal, director of consumer rights law firm Your Lawyers, which is representing consumers in a claim against the airline, says class action cases are required because GDPR is not improving cyber security practices nor effectively protecting consumers from data loss, as highlighted by regular data breaches.
The regulation — along with lessons learnt from widely publicised breaches against credit rating agency Equifax and telecoms group TalkTalk — should prompt companies to assess their vulnerabilities and bolster their defences, Ms Johal says. BA fell victim to a cyber attack that was already known to have breached Ticketmaster, the ticketing website.
“British Airways’ breach was totally avoidable, and it is criminal that a large company like [BA’s parent company] IAG allowed it to happen,” she says. “Despite the huge awareness campaign ahead of GDPR, it’s disappointing that IAG, a company with millions of customers, was so easily hacked with unsophisticated methods.”
BA has defended its security practices and attributed the breach to a “sophisticated, malicious, criminal attack”.
NOYB, the European digital rights organisation based in Vienna, has submitted more than 20 data breach complaints to authorities in different jurisdictions to test the efficacy of GDPR.
Initially, the group operated under the assumption that Europe’s new regulation would accelerate the process of investigating and responding to data breaches, but NOYB says the handling of its first four complaints filed in May 2018 has failed to live up to the promise of swift and efficient enforcement.
Gaëtan Goldberg, NOYB data protection lawyer, says GDPR’s mandated cross-border collaboration between enforcement agencies should, in principle, empower consumers to hold multinational companies accountable.
But this mechanism, Mr Goldberg believes, is delaying authorities as data protection agencies follow their own procedural rules. Cross-border complaints require local authorities to grapple with and interpret complexities in national laws outside their jurisdictions, a prospect that Mr Goldberg calls “highly unrealistic”.
Ambiguities in GDPR itself are likely also causing delays, he adds. Some cases will have to be passed to the Court of Justice of the EU (CJEU), Mr Goldberg says. An academic analysis of recent cases before the CJEU also found that “there is an enormous gap between legislation and practice”, due to cross-border issues and regulatory ambiguities.
In July, the UK’s Information Commissioner’s Office stated its intention to fine BA £183.4m and Marriott, the hotel group, £99.2m for substandard cyber security practices that led to data breaches. Both companies are contesting the fines. Mr Goldberg is concerned that these penalties have yet to materialise.
“These long delays could cause a chilling effect on [consumers] when trying to enforce their fundamental right to data protection,” he says.