Standard of care
Much of the advice which is being obtained in relation to
GDPR is from lawyers. In that situation, the standard of care required is
straightforward: the reasonable care and skill of the solicitor or barrister,
although there may be some scope for argument as to the level of specialisation
expected. Is it the reasonable care and skill of a commercial solicitor, or is it
that of the solicitor specialising in information/data protection law?
In many cases it will be the latter, because of the way that
advisers have been holding themselves out as specialists: see Jackson & Powell on Professional
Liability, 8th edition, §11-101. Sometimes the specialism can be really
quite precise, as recently in Agouman v
Leigh Day [2016]
EWHC 1324 (QB) where it was that of ‘a reasonably competent firm with a
department specialising in group litigation for unsophisticated clients arising
from events in a poor and unstable African country’.
The position could be more difficult where the advice has
not been given by legal professionals. Many have been advertising their
services as ‘GDPR consultants’. By what standard are they to be judged?
If, although not lawyers, in fact they have strayed into
giving legal advice, it is suggested that they will be judged by the standards
applicable to the legal profession: Jackson
& Powell, §2-137.
But if they have not given legal advice, can they be judged
by the standard of ‘the reasonably competent GDPR consultant’? That would
entail expert evidence from other GDPR consultants, but as these are not
necessarily a part of a homogeneous group, and as this specialism has sprung up
relatively recently, it may be challenging for such an expert to give the
requisite evidence of the accepted standards in the profession, rather than the
(inadmissible) evidence of what he/she would have done differently.
Breach of duty
We will have to wait and see what specific errors come to
light. Errors are inevitable, because of the length, complexity and opacity of
the Regulation.
There may be cases in which the ICO or the courts adopt an
unexpected interpretation of a particular provision, in which case it may be
possible to argue that the interpretation placed on it by the adviser, although
subsequently shown to have been incorrect, was not in fact negligent.
But equally, the complexity of the Regulation may mean that
the adviser has a duty to put forward competing analyses as possible outcomes.
The question of when a professional person owes a duty to advise that there is
a risk that his or her advice is not right has been a recent hot topic, see:
- Balogun v Boyes Sutton & Perry [2017] EWCA Civ 75, where the Court of Appeal held that, although the defendant solicitors had correctly interpreted the provisions of a lease, they had owed a duty to advise about the risk of a court coming to a contrary conclusion to their views;
- Barker v Baxendale-Walker Solicitors [2017] EWCA Civ 2056, where the Court of Appeal held that a firm of solicitors should have warned an investor about the risks of a tax scheme failing. The Court of Appeal stated that a lawyer ‘as part of the legal advice that he is providing must evaluate the legal position and determine whether in all of the circumstances, he should advise his client that there is a significant risk that the view he has taken… may be wrong’.
Causation, mitigation and loss
There will be enormous scope for arguments about causation
and related principles.
Organisations may have to make decisions between (i) a
strategy or policy which is most likely to be GDPR compliant but does not fit
at all with their operational model, and (ii) one which suits their business
much better but which does not give quite the same certainty on compliance.
If the decision can later be seen to have been the wrong
one, will that organisation be able to prove that differently advised it would
have taken a different decision?
Where enforcement action is threatened or taken, such as
regulatory fines being imposed, we anticipate that many of the same issues will
arise as are frequently encountered in claims against accountants and auditors.
For example:
- Has the claimant acted suitably to mitigate its loss, eg by self-reporting at the earliest opportunity and acting if necessary to curtail the damage?
- Has the claimant made suitable efforts to negotiate the size of the fine? Note, though, that a claimant is not normally expected to engage in expensive litigation to mitigate a defendant’s breach.
- Did the regulator only take action because of continuing failures by the claimant, which the professional can say broke the chain of causation?
- If the client has been subject to criminal penalty, is a defence of illegality available to the professional?
- If the problem was raised with the professional, did the professional take appropriate steps to assist? In this context, what actions will a court expect the professional person to have taken to stop data leaks from getting worse, given the requirements to comply with the GDPR?
The sorts of innovative steps that can be taken were
illustrated recently in PML v Persons
Unknown (responsible for demanding money from the Claimant) [2018] EWHC 838
(QB), where Nicklin J granted an injunction against unnamed hackers, which
could then be used to prevent third parties publishing the information.
Issues are likely to arise too under South Australia Asset Management Corpn v
York Montague Ltd [1997] AC 191 and BPE v Hughes Holland [2017] UKSC 21,
which raise the familiar distinction between the professional who provides
information and the professional who gives advice and is therefore responsible
for the wider consequences of that advice being wrong. In this area there could be
real risks for GDPR professionals: many of the advertisements we have seen do
not merely offer information about the requirements, but promise to assist
clients in ensuring GDPR compliance, and the consultants may be deemed to be ‘guiding’
the businesses on how to conduct themselves.
Limitation
It will probably take some time for the problems to start
coming to light, as there will be a strain on the resources of bodies such as
the ICO in taking enforcement action; so the first legal cases will take some
time to work their way through the litigation process. In years to come, limitation
arguments will arise.
Claimants will argue that they only suffered damage to found
the cause of action in tort for the purposes of s 2 of the Limitation Act 1980
when the ICO imposed the fine on them, or when they had to agree to pay
compensation to the client.
But that is a difficult argument because the likelihood is
that, following cases such as Forster v
Outred & Co [1982] 1 WLR 86, the claimant will probably have suffered
damage at the time when it put in place practices which have proved to be
defective; that is the point at which its potential liability arose.
Of course, as with so many claims against professionals, s
14A of the Limitation Act 1980 may come to the rescue, giving the claimant
three years to bring a claim from the date of their relevant knowledge.
But one of the features of GDPR so far has been the extent
to which the threats and challenges have been well publicised in the national
press and through channels such as LinkedIn and Twitter. It is to be anticipated
that enforcement decisions, successful claims for compensation and so on will
be similarly well publicised.
Thus there will be arguments that even if a claimant was not
itself the subject of enforcement action at the time, it ought to have been alerted
to a potential problem because it should have considered the reports of
difficulties encountered by other organisations which had been advised by the
same consultants, or which had adopted the same practices.
Neil Hext QC, Stephen Innes and Helen Evans are barristers
at 4 New Square: n.hext@4newsquare.com, s.innes@4newsquare.com, hm.evans@4newsquare.com