Data Protection and the Rights of the Ordinary Individual
“If men will have multiple injuries, actions must be multiplied too; for every man that is injured ought to have his recompense” (Chief Justice Holt, 1704)
The predictions of floodgates opening and US class actions coming to the English courts following the implementation of the General Data Protection Regulation (GDPR) have been exaggerated; there has not yet been one.
The GDPR was expected to empower the individual and demand greater transparency from data controllers. Following the availability of group remedies with the Consumer Rights Act 2015 and the rise in litigation funding, there appeared to be a receptive environment for potential group actions. However, UK representative actions are subject to restrictions under the Rules of Court, which means that they cannot develop into anything resembling the nature and scale of US class actions.
In the US the class action is a social institution. It regulates conduct, it is a deterrent, it rewards lawyers who act as gatekeepers, and it compensates the public. Culturally the UK has not shown acceptance of US Court practices, particularly the class action. “Compensation culture” has not been viewed with universal approbation in the UK, by the public or the courts. The popular reaction to PPI exemplifies this; huge efforts by claims management companies have only resulted in 12 million claims being brought even though regulators estimate there are some 64 million mis-sold policies. The British public is reluctant to pursue compensation.
The UK government’s decision not to adopt the opt-out option in the GDPR Article 80(2) reflects the lack of enthusiasm. Opting-in requires any qualifying representative body to collect signatories with all parties choosing to opt-in. The criteria to qualify as a representative body include that they must be not-for-profit, have “statutory objectives which are in the public interest” and be “active in the field of the protection of data subjects’ rights and freedoms”. In the US a single claimant can represent an entire group, resulting in a large class action as claimants have to opt-out.
English common law requires that damages should be limited to compensation for an actual loss. The US operates a punitive damages regime; juries hear the case and set the damages, which can then be trebled if the judge considers the defendant should be punished. None of this applies in the UK.
There is a commercial barrier in the UK, as small amounts historically awarded in this jurisdiction for data breaches are insufficient to support a group action. The prospect of scant financial reward means there is little incentive for claimants to opt-in to a group action. Even if sufficient claimants can be identified, their reticence means that trial lawyers would not have a critical mass of claimants to represent.
There are no successful test cases and no financial incentives to make such costly and time-consuming cases appealing for claimant firms or litigation funders. There is little to entice lawyers to build a case. Also, ironically, the unsolicited direct communications that the GDPR seeks to limit actually hinder the ability of claimant lawyers to find signatories for group actions and the chances of one happening.
In the RBS Rights Issue Litigation last year, the court ordered the funder to pay £7.5 million security on account of soaring costs. This shows a court can take into account the fact that a party is funding litigation on a commercial basis and seeking to profit from it. The costs order caused the funder to re-evaluate the risks of continuing the litigation, which had an influence on the final settlement reached in June 2017.
The structure of group actions and the funding mean that proceeds go into the pockets of litigation funders and claimant lawyers, not to the claimants themselves. The Lloyd v Google case was the first time a data misuse representative action was brought in the UK. The cause of action was for misuse of confidential information and damages under section 13(1) of the Data Protection Act 1998. It concerned a “cookie” attached to the Safari app used in Apple iPhones, which, without the user’s knowledge or consent, tracked “visits by the device to any website displaying an advertisement from [Google’s] vast advertising network, and to collect considerable amounts of information.” In the US, there had been a substantial regulatory penalty and payments in consumer-based claims brought by the Attorneys General of 37 States. In England there had not even been a regulatory penalty.
The claim for damages was negotiated, based on what would be a reasonable price for a licence to use the data. Mr Justice Warby (Warby J) held that this was not available under English law for the collecting and misuse of data.
Warby J stated that the claimant was seeking to represent individuals who “have not authorised the pursuit of the claim, nor indicated any concern about the matters to be litigated”. Even though Google’s actions were potentially a breach of duty, “the main beneficiaries of any award by the end of this litigation would be the funders and the lawyers by a considerable margin” and that the case would consume a “considerable amount of court time”. The claimant claimed to be a “representative claimant” under CPR 19.6 alleging a group with a shared grievance. However, loss would have to be assessed on an individual basis and there was not a “shared interest” between the individuals, a requirement for a representative action. The judge did not allow the case to proceed.
There is no track record for data abuse group claims being successful in the UK, no financial inducements for lawyers or funders, and nothing to whet the appetite for individual claimants to become involved. When the Consumer Rights Act 2015 was introduced with its opt-out clause relating to damages actions, there were similar predictions that there would be a wave of US-style class actions. Collective proceeding orders under section 47B of the Competition Act 1998 (which allows opt-out proceedings) were not granted by the Competition Appeal Tribunal on the facts in Dorothy Gibson v Pride Mobility Products Limited (mobility scooters) and Walter Hugh Merricks v MasterCard Incorporated (Credit Card charges). The GDPR does not provide as much scope as section 47B, as in the UK it is opt-in only.
The Morrisons data breach case might indicate that there could be certain group actions. Mr Justice Langstaff held that although the supermarket was not the data controller and had no personal liability for a data leak affecting some 100,000 employees, it was vicariously liable for the data controller. The case provided employees with the opportunity to claim compensation against their employer for distress: Various Claimants v Wm Morrisons Supermarket Plc  3 W.L.R. 691. There is a strong policy argument for protecting employees and giving them an effective remedy against their employer for data leakage. Employees should receive compensation when the data controller, a person given that role and funded by the employer, is liable for data leakage.
Culturally, economically and legally the UK is not yet receptive to group actions on the scale of US class actions. Regulatory bodies can impose fines. The EU directive offered member states the opportunity to provide redress to individuals damaged through data abuse, on an opt-out basis. That opportunity has not been taken, at least until 2020 when there is the opportunity for the UK Government to review implementation of Article 80. Roman law set the bar with its principle of ‘Ubi jus ibi remedium’ (where there is a right there is a remedy). This is a fundamental principle of the English common law; Chief Justice Holt said in 1704, “…It is no objection to say that it will occasion multiplicity of actions; for if men will have multiple injuries, actions must be multiplied too; for every man that is injured ought to have his recompense.” Data misuse is an area where the rights of the ordinary member of the public are yet to be protected with an effective remedy.
Offshore Structures and Onward Gifts
The so-called “onward gift” tax anti-avoidance rules were introduced by the Finance Act 2018 to complement the changes brought in the previous year aimed at restricting the UK tax privileges afforded to non-UK domiciled individuals. The rules were designed to close some perceived loopholes in relation to the taxation of non-UK resident structures (including but not limited to non-UK trusts). With effect from 6 April 2018, it would no longer be possible for an individual to receive a gift without questioning its provenance, particularly where family trusts are involved.
The rules were designed to prevent non-UK structures from using non-chargeable beneficiaries as conduits through which to pass payments in order to avoid tax charges. Gone are the days of “washing out” any trust gains that could be matched to offshore income or gains by prefacing a payment to a UK-resident taxable beneficiary with a non-taxable primary payment to a non-UK resident beneficiary.
“It is notoriously challenging to prove a negative (especially to HMRC) and even more tricky where the taxpayer must speak to someone’s intention other than their own.”
Note that the new rules will apply where funds are received from non-UK resident structures before 6 April 2018 to the extent that they are subsequently gifted after that date.
Increased Investment in Personal Tax Compliance in the UK
Changes in public opinion, advances in technology and increased international fiscal co-operation have made global personal tax compliance initiatives pop up in abundance in recent years. In addition, the Russian invasion of Ukraine and the corresponding economic fallout have prompted governments to increase transparency in relation to investments by wealthy foreign individuals in their countries.
The UK’s HMRC is one of the most sophisticated tax collection authorities in the world and the department is making significant investments in technology in the field of compliance work.
It should therefore be well placed to take advantage of new international efforts to increase tax compliance, particularly against the backdrop of the already extensive network of bilateral tax treaties in the UK, and not forgetting that the UK was a founding member of the OECD’s Joint International Taskforce on Shared Intelligence and Collaboration (JITSIC) forum.
This article discusses the main developments in support of the increased focus on international transparency and tax compliance in the UK. There are other international fiscal initiatives, particularly in the field of corporate taxation, but such initiatives are beyond the scope of this article.
Case note: Lynton Exports (Alsager) Ltd v Revenue and Customs Commissioners  UKFTT 00224 (TC)
As HMRC continue to apply the Kittel principle to increasing numbers of industries and businesses, taxpayers need to be vigilant about evidential requirements that HMRC must fulfil in order to discharge their burden of proof. Read JHA’s latest insight into the First-tier Tribunal’s decision in Lynton Exports (Alsager) Ltd v Revenue and Customs Commissioners  UKFTT 00224 (TC).
If you require any further information about the Kittel, Mecsek, and Ablessio principles, or any other allegations by HMRC of fraud or fraudulent abuse, please contact Iain MacWhannell (email@example.com).
Preparing for the Possibility of a Domicile Enquiry
Helen McGhee, a director and chartered tax advisor at Joseph Hague Aaronson, explores who might be vulnerable to an HMRC enquiry on domicile and how best to deal with such enquiries.
The Kittel Principle - Sweet Sixteen
The following is an article written by David Bedenham about HMRC’s wide-ranging application of the ‘Kittel principle’. The current focus appears to be very much on the labour supply industry and the allegation of ‘Mini Umbrella Company Fraud’ (or ‘MUC Fraud’). This article highlights the need for taxpayers to get specialist advice at an early stage when faced with a Kittel decision. If you have any queries about Kittel-related issues or similar denials of input VAT or assessments to VAT, please contact Iain MacWhannell (firstname.lastname@example.org).