Data Protection and the Rights of the Ordinary Individual
“If men will have multiple injuries, actions must be multiplied too; for every man that is injured ought to have his recompense” (Chief Justice Holt, 1704)
The predictions of flood gates opening and US class actions coming to the English courts following the implementation of the General Data Protection Regulation (GDPR) have been exaggerated; there has not yet been one.
The GDPR was expected to empower the individual and demand greater transparency from data controllers. Following the availability of group remedies with the Consumer Rights Act 2015 and the rise in litigation funding there appeared to be a receptive environment for potential group actions. However, UK representative actions are subject to restrictions under the Rules of Court, which means that they cannot develop into anything resembling the nature and scale of US class actions.
In the US the class action is a social institution. It regulates conduct, it is a deterrent, it rewards lawyers who act as gate keepers, and it compensates the public. Culturally the UK has not shown acceptance of US Court practices, particularly the class action. “Compensation culture” has not been viewed with universal approbation in the UK, by the public or the courts. The popular reaction to PPI exemplifies this; huge efforts by claims management companies have only resulted in 12 million claims being brought even though regulators estimate there are some 64 million miss-sold policies. The British public is reluctant to pursue compensation.
The UK government’s decision not to adopt the opt-out option in the GDPR Article 80(2) reflects the lack of enthusiasm. Opting-in requires any qualifying representative body to collect signatories with all parties choosing to opt-in. The criteria to qualify as a representative body include that they must be not-for-profit, have “statutory objectives which are in the public interest” and be “active in the field of the protection of data subjects’ rights and freedoms”. In the US a single claimant can represent an entire group, resulting in a large class action as claimants have to opt-out.
English common law requires that damages should be limited to compensation for an actual loss. The US operates a punitive damages regime; juries hear the case and set the damages, which can then be trebled if the judge considers the defendant should be punished. None of this applies in the UK.
There is a commercial barrier in the UK, as small amounts historically awarded in this jurisdiction for data breaches are insufficient to support a group action. The prospect of scant financial reward means there is little incentive for claimants to opt-in to a group action. Even if sufficient claimants can be identified, their reticence means that trial lawyers would not have a critical mass of claimants to represent.
There are no successful test cases and no financial incentives to make such costly and time consuming cases appealing for claimant firms or litigation funders. There is little to entice lawyers to build a case. Also, ironically, the unsolicited direct communications that the GDPR seeks to limit actually hinder the ability of claimant lawyers to find signatories for group actions and the chances of one happening.
In the RBS Rights Issue Litigation last year, the court ordered the funder to pay £7.5 million security on account of soaring costs. This shows a court can take into account the fact that a party is funding litigation on a commercial basis and seeking to profit from it. The costs order caused the funder to re-evaluate the risks of continuing the litigation, which had an influence on the final settlement reached in June 2017.
The structure of group actions and the funding mean that proceeds go into the pockets of litigation funders and claimant lawyers, not to the claimants themselves. Lloyd v Google case was the first time a data misuse representative action was brought in the UK. The cause of action was for misuse of confidential information and damages under section 13(1) of the Data Protection Act 1998. It concerned a “cookie” attached to the Safari app used in Apple iPhones, which, without the user’s knowledge or consent tracked “visits by the device to any website displaying an advertisement from [Google’s] vast advertising network, and to collect considerable amounts of information.” In the US, there had been a substantial regulatory penalty and payments in consumer based claims brought by the Attorney-Generals of 37 States. In England there had not even been a regulatory penalty.
The claim for damages was negotiated, based on what would be a reasonable price for a license to use the data. Mr Justice Warby (Warby J) held that this was not available under English Law for the collecting and misuse of data.
Warby J stated that the claimant was seeking to represent individuals who “have not authorised the pursuit of the claim, nor indicated any concern about the matters to be litigated”. Even though Google’s actions were potentially a breach of duty, “the main beneficiaries of any award by the end of this litigation would be the funders and the lawyers by a considerable margin” and that the case would consume a “considerable amount of court time”. The claimant claimed to be a “representative claimant” under CPR 19.6 alleging a group with a shared grievance. However, loss would have to be assessed on an individual basis and there was not a “shared interest” between the individuals, a requirement for a representative action. The judge did not allow the case to proceed.
There is no track record for data abuse group claims being successful in the UK, no financial inducements for lawyers or funders, and nothing to whet the appetite for individual claimants to become involved. When the Consumer Rights Act 2015 was introduced with its opt-out clause relating to damages actions, there were similar predictions that there would be a wave of US-style class actions. Collective proceeding orders under section 47B of the Competition Act 1998 (which allows opt-out proceedings) were not granted by the Competition Appeal Tribunal on the facts in Dorothy Gibson v Pride Mobility Products Limited (mobility scooters) and Walter Hugh Merricks v MasterCard Incorporated (Credit Card charges). The GDPR does not provide as much scope as section 47B, as in the UK it is opt-in only.
The Morrisons data breach case might indicate that there could be certain group actions. Mr Justice Langstaffe held that although the supermarket was not the data controller and had no personal liability for a data leak affecting some 100,000 employees, it was vicariously liable for the data controller. The case provided employees with the opportunity to claim compensation against their employer for distress: Various Claimants v Wm Morrisons Supermarket Plc  3 W.L.R. 691. There is a strong policy argument for protecting employees and giving them an effective remedy against their employer for data leakage. Employees should receive compensation when the data controller, a person given that role and funded by the employer, is liable for data leakage.
Culturally, economically and legally the UK is not yet receptive to group actions on the scale of US class actions. Regulatory bodies can impose fines. The EU directive offered member states the opportunity to provide redress to individuals damaged through data abuse, on an opt out basis. That opportunity has not been taken, at least until 2020 when there is the opportunity for the UK Government to review implementation of Article 80. Roman law set the bar with its principle of ‘Ubi jus ibi remedium’ (where there is a right there is a remedy). This is a fundamental principle of the English common law; Chief Justice Holt said in 1704, “…It is no objection to say that it will occasion multiplicity of actions; for if men will have multiple injuries, actions must be multiplied too; for every man that is injured ought to have his recompense.” Data misuse is an area where the rights of the ordinary member of the public are yet to be protected with an effective remedy.
The End is Nigh for the Non-Dom Regime
Published in ThoughtLeaders4 Private Client Magazine, Helen McGhee expert analysis of the current state of non-dom tax regime and it's future.
HMRC Makes Changes to COP9
On 14 June 2023, HMRC published a substantially rewritten Code of Practice 9 (“COP9”). Helen McGhee and Megan Durnford set out the key changes implemented as a result of this publication.
Pandora Papers: HMRC issues nudge letters
The Pandora Papers leak of almost 12m documents back in 2021 purportedly exposed the secret accounts and dealings (including potential tax evasion/ avoidance and money laundering) of 35 world leaders (including the late HM Elizabeth II), as well as many politicians and billionaires. The data was obtained by the International Consortium of Investigative Journalists in Washington DC and led to one of the biggest ever global financial investigations.
Increased Investment in Personal Tax Compliance in the UK (Published in Thought Leaders 4 Private Client)
Advances in technology and increased international fiscal co-operation have made global personal tax compliance initiatives pop up in abundance in recent years. To compound the issue, the Russian invasion of Ukraine and the corresponding economic fallout prompted domestic governments to increase transparency in relation to investments held by wealthy foreign individuals (with a focus on oligarchs).
In the UK, in the context of the cost-of-living crisis, public opinion certainly seems to be in favour of increased accountability for high-net-worth individuals (eg, on 9 October 2022, 63% of Britons surveyed thought that “the rich are not paying enough and their taxes should be increased”).1
HMRC is one of the most sophisticated tax collection authorities in the world and the department is making significant investments in technology in the field of compliance work; they are well placed to take advantage of new international efforts to increase tax compliance, particularly considering the already extensive network of 130 bilateral tax treaties in the UK (the largest in the world).2 The UK was also a founding member of the OECD’s Joint International Taskforce on Shared Intelligence and Collaboration (JITSIC) forum.
This article discusses the main developments in support of the increased focus on international transparency and personal tax compliance in the UK. There are other international fiscal initiatives, particularly in the field of corporate taxation, but such initiatives are beyond the scope of this article.
It should be noted that a somewhat piecemeal approach, with constant tinkering makes compliance difficult for the taxpayer and is often criticised for lacking the certainty that a stable tax system needs to thrive.
This article was first published with ThoughtLeaders4 Private Client Magazine
Tax-Related Measures in the Autumn Statement 2022
On 17 November 2022, the Rt Hon Jeremy Hunt MP, the Chancellor of the Exchequer, unveiled the contents of the Autumn Budget 2022. This comes after the International Monetary Fund (IMF) published its world economic forecast on 11 October 2022. The IMF expects the British economy to grow 3.6% in 2022 and 0.3% in 2023. Other major developed economies are also expected to stagnate next year, namely Spain (1.2%), the US (1.0%), France (0.7%), Italy (-0.2%) and Germany (-0.3%).
This note focuses on tax measures included as part of that statement.