By Colin Hutton, partner and cyber security specialist at law firm CMS
WHILE the SNP would have been pleased with its strong performance in May’s European elections, the party’s campaign got off to an unfortunate start when thousands of personalised letters (part of a mailshot to more than 400,000 Scottish voters) were sent to the wrong people. It was widely reported at the time how this error had caused some distress among mainly elderly recipients who were concerned their address was being targeted by fraudsters. The SNP, quite properly, reported itself to the Information Commissioner (ICO) and an investigation is now under way with the party facing potential regulatory fines.
The need to exercise care with mass communications – whether to the electorate or to another audience such as a business’s customer base – is not, however, only about potential ICO fines. Under GDPR, individuals have the right to seek damages for data breaches, including for distress. While each individual claim may not be a major issue, the potential for class actions most certainly is – and if Scotland adopts the US-style opt-out class action procedure, this will have a significant impact.
The UK civil justice system does not presently support opt-out class action procedures (other than in the Competition Appeal Tribunal). Instead, group claims currently proceed on an opt-in basis, requiring active participation by each individual claimant. If the opt-out procedure is adopted in Scotland, all potential claimants in the class would automatically be included without the need for individual participation. Under this model, a data breach that occurred in the context of an electoral mailshot that was being sent to all of Scotland’s 4.11 million registered voters could have severe consequences. Even if each individual claim was valued at just £10, the automatic inclusion of all claimants would create a significant damages liability.
The primary legislation is already in place to support the introduction of the new group procedure in Scotland, with provision for both opt-in and opt-out processes. However, it remains to be decided which types of claim will be identified as suitable for opt-out. If that approach is made available for data breach claims, the risk associated with significant data breaches will increase.
With an ever-growing public awareness of personal data rights, there is clearly a growing appetite for streamlined group claims which will allow individuals to access remedies in data breach cases more easily. Last year’s data breach class action against Wm Morrisons Supermarket plc, which is currently pending appeal, was the first successful case of its kind in the UK and, in March, a further class action was launched against Ticketmaster for a 2018 data breach. However, these cases are being pursued under opt-in procedures, which limit the claimant numbers. If Scotland adopts the more radical opt-out approach, that would be a major game-changer for data breach mass claims.
These developments should serve as a stark early warning to politicians, businesses and all other organisations handling personal data. They should focus on taking steps to minimise the chances of breaches occurring, identify steps to manage and mitigate risks and ensure they have adequate contracts and insurance in place to cover the potential exposure arising from class action claims.
Opt-out class actions have long been available to American consumers. The prospect of Scottish courts adopting these procedures means political parties must tread more carefully in future when seeking to interact with the electorate. A serious data breach could prove a costly mistake overshadowing any positive outcomes in future elections, no matter how well they perform.