DATA PROTECTION CLASS ACTIONS
CD: To what extent do data privacy and protection issues continue to present increasing risks for companies? How would you summarise the evolution of related laws and compliance obligations in recent years?
Collins: Data privacy and protection issues pose an ever-increasing risk, with cyber security breaches becoming a ‘when, not if’ conversation among chief information security officers (CISOs) and company executives. Lawmakers and government agencies in the US have responded to these risks with the continued adoption of fragmented data privacy laws and regulations. The patchwork of laws and regulations imposed by state and federal agencies has presented the opportunity for more government enforcement and claims by private parties but has also created compliance issues for companies.
Hadwin: Data privacy and protection issues continue to present new and increased risks to companies. Much has been written about the potential for large fines being imposed against data controllers for a failure to comply with their obligations under the General Data Protection Regulation (GDPR). While recent fines imposed by the Information Commissioner’s Office (ICO) and other European data protection authorities have made this a reality, significant fines have been relatively rare – with only 14 fines in excess of €1m having been imposed across Europe since the GDPR came into force. Of perhaps greater concern here in the UK is the growth in litigation being brought post-data-breach by affected data subjects, particularly in respect of breaches material in size and sensitivity. While the per-claimant value of claims in this area tends to be low unless financial loss is alleged, controllers do face a risk of material costs and potential liabilities in the event that claims are brought by a large number of data subjects.
Jan-Mar 2021 issue
Cleary Gottlieb
CMS
Norton Rose Fulbright LLP
Shook, Hardy & Bacon L.L.P.