Ravi Naik and Shirin Marker from ITN Solicitors discuss your rights to your data and what to be aware of if considering how to bring a case against a tech giant.
Facebook has sought to pivot to privacy. Will Mr Zuckerberg and his company really be trusted by the public to contain and respect our personal information? Given that the Digital, Culture, Media and Sport Committee recently called the company "digital gangsters", this may seem unlikely.
Indeed, barely a day goes by without a story concerning Facebook's data practices. At the time of writing, the Wall Street Journal revealed that Facebook can receive information from numerous apps even if, in some cases, the user does not have a Facebook account. These included applications which reportedly shared with Facebook when users were having their periods or were trying to become pregnant. It was also revealed that the company allowed advertisers to directly target people interested in "Nazis" and to spread misinformation about vaccinations.
Such revelations continue to arise at a concerning speed and scale. The reactions to these stories may be the spark of a data rights revolution that will gather pace in the coming years. As Edward Snowden was to government surveillance, Mark Zuckerberg may unwittingly be to personal data protection. The introduction of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) has also alerted tech companies and the wider public to a growing trend in the power of data rights as human rights.
As a result, we are likely to see an increase in cases as individuals seek to assert their rights against tech giants. Such claims are likely to occupy caseloads as well as headlines. What issues should individuals be aware of when considering whether and how to bring a case against a tech giant?
Jurisdiction: Data flows v legal blows
The first issue is what to do when a tech giant has numerous entities across the globe, often with their main headquarters in the US. How is jurisdiction to apply to data, which can flow across states instantaneously and without restriction? The data protection regime provides some answers.
Under the regime before the GDPR, the Data Protection Directive 1995 (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data), jurisdiction was to apply whenever data processing was carried out "in the context of the activities of an establishment in the territory of a Member State".
How does this work in practice? In our case on behalf of American Professor David Carroll against the now notorious Cambridge Analytica and its parent companies, they sought to reject this jurisdictional position outright, saying that it would be "territorially extravagant" for Professor Carroll to have jurisdiction over his data. Based on this belief, they told the Information Commissioner's Office (ICO) – the regulator of their very business – that as an American, Professor Carroll had no more rights to his data "than a member of the Taliban sitting in a cave in the remotest corner of Afghanistan."
The ICO disagreed. In May 2018, it issued an Enforcement Notice, directing the firm to give Professor Carroll his data. Cambridge Analytica's parent company did not comply and the company pled guilty to the criminal offence of breaching an Enforcement Notice in January 2019.
By prosecuting the company, the ICO emphasised that people outside the UK had data rights and they would be enforceable. "This prosecution, the first against Cambridge Analytica, is a warning that there are consequences for ignoring the law," the information commissioner, Elizabeth Denham, said in a statement following the hearing. "Wherever you live in the world, if your data is being processed by a UK company, UK data protection laws apply."
The GDPR takes matters further, with Article 3 extending jurisdiction to "the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not." That is a broad and sweeping jurisdictional clause. Jurisdiction is not tied to the territory of a state but to the sovereignty of data processing. Whether the data subject is abroad may be irrelevant. Establishment is key.
Data controllers: who controls wins?
A further question is who is responsible for infringements of the GDPR. The key term under the GDPR is "data controllers".
The Court of Justice of the European Union (CJEU) has held that a "broad definition" should be given to the term "data controller" and confirmed that the concept of "controller of the processing of personal data" may concern several actors taking part in the processing. The CJEU has also found that there can be joint responsibility between numerous controllers even if they do not all have access to the personal data.
The CJEU's desire to maintain a broad definition of "data controller" is an important practice point for those seeking to bring claims for data protection infringements.
Where are we going?
The remedies available for data infringements under the GDPR have been strengthened. For example, the ICO has been given increased scope to fine data abusers, from less than €1 million under the old regime, to 4% of worldwide turnover or €20 million under the GDPR (whichever is greater).
However, there are limitations. For example, in the absence of a "controller" or "processor", individuals may be left without a remedy. Furthermore, the lack of international harmony over data protection may lead to data piracy, as those that would not seek to respect the law may seek to "offshore" their companies in an attempt to evade accountability. The internationalisation of data rights may become necessary to ensure adequate protection over these fundamental human rights.
Views expressed in our blogs are those of the authors and do not necessarily reflect those of the Law Society.