This week in data/cyber/tech: DSAR damages and is this the end of the road for the UK's new data protection law?

February 16, 2024

There's rarely a quiet week in data protection — and this one was no exception.  Below are two developments from the past seven days that caught my eye.

Story #1: End of the road for the UK's new data protection law?

The DPDIB is dead; long live the DPDIB?

On Wednesday 7 February 2024, the UK’s Parliament approved what is known as a carry-over motion in respect of the Data Protection and Digital Information Bill.

A carry-over motion allows a proposed law that doesn’t receive royal assent (i.e., pass) during one parliamentary session to be carried to the next session — meaning that debate on the Bill doesn’t need to start again from scratch.

Last week’s motion gives the Government until 12 December 2024 to pass the DPDIB — a proposed law to replace the GDPR that has been on the stocks, in various forms, for nearly two years.  But the Conservative Party also has the small matter of having to hold a general election by 28 January 2025, which would mean dissolving Parliament on 17 December 2024 at the latest.

Most signs point to Prime Minister Rishi Sunak calling the election sooner than January 2025 — probably by autumn of this year at the latest.  And although data protection will always have my vote, I accept that it isn’t a priority for most people or a government that — if current polls are any indication — is facing the end of its nearly 15 years in power.

Still, why would the Government be letting the air out of a Bill that, if not a central pillar of its manifesto, was one of the ways that it hoped to show people how it was cutting Brussels red tape?  The DPDIB had little opposition in the House of Commons and likely could be pushed through to completion — even if that means seeking an extension to the current Parliamentary term, which ends in March.

… and perhaps that’s what will happen …

But the DPDIB also needs to pass through the House of Lords.  For those who aren’t familiar with British politics, the Lords scrutinise the Government’s proposed laws — and, although they can’t technically stop them from passing, they can in practice do just that (i.e., by kicking up such a fuss that it becomes impossible for the Government to proceed).

Members of the Lords from across the political spectrum have raised concerns about some of the DPDIB’s key provisions.  The Information Commissioner, John Edwards, has also criticised the Government’s approach to one particularly controversial aspect of the Bill — allowing access to people’s bank accounts for welfare fraud detection purposes.

Does the Government think that addressing these concerns would be more hassle than it’s worth when its energy is better spent elsewhere?  Quite possibly — and in any event we’ll find out soon enough.

So, for now, it’s a case of as you were for the UK’s post-Brexit data protection regime. Is that a bad place to be?  Absolutely not.  But is the whole thing an exercise in frustration? I’ll leave that for you to decide.

*****

T.S. Eliot: “We shall not cease from exploration, and the end of all our exploring will be to arrive where we started, and know the place for the first time.”

Story #2: DSAR damages for a delayed response?

“They say it was a minor infringement, but the law’s the law.  You can’t go around choosing which law you don’t abide by, or else society would go into chaos — it’s just not fair.”

I recently read about a London man who sued his local council for failing to respond in time to a DSAR.  That’s his quote above.  The council responded to what it called a “wide-ranging” access request 40 days late (i.e., after the three-month maximum allowed under English law) and the man sued, seeking £5,000 for “stress and mental injury”.

The judge rejected his claim, on the basis that he couldn’t provide sufficient evidence of harm.  But despite calling the council’s breach “fairly technical”, the judge didn’t make the man pay its legal costs.

Are there lessons here for businesses?  Yes, there are.  Because there genuinely are — but also because, if there weren't, this post would stop here.  Which it doesn’t.

As often with these stories, the parties had a long and difficult history.  Here, the man had made multiple DSARs and FOIA requests — which is, of course, his legal right.  But many companies will have dealt with repeat requesters and professional complainers, and until their requests tip into manifestly unfounded or excessive territory, you don’t always have a choice but to engage.

  • If your organisation is struggling to deal with a DSAR (due to staffing, volume of data, etc.), as the council said that it was, don't bury your head in the sand.  It costs nothing to communicate with the requester and set their expectations about what you will do and when.
  • This obviously doesn't remove your legal obligations, including to respond within the statutory timeline — but if you’re going to miss that timeline, it’s reasonable to think that an individual is more likely to complain to the regulator or court if you’ve been radio silent for three months.
  • This becomes more important when dealing with a requester that is known to the organisation.  It’s not always so, but disputes often escalate due to (i) a lack of communication and/or (ii) an individual who feels that they are not being listened to — or are being ignored.
  • There will also be cases where the complainant feels that they have nothing to lose (for example, in a redundancy), as well as other unique situations, and that’s where it can help to have outside counsel on hand.
  • The question of what type of non-material harm an individual must suffer to receive damages under the GDPR is in its infancy in the EU.  The position in the UK is much the same.  But we are increasingly seeing cases being brought on both sides of the English Channel — mostly unsuccessfully, it has to be said, but that doesn’t account for settlements and similar arrangements.  It’s a trend that’s unlikely to disappear.

In conclusion: it’s true that every DSAR is a potential complaint — but most can be avoided, and that starts (and hopefully ends) with good communication.
