In this chapter of our Annual Insurance Review 2021, we look at the main developments in 2020 and expected issues in 2021 for technology.
Key developments in 2020
The ICO continues to demonstrate its willingness to impose heavy fines for data breaches (theoretically up to €20m or 4% of a company’s global turnover, whichever is higher), but it has also shown moderation, having reduced its intended fines on British Airways and Marriott Hotels from £183M to £20M and from £99.2M to £18.4M respectively.
Further, the ICO has for the first time provided insight into its approach to regulation and enforcement action, including fines, by way of draft statutory guidance in the UK. This, along with the Regulatory Action Policy (which is under review), will shape the way the ICO operates. Most notable, in the context of ongoing COVID-19 concerns, is the inclusion in the criteria of a requirement that the ICO consider the financial means of the fined entity, as well as any economic impact on the sector as a whole and any related regulatory impact of the proposed penalty beyond the organisation or individuals on which the penalty is imposed. Whilst there is no confirmation that this was the main reason for the reduction of the fines on British Airways and Marriott Hotels, it remains to be seen what the interplay between the effects of COVID and the final version of the statutory guidance will mean for fines and enforcement action going into 2021.
The long-awaited decision in WM Morrison Supermarkets plc v Various Claimants, which involved an ex-employee of the supermarket chain maliciously uploading payroll data to a file sharing website and sharing it with various newspapers, came as a relief to businesses. The Supreme Court reaffirmed that wrongful disclosure of the data in that manner was not so closely connected with the employee's job as senior IT auditor that it could fairly and properly be regarded as made by the employee while acting in the ordinary course of his employment.
Data subject litigation following a breach is also growing, and the proliferation of claimant law firms and litigation funders suggests that this is a growing risk for corporates, both financially and reputationally.
What to look out for in 2021
The UK Supreme Court’s decision in the case of Lloyd v Google early next year will be seminal in confirming whether opt-out class action is to be permitted for mass data privacy claims under Civil Procedure Rule 19.6 as opposed to Group Litigation Orders (GLOs). The case stems from a "workaround" whereby Google was able to bypass default privacy settings in iPhones to sell information about the user to advertisers.
The backdrop shows slow but steady progress towards establishing a class action regime in England and Wales: the Civil Litigation (Expenses and Group Proceedings) (Scotland) Act 2018 came into force on 31 July 2020 and allows group proceedings to be brought in Scotland for all claims, and the Consumer Rights Act 2015 permits opt-out collective redress for breaches of competition law. Post-Brexit, if the English system is to remain relevant and at the forefront of legal developments, there appears to be some pressure to permit class actions, even if not on the wholesale basis adopted in Scotland.
The wider context is that if victims of mass data incidents have no means of redress as part of a larger group, it is unlikely that they will go to the effort of seeking compensation, because these claims are typically low value in each individual case (in the absence of demonstrable and specific financial loss or distress).
Whatever the outcome, it will be interesting to observe how the insurance market reacts to the judgment.
Authored by Ridvan Canbilen.