23/10/20

Data protection litigation: preparing to defend yourself – or attack

If people were to look, they would probably conclude that you do not fully comply with data protection rules. Top of the line security always fails somewhere, typically at the human level, and the same reasoning applies to data protection compliance: even if you build your processes, systems and procedures with data protection rules in mind, you cannot prevent every mistake.

However mature your organisation may be in data protection terms, there is always a weakness – and non-compliance is then a likely consequence.

This provides regulators, competitors and data subjects with opportunities to attack you. Conversely, there may be cases where you wish to use weaknesses of a competitor or adversary against them.

Either way, you need to give careful thought to data protection litigation, both as a risk you have to manage and as an opportunity on which you can capitalise.

We will examine below practical considerations based on our own experience in cases before the Belgian Data Protection Authority (BDPA), the case law of the BDPA’s Litigation Chamber (and appeals before the Market Court) and commercial disputes in which the General Data Protection Regulation (GDPR) and other data protection rules come into play.

1.Data subjects requests as a prelude to regulatory proceedings

By overwhelming majority, the cases decided by the Litigation Chamber stem from a complaint by a data subject. In other words, the reason for most cases was not that the BDPA had decided to investigate an organisation but because one data subject felt that his or her rights were not complied with. A similar pattern emerges from the practice of other supervisory authorities (i.e. data protection authorities) throughout the European Union.

It is therefore important to treat each data subject request as a pre-litigation communication and not a mere information request. If the request is straightforward and you have a response you deem satisfactory, go ahead – but always consider the possibility that this response might be forwarded to the supervisory authority.

For practical reasons, it is likely that the supervisory authority will have one “case handler” for cases relating to your organisation (for instance, at the BDPA, this appears to be the case within the BDPA’s Inspection Service, where we have been able to identify case handlers for some of our clients).

Consistency of responses is then key: if you respond one way to person X for a request and another way to person Y for a similar question, there is always a chance of the case handler spotting the difference – and concluding that an investigation is required.

Similarly, if you receive several requests that relate to a similar issue, you should consider the very real possibility of the case handler learning of their existence (by way of complaints) and considering that this reveals a wider and structural problem (not limited to an individual case).

2.Regulatory proceedings

In Belgium, proceedings before the Litigation Chamber can seem very efficient compared to judicial proceedings. After considering that a case can be handled on the merits, the Litigation Chamber sets a strict timetable for exchanging written submissions (nowadays six weeks for the controller/processor, three weeks for the data subject to respond and then three more weeks for the controller/processor). Still, those initial six weeks may sometimes feel restrictive if your lawyers are insufficiently familiar with data protection rules and the Litigation Chamber’s own case law or if they do not know your processing activities that well. For this reason, even if you wish to handle data subject requests on your own, it is important to involve external counsel as soon as a data subject request appears likely to give rise to a complaint.

In any event, involve specialised external counsel, as it is obvious from Litigation Chamber decisions when organisations chose to defend themselves or to involve lawyers without a keen data protection knowledge. Moreover, if your lawyers are already familiar with the practice of the Litigation Chamber and of the Market Court, they can help you make the most of the procedural opportunities (responses to “fine proposals”, deciding whether to request an oral hearing or not, etc.) and navigate procedural risks.

Anticipate also the fallout of proceedings before supervisory authorities.

In Belgium, the Litigation Chamber generally publishes its decisions online within a matter of days, although it is sometimes possible to obtain anonymisation of the decision prior to publication. While a fine can hurt financially, the reputational harm through widespread knowledge of the fine can hurt even more.

Finally, do not hesitate to be creative – not creative in the sense of “making things up”, but creative in the sense of trying untested arguments or requests. Because the Litigation Chamber is still a relatively new authority, the cases in which we have been involved have already become precedents in Belgium and abroad on a range of questions, from the resolution of procedural questions (e.g. whether the Market Court can suspend enforceability of Litigation Chamber decisions) to arguments on the merits (e.g. what are the limits to data subject access rights). If a novel argument or request makes sense, and there is no legal basis contradicting it flatly, it is entirely possible that the supervisory authority will agree with you.

3.Complaints by competitors or adversaries

Data subjects who are adversaries (e.g. ex-employees, freelancers, representatives of an organisation whose personal data you process) can file a complaint before a supervisory authority. However, the right to file a complaint as foreseen by the GDPR does not extend to natural persons whose personal data you do not process (unless the non-processing is precisely the issue) or to legal entities.

The BDPA has already handled complaints by adversaries (e.g. cases regarding ex-spouses, electoral opponents and even former contractual partners) and has generally considered that using data protection rules in the context of broader disputes is not a misuse thereof. 

Moreover, a competitor who, as controller, considers that you obtained “its” personal data unlawfully can easily file a data breach notification mentioning you explicitly. This could in turn lead to an investigation by the BDPA (at its own initiative).

Non-compliance with legal obligations can also justify cease-and-desist proceedings before the Belgian courts, in accordance with the rules on unfair market practices (on top of a “class action” mechanism for data subjects and consumer organisations that will likely grow in use). Even competitors are entitled to do so, given that when an organisation does not abide by the rules, this can create an advantage for it that harms the interests of competitors in an unfair manner. A typical example concerns client listings and employee poaching scenarios where the personal data was obtained or used in violation of the GDPR.

In addition, in commercial disputes, some use non-compliance as an argument to bring into question the admissibility or evidentiary value of evidence their opponent uses, where that non-compliance affected the evidence itself (i.e. evidence obtained in breach of data protection rules). This approach is regularly used in relation to e.g. e-mails and photographic evidence, although the data protection aspects are often combined with other arguments based on the confidentiality of communications (see Art. 5(1) and (2) of the e-Privacy Directive and, in Belgium, Art. 124-125 of the Act of 13 June 2005 on Electronic Communications), rules regarding the role of private detectives, rules on cybercrime, etc.

Finally, where a competitor or adversary can prove loss or damage resulting from non-compliance, the liability rules under Art. 82 GDPR create a possibility to claim damages before the courts (in a way, a specific version of the general liability rule of Art. 1382 of the Belgian Civil Code). We have not yet seen many instances of this approach. 

Other than actual compliance, there is no way to stop the above actions in their tracks. Put differently, whenever you are processing personal data regarding a potential adversary, you have to assess the risk of your processing being used against you.

While the general rule in judicial proceedings is that the party claiming something has to prove its claim, there are arguments to hold that the “accountability” principle (Art. 5(2) GDPR) increases the evidentiary burden for the party alleged to be in violation of the GDPR. In practice, therefore, you may be required to produce your own documentation showing compliance.

In this context, document clearly what processing activities you carry out, what information you provide to data subjects, instructions to employees on what they can and cannot do with personal data, etc., as this may be your best shield against such actions (and fines).

To illustrate, if you have collected data that is potentially identical to client or employee lists of a competitor, maintain documentation to demonstrate the lawful collection of the data in question. This will help you counter any suspicion that you copied it or obtained it unlawfully (e.g. suspicion that a former employee of organisation X left and joined organisation Y, bringing with him a list of X’s employees [along with salaries and private contact details] or X’s clients [along with pricing applied and services requested] – frequent scenarios).

4.What if you wish to attack?

All of the above can be relevant if you wish to go on the offensive, but you must think carefully before you use data protection rules offensively.

If you file a data breach notification alleging that a competitor obtained unauthorised access to personal data of which you are a controller, nothing prevents the supervisory authority from investigating your own processing as well as e.g. whether your security measures were (in)appropriate to the risk.

Likewise, if you file cease-and-desist proceedings, ensure that your processing is (at least at first sight) beyond reproach, to avoid having to face cease-and-desist proceedings in response.

This does not mean you should not file data breach notifications or defend your interests (on the contrary – filing a data breach notification is in many cases mandatory), but that the better you are prepared, the easier it will be for you to use data protection rules offensively.

dotted_texture