Is the GDPR likely to lead to a deluge of complaints and litigation by claimants who allege their data protection rights have been infringed? Matheson Intellectual Property Partner Deirdre Kilroy looks at the likely impact, through an Irish lens, in this month's Law Society Gazette.
At a glance
There has been a significant number of notifications to the Data Protection Commission in Ireland since 25 May 2018 Practitioners will see activity in data protection litigation increasing significantly Data subjects can authorise a not-for-profit organisation to lodge DP complaints on their behalf and to act on their behalf in breaches of DP laws Collective action mechanisms will assist data subjects to instigate litigation and to access legal assistance and knowledge in a novel way in Ireland The General Data Protection Regulation (the GDPR) came into force on 25 May 2018, just 24 hours after the Data Protection Act 2018, resulting in the largest overhaul of Irish data privacy laws in over 20 years. The question at the forefront of many practitioners' minds is whether here will be a deluge of complaints by claimants who allege their data protection rights have been infringed, and consequent litigation.
It has already been reported that there has been a significant number of data-breach notifications and complaints to the Data Protection Commission in Ireland since 25 May. While highly unlikely to be as ubiquitous as personal injuries litigation, practitioners will see activity in data protection litigation increasing significantly.
Potential civil claims are not confined to classic data infringement disputes, but will also crop up as an additional heads of claim in all kinds of civil disputes, including employment disputes, contractual disputes, personal injuries, financial services claims, and breach of confidence actions.
Claimants in the Irish Courts?
Under the GDPR and the Data Protection Acts 1988-2018 (the DPA), for individual data subjects, the people identified or identifiable from the data that is processed (data subjects) are empowered to seek compensation if a breach of the GDPR has affected them (articles 79 and 82 GDPR).
With regard to collective actions, article 80 GDPR and section 117 DPA introduce different types of collective actions for data privacy breaches. Data subjects can authorise a not-for-profit organisation to lodge data protection complaints on their behalf, to act on their behalf in a breach of data protection...