On this date in November 1963, President Lyndon Johnson established the Warren Commission to investigate the assassination of President John Kennedy only eight days previously. After some 10 months of gathering evidence and questioning witnesses in public hearings, the Warren Commission report was released, concluding that there was no conspiracy, that Lee Harvey Oswald acted alone all with the aid of the magic bullet theory. The Commission also found that Jack Ruby, the nightclub owner who murdered Oswald on live national television, had no prior contact with Oswald. This report has been widely derided and even mocked over the years but it still stands as the “official” version of event.

I recently had the chance to check in with Jonathan Armstrong on the dramatic class action lawsuits around data privacy and data protection in the UK and EU. Much of this activity has occurred since the go-live of General Data Protection Regulation (GDPR) on May 25, 2018. Fortunately Armstrong was more thoroughly prepared than the Warren Commission.

Armstrong cited to two UK class actions which were filed under the prior UK data protection law. The starting point is to note that EU/UK class actions differ materially from US class actions, as class members in the EU/UK must opt-in whereas in the US class members are automatically in unless they opt-out. One of the most significant involved the UK entity Wm Morrison Supermarkets plc (Morrisons). Once again, the facts are so twisted that it would appear as if they are concocted out of thin air.

A Morrisons employee was suspected of running a drug ring from the company. Packages of his products were intercepted and tested and it turned out they were supplements, not illegal drugs. This employee was suspended and was required to repay Morrisons for the postage he had used to send out the supplements. But it turned out he harbored a very deep grudge against the company for these actions.

Unfortunately for the company, it provided him with a mechanism to exercise that grudge. The company’s auditor wanted payroll records to audit. Rather than auditing with some specificity or even reviewing the payroll records on site, the auditing firm demanded a full set of all company payroll records delivered to its offices and the company acquiesced. Ill-advisedly the person Morrisons assigned to complete this task was the same disgruntled employee, who pulled the information and burned it to a CD as requested. He also made duplicate copies of the disc and sent one to a UK newspaper. While the now former employee is in prison, it is Morrisons who are on the hook for a class action involving potentially 120,000 employees.

There are many morals to this story. They start with how you secure your data and how you should share secured data. First it begins with the auditing firm demanding the full payroll data for all employees. If you are going to give this out, at the very least it should only be reviewed in a secure data room or on the client’s premises. But the misstep by Morrisons in assigning this critical data privacy task was to its disgruntled employee. This points up the changing nature of risk in an organization and why it needs to be assessed on an ongoing basis. Putting such an employee in charge of sensitive data was a clear mistake by the company.

There were additional steps the company could have taken, such as focused and effective training. Moreover, if an employee gets into financial trouble this might mean they should not be around financial controls which can be easily overridden allowing fraud. The same for screening IT employees to see if they have engaged in prior similar acts.

Armstrong also pointed out that if you are going to make such a massive transfer of personal data under GDPR, you should perform a Data Protection Impact Assessment (DPIA). Such an exercise, done properly, would have raised numerous red flags which would have alerted Morrisons to the dangers presented. It would have also allowed Morrisons to take less risky steps. It also brings up the need for a vendor or consultant to perform a DPIA. A vendor should ask such questions as: When are we going to receive data? How are we going to receive the data? Do we have protections around how it will be stored on our facility? What if that data had been leaked or stolen or even purloined from the audit firm? What if a vendor employee left the disc in a cab? This matter also provides a very prescient example for contractors, vendors and others that they also need to do DPIAs.

Unfortunately it was one that they may pay quite a bit of money for in the ongoing class action lawsuit. The company tried to claim that it was not responsible for an employee who engaged in criminal activity. Nonetheless, this is clearly a losing argument. Armstrong believes that some 12,000 claimants have opted in on the class action case and even if the award is only £1,000 per claimant the monies will add up quickly.

Under GDPR, there are going to be enhanced rights to claim damages and there will be a lower burden approved to get damages. Armstrong believes a claimant will be required to bring suit in the national state court relevant to those data subjects rather than bring one action that covers everybody across the EU. In addition to the difference in opt in/opt out from America, he believes this could be a limiting factor for privacy class action cases. However he believes there will be an overall rise in privacy litigation under GDPR.

To listen to the full podcast on this topic, check out Episode 19 of Life with GDPR on the Compliance Podcast Network.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2018