Jeroen Spanbroek, Marsh Risk Consulting
Collective redress and data protection
Two seemingly unrelated initiatives in Europe are in fact the key elements of a 'perfect storm' in the making. First, the European Commission has taken action to improve consumer rights by investigating the introduction of a collective redress system across European Member States, which would make it easier for consumers in several jurisdictions to claim collectively. Second, the proposed data protection regulation, if introduced, will require companies to respond to a breach of personal data and to notify the consumers affected.
Collective redress in the EU
Informally, the European equivalent of the US class action is called 'collective redress'. The European Commission has issued a number of documents assessing the scope for European legislation on collective redress, and a hearing was held in April 2011 to discuss the value of such a system. In February 2012, Members of the European Parliament (MEPs) expressed their support for a collective redress system, but a decision on whether to implement the legislation has yet to be taken.
The European Commission's rationale for investigating collective redress is that consumers face barriers when pursuing claims. These barriers include the high cost of starting a court case; difficulty in accessing the legal systems of other Member States; and low attractiveness, i.e. low claim values relative to court costs. According to research conducted by the European Commission, consumers experience problems mainly with the recovery of costs in court cases relating to the financial, telecommunications and transportation sectors. An earlier study also showed that one in five European consumers would not start a court case if the amount at stake were less than EUR 1,000.
In some Member States consumers already have access to forms of collective redress, alongside Alternative Dispute Resolution (ADR). Of the 27 Member States, 13 have a mechanism that consumers actually use. The structures vary among Member States and fall into three categories: a direct judicial route; redress actions brought via consumer organisations; and actions brought through a public authority. Dutch consumers have the most confidence in their legal system (57%), while Bulgarian consumers have the least confidence in their redress options (12%) [Source: European Commission].
Although a final decision has still to be made, the need for a European system has been underlined by a decision of a court outside the EU. In Morrison v National Australia Bank, a US court ruled that US securities fraud legislation does not apply to investment transactions that take place outside the United States, even if they have a domestic impact or effect. This decision is highly relevant to European Member States, as law firms are expected to use their international office networks to start multinational class actions in European countries instead. In countries with an opt-out system, such as the Netherlands, an increase in the number of class actions is to be expected. Now that the MEPs have backed the initiative, it is likely that a collective redress system will be introduced within the next 12 months.
Data protection regulation in the EU
Businesses rely far more on digital data than they did a decade ago, and this growth is largely driven by consumers. The adoption of mobile devices, combined with location-independent internet access and a new purchasing attitude (clicks rather than bricks), has revolutionised a number of industries. The flipside of these developments is the spread of personal data: essentially, the more we buy online, the more personal information we share.
In response to these developments, the European Commission proposed in 2012 a new 'European Data Protection Regulation', which will update and supersede the existing Data Protection Directive (95/46/EC). In short, it will require companies to report data breaches to consumers and to the competent authorities within 24 hours. Within that 24-hour notification period, companies are expected to stop the breach, limit its impact, identify the root cause and establish exactly who has been affected. Financial penalties of up to 2% of annual global turnover will apply to companies that do not comply with the regulation. The new regulation will affect all companies active within the EU, including companies located outside the EU but active within it, such as global search engines and social media sites.
One example of a new rule within the proposed legislation concerns the processing of sensitive data: such data may only be processed with the consent of each individual, and processing without it is treated as a serious violation. Less serious violations include charging consumers a fee for requests to access their own personal data. National data protection watchdogs will have their powers extended so that they can enforce the new rules.
These new data protection rules aim to strengthen consumer protection considerably. Where consent is required for data processing, that consent has to be explicit. People will have a right to data portability, i.e. they should be able to transfer their personal data from one service provider to another. The rules will also establish a 'right to be forgotten', allowing people to request that their data be deleted. A company that receives a deletion request will also be responsible for passing that request on to any companies holding copies of the data.
The perfect storm in the making
The new data protection rules in the EU will have a significant impact on companies, not only in terms of resources but also from a process perspective, as many existing procedures may have to change. Some organisations lack the experience or the means to respond swiftly to a data crisis and are therefore unlikely to be able to comply with the rules, in particular the 24-hour notification rule. Besides the tightening of the rules set by the European Commission, companies will continue to struggle with the ever-rising number of malicious data breaches. In short: stricter regulation x more personal data x a growing threat from attackers = a risk exposure that many companies underestimate.
Until now it has been very difficult for consumers to file a collective claim across jurisdictions. With the new collective redress system, it should become easier for consumers to file a claim together. A company that breaches the new data protection legislation will therefore be exposed on two fronts at once: penalties under the data protection regulation and collective claims under the redress system.
Claim volumes are expected to be high: groups of consumers will have easy access to legal action through the new collective redress legislation, and the proposed 'opt-out' system means that affected individuals are automatically included in the group during court proceedings unless they explicitly state otherwise.
Preparing for the perfect storm seems to be the soundest advice, given that corporate reputation and revenue are both at stake. To assess and mitigate cyber risks, and data breaches in particular, organisations need a specific set of skills covering both pre-loss and post-loss knowledge. The pre-loss work requires the organisation to assess the cyber risks within its processes and to quantify the exposures. Once the impact is known, the organisation can decide whether to transfer the exposure and can prepare itself for a data breach.
Jeroen Spanbroek is the European Liability Practice Leader in Marsh Risk Consulting.