There have been three reported decisions under the Directive 95/46/EC which are of relevance to GDPR.
Secretary of State for the Home Department v TLU EWCA Civ 2217 established liability for damages for distress suffered by claimants who were not identified directly through a data breach. The case also discussed the definition of ‘personal data’.
B v The General Medical Council EWCA Civ 1497 was a successful appeal by a patient for disclosure of a medical report containing mixed personal data of both the patient and the doctor. The decision involved a balancing exercise.
Tietosuojavaltuutettu v Jehovan todistajat — uskonnollinen yhdyskunta (Case C-25/17): the Court of Justice of the European Union applied a broad interpretation to what constitutes a filing system. It also considered the issue of joint controllers. (For those experiencing difficulty committing the name of this case to memory, it may conveniently be referred to as ‘the Jehovah’s Witness case’.)
The Information Commissioner’s Office (ICO) imposed a £200,000 fine on the Independent Inquiry into Child Sexual Abuse. It is not beyond possibility that similar breaches could happen in a law firm – sending emails to multiple addressees without blind copying, and failing to train staff on the risk. The monetary penalty notice contains details: https://ico.org.uk/media/action-weve-taken/mpns/2259427/mpn-iicsa-20180705.pdf.
ICO statistics for legal sector breaches in 2017/18 show that, in practice, people sending emails to the wrong person are a greater confidentiality and GDPR breach risk (22.64%) than malware, ransomware, phishing, unauthorised access (cyber) and other cyber incidents combined (11.95%).
Links to the cases can be found on www.legalrisk.co.uk/GDPR. We have advised many firms on GDPR risk assessments and compliance. These include a large number of major US firms, and we also have a webpage for those firms: www.legalrisk.co.uk/GDPRUSA.