Predictions 2023: Data disputes

We predict 2023 will see a large number of mass data claims brought as CPOs (Collective Proceedings Orders) before the Competition Appeal Tribunal.

Why?

• One of the most significant litigation trends in late 2021, was a wave of mass data claims brought on an opt-out basis as representative actions, following the Court of Appeal’s 2020 decision in the Lloyd v Google case.
• After the Supreme Court reversed that decision in November 2021, most of those claims were dropped in short order; the judgment presented a laundry list of issues that was perceived as difficult for claimant firms and litigation funders to overcome, creating particular difficulties for claimants in proving 'same interest', calculating measure of damages, and established a high de minimis threshold.
• Claimant firms have, nevertheless, been seeking ways to manoeuvre round the Supreme Court’s decision, and we are anticipating another upswing in such litigation in 2023.
• Throughout Europe, claims fundamentally based on breaches of data protection law are increasingly being brought as competition class actions where that data infringement also relates to consumer protection or unfair commercial practices. This approach was approved by the European Court of Justice in April 2022.
• In the UK, there is an increasingly well-developed, opt-out competition class action regime which allows such claims to be brought as ‘CPOs’. The growing backlog of cases indicates this is proving a popular mechanism for claimant firms where there is any infringement of competition law.
• This European trend outlined above has, indeed, already spread to the UK. In January 2023, the Competition Appeal Tribunal will determine whether the first UK CPO (where the competition claim is fundamentally based on a misuse of data claim) can be certified. Given the low bar applied to CPO certifications to date, this claim must be regarded as having reasonably good prospects of being certified. If it is, we expect that a wave of data breach mass claims will be reformulated as competition class actions, and that many such claims will be issue in the course of 2023.

Prediction author: Tom Bowen

We predict 2023 will bring a continued rise in organisations successfully appealing ICO decisions, and the regulator being forced to reach more of a 'middle ground' with businesses.

Why?

• During the early years of the ICO’s enforcement mandate, few organisations chose to incur the time and costs associated with exercising the right to appeal an ICO decision at the First Tier Tribunal (Information Rights).
• Organisations traditionally tended to adopt the view that, because of the amount of time that the ICO took to complete an investigation and issue a fine, a significant amount of their money and resource had already been invested in co-operating and responding to the regulatory investigation.
• In recent years, however, there has been a notable increase in the number of organisations successfully disputing ICO decisions. In 2022 alone:

1. DSG Retail Limited (Dixons Carphone): the First Tier Tribunal cut the ICO’s £500,000 fine in half and rejected the majority of the ICO’s findings (July 2022).
2. Somerset Bridge Insurance Services Limited: the ICO announced that, following discussions, it had reached a 'pragmatic compromise' with the company and Somerset Bridge agreed to withdraw its appeal (February 2022).
3. Cabinet Office: the ICO agreed to reduce the £500,000 penalty imposed on the Cabinet Office in 2021 (in relation to the New Year Honours data breach) to £50,000 (November 2022).

• In 2023, the ICO could potentially be on the wrong side of the high-profile Experian ruling, and Ticketmaster appeal (likely to be heard in the second half of next year).
• With the ICO’s decision-making and procedures under increasing scrutiny - alongside its new commitment to scale back monetary penalties on public sector organisations - businesses entering into enforcement and penalty negotiations with the ICO could find themselves armed with more bargaining power than previously, when dealing with a regulator that is likely to be adopting a more cautious approach to handing out 'blockbuster' fines.

Prediction authors: Emily Agnoli, Ben Boddington

We predict that in 2023 there will be an increase in claims brought against Data Centre providers for outages which cause users’ business-critical systems to be offline for a period of time, triggering penalty clauses under user agreements.

Why?

• Data centre providers are under strict obligations to provide continuous power to, and operation of, their servers to allow users constant access to business-critical data and systems, usually formalised by the inclusion of the industry standard 'five nines' obligations or 99.999% availability in service level agreements. This translates as a promise that service will only be down or 'offline' for approximately five minutes and 15 seconds every year. For longer periods, there will be penalty clauses in service level agreements in favour of the user.
• Having resilience built into the power and connectivity of data centres is fundamental. However, current global conditions and a range of external factors directly affect the ability to meet these up time / down time requirements; these may not have been factored into service level agreements, leaving data centre providers and users in dispute as to who is liable.
• We predict the three main causes of such disputes will be: 1. energy security; 2. adventurous green initiatives in a world of ever-increasing weather irregularities; and 3. cyber threats.

1. Energy security has become a serious issue following the war in Ukraine, with threats of winter power blackouts across Europe. Such is the concern, two of the biggest data centre operators are stockpiling generator fuel to manage risk. Compounding energy supply challenges is the ability of energy networks to provide power to data centres. In England, whilst carbon-based energy demand has fallen in recent years (use of electric cars and households’ heat pump installation), extra demands are forecast to be placed on energy networks - coupled with increased numbers of power-intensive data centres, this puts a creaking network under severe strain.

To the extent a data centre provider experiences an extended black-out which knocks out both mains and back-up power causing down time, this may lead to a dispute as to whether uptime obligations should stand.

2. Given the ever-increasing and necessary focus on ESG and the global drive to achieve net zero, data centre providers are now actively driving initiatives for sustainability to achieve their 'green' goals (eg Meta’s plan to run its data centre halls at 90 degrees Fahrenheit - significantly warmer and drier than the usual environment). Such initiatives are essential in a modern society, however a push to 'greener' is often a push to the limits at which data centres can operate effectively; the margin for taking account of external factors is diminished and, as the world continues to experience episodes of extreme weather, the resilience of these data centres and the risk of down-time events will be tested, potentially triggering penalty clauses under user agreements.

3. The war in Ukraine has highlighted growing cyberspace threats, with recent attacks against satellites, critical infrastructure and government departments. Senior figures at GCHQ have warned of the rising capabilities and sophistication of cyber tools available, increasing the risk and unpredictability of hacking attacks on governments, businesses and individuals. In a world that becomes more and more reliant on data centres, taking them offline by cyber-attack is an obvious tactic for those seeking to target critical infrastructure. Whilst most providers will cover this risk through cyber insurance, that market has hardened recently - potentially leaving providers exposed to risk, leading to the potential for disputes between providers and users where a breach causing down-time is unclear.

Prediction author: Charles Goodwin, Emily Monastiriotis, Steve Kaye and Cian O'Hara

We predict that in 2023 forward thinking businesses will begin implementing post-quantum cryptography to protect data.

Why?

• Each year milestones are being hit and quantum computing takes one step closer to becoming a reality, one key impact of which will be the demise of conventional encryption.
• This is important as the fundamental encryption that protects data - including IP, trade secrets and know-how - will soon be at risk.
• New encryption standards for post-quantum cryptography are becoming available.
• Businesses may feel that they have time as quantum computers have not yet become a reality. However, bad actors can store data encrypted under the current standards for future decryption. Therefore, forward thinking businesses will be thinking about post-quantum cryptography sooner rather than later.
• Future disputes and investigations may revolve around:
  • contracts that require third parties to implement post-quantum cryptography;
  • the improper use of IP, trade secrets and know-how (both by third-parties and employees) that was thought to be protected;
  • regulators who will require implementation of these standards to protect consumers’ data.

Prediction author: Luke Norton