Opt-in to a safer business: a spotlight on privacy rights

Emma Stevens, Associate Solicitor - Dispute Resolution, Coffin Mew, discusses the risks to businesses of privacy violations

2018 has been an eye-opening year for the general public in terms of how their data is being used and passed on, particularly online.

Data sharing is more prolific than ever with the vast majority of the western population parting with their personal information on the internet in some form, the most common being online shopping and social media.

Whilst the internet is often viewed as a tool of convenience and connectivity, the implementation of the GDPR, coupled with various high-profile data breaches, has increased concerns surrounding the risks of data processing.

Individual privacy and data protection - risks to businesses
Historically, breaches in terms of individual privacy have predominantly been associated with celebrities.

However, an increase in technology-based advertising has resulted in the commoditisation of information relating to the average consumer; an individual's online spending and searching habits are now being used and sold to companies for the purposes of tailoring advertising.

The Cambridge Analytica scandal concerning Facebook earlier this year highlighted the ways in which companies can use personal data to manipulate online consumers. Cambridge Analytica allegedly harvested the information of 50 million Facebook users in a bid to influence voting patterns by customising content on the basis of individual preferences garnered from use of the social media platform.

Businesses possessing and utilising this kind of information must be very careful about the way in which it is used and stored; the most common breaches of privacy occur when information is mistakenly shared, lost or stolen. An infringement of the GDPR is not the only cause of action an individual can bring if their private data is mismanaged; a claim for 'misuse of private information' can be brought against an individual or company where information pertaining to their 'private life' has been obtained or passed on unlawfully.

Private information is defined in relation to Article 8 of the European Convention on Human Rights (ECHR), which provides that "everyone has the right to respect for his private and family life, his home and his correspondence". There is no exhaustive legal definition of what constitutes private life - it continues to expand relative to societal and technological advancements.

In light of widely reported breaches such as the recent British Airways data leak, individuals are more aware than ever of their rights in relation to their data and the risks posed by its mishandling from corporate entities. Hackers took personal and financial information of customers who purchased or amended flights through the British Airways website and app, including card numbers and CVC codes.

The GDPR provides for substantial damages in remedy of the most serious breaches. In order to avoid significant losses, businesses responsible for the handling of personal data and confidential information must be vigilant in ensuring its protection. Where developments in technology have facilitated the wide scope and ease of data processing, it is essential that businesses are equipped with up-to-date protection.

It is also vital to be aware that businesses are not exempt from liability where a third-party data handler is responsible for the breach. In addition to ensuring the adequacy of their own preventative measures, companies must ensure that any other entities that they share their clients' data with are similarly protected.

Well-drafted contracts can be invaluable in safeguarding a business' position and in limiting its potential liabilities, both for data-related breaches and for other claims. It is increasingly advisable to agree express terms in relation to the parties' responsibilities under the contract, including any responsibility for data processing, and to make sure that there are clear indemnities in place to offer protection in the event of an incident or third-party claim.

Businesses and their own confidential information
In addition to protecting themselves against claims from individuals, businesses must also be wary of their own confidential information being processed unlawfully. Misuse of private information and the GDPR apply exclusively to personal information. Therefore, the best mode of protection for businesses comes from the provisions they set out in their own contractual terms.

To ensure maximum protection, it is essential to ensure that contract terms relating to confidential information are clear and precise.

Provided that the correct terms are in place, a party whose confidential information is misused is likely to have a potential claim for a remedy in breach of contract.

Whilst contractual terms relating to information are not essential to offer protection, as confidential information is also protected to some extent by a breach of confidence claim in the event of misuse, well-drafted confidentiality provisions can greatly assist with obtaining a remedy for any loss or damage suffered in the event that confidential information is used when it should not be. Where appropriate, non-disclosure agreements should also be considered.

The issue of data and privacy protection has been an increasingly prevalent topic in the media this year, with frequent fearmongering that the technological advancements facilitating data sharing are outstripping relevant safety regulations.

Recent legislation is indicative of a move towards much more stringent measures of protection against the misuse of personal and confidential information. Businesses must equip themselves with adequate protection, both with their contract terms and their internal procedures, in order to ensure that they avoid the potentially crippling costs of liability.

Emma Stevens, Associate Solicitor - Dispute Resolution, Coffin Mew