European consumer lawsuit tsunami will come in wake of GDPR

23 Mar 2017

From left: Denis Kelleher, senior legal counsel, Central Bank of Ireland; Pat Moran, cyber leader, PwC; and Helen Dixon, Data Protection Commissioner for Ireland. Image: Jason Clarke Photography

Businesses with lax data compliance have been warned to expect a flood of lawsuits from consumers.

The initial consequence of the arrival of the new EU General Data Protection Regulation (GDPR) will be a surge in the number of legal cases taken by consumers against businesses over the handling of their data.

Experts agree that businesses simply aren’t ready for the likely surge in litigation.

‘Consumer litigation and class actions will quickly follow once this regulation goes live, as has happened in the US’

In recent months, Data Protection Commissioner of Ireland, Helen Dixon, warned readers of the legal tsunami that is looming.

“An interesting feature of the GDPR is the fact that it increases the rights of data subjects, in terms of their ability to take civil actions against organisations that contravene their data protection rights, and obtain compensation from those organisations, so I really think we are going to see a big increase in terms of actions taken by individuals directly against organisations.”

At a PwC briefing on GDPR, business leaders were told that the new regulation is far-reaching and compliance should not be underestimated.

The impact of GDPR

GDPR will impact a business’s systems and processes across all business units, from marketing to sales to IT, warned PwC cyber leader Pat Moran.

Moran said that up to 4pc of global annual turnover is at stake if a firm is found not be to adequately protecting consumer information, or misusing it for purposes where no consent has been given.

Agreeing with Dixon’s warning, Moran added: “It is also expected that consumer litigation and class actions will quickly follow once this regulation goes live, as has happened in the US.

“We are already seeing niche legal firms being established to cater for this anticipated demand, which could see another Personal Protection Insurance (PPI) debacle emerging.”

But for all the warnings of litigation and fines, Moran said GDPR could also be an opportunity for Ireland.

For one thing, he said that in a post-Brexit world, multinationals based in Ireland will not have to deal with different jurisdictions and with obvious language complexities.

“There are significant efficiencies for multinational companies having their key data management functions located in Ireland.

“Negotiating with one Data Protection Commissioner, and in the only English-speaking member state post-Brexit, will be very appealing to multinationals,” Moran said.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years