Friday, October 26, 2012

Privacy-litigation: get ready for an avalanche in Europe

The US has long been a litigious country.  What's true in general in the US is also true for privacy.  The US has a vibrant privacy litigation industry, led by privacy class actions.  Within hours of any newspaper headline (accurate or not) alleging any sort of privacy mistake, a race begins among privacy class action lawyers to find a plaintiff and file a class action.  Most of these class actions are soon dismissed, or settled as nuisance suits, because most of them fail to demonstrate any "harm" from the alleged privacy breach.  But a small percentage of privacy class actions do result in large transfers of money, first and foremost to the class action lawyers themselves, which is enough to keep the wheels of the litigation machine turning.

Europe, by comparison, is not nearly as litigious as the US.  What's true in general in Europe is also true for privacy.  In Europe, privacy is mostly handled as a regulatory matter, by Data Protection Authorities (DPAs), who have the power to investigate complaints, launch enforcement actions and impose sanctions for breaches.

In theory, any DPA enforcement action or sanction can be appealed to national courts.  In practice, this is rarely done.  Why?  Because European DPA sanctions tend to be very small.  Rationally, would you hire an expensive law firm to appeal a DPA enforcement action resulting in a 100,000 euro fine, if you knew that your outside counsel costs for the appeal alone would exceed that amount?  Even if you knew you'd win, you probably wouldn't appeal, as a purely rational matter. 

One of the unfortunate consequences of the current European DPA enforcement/sanctions model is that very few of its decisions are tested or validated by the courts.  If more of these cases were appealed to the courts, I am absolutely certain that many of them would be overturned as a matter of law.  So, Europe is building up a body of regulatory "case law", which has never really had the discipline of judicial review, as we'd understand that concept in the US.

Starting around 2015, when the new EU Privacy Regulation comes into effect, all this will change.  The new laws are almost certain to introduce vast new sanctions and fining levels for privacy breaches, expressed as a percentage (say 2%) of a company's global turnover.  Yes, you read that correctly.  Compare today, when the largest fine ever imposed by the CNIL in its history was 100,000 euros, to this near future, when fines could in theory run to many, many millions.  You can do the math.

Once there is real money at stake, everything changes.  Companies that today shrug their shoulders and pay small fines, rather than be bothered to hire lawyers and launch long legal processes, in the future will be confronted with the risk of massive fines.  Facing massive fines, companies will be required to hire expensive lawyers, launch intense legal battles, and generally handle privacy breach litigation with the full battery of legal process and tools.  Companies already do this in many other areas of law, so extending such practices to privacy law will not be hard.  

DPAs, on the other hand, are completely unprepared for this near-term future.  Many DPAs today operate "prosecution by press release", which is really not meant to withstand legal process, but rather to generate some press and reputational impact.  But DPAs are completely unprepared and un-staffed to launch serious legal actions, with a solid basis in law, and a solid respect for legal process, in a way that would withstand tough legal scrutiny and the judicial appeals process.  It's one thing to launch an enforcement action where the money at stake is 100,000 euros.  It's entirely different when the money at stake is 100,000,000 euros.

In this post, I'm not commenting on whether creating large sanctions for privacy breaches in Europe makes sense or not.  I'm just saying that the entire legal/procedural game changes when there's lots of money at stake.  Privacy litigation will become an outside counsel growth area in Europe.  Companies will handle privacy in Europe increasingly as a litigation matter, rather than a regulatory matter.  And DPAs are going to have to figure out how to stand up to defendants' legal heavy artillery, something few of them have ever faced.  

Privacy litigation is already a big business in the US.  In a couple of years, privacy litigation will go big time in Europe too, once big money is at stake.  Finally, we've found a growth industry in slow-growth Europe.
