When I wrote my post about Facewatch, I was a bit wary. Although it’s famously difficult for a company to sue for defamation, I didn’t want to let slip any words that went too far. In that light, I should obviously be that bit more careful when writing about a law firm.
And yet, I cannot find any other way to say it: if people purporting to be qualified to represent individuals in data breach litigation cannot competently describe how UK data protection law works, I wouldn’t trust them to hold open the door of a court building for me, much less win a case.
I was alerted to an article on the website of Hayes Connor, a firm that describes itself as “Data Breach Experts”. It appeared on GDPR Day, 25th May, and is an explanation of how data protection works in the UK. I assume it was written by ChatGPT.
“The Data Protection Act 2018 sets out how personal information can be used by organisations and businesses in the UK as well as the Government or any public bodies.” No, it doesn’t. The parts of the Act that actually set out how personal data may be used are those covering law enforcement bodies and the intelligence services; for everyone else, it supplements the UK GDPR rather than laying down the rules itself.
“Acting as the primary framework for data protection laws in the UK, it replaced the previous Data Protection Act 1998”. No, it didn’t. It repealed the 1998 Act, but it did not take over its role: the UK GDPR is the primary framework, and the DPA 2018 supports and tailors it. If you know what the DPA 1998 did and compare it to what the DPA 2018 does, you couldn’t possibly see the latter as a replacement.
“The Data Protection Act is divided into many different sections which all perform a range of functions. One important section that you should be aware of is UK GDPR.” Wrong again; the UK GDPR is an entirely separate instrument.
“GDPR (General Data Protection Regulation) defines the key principles for the collection, storage and processing of personal data in the EU. UK GDPR is the UK’s implementation of these rules.”
After the cavalcade of cackhandery above, this isn’t as bad, but it’s still wrong. The UK GDPR is technically the UK’s *replacement* for the GDPR, not an implementation of it. The GDPR applied directly in the UK while we were in the EU and through the transition period; when that ended on 31 December 2020, the UK GDPR, an amended copy of the EU text, took its place.
“Failing to comply with UK GDPR could lead to a breach of the Data Protection Act.” To be fair, this is just a gross oversimplification rather than an outright error. Most breaches would be of the UK GDPR; the DPA 2018 is where the Information Commissioner’s powers to enforce against those breaches come from.
“Generally speaking, there are two ways in which a breach of the Data Protection Act could occur. They could be the result of a human error, or they could be caused by a malicious attack from an unauthorised third party.” Neither of these is automatically a breach of the UK GDPR or the Data Protection Act: a personal data breach is a security incident, whereas a breach of the law requires the organisation to have failed in an obligation, such as not having appropriate security measures in place. You couldn’t have picked worse examples.
The rest of the article is overhyped waffle about how “distressing” data breaches are and I can’t say it’s wrong or right. I do know that a lot of organisations get low quality, low value claims from ambulance-chasing lawyers and regrettably the cost of engaging and winning is greater than settling so that they go away.
The article isn’t a formal legal document; it’s badly written PR guff designed to lure in people who want some free money. But it’s perfectly possible to write a simple summary of how UK GDPR and the DPA 2018 work together. It’s easy to produce competent examples of what constitutes a personal data breach, how that relates to an actual breach of the law, and how the latter might lead to a valid claim.
What puzzles me is why Hayes Connor didn’t bother to do that. Is it simply that they don’t think it matters because the audience won’t really know the difference? Or could it be that they don’t actually know the difference themselves?
Whatever the answers to these questions might be, I would be embarrassed to present myself as an expert and then show myself incapable of competently explaining the basics of the subject in public. If I were picking a lawyer to represent me, my personal opinion is that I’d want one with a bit more attention to detail.