On 27 January, the High Court of Northern Ireland granted British MP George Galloway leave to serve proceedings on Google Inc. out of the jurisdiction. The application was based on a variety of claims including libel, harassment, misuse of private information, and unlawful data processing under the Data Protection Act 1998 (the Act).

The claims relate to three videos uploaded to Google’s YouTube platform by William Frazer. It was claimed that these videos had been uploaded unlawfully. The court stated that there could be no doubt that one of the three videos contained sensitive personal data, but that the question of whether Google was a data processor or data controller would be a “fact specific investigation” which would have to wait until full trial. The view was expressed in the judgment that “[T]he facts as presently put before the court would suggest that Google will not find it easy to defend this claim if it is found to be a data controller.”

This aspect of the judgment highlights a major change to the existing data protection regime which will be brought about by the General Data Protection Regulation (GDPR) once in full force in May 2018. Whereas data subjects can currently only bring an action against data controllers under section 13 of the Act, the GDPR will grant data subjects the right to “an effective judicial remedy” for infringements of their rights under the GDPR which may be exercised against both controllers and processors. Processors may be liable for damage caused by processing which does not comply with the obligations specific to processors under the GDPR, or where they process personal data contrary to the instructions of a controller.

While much speculation has abounded over the ways that Data Protection Authorities may wield their increased enforcement powers, a key risk that organisations should consider is the potential consequences of a court action brought by an aggrieved data subject. To begin to guard against this risk, both controllers and processors should take steps such as reviewing processing agreements to ensure that instructions are drafted in an appropriate amount of detail.