When Compliance Law is violated, does the "right to be (re)compensated" exist, and must it be encouraged or not? - The Marriott case
Marie-Anne Frison-Roche
Director at Journal of Regulation & Compliance | Economic Law, Procedural Law, Regulatory and Compliance Law
In August 2020, Marriott was brought before a British court by a consultancy entity through the procedural technique of the class action. That entity published online a document titled: Why I'm taking Marriott International to court.
Simply written, without legal terms, this document is a sort of direct letter to everybody.
Before describing the facts, it says in general terms that when a company suffers a data breach we simply receive a letter, we sign a document and we forget. We must take action against the firm, and it explains why: to obtain a real change. For the time being, "if a major corporation suffers a breach because it didn’t do everything it could to protect your data, and the worst it suffers is a fine for breaking data protection rules, there’s little incentive for anything to really change. But if the company becomes accountable to the customers whose data they lost, it’s a different matter."
The firm explains that this is the reason why it has filed a data breach group action in the High Court of England and Wales against Marriott International, seeking to obtain damages "on behalf of millions of hotel guests who made reservations".
After this explanation of the cause and of the resulting action, the letter describes the facts more precisely. The reservations platform belongs to Marriott International. The letter affirms that the cyber-attack that happened in 2018 is linked to "a failure to take adequate steps to ensure the security of guests’ personal data, and to prevent unauthorised and unlawful processing of that data. That failure was a breach of data protection legislation."
It says that everyone who was a "resident in England and Wales whose data was stolen in the Starwood/Marriott breach, wherever in the world they stayed", or everyone who "stayed in a hotel of any of the following brands before 10 September 2018", will automatically be included in the group (opt-out system).
We will see if this class action will succeed or not.
But many class actions are pending, often before British courts, about Personal Data Compliance Law.
Why this flowering?
Maybe because Data Protection Compliance Law is a very specific legal area, activated through procedural techniques that are more usual in the British and American legal systems; the question is whether it would be a good idea to encourage this sort of action or not.
WHY ACTIVATION OF PROCEDURAL AND SUBSTANTIAL RIGHTS IS EFFECTIVE IN PERSONAL DATA COMPLIANCE LAW BEFORE COMMON LAW COURTS
Firstly, Personal Data Compliance Law is very specific because this set of rules is based on a subjective right: the right for everyone to be protected against others, to obtain their privacy protection.
It is easy to find some subjective rights in other sectorial Regulatory and Compliance Laws. For instance, the "right to energy". But it is an "adjacent right". In Personal Data Compliance Law, this subjective right is intimate to the whole system, which is built on the effectiveness of this fundamental right of everyone.
This is why it is so important to distinguish Personal Data Compliance from non-Personal Data Compliance, because the rules are opposite: Non-Personal Data must circulate (Information, Market) and, on the contrary, Personal Data must not circulate (Privacy). This is why, in European Law, the famous GDPR of 2016 organizes the principle of non-circulation of Personal Data, while the European Regulation of 2018 organizes the circulation of Non-Personal Data.
It is not at all a contradiction: it is because in the case of Personal Data Compliance, the basis is everyone's right (as a California Law of 2018 said: Law on Consumer Privacy) while in the case of non-Personal Data, this right doesn't exist.
When a substantial subjective right exists, Law automatically associates with it a procedural right: the right to ask a court to sanction the violation of this right. If this procedural right doesn't exist, the substantial subjective right doesn't exist in reality.
This is why so many current actions concern Personal Data Compliance: courts welcome them, more than in other areas, in order to protect the substantial right of privacy effectively.
Secondly, actions are currently brought before British or American courts more than before courts in other legal systems.
This is not only because Tort Law is the most developed in these Common Law systems, but also because the Class Action system (described in this letter) is very mature.
Many other legal systems have transplanted this procedural mechanism, as in France with the Law of 2014 sur la protection des consommateurs ("on consumer protection"), but the transplantation is very difficult because its success depends on the general legal context, and Civil Law systems are not Common Law systems (for better and for worse).
This is why for the time being these actions are before Common Law courts.
But why do it?
The letter expresses it: not for the consumers themselves, but to create an "incentive" for enterprises, for instance to build an efficient reservation platform.
If it is true, it is not only true for the specific legislation on Personal Data Compliance: it is true for all Compliance Law.
ENCOURAGING OR NOT A GENERAL "RIGHT TO BE COMPENSATED" IF COMPLIANCE LAW IS VIOLATED
It is easy to focus on the serious defects of Class Action.
But firstly in Compliance Law the efficiency and the effectiveness are not just good news, they are also legal requirements. Secondly, taking Compliance seriously, the protection of people is everywhere.
Firstly, Tort Law and Access to Court constitute private enforcement in Compliance Law
In the Marriott case, this letter refers to the conception of "incentives".
As Lucien Rapp explains, Incentives and Compliance Law mix very well, especially when international or global institutions do not exist. Hubert Tardieu explains that in this way a more sovereign Europe might be built.
That is true, because enterprises know their great interest in helping public authorities in Compliance matters, notably for obtaining Trust.
Even if they don't, in Compliance legislation in the Financial and Banking area, which does not consider individual rights, the effectiveness of the legal provisions is not a wish; it is a legal requirement.
For instance, when an operator must implement inside its organisation a structural mechanism against corruption, it must be effective. This is supervised by the public authorities, for instance the Financial and Banking Regulatory Authorities for the Banks, and if they fail they will be sanctioned by the sectorial Regulator or by a trans-sectorial public body (for the necessary prevention of corruption, for instance).
The distribution of procedural and substantial subjective rights, allowing individuals to access court (procedural right), to obtain damages (substantial right) is the way to obtain the efficiency of the general legal requirements themselves.
Of course, and especially in the U.S., the evolution of class action rules has suffered from degeneration, but this is not inevitable.
For instance, in Compliance Law, case law will take into consideration that enterprises do not have an obligation of result (only an obligation of means), for instance regarding the integrity of databases against cyber-criminality.
It is all the more necessary when the burden of making rules effective for everyone must be borne by these enterprises! These enterprises must legally have the power to regulate, but only if they comply with the legal burden of giving concrete form to the legal mission of pursuing the Monumental Goals of Compliance.
If they don't, and if they don't want to, Law, one way or another, takes back their power; they must receive an incentive message through individual actions.
A very classical German author, Rudolf Jhering, wrote a landmark book: The Struggle for Law (see also Law as a means to a goal). He wrote that Law is the path toward some "goals" and that everyone must "fight" for the effectiveness of this practical means, for instance by going before a court when Law is ignored, not only when it is your own personal interest or right that is concerned.
Compliance Law is such a classical branch of Law...
Secondly, protection of people being the Monumental Goal of Compliance Law, Access to court must be effectively open
Taking the definition of Compliance Law, its purpose is the protection of persons.
For example, workers, children, women, foreigners, etc.
Precisely individuals who have so few rights, and so few effective rights.
But they have Law.
They must have the benefit of the systemic functioning of the transportation, health, energy, digital and telecommunication systems, all these regulated sectors, whose rules are internalized in crucial enterprises by Compliance Law.
This is why the effectiveness of the objective Compliance Law must be supported by procedural rights, even exercised by others.
__________________________________________
Reference: Frison-Roche, M.-A., Compliance & Trust, 2017.
Who this action represents
The action represents every resident in England and Wales whose data was stolen in the Starwood/Marriott breach, wherever in the world they stayed. If you stayed in a hotel of any of the following brands before 10 September 2018, you will automatically be included in the group:
- W Hotels
- St. Regis
- Sheraton Hotels & Resorts
- Westin Hotels & Resorts
- Element Hotels
- Aloft Hotels
- The Luxury Collection
- Tribute Portfolio
- Le Méridien Hotel & Resorts
- Four Points by Sheraton
- Design Hotels
It will not cost you anything to participate in this legal action and you will have no financial risk in relation to the claim, which is being funded by Harbour, a highly reputable litigation funder.
Visit the claim website for more information, and to register your interest if you think you may be part of the group. You’ll be kept up to date as the case progresses.
As our lives become increasingly digital, our personal data will only become more important. It’s time we all as a society valued it more. That’s what I hope this case will achieve. I look forward to updating you as it progresses.