I came to the data field very much by accident rather than design. I was growing a little bored with my existing practice (predominantly in the fields of employment and public law) and a colleague suggested I try my hand at doing cases in the (then-) nascent field of UK freedom of information law. That led into my doing a smattering of data protection cases which, as data privacy concerns came to the fore more widely across society, fairly rapidly turned into a deluge. As the cases I was dealing with evolved, I increasingly saw the virtues of practising in an area of the law that was almost entirely uncharted, was constantly throwing up novel challenges across a wide array of human activities and, perhaps most importantly, raised really significant public policy questions, including not least how the law should seek to regulate data practices in the online world.
Major highlights for me include the first ever group action data case to reach the Supreme Court (Various Claimants v Morrisons); acting for Facebook in the context of its challenge to the penalty imposed by the UK Information Commissioner in connection with the Cambridge Analytica affair; and more recently acting for British Airways in the context of both the group action damages claim brought against it in connection with a major cyber incident, and also in respect of the largest-ever fine threatened by the Information Commissioner (£183 million subsequently reduced to £20m).
One of the biggest challenges is gauging judicial attitudes in data cases, many of which raise entirely novel legal issues. The evolution of the Morrisons litigation (which involved a group action brought in connection with a data leak by a rogue employee) is a case in point: the High Court and Court of Appeal were both strongly of the view that the employer could be fixed with vicarious liability for the rogue employee’s breach of UK data laws; the Supreme Court took precisely the opposite view. Similarly, in Lloyd v Google (which concerned the viability of bringing a representative action in a data protection case), the Court of Appeal saw no difficulty in allowing the action to proceed, whereas both the High Court and the Supreme Court reached the opposite conclusion. This lack of certainty around judicial attitudes often causes major difficulties for clients and their advisors in terms of predicting litigation outcomes.
One of the joys of working in the field of data law in the UK is that, as a still fairly novel practice area, and one that is concerned with very contemporary, modern issues, it generally avoids getting mired in some of the less helpful gender tropes that can afflict other more established and traditional areas of the law. My impression is that this is an area of the law where women can readily feel valued, and that the sky is the limit in terms of where their talent can take them. The challenge in such a young field is to create good role models not only across the Bar and in law firms but also within the judiciary, bearing in mind that the UK now has a specialist court to deal with data cases.
A piece of advice I would give aspiring data lawyers and professionals is that the opportunities in this field are near limitless. Be ready to search for those opportunities and, when you do, be prepared to embrace “blue skies” thinking on how best to push and test the boundaries of the law. Also do not assume the person sitting above you in the hierarchy has all the answers. The novelty of the terrain means we are all often simply feeling our way. This is an area where being an active, vocal and initiative-taking team member is likely to take you places.