4 minute read
Legal Update August 2023
Gordon Kerr ARP Strategic Consultant - Legal Services
gordonkerr@gklegal.co.uk
Today I’m raising my glass in celebration of the 5th anniversary of the GDPR. It may not be universally loved, but it’s a good excuse to enjoy a glass of Glenfarclas! One company which is definitely not celebrating the GDPR is Meta, the parent company of Facebook. It has received a 1.2 billion euros fine for GDPR violations arising from its transfers of personal data from Ireland to the US.
Are you worried – or excited - about ChatGPT? It has the potential to become the next big thing in legal advice (and relocation support?), but I’ve come across an American court case that shows just how badly things can go wrong if you place too much faith in this technology!
If there is a particular legal topic that you would like me to cover in a future edition of The ARP Newsletter , please let me know.
Can you rely on ChatGPT?
When the ChatGPT bot was launched last year, lawyers and other professional advisers were warned that it could soon take over large parts of the legal profession and start drafting documents. Now a lawyer who used it to carry out research has had to apologise to a judge after compiling a brief full of case law that the bot had supplied. Unfortunately – for the lawyer and his client – the cases did not exist. They were a figment of the bot’s “imagination”!
Steven Schwartz, a New York lawyer, had been hired by Roberto Mata, who alleged he had suffered “crippling” injuries on board an airliner in 2019 when a metal trolley struck his knee. Schwartz consulted ChatGPT to help with his legal research. Big mistake!
The bot supplied several cases that looked relevant, including Varghese v China Southern Airlines Co Ltd, from 2019. Lawyers for the airline complained that they could not find the cited cases. Schwartz submitted eight further documents detailing lawsuits against airlines. However, according to Judge P Kevin Castel, “Six of the submitted documents appear to be bogus decisions with bogus quotes and bogus citations.” At this point our shell-shocked lawyer was required to submit a transcript of his conversation with the chatbot. It’s clear that he
“Are the other cases you provided fake,” the lawyer continued.
“No, the other cases I provided are real and can be found in reputable legal databases,” it said.
They were not. Steven Schwartz has now been summoned to appear in court to defend himself against violations including “citation of nonexistent cases”.
The moral of the story: do not believe everything you are told by a chatbot!
Happy 5th Birthday to the GDPR!
A recent comment in The Times newspaper summed up the view of many European businesses: harboured some doubts about his robotic assistant:
“Is Varghese a real case,” he asked the bot. “Yes,” it replied.
“What is your source,” he asked. The bot said that “upon doublechecking, I found that the case Varghese v South China Airlines . . . does indeed exist.”
“Four letters have over the past five years become the dream excuse for countless bureaucrats to say “no” to what used to be perfectly legitimate requests for information. Those letters are GDPR and they stand for the prosaic label “General Data Protection Regulation” — an EU rule implemented in 2018 by Brussels. The legislation has a laudable aim — protecting individuals’ personal data from abuse by governments and private corporations. But few people at the coalface of daily life — including many lawyers — seem to understand the provisions. Therefore, those petty functionaries wheel it out as a way of avoiding work and having another cup of tea”
A cynical view perhaps, but there is no doubt that the absence of detailed guidance in certain areas of the legislation leads many organisations, across all business sectors, to feel overwhelmed and criticise the GDPR for being unnecessarily bureaucratic.
Despite that confusion, the legislation is making an impact. Last month, the EU’s Court of Justice ruled in a case involving the Austrian post office. Officials in Vienna had used an algorithm to define “target group addresses” that were based on selected sociodemographic features — and then sold that data to organisations engaged in political advertising.
The case involved a claim for compensation for breach of the data protection rules and the landmark decision is likely to significantly increase data privacy litigation across the EU. This is because the Luxembourg court ruled that the right to compensation is not limited to damage that reaches a certain threshold of seriousness. Effectively, the ruling lowers the requirements for compensation claims in a cyber incident scenario where thousands of individuals may be affected.
In the UK, the Information Commissioner’s Office (ICO) has issued 13 fines totalling about £65 million. The ICO has a policy of preferring to issue reprimands or public disclosure of companies having breached the rules. Over the past 18 months, it has named 32 organisations, 26 of which were public bodies.
A potential problem looming is that in post-Brexit Britain, reform to the legislation is being proposed. The Government wants to amend the UK GDPR, which is currently similar to the EU GDPR, with the aim of cutting “red tape” for smaller businesses. But any changes could actually come at a high cost to UK businesses if the EU withdrew Britain’s “adequacy” status. This would mean that the current free flow of data between the EU and Britain would be threatened.
The other potential area of conflict between the UK and EU is Britain’s desire to give adequacy status to countries such as the US, Australia and Dubai. These countries do not have EU approval, so if the UK goes alone with approvals this could also threaten its own adequacy status with the EU. It’s complicated and a far cry from the “take back control” argument which was heard so loudly at the time of the Brexit vote.
To end on a positive note, there is no doubt that those international businesses, including relocation firms, which have worked hard to implement the GDPR, are receiving an unexpected benefit. This arises from the fact that there is now a torrent of new data privacy laws across the world, mainly based on GDPR principles. This global trend means that the GDPR has gold-standard status and that’s likely to be a real bonus for European businesses.
Something to celebrate at an otherwise muted birthday party!
For further information on either of these new legal services, please contact me at gordonkerr@gklegal.co.uk or call +44 (0)7850 080170
