To date, the main risk identified in respect of a personal data breach has been the regulatory penalties. With the advent of GDPR, the discussions regarding liability focused on fines of €20 million or four percent of worldwide turnover. However, in the past year or so, a potentially far greater financial risk has emerged: class actions from large groups of affected data subjects.
Personal data breaches – particularly cyber-attacks – are perhaps obvious targets for litigation funders and claimant law firms. There is often a large pool of potential claimants, but each may only have a low-value claim. The mandatory breach notification under the GDPR also helps with establishing a claim, as individuals will be informed by the controller that they have been affected. In August 2020, the UK Government launched a ‘call for views’ on allowing non-profit organisations and children’s rights organisations to bring data protection claims on behalf of individuals, even without the individual’s specific authorisation.
In the last 12 months, a number of class actions relating to data protection have been brought, attempted and/or thwarted in the English courts. Perhaps the highest-profile was the Morrisons case, brought by some 9,000 claimants after a disgruntled employee of the supermarket chain deliberately uploaded payroll data of around 100,000 employees onto the dark web. In April 2020 the Supreme Court held that Morrisons was not vicariously liable for the employee’s actions, but crucially left open the possibility of similar claims in future – making it clear that the Data Protection Act does not exclude vicarious liability for personal data breaches caused by an employee.
Another case making headlines is Lloyd v Google. Mr Lloyd is seeking to bring a representative action against Google on behalf of more than four million iPhone users, whose browsing activity he alleges was unlawfully tracked by Google between 2011 and 2012. Backed by litigation funding and ‘after-the-event’ insurance, Mr Lloyd is seeking damages estimated by Google at between £1 billion and £3 billion, to be distributed evenly (i.e. on a “uniform sum” basis) to all affected individuals.
The Court of Appeal’s judgment in Lloyd v Google (given in October 2019) is now being appealed to the Supreme Court. The case raises two important issues for data protection class actions, for the Supreme Court to rule on:
- Firstly, must the claimants prove actual damage (i.e. financial loss) or distress in order to obtain compensation under data protection law? The Court of Appeal decided that it was sufficient for a data subject to have lost control or autonomy over their personal data, irrespective of whether they had suffered any pecuniary loss or distress.
- Secondly, in order to bring a representative claim, Mr Lloyd must establish that he has the “same interest” as all of the other (more than four million) claimants. The Court of Appeal found he did: the alleged wrong was the same for all affected individuals, and because nobody in the class was seeking compensation for financial loss or distress, they were all claiming the same loss (i.e. loss of control).
Meanwhile, British Airways and Marriott are both facing large class actions in the UK in respect of the data breaches they suffered in 2018.
As all of these claims are still only in the early stages, the most significant unknown is the amount of any award: how much compensation would an individual receive for breach of their data protection rights, in the absence of any pecuniary loss? However, even if claimants receive only a nominal amount, if the pool is large enough, this could quickly dwarf even the largest GDPR penalty. If a cyber-attack affects 200,000 customers, and each customer receives £500, that would be £100 million in compensation.
There are two alternative routes which have been used to bring ‘class actions’ for data breaches in the English Courts: a representative action or a Group Litigation Order (GLO). Which route the claimants choose will likely depend on the details of the claim. For a representative action, all the claimants in the class must have the same interest in the claim (the point being considered in Lloyd v Google). But representative actions, if achievable, may be more attractive to claimant lawyers because, unlike a GLO, claimants are automatically included if they fall within the defined class. In contrast, participants in a GLO must ‘opt in’, so GLOs are usually better suited to smaller classes.
It is important to emphasise that the case law in this area is still only at a nascent stage. No one has yet been successful in bringing a large class action for a data protection breach. Those organisations facing claims are, understandably, fighting hard to get them dismissed. Notably, a class action against Equifax, with a potential class of fifteen million, was quietly withdrawn after Equifax filed its defence. Given the potential cost consequences of losing, those embarking on a claim will still be balancing the potential gain against those risks.
Finally, it is also worth mentioning the possibility that these cases are overtaken by decisions at a policy level. Awards of the amounts being discussed have the potential to destroy even the most solvent organisation which – if the breach was a cyber-attack – was ultimately the victim of a crime. In the longer term, therefore, it is conceivable that these sorts of claims could be thwarted by policy, rather than case law.