As consumers become increasingly reliant on digital services and the amount of data stored by online giants accumulates, the number of data breaches has also increased. Correspondingly, English courts have seen a rise in data litigation over the last few years. This is significant because of the number of consumers involved and the high monetary compensation that may be awarded, as well as the possible reputational implications for the firm.
There have been numerous high-profile cases over the past few years. In 2018, after British Airways announced that over 500,000 customers’ data had been leaked following a breach of its security systems, the airline was faced with claims that could amount to more than £3 billion. This is much larger than the regulatory penalty it is facing: a penalty notice handed down by the Information Commissioner’s Office (“ICO”) for £20 million. In Lloyd v Google LLC EWCA Civ 1599 (“Lloyd”), a representative action on behalf of an estimated 4.4 million individuals (with compensation set at £750 per individual), Google’s potential liability is £3.3 billion excluding costs. Furthermore, in the aftermath of a data breach which resulted in the exposure of 300 million individuals’ data, an action has been commenced against Marriott International which could cost it £1.7 billion.
An Introduction to Data Claims
According to Clifford Chance, data claims generally belong to one of the following two categories (or both):
1. Claims that a defendant has misused the data it holds
Situations where data has been misused include, for example, the delivery of unauthorised electronic communications, the selling or tracking of data, or the inappropriate use of facial recognition technology. Apart from this, any firm that stores data in a way that renders it vulnerable to a breach, for instance on a USB stick or a personal laptop, might also be liable. This risk has only increased with the advent of remote working and learning, which has introduced more sources of vulnerability.
2. Claims relating to a data breach, where the defendant has been subject to malicious action by a third party (e.g. a cyber attacker)
Clifford Chance emphasizes that claims can concern a very wide range of material, covering information that is personal or non-personal, commercial or non-commercial, sensitive or non-sensitive. This means that relevant data could include, for example, names, email addresses, corporate financial information, private photographs, medical history, browser-generated information (BGI) or genetic data.
In addition, claimants are not required to have suffered financial loss or distress in order to claim that their data has been misused, as seen in Lloyd, mentioned above, where Google allegedly tracked the BGI of 4.4 million iPhone users in order to sell it to advertisers.
Claims may be brought against companies even in the absence of regulatory action by the ICO, although it is more common for such data claims to follow regulatory action. This is because a favourable regulatory ruling or penalty will be relied on by claimants seeking to bring follow-on claims. Some companies may choose to pay (and not appeal) penalties imposed by a regulator; however, this may give rise to larger headaches down the road. Companies should therefore weigh this when deciding whether to accept the rulings of regulators.
Individual claims for misuse of data do not usually attract high damages. However, if most or all of a customer base has been affected, those customers may join forces to claim as a “class” or group, and the damages in these cases can quickly balloon. The Court of Appeal in Lloyd notably allowed the claim to proceed in UK courts as a representative action (pending appeal to the Supreme Court). In the 2019 British Airways (“BA”) case, the High Court also permitted BA customers to bring a collective action under the mechanism of a Group Litigation Order. These high-profile cases demonstrate that the rise of US-style class actions in this area does not seem to be abating anytime soon, particularly given the European Parliament’s recent approval of the EU Representative Actions Directive. The use of collective class actions is relevant because it renders data claims more likely. Individuals are less likely to bring claims on their own for various reasons, and the low level of damages may not justify the inconvenience, cost and risk of an adverse costs order. On top of this, law firms can encourage claimants to join collective litigation on a “no win, no fee” basis. This is becoming an increasing source of financial risk to firms as collective data actions are disproportionately costly to contest, and the damages awarded are often much higher than any regulatory penalty due to the number of individuals involved.
Multiple factors have contributed to the rise of data litigation in the UK, including increased public awareness about data rights and firms’ obligations, the provision of more online services and the increase in certain protections under the General Data Protection Regulation (“GDPR”), which has been incorporated into UK law under the Data Protection Act 2018. Companies, particularly large profitable ones, should be aware of the significant risk of group litigation in relation to the handling of data and data breaches.
To minimize the risk of being exposed to data actions, firms should establish comprehensive data handling policies and take measures to protect any data stored. If faced with a data breach, it is crucial to take early action, ascertain the extent of the damage and the nature of the data that has been leaked, and consult legal experts as soon as possible.