In addition to the power of the Information Commissioner’s Office (ICO) to issue higher monetary penalties under GDPR, the recent wave of data protection group litigation claims in the UK courts highlights the additional liabilities that businesses may suffer to individual data subjects.
Rise of data protection group litigation claims
The UK courts have recently seen several high-profile group litigation cases for breach of data protection legislation. Such claims were made either on an opt-in basis pursuant to a Group Litigation Order, where individual claimants have to take positive steps to join the action, or on an opt-out basis, known as representative actions, where individuals are not required to be named or joined at the inception of the proceedings.
Following the Group Litigation Order for the Morrisons case, the High Court granted another Group Litigation Order for claims brought against British Airways in relation to its high profile data breach in 2018. This is the mainstream route to group litigation claims in the UK and is often preferred where the underlying individual claims vary from individual to individual, for example victims of an environmental incident. However, the issues of the group litigation must be 'common or related issues' of the underlying individual claims.
Examples of representative actions include the Court of Appeal’s judgement in Lloyd v Google [2019] EWCA Civ 1599 (see below) and, following that decision, the recent submission to the High Court for a representative claim against Equifax. The opt-out mechanism was previously less used as the representative must prove to the court that the affected individuals have the 'same interest'.
However representative actions have recently gained momentum from the Lloyd and Equifax cases, which raised two interesting points:
1. A broader representative class
The Court of Appeal’s broad interpretation of 'same interest' is likely to lead to an increase in the number of eligible individuals in a representative class, which could encourage more representative actions in the future.
In Lloyd, Mr Lloyd brought a representative action on behalf of more than four million UK iPhone users. The claimant alleged that Google had been gathering browser generated information (including sensitive personal data) by using a workaround on the Safari browser between August 2011 and February 2012. Google had already been fined $22.5m in the US in relation to this workaround.
In the first instance the High Court found that the ‘class’ members were ‘unidentifiable’ and lacked the requisite ‘shared interest’ in the claim. However, the Court of Appeal overturned this decision. It was held that the individual claimants had all suffered from the same misuse of their data, over the same period, without their consent. It was pointed out that there was no defence Google could raise to one of the individuals in the class, which would not apply to the others.
This decision therefore applies a broad brush interpretation to the definition of 'same interest'. Previously the need to prove the same specific damage had been a bar to joining a class. It now seems that, at least in the context of loss of control of personal data, the same type of loss will suffice. Businesses could therefore face representative actions which would not previously be permitted.
It has been estimated that Google could face a liability of between £1bn and £3bn following the Court of Appeal’s decision, although it remains to be seen whether the Supreme Court will allow an appeal.
2. Damages for loss of control of personal data permitted
According to the ICO, damages for breach of data protection legislation may be ‘material’, such as monetary losses, or ‘non-material’, such as distress. However, previously it was not clear whether infringement of individuals’ data protection rights per se can give rise to an award for damages. The Court of Appeal’s decision in Lloyd confirms that damages may be awarded for a 'loss of control' over personal data, even in the absence of pecuniary loss or distress, meaning business can still suffer significant losses in group litigation even where the tangible impact on data subjects may appear limited.
Lloyd v Google
In Lloyd, the claimants sought damages for loss of control over their personal data but did not claim for financial loss or distress. The Court of Appeal overturned the High Court’s assessment that the class had not suffered damage under s.13 of the Data Protection Act 1998 (DPA 1998). It was held that ‘browser generated information’ could be sold to advertisers to generate commercial value and therefore the loss of control over that data does have value. To ensure individuals are provided with effective remedies for infringement of their data protection rights, damages can be awarded for a ‘loss of control’ of personal data without proving pecuniary loss or distress.
Whilst the basis for this decision was found in the now repealed DPA 1998, the decision considered principles and recitals of GDPR which explicitly refers to 'loss of control' of data. Future claims brought under the GDPR are therefore likely to receive similar judicial treatment.
Equifax
Similarly, Equifax Ltd received the then-maximum fine of £500,000 under the DPA 1998 when its US parent company failed to protect the data of 15 million UK customers for whom it was processing data. Following the precedent set in Lloyd, a representative action was launched in the High Court in October 2019, which is currently advertising for additional claimants.
This is a prime example of how Lloyd has set the stage for further group litigation claims in relation to data protection. Businesses may be in for a shock when they are exposed to the risk of exponentially larger fines under the GDPR and a more claimant friendly approach to group litigation.
What steps can you take?
It is no coincidence that all of the defendants subject to a representative action were initially penalised by a regulator, as the regulatory decision will prompt group litigation claims and are often relied on by claimants in court to demonstrate the controller’s breach of data protection legislation. These decisions enforce the need for comprehensive data protection practices and agreements in all business that control personal data.
The value of these claims is dependent on the number of affected individuals and can present a significant business risk in addition to the risk of regulatory fines under GDPR. At Burges Salmon we can assist you with your data protection related queries, including mitigating the risks posed by group litigation. For more information, please contact David Varney in our Data Protection team.