- DPO's Blog
How major data breach class actions are changing everything
A new era for consumers and data litigation
By eleanor blackwood
Wed 24 June 2020
When new data protection legislation, GDPR, came into force in 2018, it dramatically increased the rights that individuals, or ‘data subjects’ had over their personal data. As well as this, it introduced much tighter restrictions about what companies, or ‘data controllers’, could do with it. While many of us became aware of this change, either from media coverage or from the onslaught of emails we received from various companies, a crucial part of GDPR is only now gaining traction.
What hasn’t received much coverage is that the legislation states that victims of data breaches are entitled to monetary compensation, where a company, or ‘data controller’ is at fault.
While there’s been a small rise in the amount of individual claims related to data breaches, it’s U.S.-style class action cases which are heralding a new era in consumer rights and data protection regulation.
So what exactly is a data breach class action?
Essentially, a class action is a lawsuit filed or defended by an individual on behalf of a wider group.
Historically, class action cases haven't been associated with data breaches, but mass personal injury. For example, the famous class action initiated by legal clerk Erin Brockovich against the Pacific Gas and Electric Company, which later became the subject of a feature film. The class action claimed compensation for people who suffered illness due to a contaminated water supply.
In the case of a data breach, the class action would claim compensation for a group of people negatively affected by the misuse of their personal data.
How are these class actions changing the entire data landscape?
It used to be the case that in order to claim compensation, claimants needed to present proof of material or non-material damage caused by the data breach. That was before 2019, where the Lloyd vs. Google case set a new precedent: that the loss of control of your data, which holds economic value, is enough to be awarded compensation.
This is a huge change in the law that will have massive implications for both individuals and companies, and is nothing short of groundbreaking.
To explore this further, we’ve gone through the key data breach class actions of the last few years, and highlighted the precedent set by each.
WM Morrisons Supermarket PLC v Various Claimants 2018
In the UK’s first data protection class action, the High Court initially found Morrisons 'vicariously liable' when one disgruntled employee, after having received a verbal warning from the supermarket in a disciplinary hearing, leaked the personal information of 100,000 fellow employees to data sharing websites and newspapers. The personal information included dates of birth and salaries.
✔️ The Court of Appeal at first found that organisations can be held liable when the actions of rogue employees cause major data breaches.
They therefore ruled in favour of the over 5,500 claimants, stating that Morrisons was liable for the data theft.
❌ However, the case was then elevated to the Supreme Court, who overturned this ruling, stating that the employee had acted alone.
The Supreme Court said that the decisions of previous courts were 'contrary to the established approach to questions of this kind, and were based on a misunderstanding of this court’s decision.'
Precedent set by this case:
This case established that in a UK court of law employers can only be held liable for the actions of employees, particularly in the case of a data breach, if they were ‘closely connected’ with their duties at work. Meaning, if the actions of the employee that caused a breach were indistinguishable from the activities they carried out on behalf of their employer.
Lloyd vs. Google 2019
Back in 2017, Richard Lloyd, former director of Which?, filed a representative lawsuit, on behalf of 4.4 million iPhone users whose data, he claimed, was collected and used by Google’s tracking technology without their knowledge or consent.
Mr. Lloyd claimed that Google tracked the behaviour of iPhone users in the UK between August 2011 and February 2012, ignoring their privacy settings and collecting data about not only their browsing habits, but their ethnicity, health, sexuality, political views, and finances.
Google then, he claimed, used this data to section users off into groups such as 'football lovers' and allowed advertisers to target people in these groups through its DoubleClick ad sales service.
❌ Initially the UK’s High Court dismissed the class action saying it was 'officious litigation, embarked upon on behalf of individuals who have not authorised it.'
This judgement was made in reference to the U.S. style opt out nature of the claim; affected individuals being represented had to actively opt out to not be included, rather than choosing to opt in in the first place.
✔️ However, the Court of Appeal reversed this decision, and gave Mr. Lloyd permission to proceed with the claim, based on three key findings, which set important precedents for data protection litigation.
1) Compensation for loss of control:
The Court decided that the data that was gathered from claimants had monetary value, and therefore under data protection regulation, they could claim compensation for loss of control over their data, without the burden of having to provide proof of resulting personal damage.
2) The Claimants had the same interest:
Essentially, the claimants represented in this case were all claiming compensation for loss of control of their data, rather than resultant distress, which would vary much more person to person. It’s crucial for claimants to have the same interest in representative action.
3) Google’s misuse of data was 'wholesale and deliberate':
The Court held the view that Google deliberately gathered the data with a view to garnering commercial benefit, and did so knowing users had not consented to and were not aware of this practice.
Google has since been granted permission by the Supreme Court to appeal the court of appeal’s decision. The Google camp claims that the privacy of their users is their primary concern, and that this incident of misuse happened 'nearly a decade ago'.
Precedents set for data protection litigation:
This case is a landmark in the post-GDPR era of data protection litigation: it's the first large scale class action to be taken against a major tech company in the UK.
The Court of Appeal, if their ruling stands, established the precedent that loss of control over one’s data merits compensation in and of itself. Mr. Lloyd said that the decision showed that 'big tech companies and anyone else can be held to account in this country'.
Atkinson v. Equifax 2019
The seeds of this UK class action against Equifax, the consumer credit reporting agency, were sown back in 2017, a breach of data held by Equifax Limited’s US parent company, Equifax Inc, took place.
The Federal Trade Commission alleged that hackers copied around 147 million names and dates of birth, 145.5 million social security numbers, and 209,000 card numbers and expiration dates.
With such a catastrophic data breach, the details are quite complex, but the long and short of it is that the FTC warned Equifax that one of their databases was dodgy, they agreed to patch things up but failed to double check that the issue had been resolved. This led to the critical vulnerability of the data they had stored on the financial health of consumers: hackers stole that data for months before being caught.
Beyond the $800,000,000 fine that the parent company had to pay to the Federal Trade Commission, the Information Commissioner's Office fined the company £500,000 in the U.K. Mr Richard Atkinson then sued Equifax in the High Court of England and Wales, in an opt-out class action representing 15 million affected people.
Equifax responded in court with what Ryan Dunleavy of the Global Data Review called a 'wide-ranging attack', which argued that there needed to be a 'threshold of seriousness' in terms of the damage caused by data breaches.
Equifax’s legal counsel argued that the High Court’s decision, and the precedent it set in Lloyd vs. Google was 'wrongly decided', and said that there was no statutory basis for an data breach opt-out class action claim in the UK.
They argued that GDPR was rather designed to ‘afford protections to persons affected by a legal wrong in a confined set of circumstances', and that rather than righting a wrong, the Court finding in favour of Atkinson would chiefly 'serve to enhance the financial interests of the claimant’s lawyers and/or litigation funders'.
Dunleavy further commented that for Equifax’s counsel to base their argument on Lloyd v Google was bold considering that we 'do not yet know what the Supreme Court is going to decide on the google case'.
In April of this year Mr. Atkinson withdrew his representative action, after the robust defence presented by Equifax, leaving the claimant now responsible for Equifax’s legal costs should they choose to claim the expense.
Precedents set by this case:
It was highly unusual that the defence presented by Equifax’s lawyers focused on Lloyd vs. Google, an ongoing case. Their argument, that there is no clear legislative basis for a data breach opt out class action in the UK exposes the fact that the UK courts are dealing with many unknowns.
Whilst this case may act as a deterrent for claimants planning to rush into class actions in the UK, it fixes the spotlight firmly on Lloyd vs Google now. The outcome of the case will now determine whether there is, in fact, a legal basis for cases of this nature, and whether Atkinson was right to withdraw his class action.
British Airways Group Litigation Claim
In 2018 nearly 400,000 British Airways customers had their data stolen in a severe cyber-attack on its website and mobile app, which they announced in a now deleted tweet.
This data included customer’s personal contact information as well as their credit card details.
The ICO issued an extremely punishing £138,000,000 fine on BA; the stunned airline said they were 'surprised and disappointed' by the scale of the fine. Comparatively, this was 367 times larger than the fine the ICO issued to Facebook in the wake of the Cambridge Analytica scandal.
The key difference in these two cases being that GDPR came into force after the Cambridge Analytica scandal.
The ICO’s fine was, as we know by now, only the start of BA’s woes. UK Law firms PGMBM (at the time known as SPG Law), and Your Lawyers Limited, are representing 5,300 customers in a group litigation claim which works on an opt in basis.
Precedent set by this case:
In the case of BA we witnessed in full how severely the ICO will punish the misuse of customer data - the sum BA have been ordered to pay dwarfs the £500,000 fine issued to Facebook, which in hindsight seems relatively minimal. This is an example of an opt in claim, rather than the opt out claim made by Lloyd against Google. This style of group litigation may well work in the claimants favour when we consider how a lack of legislative basis undermined the case against Equifax.
EasyJet Group Litigation Claim
The latest major data breach class action is undoubtedly that being levelled against easyJet, who announced in May this year that the personal data - including in some cases card details- of 9 million of their customers had been breached in a 'highly sophisticated cyber attack'.
easyJet first knew of this attack in January 2020 - which stole data relating to travel details such as arrival times, contact information and email addresses.
The ICO are yet to issue a fine to easyJet, but PGMBM, the same law firm leading the claim against BA, have issued a claim against easyJet in the London High Court and publicised that it would be seeking damages of up to £18 billion on behalf of impacted customers, and that they will send a letter of claim to easyJet in June 2020.
Why should companies, or 'data controllers', be worried about class actions?
Previously, the Information Commissioner’s office (ICO), the UK data protection regulator, issued fines in the case of data breaches. However, with GDPR making clear the rights of data breach victims to compensation, and the 2015 Consumer Rights Act allowing consumers to sue companies as a group, it's the possibility of class actions which could involve thousands, even millions of claimants suing at once, that have many companies extremely concerned.
Over the last two years major cases have set the precedent for data breach class actions in this new, uncharted legal landscape. Whilst UK law previously only allowed for opt in style class actions (in which claimants have to actively choose to be represented) the case of Lloyd vs. Google 2018 saw the High Court allow an opt-out style representative class action to proceed. This set a landmark precedent: Lloyd was able to represent 4.4 million claimants without them having to actively opt into the claim.
While some of the above five cases are still ongoing, and their impact remains to be seen, there is no doubt that data protection class actions are set to become a major concern for data controllers, and a powerful tool for consumer rights.
The GDPR paved the way for these major data breach class action cases which have unfolded in the last two years, but perhaps it would be pre-emptive to say that it has unleashed a tidal wave of such cases. Should data controllers be extremely alarmed? Not just yet. That prospect will be largely decided by the outcome of Lloyd vs. Google, which has already set the groundbreaking sentiment, through the Court of Appeals, that loss of control over one’s data merits compensation, without the burden of proving distress or material damage.
As Google launch their own appeal to have this decision reversed, the future course of UK data breach group litigation hangs is waiting to be determined. Perhaps, after the withdrawn claim against Equifax, the U.S style opt in style of class action will prove less successful than the opt in style class actions which have been launched against both BA and easyJet. The staggering fine issued by the ICO to BA should certainly serve as a notice to all data controllers, if these class actions haven’t, that now is the time to take data security seriously.
Data has been described as the oil of the internet; a play on its economic value, and the rush to monetise it as a commodity. GDPR has spelled the end of that gold rush, and has put the rights of data subjects at the forefront of UK law - rightly so.