Post a comment
Print articleClass action liability following a data breach
February, 2024 - Shoosmiths LLP
Following the news that up to 45 million claimants under competition law have been given the go-ahead for a £2bn class action against Meta, many are thinking about what the real risk of class action litigation is after a mass data breach. The fact is that, outside the realm of competition law, organisations are in somewhat of a lacuna as to whether they will face serious liability to data subjects following such a breach.
It is well known that the Supreme Court case Lloyd v Google at the end of 2021 posed serious problems to data subjects wanting to make mass claims where claimants do not have to expressly opt-in. The two-step process that the case set out – requiring claimants to first establish that an organisation is liable, and only then to set out individual cases of harm – have prevented opt-out class actions from getting off the ground, largely because the first step will not generate any financial return for claimants, claimant law firms or litigation funders. The years since have been characterised by claimants trying to get around that case (and failing).
However, this will not last forever. Data subjects will almost inevitably break through at considerable risk to organisations, as has been shown in the competition sphere. Otherwise, the situation may be ripe for bespoke legislation, perhaps providing for fixed amounts of compensation, as has been adopted by certain US states. In either case, Shoosmiths’ latest analysis shows that Boards consider class action liability following data breaches to be a key concern for the foreseeable future.
Here, we set out key themes as the law currently stands, together with some predictions.
Class actions under data protection legislation
Lord Leggatt’s ‘bifurcated process’ in Lloyd v Google presents a key stumbling block for claimants. That case was brought on behalf of over four million iPhone users claiming that Google had worked around Safari’s privacy settings to secretly track users using advertising cookies. It was brought on the basis of the old Data Protection Act 1998 and could have established huge liability for Google, even if only on the basis of ‘lowest common denominator’ damages per claimant. The sheer quantity of claimants posed the greatest liability.
However, in broad terms, the court stated that a class action could not succeed because each claim needed an individualised assessment, such as whether any wrongful use of the specific claimant’s data had occurred and, if so, what level of harm they had suffered.
Class actions not under data protection legislation
In the last year, another individual, Mr Prismall, sought in the High Court to get round these problems. He brought a case on behalf of 1.6 million patients whose data was shared with a medical app (run, incidentally, by another Google company) without their consent. He sought to distinguish Lloyd v Google by bringing a claim on the basis of misuse of private information rather than breach of the applicable data protection legislation. Under the tort of misuse of private information, a claimant can claim damages for loss of control of information alone, which was not the case under the legislation. Mr Prismall submitted that meant Lloyd v Google was distinguished. Provided he could show all claimants had suffered more than trivial harm, then they should all be entitled to ‘loss of control’ damages and no individualised assessment would be necessary. Moreover, misuse of private information claims are arguably not caught by the legislative changes in 2018 which limited the types of claims where a claimant can recover the costs of any conditional fee agreement and ‘after the event’ insurance premium from a defendant.
However, Mr Prismall failed to convince the court that all claimants had the same interest in the claim, which is required to get a class action off the ground. The court held that different patients had different data accessed at different levels of harm. Some patients’ data was not considered a misuse of private information at all. The court also required Mr Prismall to show more than non-trivial harm was suffered by all claimants, which the court believed he would not be able to do. Accordingly, the case was dismissed.
Claimants have therefore failed twice in the last couple of years to establish major liabilities following data breaches. Prismall v Deepmind is being appealed. Details should be available this coming year.
Other types of claim
Alongside these showstopper class actions, organisations face extremely costly to defend but ultimately low value individual claims. It has now been established, following a string of High Court decisions, that where only distress following a data breach is claimed, damages (if any) range from between £250 to £1,000 and that the case should be allocated to the small claims track. On the small claims track, Part 36 settlement offers, which can be used tactically to secure settlement, do not apply, and it is very unlikely costs will be awarded to any party.
Organisations, though, defend these claims owing to the risk of the floodgates opening. Where a class action may not get off the ground, claimants could bring many of their own individual claims. We have even seen unreported judgments where King’s Counsel have been instructed on both sides, despite being in the small claims or fast tracks, because of the importance of the underlying issues and the risks at play.
The impact of personal injury
Greater liability, however, arises when claimants purport that they have suffered personal (generally psychological) injury following a data breach. Usually, claimants seek a medical report to corroborate their claims. Personal injury has a bespoke claims regime under the law, and it is therefore unusual that personal injury has now become intwined with what are largely specialist data claims.
Certain low-level personal injury claims must be brought under a specific claims portal and there is a fixed costs regime in place. In a data breach context, whilst relatively new, the courts have tended to permit claims for personal injury, and have used what are known as the personal injury Judicial College Guidelines to assess loss. Such an assessment can lead to liability into the tens of thousands of pounds depending on severity of harm, but equally, poses the risk of floodgates opening if the data breach has affected many data subjects who can all show psychological injury.
Costs
Complications further arise if damages for the personal injury could exceed £1,500. If they do, the court will generally automatically allocate the matter to the fast track, such that ‘losers’ face paying a proportion of the ‘winner’s’ costs. If the cause of the injury accrued after 1 October 2023, a new extended fixed recoverable costs regime is in place which leads to organisations to face very high irrecoverable costs when defending such actions.
Litigation funders often fund these types of claims regardless and have showed no signs of stopping, perhaps because organisations choose to settle early. Claimant law firms and funders are alive to these issues and see the space as fertile ground if a large enough cohort of potential claimants is built, even though some of the large class actions must have caused considerable initial losses.
How to approach a claim
To best increase an organisation’s chances of avoiding/managing a claim and/or regulatory engagement, they should act: a) now, by taking action to avoid a data breach and ensuring appropriate processes will be followed; and b) immediately on discovering a breach, if one arises. Courts and regulators will pay close attention to the actions organisations took both before and after a breach when determining liability. For example, under the UK GDPR, it is up to an organisation to show that it had reasonable technical and organisational measures to protect personal data. Equally, organisations are exempt from liability if they can show that they are not in any way responsible for the event giving rise to the damage (a ‘no fault’ defence). Courts have upheld this exemption where, for example, an organisation is essentially a victim of a criminal data hack alongside data subjects.
A worldwide issue
Parallel disputes are often bought in other jurisdictions when a multinational suffers a breach. However, foreign regimes may be more amenable to the type of class actions which are currently unavailable in England and Wales. The EU Representative Actions Directive, for example, came into force at a national level in mid-2023 and provides for representative actions for data protection claims. But the EU courts seem to have followed similar approaches to those in England. In 2023, for example, the Austrian Post claim was another blow to claimants, as the CJEU rejected that mere infringement of the GDPR was sufficient for a compensation award. Many claims were stayed pending that decision.
In the US, the SEC’s data security disclosure rules require data breaches to be reported even if they arise in a foreign home country’s jurisdiction. This increases risk of litigation. In fact, Shoosmiths’ just-released litigation risk report 2024, which analysed interviews with over 360 General Counsels from companies with revenues of over £100m, showed over that, over the last year, whilst 60% of disputes related to England and Wales, disputes in non-EU Europe, Asia Pacific and the US followed closely behind. Many multinationals see litigation as a key route to recovery – particularly in the areas of unlawful cross-border transfers of data, data scraping and data recovery through law enforcement authorities.
Regulation
All of this must be seen in the context of greater regulation, which has recently focussed on the protection of sensitive data. Last year, TikTok was fined £12.7m by the UK ICO, for example, for misusing children’s data, and the ICO issued a reprimand to the Police Service of Northern Ireland over the high profile leaking of police staff’s personal data. Reprimands are public and cannot be appealed. Out of the jurisdiction, appeals of showstopper foreign regulatory enforcement action have included Meta being fined €1.2 billion by the Irish DPC, and TikTok facing a €345 million fine for misuse of children’s data.
What does the future hold?
Shoosmiths’ 2024 litigation risk report reveals that 51% of General Counsels saw group litigation as providing the biggest increased risk over the next three years, with 32% believing that it would involve litigation following a data breach. Almost 40% responded that this emerging risk causes their Boards most concern.
What the above shows is that courts appear to accept that organisations may be liable on the basis of arguable claims (and, in principle, for large amounts) but are unwilling to accept that claimants can join an ‘opt-out’ class action as a result. Only in the competition sphere has such an opt-out procedure been permitted by bespoke legislation, and data breaches have sometimes been hammered into the competition regime to make use of that procedure – the above Meta class action being a case in point.
However, claimants are not going away. We see increased advertisements for data breach claims and increased media attention following data breaches in an attempt to build up a large enough cohort of potential claimants. This area is possibly ripe for specific legislation, if parliament were to consider a divergence from the UK GDPR and the EU’s approach. This has occurred in US states and could perhaps mirror certain UK regimes for different types of claim (such as that for personal injury claims, for example). We should expect more attempts at raising opt-out class actions in 2024 and look out for the appeals of those already made.
Having proper processes in place both before and after a data breach will mitigate liabilities alongside having a proper litigation strategy should the (almost) inevitable happen. The current difficulties posed to claimants may well prove to be a false comfort to organisations.
Link to article
