25 March, 2021
It is clear to see that GDPR claims are certainly on the rise, with a flurry of activity featuring heavily in the media lately in relation to representative "class" actions against huge organisations such as Experian and Facebook.
In class actions, sometimes called mass actions, claims will usually be brought on the basis of alleged wrongdoing causing loss to a wide number of claimants in the exact same way. They are brought in this way as often the loss suffered by a single claimant is not large enough to make individual claims economically viable, but pursuing them on a collective basis brings economies of scale and efficiency. Most of the options currently available in England and Wales for class actions operate on an 'opt-in' basis, meaning that in order to participate, every claimant has to take proactive steps, such as to issue or join proceedings or authorise another to bring the claim on their behalf.
A significant case in the continued evolution of the UK 'class actions' in data breach cases, is that of Lloyd v Google. Claimant Lawyers practicing in this area are eagerly anticipating the decision of the Supreme Court in this case. Permission to appeal was granted in March 2020 and whilst there is no confirmed date for the hearing at the present time, it is expected to be heard in April 2021.
In this case a large number of claimants had their browser generated information taken without their consent. A class action was brought arguing that they were all victims of the same alleged wrong and had all sustained the exact same loss. The Claimant, Richard Lloyd sought to bring a US-style 'opt-out' class action against Google in the English courts, relying on the representative claims procedure set out in Civil Procedure Rule (CPR) 19.6. He sought to bring his claim on behalf of around 4 million people, seeking a set amount of damages for each claimant, without them having to 'opt in' or prove damage for each individual, which he argued would significantly reduce the complexities and cost of the claims.
In October 2018, the High Court refused permission for this, finding that Lloyd's claim failed to identify a basis for the members of the represented class to claim compensation under the DPA, holding that the claims had no prospects of success as there had been no proven pecuniary loss or distress. The claimant was not therefore permitted to continue as a representative class action.
Lloyd appealed, and on 2 October 2019 the Court of Appeal allowed the appeal, holding that damages can in fact be awarded for loss of control of data under section 13 of the Data Protection Act 1998 (DPA 1998), even when there had been no pecuniary loss or distress. In arriving at this decision it relied on the case of Gulati v MGN Ltd - a claim based on the tort of misuse of private information by media organisations, in which damages were awarded without proof of pecuniary loss or distress. It also relied on the fundamental right to data protection contained in Article 8 of the Charter of Fundamental Rights of the European Union 2012/C 326/02, reinforced by article 47 of the European Union (EU) Data Protection Directive (95/46/EC) which was the underlying law for the DPA 1998.
The uncertainty and discrepancy surrounding this area has also now prompted the Government to undertake a Review of Representative Action Provisions, focussing on whether new legislation should now be implemented to enable organisations to bring actions on behalf of claimants without their express consent. The Response will consider whether Article 80(2) UK GDPR should be implemented which would permit anyone to act on behalf of individuals independently of a data subject's mandate. If adopted this would create a legislative route for "opt-out" proceedings to be brought in future data protection cases.
The Supreme Court may well overturn the Court of Appeal's finding and rule that mere loss of control is not sufficient to attract compensation for damages under the DPA 1998, if there is no evidence of material damage or distress. If so, then the Lloyd case will fail at the first hurdle, and the Supreme Court would not be obliged to determine the issue of whether CPR 19.6 could allow Mr Lloyd to bring this claim on behalf of over 4 million claimants on an 'opt out' basis. This may result in the question being left unanswered as to whether CPR 19.6 can be relied upon in large-scale data breach actions and whether Article 80(2) UK GDPR should be implemented.
What is abundantly clear however is that Lloyd's substantive claim has now been given the green light to progress, and if successful has the potential to significantly increase exposure for organisations following a data breach or other breach of data protection rules. If the Supreme Court upholds the Court of Appeal's finding on this point, it could mean that a range of breaches of the Data Protection Act 2018 and UKGDPR become the basis for claims. Processing outside any of the data protection principles in UKGDPR article 5(1) could include an element of "loss of control", even in cases where that contravention is accidental, does not create a data breach and might not even have been noticed by any individual data subject.
Just how consequential this decision could be in establishing the future landscape of our data protection law remains to be seen.
Although we don't deal with class actions here at Forbes Solicitors, the emerging cases show that the courts are willing to award compensation for the loss of control of data of an individual. If your data or information has been incorrectly sent out by an organisation to the wrong address, either by e-mail or post, you may have claim for damages. If you think you have please contact the Data Breach Claims Team on 01254 872 111.
For more information contact Lisa Atkinson in our Data Breach Claims department via email or phone on 01254 222448. Alternatively send any question through to Forbes Solicitors via our online Contact Form.