When the General Data Protection Regulation (GDPR) first came into force in May 2018, it was widely anticipated that there would be a deluge of class action claims for infringements of data protection laws. The first reason for this anticipation is that the GDPR confers extensive rights on data subjects to make claims for data protection breaches. Under articles 78 – 80 inclusive, data subjects can bring claims against supervisory authorities, controllers and processors. They also have the option to be represented by a not-for-profit body to bring the claim on their behalf. Secondly, the GDPR brought with it an increased burden on controllers and processors to be more transparent about how they are using data. It is therefore much clearer to data subjects (and claimant law firms) when data is being mishandled.
Finally, under article 79, claimants are given flexibility to bring their claims either where the controller is established, or where the data subject has their habitual residence. A combination of these factors led the industry to believe class actions would be extremely popular with the introduction of the GDPR, but this has not materialised. There have, however, been a few recent, significant cases which we can learn from.
Why have there been so few class action claims?
1. Administrative Burden
It is worth noting that there are two types of class action claims: an “opt-in” procedure and an “opt-out” procedure. If a country is using opt-in, individuals are required to actively opt into a class action rather than being part of it automatically as they are in an opt-out procedure. Different countries have adopted different approaches. For example, the USA follows the opt-out system, whereby all those falling into the definition of the class are included in the action automatically unless they actively opt out. Countries following the “opt-in” method, such as France, have the additional administrative burden of finding a group of people willing to participate; one or two claimants is insufficient for such cases. This could be a contributing factor to why we see fewer class actions from these countries.
2. Overwhelmed Supervisory Authorities
In the early stages of the GDPR, many claimant firms were waiting to assess the approach being taken by supervisory authorities, such as the UK’s Information Commissioner’s Office (ICO). The ICO highlighted that it was dealing with high volumes of data breach reports as data controllers struggled to demonstrate the required transparency and manage risks. This “over-reporting” resulted in a delay in assessing reported breaches and issuing penalties. As the GDPR has developed and controllers understand their obligations more fully, we may see an increase in class actions as supervisory authorities have the capacity to deal with them.
3. Not-for-profit Status Requirement
Article 80(1) of the GDPR allows for not-for-profit organisations to bring a claim on behalf of the data subject. However, the definition of not-for-profit for these purposes is strict, making it difficult to comply. To qualify, organisations must be “active in the field of protection of data subject’s rights” as well as have “statutory objectives in the public interest.” Not-for-profit organisations also face the obstacle of a lack of resources, both monetary and non-monetary, which may limit their ultimate success in litigation. Receiving investment from an external litigation funder may affect their ability to qualify as a not-for-profit. This issue has paved the way for activist companies such as None of Your Business (NOYB), founded by activist Max Schrems, to come forward in bringing class action cases. It is likely that we will see an increase in claims once other privacy activists understand how to meet these Article 80(1) requirements.
4. Costly Litigation
Litigation is renowned for being an expensive process, and so firms will only commit to taking on class action cases when it would be worth their while. Whilst there is a “strict liability” regime on data controllers and processors, meaning that data subjects can bring a claim without having to prove the controller or processor’s fault or negligence, damages for data protection claims have remained comparatively low, ranging from £1,000 – £10,000. Awards for punitive damages, aimed at punishing wrongdoers, are rare in the UK, unlike in the USA. Before hearing a case, the Court will want to know what steps the claimant(s) have taken to settle the claim. This is to be evidenced by communications with the data controller or processors, with the aim of settling and to inform the organisation before commencing Court proceedings. With this in mind, the attitude is generally to settle and avoid litigation where possible.
Despite these substantial reasons why class actions have not been as common as we initially expected, there have been a few recent, significant cases which we can learn from.
- WM Morrison Supermarkets plc v Various claimants  UKSC 12 – In this case, Morrisons faced a data breach class action from 9,000 employees or former employees for unlawful publication of employee payroll data by an aggrieved Morrisons employee. The claim was brought using the Group Litigation Order (GLO) mechanism in Rule 19.11 of the English Civil Procedure Rules (CPR), which allows a group of claims which have related issues in fact or law to be heard together. Both the High Court and Court of Appeal initially found that the supermarket was not directly liable, but vicariously liable for the actions of their employee, which means Morrisons was responsible for their employee’s actions that caused the breach. The decision was later overturned in the Supreme Court, where it was found that the actions of the employee that resulted in the data breach were not connected closely enough to the course of his employment to fairly and properly amount to vicarious liability. A good result for companies and their insurers.
- Lloyd v Google LLC  EWCA Civ 1599 – In this case, the ex-director of Which?, the consumer rights group, brought an action on behalf of over 4 million iPhone users against Google for their use of a “Safari Workaround.” The workaround enabled Google to set cookies on users’ devices to gather data on the time and location of users’ activities on some websites. The case raised many important issues surrounding the application of CPR 19.6, which allows for representative class actions in the UK, where a case can be brought by one person on behalf of many claimants. It was held that the class action constituted a common loss from the same wrong, in the same circumstances, and at the same time, thereby meeting the CPR requirements to represent the “same interest.” Further, the individuals suffered a loss constituting “damage” for which they were entitled to compensation. The case was decided under the previous Data Protection Act 1988 but still provides very useful guidance.
- A GLO has been granted against British Airways allowing thousands of claimants to bring an action against the company as a result of the data breach it suffered in September 2018. The breach saw the British Airways system hacked to divert customers to a fraudulent site where their personal details were stolen. The ICO has announced its intent to fine British Airways a record £183.39 million for their sub-standard security arrangements which allowed the breach to occur. The case also clarifies that an ICO fine does not negate data subjects’ ability to pursue a class action.
So, whilst there has not been the deluge of class action cases brought that the industry anticipated, we are now seeing a steady uptick of activity in this area. The cases we are seeing now are likely to be crucial in setting the path for how class actions are dealt with in court. Data Protection compliance is therefore more important than ever as class actions gain momentum.
As a full-service, international Data Protection Office, HewardMills is excellently positioned to assist your business with your data protection needs. Our experts are on hand to make sure you are GDPR compliant, saving time, money and unnecessary fines or legal action.