A major talking point as the General Data Protection Regulation came into force in May 2018 was the possibility of an increase in English class actions based on infringements of data protection law. Various reasons were given for this. These included the express right to compensation for "material or non-material damage" set out in Article 82 GDPR, the provision in Article 80 GDPR for claims to be brought by representative organisations and (more generally) the strengthening of individuals' rights and the increased scrutiny of companies' data processing activities.
Two years down the line, the deluge of GDPR-specific class actions is yet to materialise. This may in part be explained by the fact the ground-rules around how such claims can proceed are still being worked through. Gradually, though, a series of cases brought on behalf of large groups of individuals under the pre-GDPR regime are beginning to establish those ground-rules. These cases have proceeded under existing structures for class actions, and the way they have progressed is likely to be instructive for future claims under GDPR and the Data Protection Act 2018.
When we refer to “class actions” what we mean are claims brought by groups of affected individuals collectively. As we explain below, there are two types of vehicle to do this: a Group Litigation Order (GLO); or a representative claim.
GLOs: Morrisons and British Airways – opting-in
The most well-publicised class action data case has been the Supreme Court's recent decision in a claim brought by over 9,000 current or former employees against the supermarket chain, Morrisons. The case related to the deliberate and unlawful publication of employee payroll data, including onto the dark web, by a disgruntled employee, Mr Skelton. The claimants, ie the affected employees and ex-employees, commenced litigation against Morrisons for breaches of the Data Protection Act 1998 (which applied at the time), along with misuse of private information and breach of confidence. As well as claiming that Morrisons was directly liable, the claimants argued that the supermarket was vicariously liable for the actions of Mr Skelton.
The claimants' action was brought after the High Court made a GLO pursuant to Rule 19.11 of the Civil Procedure Rules (CPR). GLOs can be made by the Court where there is a group of claims which give rise to common or related issues of fact or law. Importantly, they are opt-in procedures, meaning that each claimant must take steps to make their own claim, albeit this will then be added to the overall proceedings subject to the GLO. The claims are often run by a single law firm or small group of firms. They are conducted effectively at no risk to the claimants as their own costs are covered by third party funding and/or their lawyers and any exposure to the legal costs of the defendants is typically backed by insurance. Collecting the claims together makes this model economically viable. The benefit to the court of a GLO is that it prevents multiple separate claims proceeding, leading potentially to different outcomes and significant case management challenges. It is easy to see why GLOs are appealing in data cases affecting a large number of individuals (the typical example being a data security breach). Another example of a GLO case in the pipeline is a claim by customers affected by the well-publicised British Airways data leak. As of May 2020, it appears that a GLO case may also be on the cards in respect of the data breach suffered by EasyJet.
In the Morrisons case, the supermarket was found by the High Court not to be directly liable, primarily on the grounds that it had discharged its material obligations under data protection law. However, the High Court held that Morrisons was vicariously liable for Mr Skelton's actions, a decision with which the Court of Appeal agreed. On further appeal to the Supreme Court, those decisions were overturned. In summary, the Supreme Court determined that Mr Skelton's disclosure of the payroll data was not so closely connected with acts he was authorised to do in the course of his employment that it could fairly and properly be regarded as having been made while acting in the ordinary course of his employment. As such, Morrisons should not be held vicariously liable.
The wider implications of this decision (and a related case involving Barclays Bank) will be addressed in another briefing. However, clearly, it is a welcome ruling for companies and their insurers.
Representative "opt-out" actions: Google and Equifax
The principal alternative to GLOs in data cases is the representative action, under Rule 19.6 of the CPR. Representative actions are much more reminiscent of the opt-out class actions with which practitioners in the United States will be familiar. They enable one or more persons to bring an action as representatives of others within a class, again effectively at no adverse costs risk to the claimants in the class. However, until recently, they were regarded as being very limited in scope. This is because, for a representative claim to proceed, the individuals in the class must have "the same interest" in the claim in question. The concept of "the same interest" has historically been interpreted restrictively by the Courts. The test is narrower than that for GLOs noted above.
However, the Court of Appeal recently allowed a representative action against Google to proceed, granting permission to the representative claimant, Richard Lloyd (a champion of consumer protection), to serve Google LLC outside the jurisdiction at its corporate address in Delaware. Mr Lloyd's claim (the substance of which is yet to be determined) is on behalf of approximately four million Apple iPhone users. In summary, it relates to Google's use of the so-called Safari Workaround to track individuals' browser usage and thereby obtain or deduce other personal data (browser generated information or "BGI"), without their knowledge or consent.
The High Court had previously dismissed the application by Mr Lloyd to serve Google outside the jurisdiction, thereby preventing the claim from proceeding. However, the Court of Appeal allowed his appeal on two main grounds:
- First, it accepted that the lack of any financial loss or distress did not preclude the claim from proceeding. This is because the individuals' loss of control in respect of their data protection rights was, according to the Court, capable of constituting "damage" for which they were entitled to be compensated under English data protection law (see our previous article here).
- Second, the Court of Appeal held that the individuals whom Mr Lloyd claimed to represent did have the "same interest", meaning a representative action could proceed. The Court highlighted that Mr Lloyd did not seek to rely on personal circumstances (such as distress or the volume of data extracted by Google), and was only relying upon the fact that the individuals in question had lost control over their browser generated information. On that basis, the represented class had "all sustained the same loss, namely loss of control over their BGI". Contrary to the High Court, the Court of Appeal also held that the requirement of identifying who falls within the class was met. This was on the grounds that (a) affected individuals should in theory know whether they met the conditions for the class specified in the claim and (b) data held by Google would enable those in the class to be identified.
While the limiting of the damage claimed to loss of control of personal data means that the compensation per member of the class is likely to be low (the figure of £750 was mooted in pre-action correspondence), the total figure (depending on the size of the class) could easily reach into the billions of pounds. It is small wonder then that Google sought to appeal to the Supreme Court. Permission to appeal has now been granted with the Supreme Court likely to reach a determination in early 2021.
In the immediate aftermath of the Court of Appeal's decision in Lloyd, a representative action was launched by an individual (Mr Atkinson) against Equifax, the credit reference agency. The claim related to the loss of personal data of individuals in the UK, caused by a cyberattack centred on Equifax's US holding company in 2017. Again, the claim sought to rely upon the concept of loss of control of personal data for the purpose of damage.
Equifax filed a robust defence. The company argued that the claim was misconceived for a number of reasons, including that the Court of Appeal in Lloyd wrongly concluded that damages were available where there is no pecuniary loss or distress. Equifax also argued that the fact different categories of personal data had been compromised by the breach inevitably meant the representative class did not have the "same interest", again calling into question the decision in Lloyd. Interestingly, it has recently been announced that the claim against Equifax has been withdrawn "in light of how matters had been put in the defence". All eyes will therefore turn to the Supreme Court when it comes to consider Lloyd.
Looking ahead to the next twelve months
While the decision in Morrisons is very significant for the scope of vicarious liability in data claims involving rogue employees, it does not necessarily mean that law firms will be dissuaded from pursuing GLOs in data claims more generally. The name of the website for opting into the British Airways claim - https://www.badatabreach.com/ - is unlikely to be a one-off in the post-GDPR world. The decision of the Supreme Court in Lloyd v Google will be highly significant, indicating whether representative opt-out class actions are here to stay in the data context. In the long term, that decision may be the most significant; if the Supreme Court upholds the Court of Appeal, it is easy to envisage a world in which the floodgates open wider to data claims brought by single claimants on behalf of huge classes of affected individuals.
These litigation risks also front-load the risks involved in failing to effectively respond to an investigation by a relevant regulator, such as the UK’s Information Commissioner (ICO). If an adverse regulatory ruling is made, this can be the springboard for the class action by the affected individuals. This is why we are beginning to see organisations pushing back much more against the ICO’s sanctions (such as Facebook paying its pre-GDPR fine to the ICO arising out of the Cambridge Analytica scandal on the basis of “no admissions”) and the ICO’s indications of intentions to fine (such as in the British Airways and Marriott data breach cases where final Monetary Penalty Notices are still awaited after over nine months since they were first announced).
The next year or so is therefore likely to be crucial in crystallising the position on this combination of adverse regulatory rulings and the ease (or otherwise) with which follow-on class actions can be brought and, consequently, the extent of the risk that organisations face for non-compliance with data protection laws.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, May 2020