My go-to January blues tonic, like many, is booking a summer holiday. This January, jetting off seems like a distant memory, with a trip further than the local park feeling practically exotic.
It has been a difficult 12 months for the travel industry, and BA hit another obstacle this month as the group claims against them for their 2018 data breaches were back in the news.
Claimant firms appeared across the press claiming figures as high as £2.4bn could be paid out to the 430,000 individuals affected by two data breaches caused by a cyber attack in 2018. BA denies liability for the claims and states that it does not recognise the figures suggested, which one might surmise have been put forward by claimant firms to recruit more claims their group action.
Any civil liability awarded against BA through these claims will be in addition to the £20m fine it has already received from the ICO. It is becoming clear that regulatory fines are only the tip of the iceberg for companies found in breach of data laws, with civil liability having a far great impact on finances, resources and reputation.
UK Group litigation procedures
You’d be forgiven for assuming that group claims for data breaches were created by the GDPR, with a marked increase in such claims since the Data Protection Act 2018 brought UK law into line with the provisions of the GDPR.
In fact, the right to compensation for data breaches existed under previous privacy legislation, and the group procedure mechanisms in place for bringing these claims have been available across the UK in some form for many years.
In England and Wales, specific procedures have been in place for more than two decades, which cover a variety of claim types, including data breach claims. A Supreme Court decision in the Lloyd v Google data breach litigation is imminent which could significantly change the ease with which the largest groups of claimants can be certified, giving them significant leverage and exponentially increasing the total awards that could be made against defendants.
Scotland came slightly later to the party. A group action procedure was only introduced into the Scottish courts in August 2020. Prior to this, claims had to be raised at court individually, before ad hoc grouping of common cases could take place if required. The new Scottish group procedure makes raising group claims in Scotland more attractive to pursuers. It allows for a nominated representative party to act as a figurehead in whose name a group of cases which give rise to similar issues of fact or law can proceed. Lead cases may then be identified which represent the issues raised by the group of claims as a whole. Claims are added to the group on an opt-in basis, requiring pursuers to actively sign up to be involved, and decisions made in lead cases will be persuasive as regards the rest of the group, but are not necessarily binding.
Unlike England, there are no mandatory pre-action protocols in place for these types of claims, meaning that no exchange of correspondence between parties is required in advance of any litigation. However, businesses concerned about group litigation in Scotland can sign up to the court’s early warning “caveat” system, whereby their solicitor will be immediately notified by the court of any application for group procedure which names them as a defender.
Why now?
So if data privacy group claims have been available to consumers for so long, why the recent upsurge in claims?
It is in fact the publicity given to the DPA, heightening public awareness of their data rights, together with the wider harvesting and use of data as an asset that has resulted in a significant increase in data breach related group litigation. This has no doubt been fortified by the increase in the availability and legitimacy of litigation funding and investment which underwrites these group claims for claimant firms.
This trend is not predicted to fade any time soon. A UK government consultation took place at the end of 2020 considering whether to allow public interest bodies in England and Wales to take court action and other steps on behalf of individuals whose data rights have been infringed, without requiring their consent to do so. The Department for Culture, Media and Sport was required to report to Parliament on the outcome of this consultation by the end of November, and publication of that report is awaited. There is also scope for the government to create a bespoke procedure for data breach actions in England and Wales. Whether it will exercise that ability remains to be seen, but pressure on the courts from large numbers of data breach claims will no doubt have an impact on that decision.
The introduction of the new group procedure in Scotland was designed to make it easier for claims to be brought here. With the new procedure now in place, an uptick in group claims in the Scottish courts is predicted, with more data breach claims seeming to be something of an inevitability. Watch this space.
Data privacy and group litigation in the year ahead
And so the first month of 2021 comes to a close – a worthy winner of the prize for delivering the strongest dose of January blues ever. But as we get over the hump of blue Monday, there is light at the end of the tunnel.
Covid vaccine programs, a new US president and, for companies with one eye on their data breach exposure, a host of potential answers to the legislative and judicial questions that remain on data breach group actions (I’m feeling lighter already!).
Burness Paull’s data privacy and group litigation experts are on hand to advise on all aspects of data breaches and group litigation in any sector, from prevention to defence. Our top-ranked team have decades of experience of international group litigations, and are currently defending Scotland’s first and only group procedure claim.
Please visit our Group Action page to find out more about our team and how we can help.
Written by
Related News, Insights & Events
Risk horizon scan: 2025
January is the optimal time for businesses to review risk registers against management plans and goals for the next 12 months.
The Scottish Law Commission’s proposed changes to the law of personal injury damages in Scotland
A look at the SLC’s recommended reforms which, if implemented, will represent one of the biggest changes in Scots law in personal injury law for decades.
Costs in personal injury claims – Where are we now?
From inflationary increases and complexity based uplifts in claimant costs to QOCS, the cost of litigation in defending people claims has increased in Scotland.