In the run-up to the implementation of the EU General Data Protection Regulation 2016/679, there were various dystopian predictions of huge fines and the rise of US-style class actions. Some of these claims have rightly been criticised as sales patter and scaremongering. Yet GDPR does include powers to impose revenue-based fines and a host of other sanctions, and also includes various rights which will make it much easier for claimants to bring compensation claims, notably the right to claim compensation for “non-material damage”. There is no requirement to prove financial loss to claim compensation under GDPR; mere distress is sufficient. From a brief search online it is easy to find various claimant law firms advertising, off the back of large public data breaches, the possibility of bringing a group claim for compensation. There is also a large amount of litigation funding available in the UK, and the funders have shown an appetite for class actions. These make for a potentially toxic mix.
Two recent cases in the English courts help to some extent to clarify the evolving risk of group litigation for data protection, albeit that these are early skirmishes and there will undoubtedly be more litigation to follow.
Morrisons #2 Court of Appeal
The Court of Appeal delivered its decision in the case of WM Morrisons Supermarkets Plc v Various Claimants (EWCA Civ 2339) in October, dismissing Morrisons’ appeal against an earlier decision from 2017 finding the supermarket vicariously liable for the actions of a former employee, Andrew Skelton. Mr Skelton had taken personal data (including name, address, gender, date of birth, phone number, national insurance number, bank details and salary information) relating to nearly 100,000 employees and posted it on the internet. Mr Skelton, a senior internal IT auditor at Morrisons, had been provided with payroll data by an HR colleague on an unencrypted USB device, to pass to external auditors. Previously, Mr Skelton had been involved in disciplinary proceedings relating to his use of Morrisons’ postal services for private purposes, leading him to hold a grudge against his employer. Before passing the payroll data to the external auditors, he copied it to another USB device, which he took home to copy to his personal laptop; he later posted the data on a file-sharing website. He also anonymously sent copies of the data to three UK newspapers, one of which notified Morrisons of the issue. Within hours of being notified, Morrisons alerted the police and took steps to have the data taken down from the website. Mr Skelton was arrested and charged, and was later sentenced to 8 years’ imprisonment.
Despite no known financial loss being suffered by the individuals whose data was posted online, just over 5,500 of those employees commenced a group action for damages for misuse of private information, breach of confidence and breach of the statutory duty owed under section 4(4) of the Data Protection Act 1998 (“DPA”). Although the case considered the old DPA, its findings are equally pertinent to the new Data Protection Act 2018 and the General Data Protection Regulation.
Notwithstanding that Mr Skelton had deliberately and criminally set out to harm his employer as a “rogue” employee, the Court of Appeal dismissed Morrisons’ appeal, noting that, despite the act of disclosure being committed at Mr Skelton’s home, there was an ‘unbroken thread’ that linked his work to the disclosure and a ‘seamless and continuous sequence of events’ that led to the data being disclosed.
Morrisons has indicated that it will appeal to the Supreme Court, and the next step will be to seek permission for this appeal.
The solution is to insure against ruinous group claims…
It is unclear what more Morrisons could have done to stop the actions of a rogue employee. The Court of Appeal suggested that insurance may be an answer to the issue:
“There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees…”
Many insurers are actively marketing cyber insurance policies, though, as with all insurance cover, care needs to be taken to ensure that the cover offered is sufficient to address the potential losses and claims arising. Many standard cyber policies tend to have relatively low limits and focus more on the costs of investigation and remediation following a breach, and on business interruption. Fines are typically only covered to the extent recoverable under applicable law (and in many cases fines will not be recoverable as a matter of English law), and third-party claims are typically capped at a relatively low limit, so may not cover worst-case group litigation losses such as the potential claim against Morrisons. Standard exclusions and policy terms may also present barriers to successful claims for the unwary insured. It is a sobering thought that the quantum claimed by Lloyd in the representative class action against Google (see below) was between £1 and £3 billion. In light of the comments made by the Court of Appeal, now would be a good time to review current insurance cover with brokers and coverage lawyers and to supplement that cover as appropriate to address the specific cyber risks faced by an insured and the likely losses arising.
What compensation will be payable for distress?
One of the key open legal questions is what compensation should be paid following a breach of data protection laws. What is now settled law is that there is no need to prove financial loss to claim compensation for breach of data protection law. Compensation can be claimed for “non-material damage”, including distress. The quantum of damages for distress is far from a settled area of law, and, unlike personal injury claims, where guidelines for the assessment of damages are readily available, the jurisprudence considering damages for distress arising from breach of data protection laws is sparse and ambivalent.
In cases arising under the DPA 1998 and the related Privacy and Electronic Communications Regulations 2003, it was fairly common for organisations to pay hundreds and sometimes low thousands of pounds in relation to spam email and text messages. There is an argument that distress will be more significant where personal data has been compromised following a data breach, particularly where sensitive financial information has been disclosed which may facilitate fraud and identity theft, but there is no clear authority on quantum, which in turn makes it hard to insure against the risk. The good news for defendants is that this legal ambiguity also makes it hard for claimant lawyers and litigation funders to calculate potential returns on their investment in group litigation, which is a disincentive to such claims, at least in the short term. Nevertheless, given the potential upside for claimant lawyers (working on a conditional fee) and litigation funders, it seems likely that claims will continue to follow major data breaches. Defendants may also prefer to agree quantum to avoid having to pay their opponents’ legal fees in the event a court sides with the claimant. It therefore seems likely that over time jurisprudence and practice will develop to set precedent for determining quantum of compensation for distress, making it easier to bring and settle group litigation for data breaches.
Lloyd v Google – 1:0 to Google
The Morrisons case follows the recent High Court decision in Lloyd v Google EWHC 2599 (QB). The High Court in that case refused to grant leave to serve a claim on Google Inc (a Delaware corporation) outside the English jurisdiction in relation to the ‘Safari Workaround’, which allegedly involved Google using cookie technology on the iPhone Safari browser to obtain browser-generated information about iPhone users (tracking their internet activity) between 2011 and 2012 without their knowledge.
In order to obtain leave to serve out of the jurisdiction, Lloyd needed to satisfy the Court, amongst other things, that the claim had a reasonable prospect of success. In order to determine whether that test had been satisfied, the Court asked itself two questions: 1) whether there was any basis for claiming compensation under the DPA on the facts as pleaded; and 2) if so, whether the Court should or would permit the claim to continue as a representative action.
The Court dismissed the application on the basis that the facts as pleaded did not support the contention that any claimant had suffered damage within the meaning of DPA s 13. Alternatively, the Court held that, if that was wrong, it would refuse to allow the claim to continue as a representative action because members of the class did not have the ‘same interest’ within the meaning of CPR 19.6(1). For example, a casual internet user may be less distressed by Google’s activities than a heavy internet user. There was no uniform impact across the class of affected users. The Court also held that it would be impossible to reliably ascertain the members of the represented class, which was estimated to be in the region of 4.4 million.
The Lloyd v Google judgment highlights the unwillingness of the English Courts to create an American-style “opt-out” class action regime under the Civil Procedure Rules, and follows earlier decisions considering similar attempts in competition jurisprudence. The English judiciary have not been receptive to US-style litigation, which provides some comfort for defendants.
Not every breach of data protection law results in compensatable harm
The Court’s observations in paragraph 74 are potentially helpful for future defendants of data protection group litigation:
‘I do not believe that the authorities show that a person whose information has been acquired or used without consent invariably suffers compensatable harm, either by virtue of the wrong itself, or the interference with autonomy that it involves. Not everything that happens to a person without their prior consent causes significant or any distress. Not all such events are even objectionable, or unwelcome. Some people enjoy a surprise party… The bare facts pleaded in this case, which are in no way individualised, do not in my judgment assert any case of harm to the value of any claimant’s right of autonomy that amounts to “damage” within the meaning of DPA s 13.’
Where do these cases leave group data protection litigation?
The Lloyd v Google judgment has been reported as a setback for claimant lawyers and group litigation. It is; but it is certainly not the end of data protection group litigation. The Court made much of the fact that not all contraventions of data protection laws will trigger compensatable harm and that no evidence of actual damage had been put forward by Lloyd. But there is a stronger argument that compensatable harm will flow from a breach of data protection law (such as a failure to maintain appropriate security) leading to a personal data breach where, for example, there is a fear of fraud or identity theft. Potentially the ongoing Morrisons litigation will provide an opportunity for the Courts to consider the critical issue of quantum of damages for distress, though this assumes that Morrisons will be unsuccessful in the Supreme Court and that the case does not settle, neither of which is certain. It may be some time before we have a decision on quantum. This uncertainty will give claimant lawyers and funders reason to pause before embarking on potentially expensive group litigation (building classes of litigants is costly and time-consuming), but the potential upside of a successful claim where hundreds of thousands or millions of sensitive records are compromised in a breach means that data protection group litigation is likely to be here to stay.
By Ross McKean (Partner, London, and co-chair of the UK data protection practice), and James McGachie (Legal Director, Edinburgh).