Data breaches, investigations and parallel civil proceedings

An uptick in regulatory enforcement, the impact of the pandemic and pending court decisions suggest a rise in parallel proceedings risk following data breaches.

22 February 2021

The pandemic, mass working from home and an accompanying whirlwind of online scams, hacks and fraudulent activity have accelerated the digitalisation of businesses worldwide and emphasised the criticality of data and related systems and controls. 2020 saw a long-awaited uptick in enforcement activity by data privacy regulators, including the UK's Information Commissioner's Office (ICO). In the past six months the ICO has concluded major investigations against British Airways (fined £20 million), Marriott International (£18.4 million) and Ticketmaster (£1.25 million).

Between the ICO's increasing surefootedness, the upswing in data protection enforcement worldwide, the sheer number and significance of data breaches occurring in the past few years (a number of which are under investigation) and the significant lag between breach and enforcement, we're confident in predicting a material increase in the volume and value of ICO enforcement in 2021 (see our 2021 Investigations Outlook here).

These investigations, and the data breaches that prompted them, have been accompanied by a significant increase in parallel civil litigation. The British Airways investigation has been accompanied by a high-profile, widely advertised group action launched in 2020 that is now being described as the UK's "largest-ever group privacy claim". If the claimants' argument that the appropriate level of damages is £2,000 per person is correct, the claim would be worth up to approximately £800 million. It is a claim that is likely to be extremely difficult to defend successfully, given BA's public statements at the time of the breach and the availability of a critical, factually dense 114-page decision notice from the ICO.

More significantly still, the progress of Lloyd v Google through the appellate courts has been accompanied by a wave of similar representative actions. The Court of Appeal has allowed Mr Lloyd to bring an opt-out representative action on behalf of approximately 4 million people in the UK who lost control of their personal data as a result of Google bypassing default privacy settings in iPhones to track browser-generated information and sell it for advertising purposes. That decision is subject to an outstanding ruling by the Supreme Court, but it has already prompted actions against a growing list of companies including Marriott International, Salesforce and Oracle, YouTube, TikTok, Facebook, Yahoo and Virgin Media.

Running such claims as 'opt-out' actions is hugely significant. Each of these claims quotes headline damages figures in the hundreds of millions or billions. These numbers are clearly far in excess of any likely regulatory fines, and they relate to claims that will be made far harder to defend in the context of corporates' reporting obligations under the GDPR and ICO enforcement activity.

The success of this approach hinges on the judgment of the Supreme Court in Lloyd, which is expected around April 2021. If the Court of Appeal's judgment in that case is upheld, opt-out data class actions will almost inevitably become a hugely significant and complex part of the litigation landscape for almost all corporates in every sector, given the pervasiveness of personal data in the modern economy.

If you found this interesting, there is a lot more commentary you may find helpful on UpData, which provides regular updates on contentious, criminal and insurance risks relating to data, from cyber-attacks to regulatory enforcement.