The "Tidal wave" of data protection-related class actions: Why we're not drowning just yet...

Prior to the GDPR's entry into force in May this year, much was being said about the "inevitable" deluge of class actions likely to flood the UK court system as a result. Many justifications were put forward to support this theory, including that:

• The GDPR bestows a greater number of and stronger, clearer rights upon data subjects, which provides them with a basis for legal claims;
• Due to the massive hype surrounding GDPR prior to its entry into force, data subjects, and claimant law firms, could not fail to be more aware of these rights and have them front of mind in dealings with controllers;
• The obligations in the GDPR upon controllers to be more transparent about what data they have and how it is used means that data subjects can more easily discover where controllers are contravening data law, particularly thanks to the duty of controllers to notify subjects of data breaches;
• The GDPR contains a clear confirmation that monetary compensation should be available to any data subject who suffers damage, even if not material damage; and
• It also contains specific provisions allowing representative bodies to obtain compensation on behalf of data subjects (even without having to opt in if the national government chooses to adopt that version of the provision).

The goal of this article is not to cast doubt upon the theory and reasoning set out above, which still holds good; but, six months into the new GDPR regime, we are far from drowning in group litigation - and below we consider some of the factors why the arrival of the "tidal wave" may have been delayed.

1. ICO backlog

First, and perhaps foremost, any claimant law firm is going to be focussed on choosing the right case upon which to cut its teeth as to the UK court's attitude to data protection class actions.  Informing this choice is likely to be a close study of decisions made by the ICO which are highly critical of a controller's actions/processes and which impacted a large number of data subjects.  This is class action gold, as far as claimant firms are concerned, and it is worth waiting for "the one". 

The problem with this is that the ICO is currently suffering the effects of extreme over-notification of data breaches.  Indeed, at a conference in September, the Deputy Information Commissioner remarked "Some controllers are 'over-reporting': reporting a breach just to be transparent, because they want to manage their perceived risk or because they think that everything needs to be reported……".  Consequently the ICO's resources are at full stretch and they are not yet therefore able to turn their attention to assessing reported breaches or issuing enforcement notices/penalties.   To date, only one post-GDPR enforcement notice has been issued, against Canada-based AggregateIQ for its part in the Cambridge Analytica debacle. 

This is not to say that claimant lawyers will back off entirely pending an ICO decision.  There have, very recently, been certain breaches where, put bluntly, irrespective of the who-did-what-to-who analysis, the numbers simply work and make collective action irresistible.  We discuss this further below.

2. Representative body challenges

Secondly, whilst Article 80 GDPR appears, on the surface, to be relatively simple, dig a little deeper into its wording and you soon run into difficulty.  This Article purports to enable certain organisations to bring legal actions and, if appropriate, claim compensation on behalf of data subjects.  However, there are a number of stipulations as to which organisations can take on this role.  They must be not-for-profit: what if, for example, a representative body is established solely for the purpose of bringing a claim which receives investment from a litigation funder – as discussed below, naturally, funders will only be interested in a case precisely because there is a good chance for them to make profit.  Where does this leave the representative body in relation to the "not-for-profit" requirement?  Other stipulations, such as the need to have "statutory objectives which are in the public interest" and to be "active in the field of the protection of data subjects’ rights and freedoms" present further obstacles.

As mentioned above, Member States were given the option under Article 80(2) GDPR to allow representative bodies on an "opt-out" basis; that is, every affected data subject is deemed to be represented in the action unless and until they actively choose not to be.  The UK government, however, has for the time being chosen not to enact this provision.  Consequently, even once a representative body passes the many definitional tests set by Article 80(1), it still then faces the mammoth and time-consuming task of having to collect signatories to the claim.

In the UK, Section 168 of the Data Protection Act 2018 supplements the right to claim damages set out in Article 82 GDPR.  On the author's reading of subsection (2)(a) of section 168, which refers to claims for damages brought by an Article 80 representative body,  the UK government's intention is that such claims will probably still have to meet the criteria applied to the existing "representative action" mechanism set out in Part 19 of the Civil Procedure Rules 9 (the "CPR").  This interpretation is derived from the words "in accordance with the rules of court" in this subsection.  If this is correct, then, essentially, a standing test will apply to Article 80 actions in the same way as they have been applied to Part 19 actions.  The key measure for standing is whether or not the represented parties can all be said to have the "same interest in a claim", a common grievance and the relief sought must be of benefit to all.  This test presents a significant procedural hurdle to getting representative actions off the ground.  For many potential claimants/their advisers, the alternative mechanism of a Group Litigation Order (where the bar for joining claimants together is the slightly lower "claims which give rise to common or related issues of fact or law") is often therefore the preferred option, even though it can take longer to put the group structure and financing in place.

3. Existing collective action mechanisms require critical mass

Under the current UK CPR, there are two forms of collective action: group litigation orders, or a representative action.  Irrespective of which form is adopted by claimants, all participants in the represented group need to have actively opted in.  For a representative action under the CPR, therefore, you need to find a minimum of 2 claimants who will opt into proceedings.  This differs from the US position, where a single claimant can represent the entire group, as the basis for representation is opt-out (i.e. everyone who falls within the group is deemed to be represented unless they actively opt out).

Consequently, in the UK, there is an administrative challenge involved in identifying and signing up willing litigants.  This challenge is all the harder because, in reality, a group of 2 claimants will not usually cut the mustard.  This is because of the high costs of collective litigation, which often necessitates the involvement of a professional litigation funding outfit. Due to the limits imposed under UK law on the recoverability of success fees, law firms are often reluctant to fund such actions themselves; and so litigation funders' resources are often called upon. Increasingly, in the world of data protection litigation, funders are showing interest – but they remain hesitant.  There are two main reasons for this.  First is the rule in the UK that the party who prevails in litigation is entitled to recover a proportion of its legal costs from the losing party.  This significantly increases the risk associated with funding a class action, and so funders will be looking for cases where they assess their chances of success as more than likely.  This is where the absence of ICO decisions on non-compliance with GDPR plays its part – such decisions will provide a useful starting point for claimant law firms to identify cases likely to attract the interest of litigation funding outfits. 

Secondly, in order for a funding outfit to view data protection litigation as a worthwhile investment, there needs to be a critical mass of claimants signed up to it to render the potential damages pot large enough to merit the costs risk.  To date, data protection damages awards have been relatively low (typically between £1,000-£10,000 per claimant).  Where claims are brought purely in respect of non-material damage this seems likely to remain the case.  Unlike in the US, punitive damages are only very rarely awarded in the UK, and currently we have only limited precedent of damages awards made against commercial organisations held liable for a data breach.  We are awaiting the quantum judgment in the class action brought against Morrisons supermarket[1]; this will inform potential future group actions and, depending on the damages awarded, may encourage/discourage litigants and funders accordingly.   

Finally, related to the required size of class and damages claimed, one recent decision by the UK courts has raised the question of whether there is now, at least in relation to claims brought against data controllers without an EU presence, a minimum threshold applicable before the courts will entertain a class action relating to data protection.  In the judgment handed down in Lloyd v Google[2] last month, the judge appeared unimpressed by the amount of damages that each individual would receive, particularly once the percentage of damages reserved for payment of legal costs and return on the funder's investment was taken into account.  This appears to have partially influenced his decision that the claim amounted to an abuse of process and his consequent refusal to permit the claimants to serve the claim form out of jurisdiction on Google.  Whether this will crystallise into a threshold in all such compensation claims for non-material damage against non-EU entities (or indeed against those based within the EU as well), remains to be seen, but will certainly sound a warning shot to those considering class actions.

Will the floodgates remain closed?

So, can data controllers kick back and breathe a big sigh of relief, safe in the knowledge that the dam remains shored up against the threatened barrage of class actions? In short, no.  There are a number of reasons why it remains advisable to prepare for the tidal wave, including:

• There is clear evidence that claimant lawyers and litigation funders are gearing up for the fights in this area.Experienced US and Australian class action law firms are mobilising their troops; for example, the US firm Sanders Phillips Grossman has recently opened a UK arm based in Liverpool and has been advertising online and in the press for claimants to join its proposed class action against British Airways (following its recently announced data breach).These firms are sophisticated litigation outfits, with class action credentials and funding structures that are likely to succeed in persuading affected individuals to sign up to proceedings.
• Whilst we await the quantum decision in Morrisons, earlier this year the courts held that the supermarket was in fact liable for the data loss suffered by the 5500 employees who brought the class action against it (and the Court of Appeal recently upheld this decision).This is despite the fact that the ICO investigated Morrisons' part in the incident and concluded that it was not liable.This decision will almost certainly encourage potential claimants (and deeply concern potential defendants) and demonstrates that claimant law firms will not only concentrate on ICO decisions to inspire their choices on which entities to target in their next action.
• Slowly but surely, the thinking around forming Article 80 representative bodies is developing.Somewhat unsurprisingly, early to the party was None Of Your Business (NOYB) the body set up by the privacy activist, Max Schrems, to enable him to continue his campaign against Facebook's privacy practices. In France, a similar body, La Quadrature du Net, has been established to bring seven separate complaints against a number of US-based internet companies.It seems likely that privacy activists in other EU Member States will learn from these bodies how to qualify as a representative body pursuant to Article 80; when this happens we anticipate a growth in representative actions.
• Speculation about class actions to date has largely focussed on litigation arising out of data breaches.Whilst this will surely be a key driver in the growth of data protection-related class actions, it is easy to imagine claimant law firms casting their net more widely to also target companies found liable for other sorts of non-compliance with GDPR once enforcement action starts being taken by regulators.
• The high profile nature of the GDPR's entry into force, and the fact that it bestows stronger rights upon data subjects, has led to a rise in low-value claims by individuals.A significant portion of commercial organisation's legal resource is now being taken up in fighting off this plague of small but "important-in-principle" claims.Savvy claimant lawyers can watch and learn where these smaller claims gain most traction, and build larger class action campaigns from these.
• Finally, although the Article 80 representative action, as adopted in the DPA 2018, remains opt-in only, the UK government has committed to a review of this in 2020 – and so it is not beyond the realm of possibility that, in the field of data protection class actions, an opt-out model more akin to that of the US class action regime, may yet be in our future.

Best tips for staying waterproof

If the spectre of class actions remains, what are the steps you can take to minimise the damage they could cause to your organisation?  If you're handling large amounts of data, particularly in a consumer-facing environment, then sadly it's probably a case of when-not-if you face some sort of litigation threat, but that doesn't mean there aren't measures you can implement now that will allow you to be in an optimal position for responding to that threat when it comes.  For example:

• Get your house in order with GDPR compliance: the trend to date is for claims relating to consumer/customer-facing data processing.Whilst back-end processing should also be assessed for compliance (particularly as regards employee data, bearing in mind the Morrisons case), if you have limited resources it makes sense to start by fixing "the shop window".Revisit privacy policies and notices and examine them for compliance with GDPR.
• Pay attention to complaints-handling: well-considered communications at an early stage with customers/employees who approach you with a data protection grievance can significantly reduce the risk of subsequent litigation. Train your staff on how to recognise a data protection complaint and the escalation procedure for ensuring it reaches the right hands for resolution as quickly as possible. Also, take note of the data protection practices in relation to which you receive the most frequent complaints and consider whether there's an easy(ish) fix that could avoid the complaints from spiralling into larger claims.
• Be careful to preserve legal privilege: from the outset of a complaint, any communications you exchange internally relating to it could potentially be used against you later in court.If such communications contain speculation, for example, as to your organisation's liability, then it is easy to envisage how damaging this could be later down the line. The best way to minimise this risk is to seek advice from lawyers on how to maximise your chances of asserting legal privilege over any and all communications about the dispute, and again ensure staff are trained on how to put this into practice.
• Be wary of the use of Data Subject Access Requests as a litigation tactic: under the GDPR there are enhanced rights for individuals to obtain information about the data you are processing about them.Increasingly these are being used by data subjects to fish for further ammunition to fuel active litigation against a business, or to obtain sufficient evidence to get an action off the ground.It is therefore critical to adopt the right approach to responding to such requests so as to avoid revealing any hostages to fortune that could come back to bite you subsequently.Again, seek legal advice in this respect, and ensure staff are properly trained.
• Plan and practice your data breach response: not only should you ensure that your organisation has the processes and expertise in place to comply with the strict breach notification requirements set out in the GDPR but, again, competent handling of a data breach in its early phase (including obtaining the cooperation of any third party suppliers who can assist in minimising damage to personal data and enlisting the skills of a good PR advisor to work on messaging) can be invaluable for staving off potential litigation.
• Watch for significant ICO decisions/penalties: as explained above, these will provide a good indication of the types of complaint that class action law firms will likely be focussing on.