UK and Europe: a new hub for data breach class actions?

Michael Bywell

Hausfeld & Co, London

mbywell@hausfeld.com

Alexandre Predal

Hausfeld & Co, London

apredal@hausfeld.com

Josie Greener

Hausfeld & Co, London

jgreener@hausfeld.com

Alexander Batty

Hausfeld & Co, London

abatty@hausfeld.com

Recent cases

For a long time, class actions, as understood in the United States, have not really existed in Europe and the United Kingdom. However, although still relatively new, large group claims for data protection infringements are increasingly being heard in these jurisdictions. Recent filings could well be at the vanguard of a shift in culture towards the use of class actions as a means for consumers to obtain redress where they are affected by data breaches.

On 31 May 2017, consumer rights activist Richard Lloyd filed a claim against Google LLC in England and Wales. Lloyd v Google concerns allegations that Google illegally harvested and sold personal data from a class of more than four million Apple iPhone users, on behalf of whom Mr Lloyd seeks damages on a representative basis. On appeal from a decision refusing Mr Lloyd leave to serve the proceedings on Google LLC in the US, the English Court of Appeal, in a ground-breaking judgment,[1] endorsed the use of the representative action procedure contained in rule 19.6 of the English Civil Procedure Rules to enable a class of affected consumers, with the same interest, to recover damages for loss of control over their personal data on an ‘opt-out’ basis.

On the question of damages, the English Court of Appeal recognised that personal data has an economic value and so too does consent to its use. The court concluded that Mr Lloyd, and the class of individuals he represents, lost something of value, namely the right to control their personal data, such that damages for loss of control over that data could properly be regarded as compensatory in nature. The court stated that data subjects could make a recovery on this basis without having to show pecuniary loss or distress.

Google has since appealed to the UK Supreme Court and that appeal was heard in April of this year. The parties currently await the outcome.

In the meantime, several other representative actions in the data breach space have been filed in England and Wales and are waiting in the wings. These include Bryant v Marriott (failure to safeguard customer data);[2] McCann v YouTube (misuse of children’s data);[3] Jukes v Facebook (relating to the Cambridge Analytica scandal);[4] and Williams v Experian (misuse of customer profile data).[5]

Likewise in the Netherlands, which recently introduced a new legal framework for class actions[6] building on a procedure for collective settlements dating back to 2005,[7] a number of group data breach claims have been filed in the past 18 months, including against Facebook,[8] TikTok[9] and Salesforce/Oracle.[10] The Settlement of Large-scale Losses or Damage (Class Actions) Act, which came into force on the 1 January 2020, allows collective claims to be brought in the Netherlands for monetary damages on an ‘opt out’ basis. Dutch law provides a basis for damages in respect of non-financial loss pursuant to Article 6:106 of the Dutch Civil Code.

Regulatory fines

In many instances, claims are brought following findings of data protection infringements by regulators, often resulting in substantial fines. The representative actions against Marriott, Facebook and Experian in England and Wales are instances where class actions have been filed following decisions by the local regulator.

In Ireland and Luxembourg, regulators have recently issued headline-grabbing fines to WhatsApp and Amazon, of €225m and €746m respectively, the largest under the General Data Protection Regulation (GDPR) to date.

While the Amazon decision has not been published, press reports suggest that it concerns GDPR infringements related to targeted advertising and the way in which Amazon presents personalised advertisements to its customers.[11] The WhatsApp fine relates to lack of transparency around how the company processes customers’ data.[12] Interestingly, the fine originally proposed by the Irish Data Protection Commissioner was considerably lower (between €30m and €50m) and was only increased after objections by supervisory authorities in eight other EU countries including France, Germany and Italy – and an intervention by the European Data Protection Board.

While the prospect of fines such as these may act as a deterrent to corporations tempted to shirk compliance with privacy obligations, they do not provide compensation for data subjects affected by breaches. The only way civil compensation may be obtained, absent any settlement payment to those affected, is via the courts.

Collectives in the anti-trust or competition law area

Several recent class actions against ‘big tech’ companies have also been filed in England and Wales in the competition law area. These include a claim on behalf of a class of around 29 million consumers against Qualcomm, which alleges abuse of dominance in the market for standard essential patents and long-term evolution chipsets,[13] as well as claims against Apple[14] and Google[15] for excessive and unlawful charges in Apple’s App Store and Google’s Play Store, respectively.

While these are not data breach cases, they are nonetheless reflective of an upwards trend in the number of class actions being pursued in Europe and the UK, particularly against big tech companies, for infringements of consumers’ rights. A recent report notes that the number of class actions in 17 jurisdictions in Europe (including England and Wales) grew by 120 per cent from 2018 to 2020 across various practice areas.[16]

Why are data breach class actions on the rise and what might the future look like?

The emergence of data breach class actions in Europe and the UK is probably borne out of a confluence of factors, including:

• the phenomenal growth, popularity and power of social media platforms;
• increased activity by data protection regulators across Europe and the UK;
• increased awareness, in the wake of the GDPR, of data protection rights on the part of data subjects including the right to compensation for infringements; and
• increasing recognition by the courts that collective claims, via opt-out style class actions, is the only effective way for consumers affected by data breaches to seek redress.

Slowdown in the foreseeable future is unlikely. Much may depend on how data controllers and data processors react to the increased scrutiny by regulators, the uptick in civil lawsuits by consumers seeking compensation and whether, looking ahead, steps are taken to improve compliance with data protection law and regulation.

For now, the gap between the legal standard and the conduct of certain defendant organisations appears very wide indeed. Looking at recent high-profile decisions by regulators, including those mentioned in this article, it is clear that these are not marginal cases where there might be an argument, for example, that the degree of security was close to satisfactory (in hacking cases) or, in monetisation cases (where data is misused for commercial gain), that required user consents were obtained. Instead, regulators have been highly critical of what they view as extremely serious infringements by organisations which, in some cases, appear to have scant regard for data protection compliance.

For organisations with business models reliant on unfettered access to, and the monetisation of, personal data, increased regulatory activity and the growing threat of consumer actions may be insufficient to encourage a wholesale change in behaviour – especially where market position and profitability are at stake. For others, where personal data might be routinely handled but is not a commodity sitting at the heart of the business model, the dynamic will undoubtedly be different.

Legislative moves are also afoot in Europe. The EU Representative Actions Directive (RAD), which entered into force in December 2020, requires EU Member States to put in place a mechanism for qualified entities to bring representative actions on behalf of consumers. Member States have until December 2022 to transpose the RAD into national law and it will be interesting to see to what extent other jurisdictions, in exercising their discretion around implementation, look to the opt-out regimes of the Netherlands and the UK when it comes to choosing the path ahead.

Litigation funding

Before concluding, a brief word on litigation funding because, without it, consumers in data breach class actions would be unable to pursue civil remedies.

In the case of Lloyd v Google, the court at first instance formed the view that the litigation was ‘officious’[17] with the main beneficiaries being ‘the funders and the lawyers, by a considerable margin’.[18] The judge was concerned that Mr Lloyd, the representative claimant, ‘should not be permitted to consume substantial resources in the pursuit of litigation on behalf of others who have little to gain from it’.[19]

However, the English Court of Appeal disagreed:

‘[T]his representative action is in practice the only way in which these claims can be pursued. I do not accept the judge’s characterisation of this claim as “officious litigation”. To the contrary, this case, quite properly if allegations are proved, seeks to call Google to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit. It is not disproportionate to pursue such litigation in circumstances where, as was common ground, there will, if the judge were upheld, be no other remedy. The case may be costly and may use valuable court resources, but it will ensure that there is a civil compensatory remedy for what appear, at first sight, to be clear, repeated and widespread breaches of Google’s data processing obligations and violations of the Convention and the Charter.’[20]

In other words, the Court of Appeal not only had no objection to the involvement of funders but, from a policy perspective, recognised that it was not disproportionate to allow the case to proceed because, without it, there would be no other remedy for affected consumers. It remains to be seen whether the Supreme Court agrees with that view.

Litigation funders are also active in the Netherlands and backing a number of Dutch data breach class actions filed in recent months.

Commentary

These developments provide strong evidence of a growing market for class actions in Europe and the UK, as well as a cause for optimism that meaningful access to justice for data subjects is here to stay. They represent a shift away from historic caution at the European level, at the heart of which has been the misconception that the availability of class actions as a means for collective redress will somehow open the floodgates to a culture of vexatious litigation.

While it is still early days and some jurisdictions are ahead of others, the overall direction of travel is clear. We expect to see a steady increase in class action filings in the data breach space, in many cases by way of ‘follow on’ to decisions by regulators.

For data controllers facing the prospect of regulatory investigations and follow-on civil claims, the answer must be to increase compliance efforts and ensure their organisations do not fall foul of data protection laws in the future.