The end of the road for data breach litigation?

February 2022  |  SPOTLIGHT | LITIGATION & DISPUTE RESOLUTION

Financier Worldwide Magazine

February 2022 Issue


In recent years, there has been a well-documented increase in litigation arising from data breaches. This litigation has been on a grand scale, in the form of representative actions and group litigation orders (GLOs), and on a smaller basis, with individual claimants bringing claims in their own right. Two factors have particularly contributed to this trend. Firstly, the Court of Appeal’s decision in Lloyd v. Google was understood in some quarters to establish an automatic right to damages for the loss of control of data, meaning that any data subject whose data had been compromised could assert a claim for damages without needing to prove distress. Secondly, it was economically attractive to law firms to bring these claims, and for data subjects to permit them to do so, because after-the-event (ATE) insurance could be purchased against the risk of an adverse costs order, in the expectation that the premium could be recovered from the unsuccessful defendant. The practical effect was that data subjects could litigate risk-free, and that it was economically attractive for law firms to represent them under conditional fee agreements (CFAs).

The prospect of follow-on litigation has added to the burden on data controllers. Already faced with maintaining cyber security standards in the face of increasingly sophisticated ransomware attacks and dealing with the very significant demands of a data breach, data controllers have also had to spend their time and resources answering such claims. However, several recent judgments suggest that the tide may have turned decisively in favour of data controllers. This article explains what two of those judgments decided and why they are so important to this still-developing area of the law.

Data breach claims: a quick recap

In general, data breach claims following cyber security incidents have adopted a common formula, seeking damages for loss of control and alleged distress based on a handful of causes of action, as outlined below.

First, breach of confidence on the basis that the compromised personal data (such as name, address, email details and banking information) included information that was subject to a duty of confidentiality.

Second, misuse of private information on the basis that the loss of data constituted a misuse of the data subject’s private information.

Third, negligence on the basis that the data controller breached a duty of care owed to the data subject to keep their personal information confidential.

Fourth, breach of obligations owed under the UK GDPR/Data Protection Act 2018 (DPA 2018) on the basis that the data controller breached some or all of the following obligations, contained in both article 5(1)(a)-(f) of the UK GDPR and sections 35-40 of the DPA 2018, which set out a data controller’s obligations to process personal data: (i) lawfully, fairly and transparently; (ii) only for a specified, legitimate purpose; (iii) in a limited capacity, holding only what is relevant and necessary for the purpose of holding the data; (iv) accurately, with an obligation to delete or rectify outdated or incorrect personal data; (v) only for a reasonable amount of time; and (vi) with appropriate technical and organisational measures that ensure the security of the data, including protection against unlawful processing and accidental loss (also known as the security duty).

Warren v. DSG Retail [2021] EWHC 2168 (QB)

In Warren, the claimant’s personal data was accessed in a 2017 cyber attack exposing his name, address, telephone number, date of birth and email address. The claimant brought a claim in the High Court seeking £5000 in damages for distress, alleging that the defendant was liable under all four heads of liability.

The defendant successfully argued that all claims other than the alleged breach of the security duty should be summarily dismissed. The court decided that allegations of the defendant’s failure to protect data against cyber criminals could not be interpreted as a positive, unlawful act on the part of the defendant who was the victim of a crime. The court further found that imposing a common law duty of care in these circumstances was unreasonable because the UK GDPR and DPA 2018 had already imposed statutory duties.

The effect of Warren was therefore to narrow the liability of data controllers in cyber security claims to their statutory duties alone, where they have not committed any ‘positive act’ in relation to the breach of the data. However, crucially, under the relevant statute it is not possible for a successful claimant to recover its ATE insurance premium from an unsuccessful defendant for claims based solely on the UK GDPR and DPA 2018. As Warren was not appealed, the position is therefore that data breach claims arising from cyber attacks must be based on the UK GDPR and DPA 2018 alone, and that the cost of purchasing ATE insurance cannot be recovered. This dramatically impacts the economic viability of such claims.

Lloyd v. Google LLC [2021] UKSC 50

On 10 November 2021, the UK Supreme Court handed down its much-anticipated judgment, unanimously allowing Google’s appeal and reversing the decision of the Court of Appeal.

In summary, the Supreme Court ruled that damages for ‘loss of control’ are not available for breach of the Data Protection Act 1998 (DPA 1998), and that even if loss of control damages had been available, the claim could not be brought as a representative action as it would still have been necessary to assess the extent of the unlawful processing in each individual case.

Background. Mr Lloyd sought to bring a claim as a representative action against Google on behalf of approximately 4 million individuals, claiming that Google had unlawfully processed browser data taken directly from users’ mobile devices without their consent using what has been called the ‘Safari Workaround’, a technique that bypassed the browser’s privacy settings in order to set tracking cookies for the purposes of targeted advertising.

A representative action is a form of ‘opt-out’ litigation that is brought on behalf of all members of a particular class of claimant, unless they opt out. This type of class action contrasts with a GLO which requires individual claimants to ‘opt-in’ to the litigation.

The procedure for bringing a claim as a representative action is embodied in rule 19.6 of the Civil Procedure Rules, which requires that such a claim may be brought by or against a representative of others who have the ‘same interest’ in the claim. Mr Lloyd argued that this ‘same interest’ test was satisfied as each of the individuals he sought to represent had had their data protection rights breached in the same way. He argued that it was not necessary to prove any facts particular to individuals, on the basis that compensation should be awarded under the DPA 1998 (which was the relevant legislation in force at the time of the alleged breaches, but has since been replaced by the UK GDPR, supplemented by the DPA 2018) for ‘loss of control’ over their personal data.

Google was successful at first instance, before the judge’s decision was overturned in Mr Lloyd’s favour by the Court of Appeal. On appeal to the Supreme Court, the court considered the following key issues. First, loss of control damages: whether a damages claim under the Act could proceed in circumstances where no pecuniary loss, damage or distress has been suffered, with the result that claimants can bring an action for the mere ‘loss of control’ of their data. And second, same interest: whether the ‘same interest’ requirement can be satisfied where the pecuniary loss or distress suffered by members of the claimant class varies, or whether, if recovery for mere loss of control is allowed, the class of claimants will satisfy the requirement because they have all suffered the same loss, namely the loss of control of their data.

Decision and implications. In a decision that will be welcomed by data controllers, the Supreme Court found on these central issues that, firstly, the claim that individuals could recover damages for ‘loss of control’ over their personal data failed on the wording of section 13 DPA 1998. The court held that on its proper interpretation, the term ‘damage’ in section 13 must mean material damage (such as financial loss) or mental distress, and not the unlawful processing itself. Accordingly, claims under the DPA 1998 require proof of financial loss or distress to found a cause of action.

The court also found that a claim for damages will not be able to be brought as a representative action unless the damages claimed can be calculated on a common basis for all the members of the class represented. Thus, the circumstances in which such a claim may be brought will naturally be limited by the compensatory nature of damages as a remedy, given that this will usually require “an individualised assessment which raises no common issue and cannot fairly or effectively be carried out without the participation in the proceedings of the individuals concerned”.

The court’s decision understandably focused on the interpretation of section 13 DPA 1998 as the provision on which Mr Lloyd’s claim was based. While the court did not determine whether the same approach applies to claims brought under the current data protection legislation (namely, the UK GDPR and DPA 2018), it is notable that the equivalent provision in the UK GDPR, article 82, is worded in substantially similar terms. The decision therefore largely removes the threat for data controllers of claims from large numbers of affected individuals seeking damages for the fact of a data breach or cyber attack based on data protection legislation, although ‘loss of control’ damages remain available for breaches of the tort of misuse of private information.

Similarly, although the court was keen to stress that the representative action procedure remains a legitimate means by which to bring low value claims on behalf of consumers, the court’s reasoning in relation to the ‘same interest’ test is likely in practice to limit the use of this procedure as a ‘one stop shop’ means of bringing low value damages claims against data controllers on behalf of a large class of individuals. Instead, claimants may need to adopt a two-stage process of the sort described in the court’s judgment, whereby the representative action is brought to determine issues of liability which can then form the basis for individual claims for compensation. As the court recognised, however, such an approach may in practice be less economically viable for claimants and their funders.


Charlie Weston-Simons is a partner at Norton Rose Fulbright LLP. He can be contacted by email: charlie.weston-simons@nortonrosefulbright.com.

© Financier Worldwide
