Mass claims for data breaches: if Lloyd v Google doesn’t open the floodgates then perhaps the DCMS will?

Giving proper effect to individuals’ data privacy rights is at the heart of the GDPR and Data Protection Act (DPA) 2018. It is therefore no surprise that s187 DPA 2018 allows ‘representative actions’. Individuals can ask certain non-profit organisations to complain to the ICO on their behalf about a data controller or processor, represent them in court when seeking to resolve those complaints and bring court claims against organisations for data law breaches.

DCMS consultation

The Department for Digital, Culture, Media and Sport (DCMS) has launched a consultation on the effectiveness of the existing provisions, acknowledging that to date the take-up is “quite low”. Based on data from early this year, only around 65 complaints made to the ICO since May 2018 came from organisations on behalf of individuals (in total the ICO received 41,661 complaints in 2018-2019) and the DCMS is not aware of any qualifying court claims. 

Significantly, the review will also consider introducing a form of ‘opt out’ rule enabling non-profit organisations to take action for breaches of individuals’ data rights without affected individuals’ consent. ‘Opt out’ style class action claims are common elsewhere (notably the US) but are currently only available in England for private competition damages claims. The importance of this change, particularly in terms of bringing mass compensation claims in the courts and the consequential risks for large data controllers, is difficult to underestimate.

Current law: impact of Lloyd v Google

Under r19.6 of the English Civil Procedure Rules, opt-out representative actions can be brought in other areas (outside of competition law) on behalf of persons who have the “same interest” in a claim. (Group litigation is possible under other rules, but individual claimants must actively ‘opt in’.) The r19.6 regime has not been widely used, primarily because the courts have traditionally required that the “same interest” test address both the legal basis of the collective claims and the damages sought. That regime may be about to grow in popularity in the data privacy sphere because of Lloyd v Google, a representative claim purportedly brought on behalf of five million iPhone users against Google for breaches of DPA 1998. The Court of Appeal allowed the claim to proceed, in part because, to satisfy the “same interest” test, the claimants accepted a ‘lowest common denominator’ level of damages (for loss of control of their personal data). The Supreme Court will have the final say when it hears the case next April, but a significant number of similar claims have been filed (such as against Marriott) or are waiting in the wings.  

Next steps

Where English law goes on this will be of real interest to data controller organisations and individuals wishing to give effect to their data privacy rights (and claimant law firms and funders looking to bring ‘mass claims’). 

The deadline for consultation responses is 22 October 2020. The government must report to Parliament on the s187 DPA 2018 provisions by 25 November 2020.