Mass claims in the data sphere: what will 2021 bring?

While there is plenty of uncertainty on the horizon, one thing we can expect in 2021 is some big developments in relation to collective action claims for data law breaches.

These mass claims from large groups of aggrieved individuals for breaches of their data privacy rights are an increasing risk for businesses, and often follow hot on the heels of data breaches hitting the headlines or high profile regulatory fines. Our recent client publication – The Perils of Data: Are Mass Claims for Data Privacy Breaches the New Norm? – provides an overview of recent developments in collective claims for data breaches and the ways these types of claims can be brought in England. It also suggests some practical steps that organisations can take to address this developing risk. 

The key case to watch out for in 2021 is the Supreme Court’s decision in Lloyd v Google. If the Supreme Court upholds the Court of Appeal’s decision it will mean that groups of claimants can more easily bring “opt-out” representative actions for data breach claims on the basis that all the claimants have lost control of their data (and therefore meet the necessary “same interest” legal test). The appeal is expected in April 2021, with a decision later in the year.

We can also expect to see developments in the other mass claims that are in progress against the likes of British Airways, easyJet, TalkTalk and Marriott following their respective data breaches, as well as new cases that are waiting in the wings pending the outcome in Lloyd v Google. The growing rise in enforcement actions for breaches of data privacy rules in the context of "business as usual" data processing activities is only likely to add to the number of claims.

In addition, we await the Department for Digital, Culture, Media and Sport’s (DCMS) response to its recent consultation on representative action provisions in the DPA 2018. Importantly, the consultation includes “opt-out” style proposals that would enable certain non-profit organisations to take action (including bringing court claims) against organisations for breaches of individuals’ data rights without individuals’ consent.

The DCMS’ proposals and Lloyd v Google have the potential to significantly increase data controllers’ exposure to mass compensation claims and are therefore key areas to watch in 2021.