British Airways negotiates the settlement of mass data claim

In December, I attempted to forecast what 2021 might bring in relation to mass claims in the data sphere. The big unknown remains, as we await the Supreme Court’s decision in Lloyd v Google, following a hearing in April. This will determine whether or not groups of claimants can more easily bring “opt-out” representative actions following data breaches on the basis that all the claimants have lost control of their data (following a data breach or otherwise). However, in the meantime there has been a substantial development in the “opt-in” claim against British Airways, which is organised using a group litigation order.

This litigation had been commenced by individuals said to have been affected by a cyber-attack on the airline identified in September 2018. The personal data lost included names, addresses, and payment-card details. BA was separately fined £20 million by the ICO.

On 6 July, BA announced it had reached a settlement with a number of the claimants. The terms of the settlement are confidential, and critically we do not know exactly how many claimants participated and how much BA will compensate each individual. It has been reported that the settlement did not include any admission of liability, suggesting that the settlement offers nothing for other claimants faced with the challenges of showing a cyber-attack by a third party caused the losses claimed.

We do know, however, that the total claimants involved in the case is far lower than it would have been had the claim been “opt-out” rather than “opt-in”. At a case management hearing in February, Mr Justice Saini stated approximately 23,320 claimants had signed up to the group litigation order, representing less than 5% of the total 500,000 eligible individuals. The number may have risen since then, but this was a surprisingly low figure given the incentive of a potentially considerable pay-out. Although the question of the quantum of compensation for distress and/or loss of control of personal data remains unclear, payments in earlier (pre-GDPR) cases have ranged from £750 in cases of minor infringements to £20,000 in the most extreme.

The settlement is therefore a reminder that an “opt-out” regime will lead to claims on an entirely different scale and all eyes remain on the outcome of Lloyd v Google. That being said, claimant-focused law firms are using the widespread publicity of the BA settlement to promote their mass claims against other firms involved in data incidents, including easyJet, TalkTalk and Marriott (notwithstanding the fact that their advertising costs are not recoverable). It is therefore likely that the scale of future data class actions will continue to grow irrespective of the decision of the Supreme Court.