Two recent developments in the United Kingdom highlight the growing risk of privacy litigation and “group actions”, a risk that is likely to increase further following the entry into force of the General Data Protection Regulation (“GDPR”) in May 2018. The focus to date on GDPR has largely been on the revenue-based fines that can be imposed for non-compliance. However, litigation risk, particularly group action litigation risk, is potentially an equally significant hazard for organisations and should not be overlooked in GDPR readiness programmes.
Article 82 of the GDPR provides a legislative basis for the right to compensation for both “material” and “non-material” damage caused by infringement of the GDPR. This reflects the decision of the Court of Appeal in Vidal-Hall v Google  EWCA Civ 311, which was the first group action in the United Kingdom taken based on data protection law, where the court held that damages for distress could be claimed against data controllers for contravention of the Data Protection Act 1998, even where there was no financial loss. This is significant as it is often challenging to prove that a specific data breach caused a particular financial loss – information used by fraudsters and criminals could have been gleaned from various different sources – whereas it is easier to prove that a claimant is distressed about their personal data having been compromised following a personal data breach.
The Vidal-Hall decision has since been relied upon in successful claims for damages for distress including TLT & others v Secretary of State for the Home Department and the Home Office  EWHC 2217 (erroneous publication of personal data by the Home Office) and Gulati v MGN Ltd  EWCA Civ 1291 (phone hacking). The Vidal-Hall proceedings are now being continued as a larger “representative action” – a claim brought by an individual on behalf of a group, in this instance “Google You Owe Us” – led by Richard Lloyd, the former executive director of the consumer group “Which?”, discussed further below.
The GDPR makes it simpler for consumers to claim compensation as part of a wider group by providing a statutory right under Article 87 to mandate any claim for damages to a not-for-profit body, organisation or association – providing a legislative basis to permit such bodies to solicit and co-ordinate group actions for damages.
GDPR also makes it more likely that consumers will be made aware of potential claims as controllers (those organisations who determine the purposes and means of processing) are required to notify regulators and, in the case of high risk data breaches, affected individuals of personal data breaches.
Even before the commencement of the GDPR, two developments in the past week signal that group actions are likely to be encountered on a more regular basis in future.
“Google You Owe Us” – Representative Action
On 30 November a campaign group called “Google You Owe Us” announced that it intended to raise a group claim against Google. The group claims that between June 2011 and February 2012 Google obtained personal information by bypassing the default privacy settings on the iPhone to install cookies in the Safari web browser.
It is alleged that collecting personal data in this manner in respect of individuals’ browsing histories to target adverts at them – known as the “Safari Workaround” – was in breach of the data subjects’ rights under section 4 of the Data Protection Act 1998 and the data protection principles. It is suggested that in the region of 5.4 million people in England and Wales alone may each be eligible for compensation.
The group advises on its website that the action is funded by a “third party funder” – an organisation which agrees to cover the costs of bringing the action in return for a share of damages.
This means that claimants bear none of the costs of bringing the claim, while if the claim is unsuccessful the third party funder loses its investment in the form of its costs. The “Google You Owe Us” website indicates that the claimant has, however, arranged for the third party funder to take out After the Event insurance so that the insurer pays the winning side’s costs in such circumstances. If the claim is successful, the funder will receive a fee and, after that is paid, the damages will be distributed to those who are covered by the claim.
The ability to raise proceedings while relying on third party funding and insurance, coupled with the new statutory rights under Article 87 of the GDPR described above, is likely to fuel the trend of group actions based on breach of data protection laws.
Various Claimants v Wm Morrisons Supermarket PLC  3113
In a decision issued on 1 December 2017, the High Court considered the ability to claim damages for distress based upon the actions of a Data Controller’s employee.
In 2013, a Morrisons employee posted an edited version of Morrisons’ payroll file online. This resulted in criminal proceedings based on breach of the Computer Misuse Act 1990 and section 55 of the Data Protection Act 1998 and, following conviction, an eight year prison sentence for the employee in question. Subsequently, over 5,500 claimants joined a group action raised on the basis that Morrisons was either directly liable or had vicarious liability for the acts of its employee.
Employer’s vicarious liability for insider threat
The High Court found that Morrisons was not directly liable for the individual’s acts and could not have anticipated what happened or taken steps to prevent disclosure. However, in a ruling that will have significant implications for employers whose employees cause or contribute to a data breach (often referred to as “insider threat”), the High Court held that Morrisons was vicariously liable for the actions of its employee.
The High Court rejected Morrisons’ arguments to the effect that the Data Protection Act 1998 did not allow for any common law vicarious liability and instead reached this decision under the extended concept of acting “in the course of employment” developed in recent cases before the UK Supreme Court.
Repercussions and next steps
Permission was granted to Morrisons to appeal. It remains to be seen whether the dispute will indeed reach the Court of Appeal or instead be settled prior to a trial on quantum, which would be expected to be heard by the High Court in 2018, and whether such settlement could encourage potential claimants who were affected, but did not form part of the original group action, to raise separate proceedings.
The decision highlights the risks of data breaches arising from within organisations. While this year has seen many instances of cyberattacks and data breaches originating from external hackers, the “insider threat” posed by rogue employees can be as damaging as the threat posed by external actors, as the Morrisons case demonstrates.
Further, this judgment has implications for all companies who rely on employees or agents to process data. The actions of a rogue employee can expose data controllers to potentially significant financial liability, even where the controllers have taken reasonable steps to secure their data in compliance with the legal standard of care. Controllers should consider what else they can do to prevent these issues, such as internal monitoring of employee system activity to flag inappropriate system usage and regular audits of user access controls to ensure that permissions are only afforded to employees who are appropriately vetted and who continue to require access.
Evidence of non-compliance
The decision is also important with regard to the evidentiary threshold which claimant lawyers will need to meet to show that a failure to comply with data privacy law has taken place. As most of the facts were not in dispute, having been established during the criminal trial, the hearing in the Morrisons civil case proceeded without any of the claimants being called to give evidence.
On this basis, the evidentiary burden in civil privacy litigation where the criminal courts or regulators have already imposed sanctions or fines is likely to be significantly lower than in other cases. Such regulatory action is likely to make private claims that follow enforcement action more straightforward.
These two matters are likely to be a taste of things to come under GDPR as a result of a combination of (i) mandatory breach notification requirements under GDPR; (ii) the removal of any requirement to prove financial loss in order to claim compensation; and (iii) the availability of third party litigation funding and insurance to cover adverse costs, making group actions a relatively low risk venture, particularly where criminal courts or regulators have already established liability.
Organisations should therefore prepare for increased privacy litigation risk in the run up to May 2018 and consider how to address the menace of insider threat. What amounts to appropriate defensive controls will vary among organisations and specialist advice should be obtained. Controls are likely to include a combination of: reviewing and updating incident response policies; training response teams; training staff on how to recognise incidents and the vital importance of reporting them quickly to internal response teams; appointing specialist legal, forensics and communications advisors; ensuring that threat detection and data loss prevention technology and controls are implemented (where appropriate); ensuring that access rights are appropriate and regularly reviewed and updated; and reviewing cyber insurance policies to ensure that there is sufficient coverage for the higher losses likely to arise under GDPR.