GDR can reveal that Equifax has mounted a wide-ranging attack against an English lawsuit seeking to hold it accountable for its high-profile data breach.
Representative claimant Richard Atkinson sued Equifax in the High Court of England and Wales in October. Atkinson says Equifax could pay up to £100 million (€116 million) in compensation on behalf of approximately 15 million individuals allegedly affected by the data breach Equifax suffered in 2017, which has led to the company facing litigation and regulatory investigations in multiple countries.
Making use of the UK data watchdog’s Equifax regulatory findings, Atkinson alleges that Equifax committed a tortious misuse of private information in relation to data over which he had a reasonable expectation of privacy. He has sued Atkinson as a representative claimant on behalf of an opt-out class of allegedly affected individuals.
He also said the company intruded on his privacy, and that it failed to comply with the UK’s pre-GDPR legislation. He seeks damages based on an infringement of his and the class’s data protection rights; misuse of private information; and loss of control of their personal data.
In court documents obtained by GDR, Equifax’s counsel argued that the lead claimant had no expectation of privacy over the information that was affected – as the data, which comprised Atkinson’s name, date of birth and landline phone number, was listed in a public phone directory.
The company said names and dates of birth are not inherently private as the information is inevitably widely disseminated, and that a publicly available phone number “self-evidently cannot be private”.
What’s more, Equifax said, the claimant “did not exert any meaningful control over that data” – and that data subjects cannot complain they have suffered loss of control damages where third parties have lost control of the data. The company also said there can be no meaningful loss of control over data when it has been gathered from sources other than the subjects themselves, which was the case for the affected data.
“[T]he fact that the controller is not the originator of the data, does not exert exclusive control over the data, and indeed has obtained such data from external third party sources means that there is no relevant loss of control where the data in the hands of the controller is subject to third-party criminal attack,” Equifax said.
The company went on to say that the claim could only proceed if it met a seriousness threshold under the European Convention of Human Rights: “That threshold is not even arguably met on the facts of the case … the impact (if any) on the claimant’s privacy rights and his right to data protection was at best trivial.”
Equifax also denied that it owed a tortious duty or common law obligation to keep Atkinson’s data secure or reasonably secure.
Lloyd v Google and breach v monetisation
As part of its arguments, Equifax said that loss of control damages are not available under the UK’s pre-GDPR data protection legislation or under the common law tort of misuse of private information, when claimants have suffered no distress or monetary loss.
“To the extent that the Court of Appeal decided otherwise in Lloyd, that case was wrongly decided,” the company said.
The appeal court in Lloyd had revived a “loss of control” representative action against Google, overturning a High Court ruling that the claimants could not seek damages without proving loss or distress.
Equifax went on to reiterate that data subjects cannot recover loss of control damages when data was controlled by third-party controllers – in this case Equifax – as opposed to being controlled by data subjects themselves.
The company distinguished the litigation with Lloyd, where Google had taken data that was controlled by data subjects without consent to monetise it; the case had involved argument that the data had economic value to the claimants. In a case where a data controller has lost control over data due to a criminal attack, loss of control damages are not available, Equifax said.
“Further or alternatively, following Lloyd … loss of control damages are not available in cases involving trivial loss,” the company added. “In the present case, if the claimant suffered any loss of control, it was at best trivial.”
No class action available
Under English procedural rules, representatives can sue on behalf of others that have the “same interest” in the litigation.
But Equifax said that the claimants in the Atkinson lawsuit do not have the same interest, as different individuals’ claims involve different categories of data and will necessarily have different interests.
In Lloyd v Google, the Court of Appeal ruled that the class Lloyd represented had the same interest, as they were “all victims of the same alleged wrong” and all suffered loss of control of their data.
Equifax’s lawyers wrote that Lloyd was “wrongly decided”.
And in data breach cases, Equifax said, opt-out class actions such as the Atkinson litigation should only be allowed to go ahead when there is a statutory basis for such collective action – for example under legislation that created them for competition law cases, or under the GDPR.
“Such legislation is designed and intended to afford protection to persons affected by a legal wrong in a confined set of circumstances and that has been carefully considered and calibrated by the legislature,” Equifax’s lawyers wrote.
“That is not the case here. In the absence of any legislative framework, such an opt-out class action creates uncertainty and unfairness to the defendant,” they continued, noting for example that it would be unclear how individuals would be certified, what would happen to unclaimed sums from aggregate damages, or how a comprehensive and final settlement binding all members of a class would be possible.
Equifax added that instead of remedying an injustice, the Atkinson case would “principally serve to enhance the financial interests of the claimant’s lawyers and/or litigation funders” – and that if it were to go ahead, the case would encourage similar litigation that mainly serves the financial interests of claimant lawyers and funders.
It urged the court to use its discretion to stop the case from going ahead as a representative action: “If the data subjects are victims of the attack, then so too is the defendant.”
Ryan Dunleavy, partner and head of media disputes at Stewarts Law in London, told GDR that Equifax’s defence is “aggressive”.
“The defence is also very detailed, which reflects the fact that there are so many undecided points that the media and communications courts are going to have to make rulings upon in the near future for these types of cases,” he said.
“Of particular interest in this matter is that Equifax … is raising ‘threshold of seriousness’ and ‘triviality’ points, even though the claim alleges that multiples of millions of records of individuals in the United Kingdom were affected by a data breach that forms the background to the class action, and even though the claim has relied upon a report by the UK’s Information Commissioner’s Office as well as ... the ICO [having] imposed the maximum monetary penalty on Equifax,” Dunleavy said. He said it is “not yet clear in the very limited English case law law available exactly how high the bar will be set for seriousness/triviality when it comes to data privacy class actions.”
Dunleavy also said Equifax’s argument that Lloyd v Google was wrongly decided is “a bold move when we do not yet know what the Supreme Court is going to decide on the Google case, assuming that appeal goes ahead”.
Counsel to Equifax
Anya Proops QC and Robin Hopkins in London
Counsel to the plaintiffs
Exchange Square Chambers
Louis Browne QC and Ian Whitehurst in Liverpool
Hayes Connor Solicitors