Shortly after the Court of Appeal handed down its judgment this month in Lloyd v Google allowing a £1bn to £3bn representative data protection claim against the technology giant to proceed in the Media and Communications Court in London, a second data breach class action was launched in the English High Court.
This time the claim was against credit reference agency Equifax. The High Court compensation action relates to Equifax’s failure to protect the personal information of up to 15 million UK citizens during a cyber attack in 2017.
In 2018 Equifax was fined £500,000 for this breach by the UK’s data protection and information rights regulator, the Information Commissioner’s Office (ICO). This was the maximum fine possible at the time, as the applicable relevant legislation pre-dated the implementation of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Under the UK’s new privacy and data regime, the fine could have been up to €20m (or the equivalent in sterling), or 4% of the total annual worldwide turnover in the preceding financial year, whichever was higher.
The incident affected 146 million customers globally and happened in the US, but the ICO decided that Equifax Ltd was responsible for the personal information of its UK customers.
We could shortly see many more representative actions of this nature being launched in the English High Court. Only time will tell, particularly as Google has said it will appeal this month’s Court of Appeal decision allowing data protection class actions to proceed in the UK.