Many organisations feared the worst after the introduction of the EU General Data Protection Regulation (GDPR) in May 2018. The levels of fines that can be imposed by regulators have been significantly increased; it is easier for individuals and consumer groups to bring claims regarding a data breach; and individuals can now claim non-pecuniary damages, including for distress arising from the loss of personal data. These factors give rise to a plethora of risks and liabilities for any organisation that processes or controls personal data, and also for its insurers.
GDPR was automatically applicable across the entire EU, which has a population of around 512 million. As a result of the more onerous regulations and easier rules for bringing group actions, and the emergence of an expanding litigation-funder market to back them, market commentators predicted that these were perfect storm conditions that would encourage large US-style class actions for EU-wide data breaches and a substantial uptick in liabilities for large corporates. But will the class-action floodgates open and companies be held accountable? GDPR has been in force for only nine months, so it is too early to give a definitive verdict. But two recent cases in the English courts highlight some interesting possibilities, and point to different directions of travel.
Lloyd v Google
To have a reasonable prospect of succeeding, Lloyd had to establish that he and the other claimants suffered damage. In deciding this issue, the High Court looked at two distinct issues:
- Did the claim give rise to a basis for seeking compensation under the DPA?
- Was there a real prospect that the claim could progress as a representative claim under the English court Civil Procedure Rules (CPR)?
Definition of damage under the DPA
Lloyd did not argue that any distress had been suffered: he relied on the breach itself, rather than any consequences the breach had on the potential claimants. In addition, the extent of any damage suffered will be fact-dependent, and may differ between individuals. Lloyd sought damages on a tariff basis, rather than on the basis of actual damages suffered per claimant.
The definition of damage in the DPA was closely examined in an earlier English case against Google in 2015. In Vidal Hall v Google,2 which also concerned the Safari workaround, the Court of Appeal awarded compensation for the claimants' severe emotional distress and anxiety as a result of Google obtaining, without their consent, information on their internet habits, which was later provided to third-party advertisers. This widened the previous interpretation by the courts, which limited compensation to circumstances where individuals had suffered financial losses.
In Lloyd, the High Court held that although Google's actions may have been an actionable breach, Lloyd fell short of establishing that he, or indeed any of the potential claimants, suffered any damage as a result of the alleged breach.
Limits to collective action claims
The second issue considered by the High Court was whether Lloyd should be allowed to bring a collective action claim on behalf of all the iPhone users reportedly affected by the breach. Despite several arguments as to why the claim should proceed, the court held that the claim did not meet the requirements for a collective action claim under the CPR for three reasons:
- The members of the class could not all have the same interest. The value, nature and the extent to which each individual would be affected by the breach would vary dramatically. As such, there was no uniformity to their respective claims.
- Neither Lloyd nor the court could accurately identify all the members of the class, despite a public appeal to identify affected users. The court highlighted the various estimates of the class size through the various definitions of class put before the court (with a variance in size of 1 million individuals). The court also noted the practical difficulties in ascertaining whether an individual would fall within the defined class.
- Even if all of the members of the class could be identified, any award received by the class members would be nominal and the main beneficiaries of the claim would be the parties' lawyers. Consequently, with regard to the court's overriding objective, the court felt it was important to exercise its discretion and dismiss the claim, particularly given the amount of time and expense that would be required for it to continue for an unidentified number of people.
The claimants' strategy of trying to use the CPR in relation to collective actions was designed to avoid the need to produce evidence from each of the 5,000+ potential claimants that they had suffered distress as a result of the unauthorised use of their personal data. The claim was, therefore, that damages should be awarded on a tariff basis. This gave rise to a total potential exposure for Google of between £1 billion and £3 billion. The court took the view that the real beneficiaries of the action would be the claimants' lawyers and the litigation funders, so it was not prepared to allow a claim to use up valuable court time and resources where there was no evidence that any claimant had indeed suffered any loss.
Although the claim was brought under the pre-GDPR regime, it is likely that the court's reasoning and approach to mass claims for data breaches will also apply to claims under GDPR that are determined by English courts. GDPR also expressly contemplates compensation being awarded where material or non-material damage (i.e. distress) has been suffered. Although under GDPR there is power for data subjects to mandate a consumer protection body to bring claims on their behalf, claims brought in the English courts will still be subject to the same procedural rules (under the CPR) relating to bringing representative claims. In practice, this is likely to make it harder for claimant lawyers to bring mass claims. Accordingly, the High Court's dismissal of Lloyd's claim against Google will provide welcome relief to policyholders and their insurers.
Another recent case involved an action brought by a large number of data subjects against their employer, Morrison Supermarkets (Morrisons), as a result of the criminal actions of a former employee, Andrew Skelton.
Skelton stole personal data (including name, address, gender, date of birth, phone number, national insurance number, bank details and salary information) of almost 100,000 Morrisons employees and deliberately downloaded the information onto a file-sharing website. Skelton had obtained the data through his position as a senior internal IT auditor at Morrisons. He had become aggrieved with the company following disciplinary proceedings relating to his misuse of the company's postal service, and sought to damage the company's reputation through the data breach and by alleging that Morrisons had failed to comply with their obligations under the DPA.
As well as illegally posting the information online, he sent copies of the data to three newspapers, one of which alerted Morrisons, who in turn contacted the police. Skelton was later arrested and sentenced to eight years' imprisonment.
The affected data subject claimants argued that Morrisons should be held vicariously liable for Skelton's misuse of personal information, breach of confidence and breach of its statutory duties under the DPA. At first instance, the High Court held that Morrisons had not breached its primary duties under the DPA, but found it vicariously liable for Skelton's actions.3 The Court of Appeal agreed with the High Court, and held that:4
- The legislative regime imposed by the DPA did not exclude claims for vicarious liability.
- Although Skelton had the intention of harming his employer, there was both an unbroken thread that connected his employment to the unlawful disclosure, and a seamless and continuous sequence of events that led to the data being leaked. Skelton's actions were, therefore, carried out during the course of his employment by Morrisons, which was deemed vicariously liable.
Implications of Morrison Supermarkets
Morrisons is appealing to the Supreme Court, which will have the final say on its potential liability. For now, the decision will be of concern to employers whose staff handle personal data. Despite the fact that the data breach arose solely from the acts of a rogue employee, Morrisons was still held to be vicariously liable. The courts considered only liability, and did not determine the quantum of loss. There were around 100,000 Morrisons employees who could potentially have a claim for damages for the distress of having their personal data released (there was no suggestion that any of the employees suffered financial losses). Even with a nominal damages award of £100 for each claimant, this results in an aggregate exposure for Morrisons of around £10 million. But a more realistic award is likely to be in the region of £1,000+ per claimant, which results in a potential exposure for Morrisons of more than £100 million.
In addition to the liability exposure to third parties, the potential penalties under GDPR for data breaches (€20 million or 4 percent of global turnover, whichever is the higher) are significantly higher (previously the maximum fine was £500,000).
Both of these decisions highlight the growing importance of cyber insurance to reduce exposure from third parties as a result of a data breach. The availability of insurance was raised by the Court of Appeal in Morrison Supermarkets, where the employer argued that it was unjust for it to be held liable for excessive sums when the breach was not its fault. The Court of Appeal's response to that submission was that "the solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest and malicious employees." Insureds should, therefore, consider whether they are adequately protected by their existing insurance programmes for risks arising from data breaches, including those that arise from employees.