The Supreme Court has unanimously rejected the notion that compensation can be awarded for “loss of control” of personal data by reason of any non-trivial contravention of the Data Protection Act 1998 (the “DPA 1998”) alone, without the need to prove any facts relating to specific individuals. As a result, the claim could not proceed as a representative action under rule 19.6 of the Civil Procedure Rules CPR because the members of the class did not have the same interest.
The decision will be pored over in weeks to come and was the subject of a nice summary from Google’s lawyers’ Pinsent Masons, yesterday. Osborne Clarke previously summarised the arguments of both sides after the hearing, without trying to predict the outcome, but those who sat through the grilling of counsel at the hearing may not be entirely surprised by the decision.
It’s early days but what are the consequences of the decision for the many post-data breach claims that have been stalled in anticipation of this decision?
Before considering that question, it’s worth pausing to reflect on how important this decision was and how polarised opinions were as to whether class actions of this nature should be allowed to proceed.
As the case proceeded through the courts, and various copycat actions emerged, including against TikTok, Marriott and others, it became very clear that the Court of Appeal’s reversal of the High Court decision by Warby J had the potential to have very severe unintended consequences and create an unhealthy market for ambulance chasing lawyers and litigation funders seeking to profit from the misfortune of companies that are the victim of cyber-attacks.
These consequences were no doubt not lost on Lord Leggatt and the rest of the Supreme Court panel in reaching their careful conclusion, which despite the lengthy history of group actions in the UK that preceded it, can be distilled down to few relatively simple points as to the ordinary meaning of the words in section 13(1) of the DPA 1998 which provide that an individual has a right to claim compensation “where they have suffered damage as a result of a breach of the Act by a controller“. In essence, to determine whether damage has been caused by the breach, you have to look at the circumstances of each case to determine whether any damage was actually suffered. It sounds remarkably simple in hindsight, but of course the back story is much more complicated.
In his conclusion, Lord Leggatt pointed out the vastly different approaches taken by Mr Justice Warby in the High Court and in the Court of Appeal where Mr Justice Warby is now sitting. Warby J saw the case as “an officious litigation, embarked upon on behalf of individuals who have not authorised it” and in which the main beneficiaries of any award of damages would be the funders and the lawyers. The Court of Appeal on the other hand saw the litigation as one of access to justice – the only way of obtaining a civil compensatory remedy for what, if proved, was a “wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit.”
The Supreme Court declined to wade into this policy debate, although it’s not too difficult to detect some sympathy with Warby J’s views as to who is really benefitting from the creativity around the concept of loss of control damages.
What does the judgment mean for post-data breach claims?
The case was about data processing by Google without consent. So how does it apply to cases against data controllers in relation to data that is compromised as a result of data breaches and cyber-attacks, which is the major concern of data controllers in all sectors?
The first thing to point out is that whilst Lord Leggatt was keen to point out that the wording of the GDPR was of no assistance to the court in reaching its decision concerning the old law under the DPA 1998, the reasoning applies in full to the new regime. Without going into detail here, the relevant concepts discussed in the judgment can all be carried across to the GDPR, in particular the basis on which individuals can seek compensation under Article 82 GDPR. Whilst there are minor differences between Article 82 GDPR and section 13 of the DPA 1998, they are not such as to make the Supreme Court decision distinguishable.
Secondly, in analysing the consequences of the decision, it’s important to distinguish between claims brought against data controllers for deliberate acts (for example, processing without a lawful basis for processing) and those brought in relation to omissions, most notably claims that allege a data controller failed to take appropriate technical and organisational measures to protect personal data.
It’s possible that the Court of Appeal did not fully appreciate that armies of former personal injury lawyers, disproportionately operating in the North West of England would seek to use the reasoning in the Lloyd case to circumvent the need to show that the victim of a data breach has suffered financial damage or distress as a result of the breach, therefore potentially paving the way for a class action on behalf of all victims of a data breach and, in some cases, exposing data controllers to eye-watering liabilities for damages.
Lord Leggatt on the other hand, seemed to have spotted that things may have got a little out of control. He set out the maths in his judgment as to what the potential damages liability may have been based on the £750 per person figure claimed by Lloyd on behalf of every member of the class: £750 x 4,000,000 = £3,000,000,000 (£3bn)! That’s a lot of money, even for Google.
Apply similar maths to a start-up company that is the victim of a cyber-attack where the personal information of, say, 50,000 individuals is stolen and you get an even more unjust result: £750 x 50,000 = £37,500,000 (£37.5m) = end of company (even before costs are factored in). You can see why claimant law firms and litigation funders got excited and why data controllers were a little nervous before Lord Leggatt appeared to summarise his judgment.
Whilst these numbers are theoretical in that only a proportion of individuals tend to come forward to collect their share of the spoils from class action awards, the uncertainty of such a potential liability in recent months has been enough to cause corporate transactions to be abandoned pending the Supreme Court’s decision because of the theoretical risk of multi-million pound claims facing companies that were otherwise a very attractive target for buyers. Indemnity insurers simply could not get comfortable with the worst case scenario.
The end of the gravy train
But will we see now see an end to ambulance-chasing data litigation? Unfortunately not.
The litigation that follows cyber-attacks and data breaches is different from the type of claim brought by Lloyd against Google. Many such claims are founded on the basis that the individuals who have been notified of a data breach suffer “distress”, either because they apparently fear that their data might be misused by criminals (thereby causing sleepless nights and illness) or because their personal data has apparently been misused by criminals, for example to commit identity theft or send unwanted emails, including phishing emails. In such cases, unlike in the Lloyd case, the question of liability does not tend to turn on what the data controller did with the relevant personal data but on what it failed to do to protect it. If liability for breaching the legislation in this way can be established, the question then turns on what damage the data subject has suffered as a consequence of that failure.
There is a serious question in most of these claims, as part of the question of liability before quantum can be considered, as to whether the co-called “minimum threshold” is met. In other words, even if there is a technical breach of the legislation, is the breach and/or the damage caused by the breach so trivial such that the controller is not liable to pay damages?
Whilst Lord Leggatt made some helpful comments in this regard, the Supreme Court did not need to address the issue of how such triviality is assessed and when the threshold is met. That debate will therefore rumble on and claimants lawyers will continue to argue that even lost email addresses that are freely available online is sufficiently serious to cross the threshold.
So the Lloyd decision does not spell the end of post-data breach claims. Nor does it mean that we will not see a growth in data protection group actions, albeit that they are most likely to be brought as either test cases or under the group litigation order regime. Indeed, many such claims have been issued or threatened as distress claims without an attempt to use the representative action regime.
How important is knocking out representative claims?
But the Supreme Court has materially changed the data litigation game for claimants and their lawyers.
The knock-out blows to both “loss of control” damages in data protection claims and the ability to rely on CPR 19.6 to bring opt-out class actions will seriously dampen the interest of litigation funders in this market. Without a huge pot of gold at the end and a slam dunk case on liability, the returns won’t be there for funders and ATE insurers to justify the risk in bringing such claims.
Further, where claimants cannot bring claims for misuse of private information alongside data protection claims (which will be very difficult in cases where there is no deliberate act by the controller), claimants will struggle to get any costs protection because ATE insurance premiums are not recoverable for pure data protection claims. The risk of paying adverse costs will therefore likely outstrip any damages they could hope to be awarded and if law firms want to pay ATE insurance premiums themselves, that will make a big dent in any profit margin they can achieve from copy-pasting template letters before action and delegating as much work as possible to paralegals.
Lawyers will of course still be free to run cases on conditional fee (no-win-no-fee) agreements. There may be some good cases where a law firm is prepared to rack up a lot of time knowing that there are reasonable prospects of recovering at least 50% of their costs. But there will be limited scope to claim success fees from their clients in such cases. Those firms that take these risks on a volume basis risk running out of cash to repay lenders if they don’t achieve a good enough success record.
Whilst some of these claims are quite basic once the technical issues have been resolved, the requirement, as emphasised by Lord Leggatt, to focus on individual circumstances, and prove that damage has been caused by the breach, can create high evidential burdens. In some cases it may be necessary to obtain forensic and medical evidence to back up such claims. Judging by some of the recent half-hearted attempts to do this that we have seen, this will be a tall order for many claimants, particularly those running multiple claims at once.
As Lord Leggatt explained, it will in principle continue to be possible to run opt-out group litigation for data protection claims, but only on the issue of liability alone. There are serious questions marks as to whether such claims would be economically viable if the issue of damages has to be resolved further down the line. Claimant lawyers bringing such claims would face the possibility of winning a case on liability, and maybe recovering some of their costs, but then being pushed to the small claims track of the County Court for a damages assessment where the costs of assessing individual claims for compensation will not be recoverable.
So time will tell as to precisely what effect this decision will have on the data litigation market. There will still be plenty of data litigation, especially now that regulators across Europe are ramping up their enforcement activity. But in the short term at least, companies that are already facing data protection representative actions, companies who have recently received litigation threats following a cyber-attack, and the cyber insurance community can all breathe a little easier.