What EasyJet teaches us about data breaches and class actions
1st June 2020 - Published by Kuits data protection team
Under Article 82(1) of the General Data Protection Regulation (GDPR), individuals who have suffered damage as a result of a breach of data protection laws (including a data breach) have the right to claim compensation from the company that caused such damage.
Such actions can be brought on an individual basis or as class actions (also referred to as collective actions or group litigation), where numerous claimants who have been similarly affected join the same action in a single case.
Since the implementation of the GDPR and the UK’s Data Protection Act (“DPA”) in 2018, we have seen significant growth in group litigation in the UK’s legal landscape. Whilst it is very unlikely the UK will make a total shift towards U.S.-style class action litigation, the cultural change among legislators, regulators and the broader legal community should serve as a reminder that the UK is very much receptive to class actions. Consequently, we would urge businesses to ensure that their data security measures are sufficient to reduce the risk of regulatory scrutiny, hefty fines and potential group actions.
Here, we look very briefly at the recent background to group actions in respect of data breaches and also give our thoughts on what this landscape might look like in the coming months/years.
Lloyd v Google
In 2018, Mr Lloyd alleged that between 2011 and 2012, Google had used ‘double-click cookie’ technology to secretly track the internet activity of Apple iPhone users, and had then collated, used and sold that data in breach of the Data Protection Act 1998. Mr Lloyd brought the claim in a representative capacity on behalf of an estimated 4.4 million users of certain Apple iPhone devices who, he alleged, had all been subjected to the same abuse of their data and suffered the same damage. These 4.4 million users are as yet unidentified.
Mr Lloyd did not allege any financial loss or distress, but rather that his data protection rights had been infringed and that this led to the loss of control of his personal data. The High Court dismissed Mr Lloyd’s application for permission to serve Google outside of the jurisdiction on the ground that Mr Lloyd (and the other members of the class) had not suffered material damage or distress.
Mr Lloyd’s appeal to the Court of Appeal saw the High Court’s decision overturned. The Court of Appeal held that Mr Lloyd could proceed with his claim on the basis that loss of control of data was, in itself, damage attracting compensation, and that all individuals within the representative class would have suffered the same deprivation of their rights flowing from the loss of control over their personal data. Mr Lloyd therefore served Google outside of the jurisdiction on behalf of the 4.4 million users.
The Supreme Court has now granted permission to Google to appeal the Court of Appeal’s decision to address the following considerations:
1. Whether a non-trivial breach of the Data Protection Act 1998 which does not cause any material damage or distress can give rise to an award of compensation for the loss of control of personal data experienced by the members of a representative action; and
2. Whether it must be possible to identify all of the members of a class when pursuing a collective action.
Unless overturned by the Supreme Court, the Court of Appeal’s finding that compensation can be obtained for a mere loss of control of personal data (without any accompanying financial, emotional or property damage) establishes a much lower threshold for claimants, and an increased risk for organisations controlling and processing personal data. Although this case will be decided under the Data Protection Act 1998, we expect the courts will apply similar rules when dealing with any claims under Article 82 of the GDPR.
We will closely follow the Supreme Court’s reasoning on the issues highlighted by this case.
On 19th May 2020, British budget airline EasyJet announced that it had been affected by a serious data breach. It is understood that the cyber-attack, which occurred in January 2020, compromised the email addresses and travel details of nine million customers, with a further 2,208 customers having their credit and debit card details stolen, including the CVV number. EasyJet failed to notify their customers of this incident until the beginning of April 2020, four months after the breach occurred. In addition to this, EasyJet have only just uncovered the anticipated ripple effect of the breach on their customers, with their recent warning indicating that customers may be at risk of further cyber-attacks, such as phishing emails or identity theft.
We understand that a group action has now been submitted to the English courts in respect of the breach, claiming £2,000 in compensation per affected customer. This means EasyJet’s potential liability to data subjects for the breach could total £18 billion. Any compensatory payments of this kind are entirely separate from any fines which the ICO may impose at its discretion. Under the GDPR and DPA, the ICO has the power to enforce fines of £20 million or 4% of annual worldwide turnover. Taking into account EasyJet’s reported 2019 turnover, the ICO’s fine could reach in excess of £255 million.
By comparison, the cyber-attack suffered by British Airways outlined above compromised the personal data of 500,000 of their customers and the intention is to fine BA £183.4 million. Given the difference in scale between the two breaches, together with EasyJet’s failure to comply with reporting requirements following the breach, we anticipate that its fine could be significantly larger (although we suspect the ICO may exercise some level of leniency given the financial pressures faced by airlines during the current crisis).
Thoughts and conclusions
Although we don’t yet know what damage the affected EasyJet customers are alleged to have suffered to justify the claimed amount of £2,000 per person, until the Supreme Court rules otherwise the claimants do not have to prove any material damage, and so are likely to receive at least some compensation (even if not the full amount claimed). With the number of individuals affected, even half of the claimed amount would have a huge financial impact on EasyJet.
Law firms are now geared up to bring this type of action effectively and efficiently on behalf of individuals (generally working on a no-win no-fee basis), and in some cases are actively seeking out claimants to help them launch the claims. This, in turn, means that more and more individuals are becoming aware of their rights to compensation and are willing to bring claims.
Whilst group actions will typically affect larger businesses whose data breaches make national news, the publicity around these group actions means that individuals are, in turn, becoming aware of their rights to compensation and are willing to bring claims (even if only individual claims). Whilst individual claims don’t on their own have a substantial financial impact, they can still consume valuable time and other resources in dealing with them.
Accordingly, the best way to avoid costly data protection claims is to minimise the risk of data breaches. Our data protection team works collaboratively with IT teams and providers to ensure that businesses put in place appropriate technological and legal compliance measures to protect against situations like this and, if your business is the subject of a breach, to proactively manage and defend claims by data subjects and the ICO.
If you would like advice on data protection, please get in touch with our data protection team on 0161 838 7996 or by email to firstname.lastname@example.org.