A Collection is a selection of features, articles, comments and opinions on any given theme or topic. It allows you to stay up‑to‑date with what interests you most.
Login here to access your saved articles and followed authors.
We have sent you an email so you can reset your password.
Sorry, we had a problem.
Tags related to this article
Published 17 December 2021
On 6 December 2021, at our annual Data Protection & Cyber Conference, Hans Allnutt, Patrick Hill, Eleanor Ludlam and Astrid Hardy spoke about the developments in data breach compensation claims from the past year.
Hans Allnutt spoke about the evolution of privacy litigation. The law in this area is fast developing and a timeline was provided of privacy litigation from 1998 through to 2021 with a snapshot of the notable cases and how this has developed with our increased use of the internet. The session focussed on the key judgments which have helped clarify the way in which Courts assess what claimants are entitled to claim for, how the actions can be brought, what level of damages are awarded for each cause of action, which forum and jurisdiction is appropriate for bringing a low value data breach claim and the costs associated with those claims.The notable cases in 2021 were:
Astrid Hardy spoke about the challenges of individual data breach compensation claims and how the strategy compares when dealing with volume compensation claims. Astrid expanded on the recent legal developments, including Warren v DSG and Eastlight v Johnson, and applied this practically to how this will impact individual vs volume claims. Notably, the key trend is claimant law firm's costs and how this impacts settlement strategy.
Astrid highlighted that some claimant law firms are trying to circumvent the recent cases cited above in arguing that the appropriate forum for low value simple data breach claims is the Small Claims Track of the County Court by issuing claims as multi-party claims to argue that the claimed amount in the aggregate is over the Small Claims Track threshold. One to watch for 2022.
Astrid also spoke about the claims farming activities used by Claimant law firms over the past year and the lengths they will go to for book-building.
Patrick Hill spoke about Group Litigation Orders and the developments seen over the past year in some notable cases currently being heard by the Courts. GLO's are relatively modern and were introduced as part of the CPR rules in April 1999 (but they were in existence beforehand, albeit informally). A GLO is a mechanism under CPR 19, which permits a number of claims which give rise to a collective interest to be managed collectively (otherwise known as GLO issues). However, each claim is an individual claim.The key features are that the claims are: (i) brought as a group, usually with at least ten claimants and often using the same lawyers; (ii) all claimants wishing to join the group litigation must apply to be entered on the group register (i.e. they must "opt in") by a date specified by the court; and (iii) a GLO will not be permitted if the court considers it more appropriate that the claims are consolidated or for there to be a "representative action".
GLO's are not very common in England and Wales yet (a list is published on the English Court’s website) and this is possibly a result of the lack of an opt-out system.
In Weaver and others v British Airways (BL-2019-001146) - The High Court granted a Group Litigation Order (GLO) on 4 October 2019, effectively giving the green light to a class action from about 500,000 BA customers affected by the cyberattack. The affected individuals had until March 2021 to join the class action. The action was transferred to the Media & Communications List and there is a Tomlin Order on the Court file dated 7 July 2021 may indicate at least part of the claim may have settled.
Eleanor Ludlam spoke about Representative Actions with an overview of the mechanism, and most notably the much-anticipated decision by the Supreme Court in Lloyd v Google.Representative actions may be made by (or against) one or more persons who have the "same interest" in a claim (CPR 19.6). One or more of them represents the others who have that same interest i.e. named claimant or defendant prosecutes or defends an action on behalf of itself and a class of individuals. Members of the represented class are not joined to the action and are therefore not automatically subject to disclosure or costs obligations. Any judgment or order given is binding on all persons represented but the judgment can only be enforced by or against a person who is not a party to the claim with the permission of the court.To bring a claim under CPR 19.6, case law establishes three elements to be satisfied for (i) the representative party; and (ii) the persons that party represents, to have the same interest:
On 10 November 2021, the Supreme Court handed down its judgment, finding in favour of Google. The Supreme Court was clear that the claim against Google was not able to succeed for two reasons. First, Lloyd needed to establish that damage had been suffered in order to claim compensation under section 13 of the Data Protection Act 1998 (“DPA”). That is distinct from a mere contravention of the Act. Second, in order to assess compensation under section 13, it would be necessary to consider matters such as over what period time Google tracked individuals, the quantity and nature of data captured, how that data was used and what commercial benefit there was to Google in processing it. In the absence of any evidence of any of these matters, an individual is not entitled to compensation. The metaphorical floodgates of data protection class actions have been held shut by the Supreme Court. Read more in our client alert here.A number of class actions, against Marriott, Facebook and YouTube, for example, had been stayed pending the Supreme Court’s decision in Lloyd v Google and we will watch with interest how those claims unfold. It seems reasonable to conclude that privacy and consumer rights campaigners will argue that the judgment inhibits the enforcement of individuals’ data protection rights given the costs associated with individual privacy claims.
London - Walbrook
+44 (0) 20 7894 6925
+44 (0)20 7894 6930
+44 (0)20 7894 6098
+44(0)20 7894 6595
Darryn Hale, David Hill, Sophie Devlin
Jade Kowalski, Charlotte Halford
Johanna Lipponen, Rebecca Morgan
Hans Allnutt, Patrick Hill, Eleanor Ludlam
Pavan Trivedi, Charlotte Halford
Eleanor Ludlam, Astrid Hardy
Eleanor Ludlam, Pavan Trivedi
Charlotte Halford, Johanna Lipponen
Eleanor Ludlam, Charlotte Halford, Pavan Trivedi
Hans Allnutt, Alexander Dimitrov
Hans Allnutt, Tom Evans
Aidan Healy, Charlotte Burke
Eleanor Ludlam, Camilla Elliot
Eleanor Ludlam, Sonali Malhotra
Brett Randles, Annabel Walker
Hans Allnutt, Florence Clissitt
Justin Tivey, Charlotte Muzabazi
Alex Stovold, Tom Evans
Eleanor Ludlam, Alexander Dimitrov