Compensation Claims

Compensation Claims's Tags

Tags related to this article

Compensation Claims

Published 17 December 2021

On 6 December 2021, at our annual Data Protection & Cyber Conference, Hans Allnutt, Patrick Hill, Eleanor Ludlam and Astrid Hardy spoke about the developments in data breach compensation claims from the past year.

2021: evolution of privacy litigation

Hans Allnutt spoke about the evolution of privacy litigation. The law in this area is fast developing and a timeline was provided of privacy litigation from 1998 through to 2021 with a snapshot of the notable cases and how this has developed with our increased use of the internet. The session focussed on the key judgments which have helped clarify the way in which Courts assess what claimants are entitled to claim for, how the actions can be brought, what level of damages are awarded for each cause of action, which forum and jurisdiction is appropriate for bringing a low value data breach claim and the costs associated with those claims.

The notable cases in 2021 were:

  • Warren v DSG Retail Limited [2021] EWHC 2168 (QB), where Justice Saini found that misuse of private information and breach of confidence will never be appropriate causes of action in the event of such a breach. The only question is whether the security of the data was sufficient. In a data breach claim arising from a cyber-attack, therefore, an ATE premium would not be recoverable by a claimant. Read more in our client alert here.

  • Lloyd v Google LLC [2021] UKSC 50 reversed the Court of Appeal judgment in favour of Google stopping a £3bn representative action for the mere loss of control of data and dismissed Mr Lloyd's claim. Read more in our client alert here.

  • Johnson v Eastlight Community Homes [2021] EWHC 3069 (QB), where Master Thornett observed that the claim included overlapping and often inadequately pleaded causes of action. Master Thornett struck out the entirety of the claim, save for the GDPR claim and confirmed that the case had all the hallmarks of a Small Claims Track claim. This case will therefore have significant ramifications for how low-value data breach claims should be brought: they may still be brought but should be simplified and within the cost controlled environment of the Small Claims Track of the County Court with no recoverability of ATE insurance premium from the Defendant. Read more in our client alert here.

The challenges of individual claims

Astrid Hardy spoke about the challenges of individual data breach compensation claims and how the strategy compares when dealing with volume compensation claims. Astrid expanded on the recent legal developments, including Warren v DSG and Eastlight v Johnson, and applied this practically to how this will impact individual vs volume claims. Notably, the key trend is claimant law firm's costs and how this impacts settlement strategy.

Astrid highlighted that some claimant law firms are trying to circumvent the recent cases cited above in arguing that the appropriate forum for low value simple data breach claims is the Small Claims Track of the County Court by issuing claims as multi-party claims to argue that the claimed amount in the aggregate is over the Small Claims Track threshold. One to watch for 2022.

Astrid also spoke about the claims farming activities used by Claimant law firms over the past year and the lengths they will go to for book-building.

Collective redress - Group Litigation Orders ("GLO")

Patrick Hill spoke about Group Litigation Orders and the developments seen over the past year in some notable cases currently being heard by the Courts. GLO's are relatively modern and were introduced as part of the CPR rules in April 1999 (but they were in existence beforehand, albeit informally). A GLO is a mechanism under CPR 19, which permits a number of claims which give rise to a collective interest to be managed collectively (otherwise known as GLO issues). However, each claim is an individual claim.

The key features are that the claims are: (i) brought as a group, usually with at least ten claimants and often using the same lawyers; (ii) all claimants wishing to join the group litigation must apply to be entered on the group register (i.e. they must "opt in") by a date specified by the court; and (iii) a GLO will not be permitted if the court considers it more appropriate that the claims are consolidated or for there to be a "representative action".

GLO's are not very common in England and Wales yet (a list is published on the English Court’s website) and this is possibly a result of the lack of an opt-out system.

In Weaver and others v British Airways (BL-2019-001146) - The High Court granted a Group Litigation Order (GLO) on 4 October 2019, effectively giving the green light to a class action from about 500,000 BA customers affected by the cyberattack. The affected individuals had until March 2021 to join the class action. The action was transferred to the Media & Communications List and there is a Tomlin Order on the Court file dated 7 July 2021 may indicate at least part of the claim may have settled.

Collective redress - Representative Actions

Eleanor Ludlam spoke about Representative Actions with an overview of the mechanism, and most notably the much-anticipated decision by the Supreme Court in Lloyd v Google.

Representative actions may be made by (or against) one or more persons who have the "same interest" in a claim (CPR 19.6). One or more of them represents the others who have that same interest i.e. named claimant or defendant prosecutes or defends an action on behalf of itself and a class of individuals. Members of the represented class are not joined to the action and are therefore not automatically subject to disclosure or costs obligations. Any judgment or order given is binding on all persons represented but the judgment can only be enforced by or against a person who is not a party to the claim with the permission of the court.

To bring a claim under CPR 19.6, case law establishes three elements to be satisfied for (i) the representative party; and (ii) the persons that party represents, to have the same interest:

  • A common interest;
  • A common grievance; and
  • A remedy beneficial to all.

Lloyd v Google - Representative actions and what next?

On 10 November 2021, the Supreme Court handed down its judgment, finding in favour of Google. The Supreme Court was clear that the claim against Google was not able to succeed for two reasons. First, Lloyd needed to establish that damage had been suffered in order to claim compensation under section 13 of the Data Protection Act 1998 (“DPA”). That is distinct from a mere contravention of the Act. Second, in order to assess compensation under section 13, it would be necessary to consider matters such as over what period time Google tracked individuals, the quantity and nature of data captured, how that data was used and what commercial benefit there was to Google in processing it. In the absence of any evidence of any of these matters, an individual is not entitled to compensation. The metaphorical floodgates of data protection class actions have been held shut by the Supreme Court. Read more in our client alert here.

A number of class actions, against Marriott, Facebook and YouTube, for example, had been stayed pending the Supreme Court’s decision in Lloyd v Google and we will watch with interest how those claims unfold. It seems reasonable to conclude that privacy and consumer rights campaigners will argue that the judgment inhibits the enforcement of individuals’ data protection rights given the costs associated with individual privacy claims. 


Hans Allnutt

Hans Allnutt

London - Walbrook

+44 (0) 20 7894 6925

Patrick Hill

Patrick Hill

London - Walbrook

+44 (0)20 7894 6930

Eleanor Ludlam

Eleanor Ludlam

London - Walbrook

+44 (0)20 7894 6098

Astrid Hardy

Astrid Hardy

London - Walbrook

+44(0)20 7894 6595

< Back to articles