30th Floor, North Tower, Beijing Kerry Centre, 1 Guanghua Road, Chaoyang District, Beijing, 100020
+86 10 8519 0011
50th Floor, Central Plaza, 18 Harbour Road, Wan Chai, Hong Kong
+852 2521 5621
Room 4605, Park Place, 1601 Nanjing West Road, Jing An District, Shanghai, 200040
+8621 6321 1166
Suite 2405, 24/F, SCIA Tower, Qianhai Shenzhen-Hong Kong Modern Service Industry Cooperation Zone of Shenzhen, Shenzhen, 518000
+86 755 6123 5666
Select your language
Please accept the geolocation request appearing in your browser
Find other officesOUT-LAW NEWS 2 min. read
14 Dec 2021, 11:24 am
Actual or threatened data subject claims were identified in 9% of cases Pinsent Masons’ cyber team worked on over the past 12 months, up from 8% in 2020 and 3% in 2019.
David McIlwaine
Partner
Every single entity that has received a monetary penalty notice issued by the Information Commissioner’s Office following a cyber incident that occurred since the General Data Protection Regulation has been in force, is now also the subject of data subject claims
David McIlwaine of Pinsent Masons said: “The perfect storm has arisen with an increased awareness by data subjects of their data rights, an obligation to notify data subjects where there has been a personal data breach resulting in a high risk of harm to the individual under both UK and EU data protection law, a number of high-profile data incidents, and a focus by claimant law firms to industrialise the process for data subjects to bring actions. Coupled with this is the exponential growth of ransomware which commonly involves exfiltration, and the consequent loss of control of data by the data subjects.”
Individuals enjoy a qualified right to claim compensation from organisations for breaches of UK or EU data protection law that they are responsible for. However, in many cases individuals are put off from pursuing claims due to the cost of litigation and relative low value of their individual claims. However, McIlwaine said mass claims in the field of data protection and privacy are increasingly common in many European countries, including the UK.
McIlwaine said: “The UK has seen a very significant increase in the amount of litigation by data subjects for compensation under data protection legislation, both where the infringement was allegedly deliberate, such as misuse of personal data by the controller, and where it was not, as in the case of a cyber-attack.”
“To put this in context, every single entity that has received a monetary penalty notice issued by the Information Commissioner’s Office following a cyber incident that occurred since the General Data Protection Regulation has been in force, is now also the subject of data subject claims, including British Airways, Marriott and Ticketmaster. With the exponential rise of cyber attacks during the pandemic, litigation in this area is expected to increase dramatically,” he said.
According to Pinsent Masons’ report, the scope for mass data subject claims differs across Europe.
David McIlwaine
Partner
We foresee the continued rise of data subject claims
In the Netherlands, 27 class actions have been filed since rules around class actions were reformed in early 2020. Mass actions are also on the rise in Germany, but they are still largely uncommon in France. In Ireland and Spain, under-developed legislation has impinged data-related class actions. However, across the EU, it is expected that the new EU Collective Redress Directive, once implemented, will be a significant of class action-style cases, including in the field of data protection and privacy.
In the UK, there are a number of routes available by which mass or collective actions may be brought.
“First, multiple claimants may group together to bring similar actions on the one claim form, and we see this occurring reasonably frequently,” said McIlwaine. “Secondly, the court may order a Group Litigation Order (GLO) allowing the individual claims made by multiple individuals to be managed together. Finally, a representative action may be available under the Civil Procedure Rules in England and Wales – where representative actions are permitted by the court, all individuals that meet the class criteria are included in the claim unless they opt-out. The introduction of a bespoke ‘opt-out’ class action procedure for data protection and privacy was considered, but ultimately rejected, by the UK government following a consultation exercise.”
A significant ruling by the UK Supreme Court in the case of Lloyd v Google in November 2021 has cast doubt on the viability of data-related representative claims in England and Wales.
“The Supreme Court decision in Lloyd v Google was being watched closely by many stakeholders, with a number of cases put on holding pending the judgment,” McIlwaine said. “We wait to see what will become of those cases.”
“In the UK, the British Airways group litigation will also be closely watched, particularly in terms of the effectiveness of the GLO procedure for managing large-scale litigation. We will also start to see an increasing number of carriage disputes, that is disputes between claimant law firms, and their funders, as to which should lead on a particular mass claim. In the meantime, we foresee the continued rise of data subject claims, with claimant law firms seeking to recover damages, albeit of low value, with costs in addition,” he said.
Contact an adviser
Stay ahead by signing up to our weekly email of news and expert analysis, tailored for you
Data, privacy & cyber
Valid email address
Thanks, we have sent an email to
Please check your inbox to confirm your subscription. The confirmation email may take up to 15 minutes to arrive.
• Check your spam or junk folder
• Ensure your email address was entered correctly.
• You can amend your details and resubmit if required
• If the email has still not arrived, please contact us for assistance
OUT-LAW NEWS
An historic ruling against a multi-million pound libel suit highlights the needs for broader speech protection laws in the UK, according to an expert.
OUT-LAW NEWS
Upcoming changes to China’s export tax rebate system will materially affect global supply chains, including South Africa’s solar panel market, an expert has said.
OUT-LAW NEWS
Australia’s new mandatory merger control regime will enter its next major phase this week, on 1 April, introducing additional notification thresholds and voting power rules that expand the number of transactions requiring clearance.
We use cookies that are essential for our site to work. To improve our site, we would like to use additional cookies to help us understand how visitors use it, measure traffic to our site from social media platforms and to personalise your experience. Some of the cookies that we use are provided by third parties. To accept all cookies click ‘accept all’. To reject all optional cookies click ‘reject all’. To choose which optional cookies to allow click ‘cookie settings’. This tool uses a cookie to remember your choices.
Please visit our cookie policy for more information.
