Heightened cyber risk spurs rise of data subject claims

Out-Law News | 14 Dec 2021 | 11:24 am

The growing cyber risk to corporate systems and data is spurring a rise in compensation claims made by, or on behalf of, individuals, according to analysis conducted by Pinsent Masons.

Actual or threatened data subject claims were identified in 9% of cases Pinsent Masons’ cyber team worked on over the past 12 months, up from 8% in 2020 and 3% in 2019.

David McIlwaine

Partner

Every single entity that has received a monetary penalty notice issued by the Information Commissioner’s Office following a cyber incident that occurred since the General Data Protection Regulation has been in force, is now also the subject of data subject claims

David McIlwaine of Pinsent Masons said: “The perfect storm has arisen with an increased awareness by data subjects of their data rights, an obligation to notify data subjects where there has been a personal data breach resulting in a high risk of harm to the individual under both UK and EU data protection law, a number of high-profile data incidents, and a focus by claimant law firms to industrialise the process for data subjects to bring actions. Coupled with this is the exponential growth of ransomware which commonly involves exfiltration, and the consequent loss of control of data by the data subjects.”

Individuals enjoy a qualified right to claim compensation from organisations for breaches of UK or EU data protection law for which those organisations are responsible. In many cases, however, individuals are put off from pursuing claims by the cost of litigation and the relatively low value of their individual claims. Nevertheless, McIlwaine said mass claims in the field of data protection and privacy are increasingly common in many European countries, including the UK.

McIlwaine said: “The UK has seen a very significant increase in the amount of litigation by data subjects for compensation under data protection legislation, both where the infringement was allegedly deliberate, such as misuse of personal data by the controller, and where it was not, as in the case of a cyber-attack.”

“To put this in context, every single entity that has received a monetary penalty notice issued by the Information Commissioner’s Office following a cyber incident that occurred since the General Data Protection Regulation has been in force, is now also the subject of data subject claims, including British Airways, Marriott and Ticketmaster. With the exponential rise of cyber attacks during the pandemic, litigation in this area is expected to increase dramatically,” he said.

According to Pinsent Masons’ report, the scope for mass data subject claims differs across Europe.

In the Netherlands, 27 class actions have been filed since rules around class actions were reformed in early 2020. Mass actions are also on the rise in Germany, but they are still largely uncommon in France. In Ireland and Spain, under-developed legislation has impinged on data-related class actions. However, across the EU, it is expected that the new EU Collective Redress Directive, once implemented, will be a significant driver of class action-style cases, including in the field of data protection and privacy.

In the UK, there are a number of routes available by which mass or collective actions may be brought.

“First, multiple claimants may group together to bring similar actions on the one claim form, and we see this occurring reasonably frequently,” said McIlwaine. “Secondly, the court may order a Group Litigation Order (GLO) allowing the individual claims made by multiple individuals to be managed together. Finally, a representative action may be available under the Civil Procedure Rules in England and Wales – where representative actions are permitted by the court, all individuals that meet the class criteria are included in the claim unless they opt out. The introduction of a bespoke ‘opt-out’ class action procedure for data protection and privacy was considered, but ultimately rejected, by the UK government following a consultation exercise.”

A significant ruling by the UK Supreme Court in the case of Lloyd v Google in November 2021 has cast doubt on the viability of data-related representative claims in England and Wales.

“The Supreme Court decision in Lloyd v Google was being watched closely by many stakeholders, with a number of cases put on hold pending the judgment,” McIlwaine said. “We wait to see what will become of those cases.”

“In the UK, the British Airways group litigation will also be closely watched, particularly in terms of the effectiveness of the GLO procedure for managing large-scale litigation. We will also start to see an increasing number of carriage disputes, that is disputes between claimant law firms, and their funders, as to which should lead on a particular mass claim. In the meantime, we foresee the continued rise of data subject claims, with claimant law firms seeking to recover damages, albeit of low value, with costs in addition,” he said.