Data breach representative actions: hints at a rising tide?

We had previously identified that the Court of Appeal's judgment in Lloyd v Google LLC would mean that we would be likely to see an uptick in opt-out representative class actions in respect of data breaches. While Google has been granted permission to appeal to the Supreme Court, a decision is unlikely to be available until early 2021, leaving the door open for claimant groups to litigate data breaches/misuse under the precedent set by the Court of Appeal. One such claim has recently been filed in the High Court, with another expected imminently.

Marriott and Oracle/Salesforce

A major representative action was filed in the High Court earlier in August against the hotel group, Marriott International. The representative action against Marriott concerns a data breach that exposed the information of around 500 million guests around the world between July 2014 and September 2018; our blog post on the fine imposed by the Information Commissioner's Office (ICO) can be found here.

In a similar vein, the Privacy Collective, a Dutch non-profit foundation, has filed a class action lawsuit against Oracle and Salesforce in the Netherlands, alleging that the two companies have violated the GDPR by using third-party cookies to process and share personal data in order to sell targeted adverts online. A parallel English High Court representative action against Oracle and Salesforce is expected to follow in the next few weeks.

Drawing inspiration from Lloyd

To bring a claim under the representative action procedure, which is set out at Part 19.6 of the CPRs, it must be demonstrated that the whole class has the "same interest" in the claim. Both the Marriott and the Oracle/Salesforce data breaches concern large and potentially diverse claimant groups containing individuals that may have suffered varying types of damage (or no damage) caused by the respective data breaches.

Following the approach in Lloyd, both claimant groups will likely assert that their respective members have the "same interest" by disavowing any reliance on facts specific to the individuals and claiming a uniform per capita sum in respect of each claimant's loss of control over their data. The claims will also rely on the precedent set in Lloyd that permitted the award of damages for loss of control of personal data even where there is no pecuniary loss or distress.

Third-party funding and looking to the future

These representative actions will be of interest to observers of the litigation funding space. In both cases, the claims have been backed by third-party funders (Harbour is backing the Marriott class action, and Innsworth, who is also funding the Mastercard class action, is funding the Oracle/Salesforce action). The scope, following the Court of Appeal's decision in Lloyd, for claims to be pursued for uniform (and thus, quantifiable) damages on behalf of very large and diverse claimant classes represents an attractive proposition for funders. Likewise, claimant groups of this type will often have cash-flow issues of their own and thus require third-party funding to get their claim off the ground.

The combination of the Court of Appeal's permissive interpretation in Lloyd, together with the increased appetite among litigation funders to back these types of claims, looks set to increase the prevalence of representative actions by victims of data breaches, at least until we have a decision from the Supreme Court. Some will tout this as a victory for access to justice, particularly as there is no other effective collective means of redress available to victims of mass data incidents. Others, and in particular, data controllers, will be concerned that, barring a decision in Google's favour in the Supreme Court, we could see a deluge of these types of claims in respect of data breaches. It may then become normalised for data controllers to be expected to pay out twice in respect of data breaches: once in respect of ICO fines and then again in respect of civil class actions.