Class actions are widely known for their popularity in the United States. These types of actions are now developing in the UK because of recent data breach litigations.

In the UK, group litigation can arise in two different scenarios: Group Litigation Order (“GLO”) or representative actions. GLOs are orders given by the Courts to manage collectively different claims that give rise to “common or related issues of fact or law”. The claimants in a GLO need to opt-in to join the GLO; however, all claims remain separate. A representative action, on the other hand, allows a representative to bring an action on behalf of a class of claimants who have the “same interests” in the claim. Any judgment in a representative action will be binding on all class members represented, unless they actively opt-out’of the claim. It is worth noting that the English Courts have discretion to allow any group litigations to proceed.

There has been a recent rise in group litigation before the English Courts as a result of personal data breaches, where the courts seem to be embracing a more pro-individual approach. This increase can be linked to the strengthening of individuals’ rights in general, but also to two provisions of the General Data Protection Regulation (‘GDPR’):

  • The express provision that claims can be brought by a representative (Art. 80 GDPR); and
  • The right for compensation for material or non-material damage (Art. 82 GDPR).

Not long after the Information Commissioner’s Office (“ICO”) announced that it intended to fine British Airways (“BA”) for a 2018 data breach, the High Court allowed a GLO, comprised of approximately 500,000 claimants, to proceed.

In 2019, in a case against Google LLC, Richard Lloyd issued a representative action against Google in relation to the “Safari Workaround”, which, he alleges, allowed Google to track users’ activity and sell browser generated information to third parties without the users’ consent. In its decision, the Court of Appeal overturned the High Court’s decision and allowed Richard Lloyd’s representative action against Google to proceed, The Court of Appeal considered that “loss of data” is enough to give rise to damages, the “same interest” threshold was met as all affected class members had their browser generated information sold without their consent, and preventing the claim would have essentially barred any other remedies for the class members. Google was since granted permission to appeal to the Supreme Court, which is due to be heard in late 2020 or 2021.

Following from the Court of Appeal’s decision in Lloyd v Google LLC, this year we have seen two new representative actions relating to data protection breaches come before the English Courts. A representative action has been issued against Marriott International for a data breach between 2014 and 2018, which exposed the personal data of around 500 million individuals, while another representative action was issued against Google Ireland Limited regarding the unlawful use of children’s data on the social media platform, YouTube.

What does the future hold?

The future of group litigation is still uncertain, however the Supreme Court’s decision in Lloyd v Google LLC will certainly provide useful guidance regarding representative actions and will set an important precedent. If the Supreme Court upholds the Court of Appeal’s decision, this could potentially open a floodgate of group litigations, especially in the sphere of data protection. An even bigger incentive for controllers to get (and keep!) their house in order when it comes to data protection compliance.

We will watch out for, and keep you updated with, any further developments in the cases referred to in this blog.