Law firms are beginning to build groups of easyJet customers to bring a collective action over the data breach the airline announced last month.
PGMBM and Hayes Connor are both advertising for customers to sign up, while other firms, such as Leigh Day, say they are investigating possible claims.
PGMBM – which recently changed its name from SPG Law – has gained headlines by issuing a claim form and putting easyJet’s potential liability at £18bn, or £2,000 per impacted customer, under GDPR.
Article 82 says customers have a right to compensation for inconvenience, distress, annoyance and loss of control of their personal data.
EasyJet announced on the 19 May 2020 that sensitive personal data of nine million customers from around the world had been exposed in a data breach – four months after the breach itself occurred and notifying the Information Commissioner’s Office.
The data included full names, email addresses and travel data, such as departure, arrival and booking dates.
PGMBM said the exposure of details of individuals’ personal travel patterns “may pose security risks to individuals and is a gross invasion of privacy”, although easyJet said there was “no evidence that personal information of any nature has been misused”.
The firm said it would now seek a group litigation order, having instructed counsel from Serle Court and 4 New Square.
Tom Goodhead, PGMBM managing partner, said: “This is a monumental data breach and a terrible failure of responsibility that has a serious impact on easyJet’s customers.
“This is personal information that we trust companies with, and customers rightly expect that every effort is made to protect their privacy.”
PGMBM said it would take a maximum of 30% of clients’ compensation, while Hayes Connor said its cap was 25%.