The introduction of the General Data Protection Regulation (GDPR) will only increase the appetite for group or representative action for data breaches, a QC has claimed.
Ben Williams said the current climate was “ripe” for this development.
Writing on the 4 New Square website with colleague George McDonald, the silk said: “Not only is misuse of private information a hot topic both in the press and the legal world, but group and representative claims are being successfully pursued through the courts and aspects of the GDPR will prompt further communal action.”
With large corporations now collecting and holding personal data “on an industrial scale”, they said recent privacy scandals illustrated that data breaches often arise from systemic failings on the part of data controllers.
“Such infringements are likely to affect a mass of individuals, be well-publicised, share common issues, and be prohibitively expensive for any individual to prosecute. They have all the necessary ingredients for group actions.”
The pair explained that article 82 of the GDPR provided consumers with a statutory basis for compensation from a controller or processor for any “material” or “non-material” damage. Article 80, they continued, “positively encourages representative actions”.
Article 80 says: “The data subject shall have the right to mandate a not-for-profit body, organisation or association which… has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data… to exercise the right to receive compensation referred to in article 82 on his or her behalf”.
The barristers said: “We therefore anticipate that article 80 can and should be used as a successful vehicle for many claims to be brought by one claimant entity on behalf of many individuals.
“This would mirror experience in competition law cases, where a number of high-profile group claims have been brought by high-profile campaigning groups like the Consumers’ Association.”
In addition, article 33 imposes stringent notification requirements on data controllers, meaning they must notify the “supervisory authority” of a personal data breach within 72 hours of becoming aware of it.
Article 34 provides that the data controller must communicate any personal data breach which is likely to result in a “high risk to the rights and freedoms of natural persons” to the data subject without undue delay.
“These self-reporting obligations should lead to: potential claimants being informed of data breaches (whereas in the past they might have been kept in the dark) and many potential claimants being informed of the breach at roughly the same time, leading to communal action,” the barristers predicted.
This would be combined with regulatory action at a similar time. “If the regulator imposes fines or other sanctions on the data controller, that will give claimants the confidence to pursue a claim for compensation through the courts.
“These factors are likely to increase the prospect of group or representative actions for data breaches yet further.”
The article recorded that group and representative actions were already on the go even before the implementation of GDPR.
There is a case against Google for misuse of private information without consent, where the Court of Appeal has held that damages could be awarded for the distress suffered by the claimants.
It is now proceeding as a representative action, with the data breaches said to have affected around 5.4 million people in England and Wales alone.