April 2019

It was anticipated that the introduction of the GDPR would open the door to an increase in the number of data class actions brought against data controllers and data processors pursuant to Articles 77-82 of the new legislation. The GDPR introduces, for the first time, a right to be compensated for distress caused by a data breach. Where there has been non-compliance with the GDPR, Article 79 grants a data subject the following:

“each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed…”.

The GDPR has therefore granted individuals a wider forum in which to bring class action claims. This effectively means that data subjects now have the right to receive compensation from data controllers or processors for the damage they have suffered as a result of non-compliance.

In December 2017 the High Court found Morrisons liable for a former senior employee leaking personal information belonging to nearly 100,000 staff members. The class action case is the first of its kind with the High Court ruling that Morrisons was legally responsible for the data leak. The High Court ruling allows for the nearly 100,000 employees to claim compensation for the distress and upset that was caused as a result. Although we still await the results of this compensation claim, in the meantime employers are being reminded to put in place adequate security processes to insure against negligence by individuals acting in the course of their employment, and to mitigate losses caused by dishonest or malicious employees. Whilst the Morrisons claims were made under the Data Protection Act 1998, claims like this are likely to become more common under the new legislation.

In 2018, British Airways suffered a data breach in which around 380,000 customers’ data was stolen in what was called a “sophisticated, malicious criminal attack”. The GDPR exposes companies to large administrative fines if data subjects have suffered material or non-material damage as a result of such an infringement. Whilst the Chief Executive of British Airways vowed to compensate those who have suffered any financial hardship as a result of the breach, Article 82 of the GDPR goes further and grants data subjects the right to claim compensation if they have suffered non-material damage such as distress. This therefore provides the opportunity for a class action to ensure that British Airways customers are fully compensated for both the material and non-material damage they suffered as a result.

Collective action claims seem set to increase this year following cases like Morrisons and British Airways. However, many issues remain unclear, especially with regard to how damages will be calculated in the wake of data breaches. Given this, organisations should consider doing the following to minimise the risk of data falling into the wrong hands and of being faced with a collective action claim:

  • implement adequate security processes and ensure firewalls are properly configured;
  • ensure that your staff have had proper training on data processing obligations and see that they only have access to the systems they need;
  • monitor who has access to what data by introducing auditing software; and finally
  • speak with your insurance broker – insurance companies are increasingly marketing cyber insurance policies and in the wake of the Morrisons case, organisations are being encouraged to review their current insurance cover and implement an appropriate policy that addresses cyber risks likely to result in significant losses.