Companies could face the prospect of major US-style class actions for data breaches – with pay-outs potentially running into tens of millions of pounds – under a proposed amendment to the UK Data Protection Bill, which goes way beyond the measures included in GDPR.
According to a report in The Sunday Times, the proposed change has been tabled by Lord Stevenson of Balmacara and Baroness Kidron, and is designed to make it much easier for lawyers to take mass legal action against firms which fail to protect their customers’ data.
While breaches of GDPR do carry substantial fines, of up to €20m or 4% of annual turnover, the UK Information Commissioner’s Office has consistently stated that monetary penalties will be a “last resort”. Last week, Commissioner Elizabeth Denham reaffirmed her office’s commitment to a measured approach.
However, under the amendment, lawyers will no longer have to obtain the consent of those affected by a breach. Instead, it would introduce an “opt-out” system, under which cases could be brought on behalf of all victims without first seeking their permission.
In December, the High Court handed down its ruling in the first data leak class action in the UK, when it ordered Morrisons to compensate more than 5,500 former and current staff over a historical breach, which took more than three years to bring to the courts.
At the time, Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who represented the 5,518 claimants, hailed it as a landmark victory, although the court has yet to decide on the amount of compensation each plaintiff will receive.
The proposed changes to the Data Protection Bill would speed up legal action and will no doubt have lawyers licking their lips. It has been claimed that there is already an army of “no win, no fee” compensation lawyers waiting in the wings, ready to act for clients who deem that the information held on them by companies is potentially damaging.
Julian Box, CEO of cloud business Calligo, recently predicted that once consumers realise companies are holding data that they should not, it could easily trigger a flood of lawsuits. The costs related to that would “dwarf” those handed down by a regulator, he insisted, adding: “We truly think you’re going to see ambulance chasers here.”
Class actions are commonplace in the US. According to the 2017 Data Breach Litigation Report, compiled by US law firm Bryan Cave, there were 76 class actions filed for data loss during 2016, with negligence the most popular legal theory.
One industry source said: “The ICO might be trying to calm the waters, but the legal sharks will be circling. If this amendment is passed, once the lawyers scent blood, there are many firms who will get very badly bitten.”