The Government should activate a clause in UK legislation to give data breach victims stronger rights for legal redress against firms who lose their personal information, in what could be a major blow to the new army of ambulance-chasing law firms.
So says consumer champion Which? on the back of a survey of its members that reveals almost half (46%) whose data was stolen by hackers then went on to experience fraud. This was out of nearly a quarter (23%) of Which? members who said they had had their data compromised following a breach involving a company or organisation.
Which? also heard from people who said they had not only lost money but seen their mental health impacted in the aftermath of being involved in a data breach. These victims have also struggled to get any form of redress from the companies that failed to protect their personal data.
The call comes amid a new consultation by the Department for Culture, Media & Sport on the operation of the “representative” action provisions of the Data Protection Act 2018, which helps to ensure that the standards set by GDPR are enshrined in UK law.
Under the provisions, individuals would be able to ask non-profit organisations to act on their behalf when their data rights have been infringed.
DCMS is also considering new provisions that permit non-profit organisations and children’s rights organisations to undertake similar actions if they consider that an individual’s data rights have been infringed without their specific authorisation.
This could allow representative action in the interest of individuals whose data rights are violated but who cannot readily authorise a non-profit organisation to act on their behalf, such as children or vulnerable adults.
Individuals would be able to opt out of any representative legal action, should they wish, however.
Currently, victims have limited options to seek redress when data breaches occur. Under GDPR, consumers have a right to claim compensation if they have suffered damage as a result of an organisation breaking data protection law, but doing so is far from easy.
The Information Commissioner’s Office, which has so far issued just one fine over a breach of GDPR in over two years, advises victims to take independent legal advice to try to settle with the organisation first. If this fails, victims may be able to make a court claim.
This is where the “no win, no fee” compensation lawyers are aiming to make a killing. Claims over data breaches have rocketed since GDPR came into force, as predicted before the regulation was passed, with cases being planned against British Airways, easyJet, Virgin Media, TalkTalk, Marriott International, the British Dental Association and Google to name but a few.
If the Government were to allow not-for-profit firms to take group actions, this could seriously affect the “no win, no fee” mob.
Which? money editor Jenny Ross said: “Whether we’re shopping online, booking a holiday or signing up to a new mobile phone contract, we have to trust the companies we deal with to protect our details – and if things go wrong we need to know that businesses are held to account.
“We need the ICO to be a regulator with teeth that is prepared to step in and issue fines in the event of companies breaking data protection laws, to ensure more businesses better protect consumers from data breaches.
“Consumers should also have a much clearer route to redress when they suffer the financial and emotional toll of data breaches – and that’s why the Government must allow for an opt-out collective redress regime that deals with mass data breaches.”
One industry insider added: “Consumers should be given the power to get compensation without having to resort to the ambulance chasers. I have been a victim of two recent breaches, at Virgin Media and easyJet, and what have they offered me? Diddly squat, that’s what. Not even ID fraud monitoring.
“The ICO investigations take years so my only hope is to join a group action by a big legal firm, who will no doubt take a huge cut of any payout. How can that be right?”
The DCMS consultation closes on October 22 2020. More details are available on the Gov.uk website.