Riding the tidal wave - Part Two

By Bryony Hurst


In the second of a two-part series on data protection-related class actions, Dispute Resolution partner, Bryony Hurst examines a few of the class actions already underway and steps businesses can take to further prepare for when the tidal wave hits. 

Who’s taken a dip so far?

You can be sure that the economics of class actions dictates that claimants and their lawyers will follow the money. If an organisation commits a breach of data protection law that impacts lots of people in a serious way, claims will be brought against that organisation even where forum-shopping is not an option. For example, following British Airways’ data breach in 2018, one claimant law firm published its first advertisements for data subjects to join its class action against the company within a couple of weeks of the breach being announced. If they have a choice, they will of course seek to commence claims in the friendliest forums – but if they have to, or if the maths means it makes sense, they will also get creative to tackle the trickier jurisdictions. A good example of this is the actions recently brought in the Netherlands (and shortly to be brought also in the UK) by The Privacy Collective, a civil rights group, against Oracle and Salesforce in relation to their use of cookies to collect data for use in real time bidding. The Privacy Collective has been very open about choosing the Netherlands due to the collective action regime available there, and has also spoken about its hopes of taking advantage of the Court of Appeal’s decision in Lloyd v Google to pursue remedies in the UK. 

The Lloyd v Google case itself is another example of claimants taking on a jurisdiction which historically has presented hurdles to collective actions, and to circumvent a legislative lacuna to establish a new route to mass remedies. A note of caution for excitable claimant lawyers in this regard: whilst the novel structure of the Lloyd v Google claim does appear to present an opportunity to craft a collective action that passes the representative action standing test, this will not be a one-size-fits-all solution to data protection group claims. As a more recent case (Jalla & others v Shell, not a data privacy case) which referred to the Court of Appeal decision in Lloyd v Google has demonstrated, where questions of individual causation still exist, altering your action to claim only a uniform amount of damage à la Lloyd v Google will not convince the court that your action should be squeezed into the mechanism. In the UK we are currently witnessing a rise in group claims following on from data security incidents, typically alleging that passwords and data belonging to individuals has been stolen as a result of a lapse in an organisation’s IT systems; in cases such as these, one could envisage a large question mark over whether damage suffered by any given individual was caused by this particular security lapse, or one of the many other data breaches that occurs daily, and which could also have allowed the individual’s data to be stolen, proving an obstacle to a Lloyd-style effort. The Court of Appeal, in its obiter comments, also appeared to support the continuance of some sort of de minimis threshold for data protection group claims, indicating that “an accidental, one-off data breach that was quickly remedied” would not give rise to a claim for loss of control over personal data alone. This is the lone encouraging aspect of the decision and one that potential defendants are hoping the Supreme Court will confirm (and expand usefully on).

Another good indicator of tomorrow’s class actions is today’s regulatory investigations. Class action lawyers and litigation funders can window shop potential claims by watching and waiting to see where data protection authorities are focusing their energy and, more importantly, who they decide to penalise most stringently. One current trend is the attack on adtech –  an industry under a great deal of regulatory scrutiny that has already been criticised by many data protection authorities as being in breach of the GDPR in various significant respects.  For consumer associations looking to expedite change and hammer home to large organisations the need to alter their practices, filing mass damages claims alongside regulatory complaints is proving a popular tactic. For example several civil rights groups in France are focused on changing what they see as unacceptable data practices by Big Tech. Two of note currently are the Internet Society France’s claim against Facebook in respect of 7 different data privacy-related complaints (which, it was announced last month, has failed to settle and so will head to court shortly), and UFC-Que Choisir’s action against Google which focuses on Google’s targeted advertising data practices, which commenced last summer and in respect of which a decision on admissibility is pending. 

Another national court system likely to be kept busy by privacy activists (well, one in particular) in times to come is that of Austria, the home of the not-for-profit Noyb, founded by Max Schrems, the perennial thorn in Facebook’s side. Noyb was founded in 2018 to, in its own words, “bring long-term strategic enforcement cases” . It is clear that, in instances where it reaches what it considers to be a regulatory dead end (or delay) in Ireland (where Facebook has its main establishment for GDPR purposes), it will file claims in the Austrian courts to drive matters forward. Austria is another potentially interesting forum for data protection mass actions, being one of only a few Member States to have specifically implemented a right for representative bodies to bring damages claims on behalf of data subjects, pursuant to Article 80(1) of the GDPR. 

It is worth noting that the class action mindset is catching – it is no longer just consumers and their representatives taking on organisations who they view as profiting at the expense of their privacy. In the UK, at least, data subjects are looking at how else their data is being used for commercial gain and testing if there is any value to claiming an abuse of their rights. New types of group litigants are emerging as a result; for example, one well-publicised potential suit, known as Project Red Card, involves over 400 footballers threatening action against gambling operators and data supply companies for use of their performance and tracking data without their consent. Successful or not, it’s not hard to imagine similar cases being brought by athletes in other sports, and in other countries – or analogous actions in other industries.

Put your life jacket on 

As an organisation processing the data of European citizens, what can you do to avoid drowning when this tidal wave eventually hits? 

Wherever actions are brought, you can expect some commonality in tactics used by claimants, and forewarned is forearmed. Where available, claimants will definitely seek to use findings and evidence from published data protection authority decisions, so keep that in mind if you become ensnarled in any regulatory investigation – documents clearly summarising the systems and processes you had in place to minimise harm to data subjects, for example, make for a nice paper trail for a defendant to group actions later down the line. Another common tactic is the use of data subject access requests (“DSARs”) by claimants to fish for information and evidence to bolster any action being put together by their lawyers. Any failure to comply with a DSAR is also sometimes used to beef up a list of other breaches levied against a defendant. For both these reasons, approach DSARs carefully and ensure they are handled properly.

As claimants start to adopt US-style offensive tactics, another certainty is that defendants will do the same in terms of their defence. Expect to see key battlegrounds emerging around class certification and defendant applications equivalent to a US motion to dismiss, as defendants become clued up on challenges likely to cause a collective action to stall early on. Another line of defence likely to cause problems to groups is questioning the suitability and organisation of representative bodies bringing claims on behalf of consumers; different EU member states have their own requirements as to such bodies’ constitutions, structure and funding which one could expect defendants to rake over and use as objections to the progress of any action. 

As a final note, the European authorities have, since their 2018 review, decided that EU-wide legislation is required to harmonise collective consumer actions and a draft directive was recently sent to the European Parliament for approval. If brought into force, it will ensure that a means of collective redress for consumers for a wide range of legal breaches will be available in each member state – and will significantly assist groups with members in more than one member state (a harmonised cross-border action approach is included in the draft text). 

On one hand, this legislation is good news for defendants. It may eradicate, or at least reduce, the need for forum shopping for cross-border representative actions. On the other hand, however, the much talked about tidal wave could finally hit. Whilst the draft introduces the “loser pays” principle across Europe and still prohibits punitive damages, this widespread availability of collective action mechanisms and remedies would still bring Europe a good few steps closer to the US-style mass claims culture. In 2018, then-European Commissioner for Justice, Consumers and Gender Equality Věra Jourová said: “Representative actions in the European way will bring more fairness to consumers, not more business for law firms.”  We will all have to watch this space to see if she was right.

A version of this article first appeared in Global Data Review.