Data Protection and the Rights of the Ordinary Individual
December 18, 2018
“If men will have multiple injuries, actions must be multiplied too; for every man that is injured ought to have his recompense” (Chief Justice Holt, 1704)
The predictions of floodgates opening and US class actions coming to the English courts following the implementation of the General Data Protection Regulation (GDPR) have been exaggerated; there has not yet been one.
The GDPR was expected to empower the individual and demand greater transparency from data controllers. Following the availability of group remedies with the Consumer Rights Act 2015 and the rise in litigation funding there appeared to be a receptive environment for potential group actions. However, UK representative actions are subject to restrictions under the Rules of Court, which means that they cannot develop into anything resembling the nature and scale of US class actions.
In the US the class action is a social institution. It regulates conduct, it is a deterrent, it rewards lawyers who act as gatekeepers, and it compensates the public. Culturally the UK has not shown acceptance of US Court practices, particularly the class action. “Compensation culture” has not been viewed with universal approbation in the UK, by the public or the courts. The popular reaction to PPI exemplifies this; huge efforts by claims management companies have only resulted in 12 million claims being brought even though regulators estimate there are some 64 million mis-sold policies. The British public is reluctant to pursue compensation.
The UK government’s decision not to adopt the opt-out option in the GDPR Article 80(2) reflects the lack of enthusiasm. Opting-in requires any qualifying representative body to collect signatories with all parties choosing to opt-in. The criteria to qualify as a representative body include that they must be not-for-profit, have “statutory objectives which are in the public interest” and be “active in the field of the protection of data subjects’ rights and freedoms”. In the US a single claimant can represent an entire group, resulting in a large class action as claimants have to opt-out.
English common law requires that damages should be limited to compensation for an actual loss. The US operates a punitive damages regime; juries hear the case and set the damages, which can then be trebled if the judge considers the defendant should be punished. None of this applies in the UK.
There is a commercial barrier in the UK, as small amounts historically awarded in this jurisdiction for data breaches are insufficient to support a group action. The prospect of scant financial reward means there is little incentive for claimants to opt-in to a group action. Even if sufficient claimants can be identified, their reticence means that trial lawyers would not have a critical mass of claimants to represent.
There are no successful test cases and no financial incentives to make such costly and time-consuming cases appealing for claimant firms or litigation funders. There is little to entice lawyers to build a case. Also, ironically, the unsolicited direct communications that the GDPR seeks to limit actually hinder the ability of claimant lawyers to find signatories for group actions and the chances of one happening.
In the RBS Rights Issue Litigation last year, the court ordered the funder to pay £7.5 million security on account of soaring costs. This shows a court can take into account the fact that a party is funding litigation on a commercial basis and seeking to profit from it. The costs order caused the funder to re-evaluate the risks of continuing the litigation, which had an influence on the final settlement reached in June 2017.
The structure of group actions and the funding mean that proceeds go into the pockets of litigation funders and claimant lawyers, not to the claimants themselves. The Lloyd v Google case was the first time a data misuse representative action was brought in the UK. The cause of action was for misuse of confidential information and damages under section 13(1) of the Data Protection Act 1998. It concerned a “cookie” attached to the Safari app used in Apple iPhones, which, without the user’s knowledge or consent, tracked “visits by the device to any website displaying an advertisement from [Google’s] vast advertising network, and to collect considerable amounts of information.” In the US, there had been a substantial regulatory penalty and payments in consumer-based claims brought by the Attorneys General of 37 States. In England there had not even been a regulatory penalty.
The claim for damages was negotiated, based on what would be a reasonable price for a license to use the data. Mr Justice Warby (Warby J) held that this was not available under English Law for the collecting and misuse of data.
Warby J stated that the claimant was seeking to represent individuals who “have not authorised the pursuit of the claim, nor indicated any concern about the matters to be litigated”. He added that, even though Google’s actions were potentially a breach of duty, “the main beneficiaries of any award by the end of this litigation would be the funders and the lawyers by a considerable margin” and that the case would consume a “considerable amount of court time”. The claimant claimed to be a “representative claimant” under CPR 19.6, alleging a group with a shared grievance. However, loss would have to be assessed on an individual basis and there was not a “shared interest” between the individuals, a requirement for a representative action. The judge did not allow the case to proceed.
There is no track record for data abuse group claims being successful in the UK, no financial inducements for lawyers or funders, and nothing to whet the appetite for individual claimants to become involved. When the Consumer Rights Act 2015 was introduced with its opt-out clause relating to damages actions, there were similar predictions that there would be a wave of US-style class actions. Collective proceeding orders under section 47B of the Competition Act 1998 (which allows opt-out proceedings) were not granted by the Competition Appeal Tribunal on the facts in Dorothy Gibson v Pride Mobility Products Limited (mobility scooters) and Walter Hugh Merricks v MasterCard Incorporated (Credit Card charges). The GDPR does not provide as much scope as section 47B, as in the UK it is opt-in only.
The Morrisons data breach case might indicate that there could be certain group actions. Mr Justice Langstaff held that although the supermarket was not the data controller and had no personal liability for a data leak affecting some 100,000 employees, it was vicariously liable for the data controller. The case provided employees with the opportunity to claim compensation against their employer for distress: Various Claimants v Wm Morrisons Supermarket Plc  3 W.L.R. 691. There is a strong policy argument for protecting employees and giving them an effective remedy against their employer for data leakage. Employees should receive compensation when the data controller, a person given that role and funded by the employer, is liable for data leakage.
Culturally, economically and legally the UK is not yet receptive to group actions on the scale of US class actions. Regulatory bodies can impose fines. The EU directive offered member states the opportunity to provide redress to individuals damaged through data abuse, on an opt-out basis. That opportunity has not been taken, at least until 2020 when there is the opportunity for the UK Government to review implementation of Article 80. Roman law set the bar with its principle of ‘Ubi jus ibi remedium’ (where there is a right there is a remedy). This is a fundamental principle of the English common law; Chief Justice Holt said in 1704, “…It is no objection to say that it will occasion multiplicity of actions; for if men will have multiple injuries, actions must be multiplied too; for every man that is injured ought to have his recompense.” Data misuse is an area where the rights of the ordinary member of the public are yet to be protected with an effective remedy.