Global Regulation, Local Solutions Emerging Themes 2020 - Page 71



FINANCIAL CRIME AND INVESTIGATIONS
EMERGING THEMES 2020
CONCLUSION
Recent Court decisions have clarified two key
points that were previously seen as barriers
to successful group actions in the UK – the
concept of what “damage” is caused by a data
breach, and the difficulties in obtaining a Group
Litigation Order for class litigation.
In Lloyd v Google the Court of Appeal reversed
the lower court’s decision and ruled that a
loss of control of personal data was “damage”
of itself, and that this damage could be
compensated financially without the need for
the claimant to show any actual financial loss
or distress. This moves away from the previous
position that a claimant needed to identify
actual financial harm or distress as a precursor
to a monetary award.
This approach also overcame another common
difficulty in progressing representative claims
– proving that all members of the class have
the “same interest” in the claim. The Court felt
that all claimants had suffered the same loss of
control of their data. The lead claimant gave up
any reliance on the individual circumstances of
claimants, effectively bringing damages to the
lowest common denominator.
However, this was only a preliminary decision in
the context of seeking permission to serve the
claim abroad. It remains to be seen whether
the claim will succeed and what quantum of
damages, if any, will be awarded.
Moreover, claimants will still need to prove the
claim has passed the de minimis threshold of
being “non-trivial”. Financial institutions may
find some comfort in Sir Geoffrey Vos’s obiter
comment: “that threshold [of seriousness] would
undoubtedly exclude, for example, a claim
for damages for an accidental one-off data
breach that was quickly remedied.”
In a second recent case, Weaver, the High
Court has approved a Group Litigation Order
for claims against British Airways for data
breaches in 2018.
An interesting feature of the British Airways
Group Litigation Order is the test set out for
inclusion in the “class”: to join the action an
individual must have been notified by British
Airways of the data breach, must raise an
issue of whether British Airways is liable to that
individual for damage, and the individual must
have suffered damage (which is not limited
to financial loss or distress). It seems that the
concept of damage for data breaches is one
that will continue to be the focus of these initial
UK litigations for now.
As an alternative to class litigation, firms may
be better served by offering voluntary collective
redress. While collective redress schemes
are fairly common in financial services, they
have been less common to date in respect of
data breaches. News International offered a
collective redress scheme in the phone-hacking
scandal but victims were reluctant to enter it in
preference to court claims as there was no
tariff for damages suffered for this relatively
new sort of claim. It remains to be seen whether
this alternative proves attractive to victims of
data breaches.
The true cost of a data breach
to a financial institution could
be significantly more than the
€20 million/4% global turnover
figure that has been much
publicised under the General
Data Protection Regulation
Together, these two decisions appear to move
the UK closer to a culture of collective actions
for data breach litigation. This leaves financial
institutions subject to potentially significant
liabilities for data breaches affecting large
numbers of users. Combined with exposure
to the Information Commissioner’s Office, the
financial regulators and now potential class
litigants, the true cost of a data breach to a
financial institution could be significantly more
than the €20 million/4% global turnover figure
that has been much publicised under the
General Data Protection Regulation.
ORAN GELB
Partner,
London
70/
Where there has been a
breach, firms will need to
distinguish between
meritorious claims from
impacted data subjects
and vexatious litigants
who are easily mobilised
by consumer groups. A
voluntary collective redress
scheme, or one imposed by
regulators, may help firms
do that on a more costeffective basis whilst also
appeasing public and
regulatory criticism.
SARAH MCATOMINEY
Senior Associate,
London
JACK DUNN
Trainee Solictor,
London
/71

Paperturn



Powered by


Full screen Click to read
Paperturn flip book system
Search
Overview
Download as PDF
Print
Shopping cart
Full screen
Exit full screen