Data Protection Report - Norton Rose Fulbright

In November of 2015, the English High Court in London approved a Group Litigation Order (“GLO”) allowing employees of one of the United Kingdom’s largest supermarket chains to join the pending action.

The action arises out of a data security breach that occurred in March of 2014 when a disgruntled former employee stole and published payroll details for approximately 100,000 employees.  We believe it may be the first GLO approved for claims arising out of a data breach. The former employee, who was sentenced to an eight-year term of imprisonment, uploaded employee “salaries, National Insurance numbers, dates of birth and bank account details” to data-sharing websites.  The data is reported to have been posted for a few hours before the company had the data removed.  Following the incident, the company reported that “th[e] theft was not the result of an external penetration of our systems” and stated that “there has been no loss of customer data and no colleague will be left financially disadvantaged.”

Under the British group litigation system, affected individuals must positively “opt-in” to an action to be included in the claim.  While there are rumours that several thousand claimants have already opted in to the action, the firm handling this litigation is currently seeking additional claimants to join the action during the four-month period for enrollment set out in the GLO.

One of the key issues in this case is likely to be influenced by the England and Wales Court of Appeal’s decision in Google, Inc. v. Vidal-Hall, [2015] EWCA Civ 311.  There, the court held that claimants can state a claim for “distress,” enabling them to recover damages, without having to prove pecuniary loss.

Under Section 13(2) of the U.K.’s Data Protection Act 1998 (the “Act”), an individual who “suffers distress” arising from a breach is entitled to compensation only if the individual “also suffers damage” or if the breach “relates to the processing of personal data for the special purposes,” which include journalistic, literary or artistic purposes.

Although historically, this “damage” requirement had been interpreted as meaning pecuniary loss, the Court of Appeal decided this was incompatible with the right to an effective remedy under Article 47 of the EU Charter of Fundamental Rights. What was needed was “the disapplication of section 13(2), no more and no less.” In reaching its decision, the Court of Appeal held: “[s]ince what the Directive purports to protect is privacy rather than economic rights, it would be strange if the Directive could not compensate those individuals whose data privacy had been invaded by a data controller so as to cause them emotional distress (but not pecuniary damage)”.

On July 28, 2015, the U.K. Supreme Court granted Google permission to appeal the Court of Appeal of England and Wales’ decision.  Although Google’s application for permission to appeal was granted, the case has not yet been decided by the Supreme Court and the case does not yet appear on the Court’s list of “current cases,” which publishes a list of cases, summaries, and case details “a few weeks before the appeal is due to be heard by the Court.”

Our Take

Although it is unlikely that group data breach litigation will become as prevalent in the United Kingdom as it is in the United States, this action could signal increased interest in data breach class actions by British firms, particularly if the Supreme Court upholds the Court of Appeal’s decision that damages are recoverable without the need to prove any pecuniary loss.  The interest of potential claimants in this case, coupled with a decision that Section 13(2) does not apply, could present significant additional exposure for companies operating in the U.K. that are the victims of data breach incidents.
