Clyde & Co London’s legal director Seaton Gordon believes group claims, and potentially class actions, from data breaches could become the new PPI in 2021.
Gordon notes how, with fewer legal barriers to individuals bringing claims for loss of their personal data have been reducing in recent times, claims management companies and claimant law firms have been increasingly circling the potentially lucrative market in data privacy group action claims.
While there have so far been limited opportunities for them, Gordon says the ICO’s GDPR fines levied against British Airways, Marriott and Ticketmaster changes the situation, provides the claimant market with an opportunity to seek to leverage an adverse regulatory decision to bring claims, as they successfully did with PPI misselling cases.
“The final piece of the puzzle could be a positive outcome for Richard Lloyd in the Lloyd vs Google data protection case that goes before the Supreme Court in early 2021,” Gordon said.
“If Lloyd wins, it will confirm that individuals are, in principle, entitled to compensation if a controller has lost control of their personal data, potentially taking the law closer to strict liability for data protection breaches.
“Moreover, it could potentially open the floodgates to ‘class actions’ with a surge of US-style opt-out ‘representative’ actions likely to follow.”
Gordon added that the threat of a class action claim brought by experienced claimant lawyers seeking to leverage a regulatory sanction will raise the stakes for any organisation that suffers a large and newsworthy personal data breach.
For now, these organisations typically face reputational damage linked to negative headlines, potential loss of consumer confidence and, in all likelihood, a data protection regulatory fine. While these outcomes are unfortunate, they are not ruinous.
“However, a surge of low value compensation claims from hundreds of thousands or even millions of individuals could cripple an organisation,” he added.
“The cost and burden of dealing with such a scenario represents a significant, and long-tail, risk to organisations’ financial viability and their reputation.
“With this threat on the horizon, data breach based group claims (and potentially class actions) are a risk that should be high on the risk radar next year.”