The number of class actions brought in the UK is likely to grow considerably. In particular, we expect claimant firms to continue making claims for misuse of data where an issue affects a large number of individuals. This post:
- introduces group and representative actions in the English legal system (typically referred to as ‘class actions’, albeit there are significant differences with US proceedings of the same name);
- outlines the relevant legislative frameworks under which privacy class action claims are brought; and
- explains the expectations of the courts of England and Wales in relation to the exchange of information and documents before proceedings are commenced, which can be onerous.
Class actions: an overview
England has no direct equivalent to US class actions. However, there are a number of models under its procedural rules (the ‘CPR’) that have similarities:
Representative actions under CPR rule 19.6: this is considered to be a ‘true’ class action model as it does not involve active participation by individual class members. It is often referred to as an ‘opt out’ class action.
The claimants must have ‘the same interest in a claim’. However, the court has a discretion to refuse to allow the action to proceed and, historically, this ‘same interest’ requirement has been policed strictly by the court.
If viable, this type of claim is attractive to funders and claims management firms as they do not need to sign up or manage a large claimant cohort. This limits up-front costs whilst providing the prospect of claiming damages on behalf of an entire class, whose numbers in some cases could run into millions of individuals.
Group actions under CPR rule 19.10: this model requires potential claimants to actively opt into the litigation.
Claimants must have claims which ‘give rise to common or related issues of fact or law’. Claims management firms will typically advertise the group action in order to increase the size of the claimant group. This can lead to substantial upfront costs, including costs of advertising, signing up claimants, triaging claims, etc.
The economic viability of the claim will largely depend on the numbers of claimants signing up to join the group action and the value of the individual claims.
Joint claims by multiple claimants: this involves all claimants bringing their claims together using one claim form and is practicable where the claims ‘can be conveniently disposed of in the same proceedings’. Usually the claimants will be represented by a single legal team. Notably, this mechanism is available only where there are no conflicts of interest between the claimants.
Stalking horse claims: this involves one claimant (or a small number of claimants) bringing an action with a view to building a large class of claimants for a group or representative action should the stalking horse claim succeed.
The advantage to funders and claim management firms is that up-front costs are low. They hope that success in what appears to be a small claim will build momentum or set a useful precedent for a subsequent class action.
The case law relating to class actions in England is not well developed, although there have been some recent notable judgments, and, to date, the viability of class actions has been limited as compared to the US and other jurisdictions. However, the number of class actions in the English courts is predicted to grow considerably; this is being driven by a range of factors, including a focus on access to justice, particularly for data subjects, as well as the rapid growth of third party litigation funding, which has made funding class actions more viable.
Relevant legislative considerations
Class action claims relating to alleged data protection failures can be framed under the UK’s General Data Protection Regulation (‘GDPR’) or the Data Protection Act (‘DPA’).
The UK GDPR provides:
- Article 28: the right to an effective judicial remedy against a controller or processor – this requires each data subject to have an effective judicial remedy (without prejudice to any available administrative or non-judicial mechanism for compensation).
- Article 82: the right to compensation and liability – this provides that:
  - any person who has suffered material or non-material damage as a result of infringement has a right to receive compensation for the damage suffered;
  - each controller or processor is liable for the entire damage in order to ensure effective compensation; and
  - the controller or processor that pays compensation can seek a contribution from others at fault to reflect their respective responsibility for the damage.
The DPA 2018 provides:
- Section 167: compliance – a court may make an order to secure compliance with the data protection legislation.
- Section 168: compensation for contravention of the GDPR – ‘non-material damage’ as identified by Article 82 of the GDPR includes distress. The court can also award compensation where proceedings are brought by a representative body.
- Section 169: compensation for contravention of other data protection legislation – a person is entitled to compensation where there has been a contravention of data protection legislation other than the GDPR.
Data protection claims may also be framed in common law as the misuse of confidential or private information.
Pre-action Protocol/Letter of Claim
The CPR typically require fairly extensive exchanges of information and documents before proceedings are commenced, under Pre-action Protocols.
- Data privacy and breach claims, including misuse of confidential information, are within the Pre-action Protocol for Media and Communications Claims.
- The protocols are intended to narrow issues and allow the parties to explore an appropriate resolution before proceedings are issued.
- Any claim should therefore start with a ‘Letter of Claim’ providing details of:
  - the information or types of information alleged to have been compromised;
  - the circumstances giving rise to a reasonable expectation of privacy; and/or
  - any damage or distress suffered or anticipated, including an explanation of the financial claims which are made.
- The potential defendant will be expected to respond to a Letter of Claim explaining:
  - whether the claim is accepted in whole or in part; and
  - if the claim is rejected, the reasons why.
- Although alternative dispute resolution is not compulsory, potential litigants are expected to consider at the pre-action stage whether some form of ADR procedure might help to settle their dispute without the need for formal court proceedings.
- Pre-action protocols in this context tend to be more onerous for defendants but can also provide a meaningful opportunity to challenge liability theories and damage calculations.
Organisations can minimise the risk of data class actions by following these important steps:
- ensure that the company’s cybersecurity systems and processes are fit for purpose;
- plan for all eventualities and carefully train internal teams on how to react in a crisis situation, such as a data breach;
- have a team of trusted multi-disciplinary advisors on standby ready to act swiftly should the worst-case scenario arise and a data breach occur – so that any breach can be contained and handled as effectively and efficiently as possible; and
- observe trends in any data complaints that the company receives so that any emerging issue can be remediated before it becomes substantial.