With the entry into force of the GDPR, are we going to see a greater number of collective actions for data privacy breaches, and how can organisations protect themselves?
In the UK, there are a number of ways in which litigation can involve multiple claimants.
These include:
Historically, the types of claims brought under these collective action mechanisms were competition claims, personal injury or product liability claims and pensions disputes.
The end of 2017 saw the first data privacy dispute to be heard by the English courts using a collective action mechanism.
In Various claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB), the High Court considered whether an employer should be vicariously liable for an employee's deliberate disclosure of his co-workers' personal information.
The judgment, handed down in December 2017, related to liability only (as is common in English cases).
Once liability is established, damages are assessed at a separate hearing (or agreed if the case settles following the judgment on liability).
In the Morrisons case, Mr Skelton was employed by Morrisons as a senior IT auditor.
In his role, he had access to personal data about employees, including their payroll information.
As well as his job at Morrisons, Mr Skelton sold a legal slimming drug on eBay.
One day, a package he had sent through the company post room split, revealing a white powder.
The police were called and Mr Skelton was arrested as there was a concern that the powder was an illegal substance.
When he returned to work, Mr Skelton was subjected to a disciplinary procedure for the powder incident. He lost the disciplinary action but remained at the company.
Later that year, Mr Skelton was tasked with sending payroll data to Morrisons' external auditors.
He copied this data onto a personal USB stick and then posted a file containing the personal details of almost 100,000 employees on a file-sharing website and sent it to several newspapers.
Mr Skelton was arrested and charged with fraud, an offence under the Computer Misuse Act 1990 and under section 55 of the Data Protection Act 1998 (DPA).
He was sentenced to eight years in prison.
Over 5,500 employees whose data had been disclosed made a group civil claim against Morrisons for:
The claims were typical for a breach of this nature.
What made the case unusual was the fact that this was a group civil claim.
The claimants argued that Morrisons had primary liability for its own acts and vicarious liability for Mr Skelton's actions.
The claims for primary liability were dismissed.
The court also dismissed all the claims of non-compliance with data protection principles 1, 2, 3 and 5, concluding that Morrisons was not the data controller for these purposes and so owed no duty to the claimants under those principles. However, the court found that Morrisons had not taken appropriate technical and organisational measures under DPP7 in one respect.
DPP7 stands apart from the other principles as Morrisons was undoubtedly the data controller of the information at the time the duty fell to be discharged.
Morrisons should have taken steps to ensure that the data stored on Mr Skelton's laptop for the legitimate purpose of transferring it to Morrisons' auditors was then deleted from his laptop.
It should have had in place an organised system for the deletion of data.
As far as vicarious liability was concerned, the court held that where an employee misused his position with an employer to harm others, it was only fair that the employer that had entrusted the employee with that position should be held responsible.
The conclusion that Morrisons was vicariously liable was the same for the claims under the DPA, misuse of private information and breach of confidence because the actions constituting the legal wrong were the same in each case.
Morrisons has been granted leave to appeal.
If it is unsuccessful, even if the damages awards for each affected employee are individually small, given the number of employees involved, the financial implications for the business are potentially huge.
With the entry into force of the GDPR, we are likely to see a greater number of similar collective actions for data privacy breaches in the UK, in particular combined with claims for breach of confidence and misuse of private information.
Whether we will see a slew of class actions as in the US remains to be seen, but we would expect to see more claims along the lines of the Morrisons model, particularly where there has been a widespread cyber breach.
Organisations must ensure that they have put in place appropriate technical and organisational measures to protect, as far as they reasonably can, the personal data they process or control, guarding against the wrongful actions of their own staff as well as external attackers.
This has become even more important now that the GDPR is in force, since organisations risk not only significant damages awards in civil collective actions but also significant fines from regulators if they lose or misuse personal data.
To learn more about data class actions in other jurisdictions, you can view our Data class actions: the era of mass data litigation guide, of which this article forms part.
Take advantage of the far-reaching changes brought about by the GDPR with our European Privacy Tool, which offers realistic, practical and workable insights as well as templates, helping to ensure that you are successful in meeting the applicable regulatory requirements.