Businesses across the World have been taken back by recent reports that UK lawyers, acting on behalf of litigants of those affected by the 2019 British Airways data breach, stand to gain an eye-watering £3 billion from compensation – attributed to the breach.
The right to claim compensation for a data breach is not new. The UK 1984 and 1998 Data Protection Act both contained the right to seek redress in the Civil Courts for loss and distress caused by a data breach. British Airways, part of the Global IAG, look likely to suffer the perfect storm – a downturn in the global air travel market, and a £20 million fine for the breach from the UK regulator: the ICO. They also now face the prospect of claimants joining together in class action.
There are plenty of precedents set in the UK Courts in recent years, to support that individual claimants stand to gain significant compensation for a breach. Under pre-GDPR legislation, the 1998 Data Protection Act, a data subject had to show that they had suffered a financial loss arising from the misuse or loss of their personal data.
The Courts in recent years have extended the scope to something less tangible than real financial loss (see Gulati v MGN Ltd 2015). This scope now includes mental distress and loss of control of personal data. In the case of Lloyd v Google, the Supreme Court was asked to rule on compensation for a class action of 4.4 million people. All were potentially affected by infractions of data protection law. In the High Court, damages of up to £12,500 were awarded to six individuals. This was for the shock and distress caused to them by the accidental publication of their personal data by the Home Office.
If the numbers in the BA breach are correct, up to 500,000 claimants stand to have financial redress up to £2,000 per data subject, which becomes a big number for any organisation.
What has changed with GDPR?
I am often asked, but what has changed with GDPR? Well, the starting point is awareness of the right to compensation under GDPR. Many data protection practitioners are unaware that the right has existed since 1984, but now there is a wider awareness of individual rights by the general public. In addition to increased awareness, having further clarity on how the right to compensation is given by legislation, we have seen the effect of a moth to a flame for potential litigators. This has seen several online adverts for lawyers chasing the compensation dollar.
The extent of this extends to TV adverts asking for those affected by the British Airways data breach to come forward. After all, who can blame lawyers – the law is clear in that there is a right to claim where a breach has occurred. This is likely to follow a similar path taken by PPI claims, law firms are a business after all.
Sources close to British Airways have indicated they are to settle out of court. The outcome of this might be subject to secrecy. However, the outcome of the class action against Google in the Supreme Court could be a real game-changer for the organisations. I for one, will be watching with interest.
Nigel Gooding
Is a Masters level Data expert, who wrote the UK's first CPD Accredited DPO Training Course, Nigel is the Director of Data Privacy Advisory Service.