James Castro-Edwards looks the genesis of the Facebook group litigation now before the courts and considers whether the current trickle of such claims could become a flood.
A group litigation claim has been filed in the High Court in London against Facebook, for its alleged failure to protect the personal data of around one million of its users in England and Wales. The claim was brought by journalist and writer Peter Jukes, on behalf of himself and the affected users. This is the second such UK group action against Facebook, following a similar claim brought on behalf of Facebook You Owe Us last October by Milberg London LLP. Mass claims for breaches of data protection rights have only recently begun to emerge in the UK, following developments in the common law. To date, none have progressed as far as an award being made for damages. However, if such a claim were to be successful, it could set a precedent that would have significant implications for businesses that handle substantial volumes of personal data.
Mr Jukes' claim stems from the investigation of Facebook and subsequent fine issued by the Information Commissioner's Office (ICO) in 2018, following the Cambridge Analytica scandal. The ICO investigation found that between 2007 and 2014, Facebook processed users' personal data unfairly by allowing third party app developers to access their information without obtaining sufficiently clear and informed consent. Developers were able to access information even where users had not downloaded the app themselves, but were 'friends' of people who had. The ICO found that Facebook also failed to keep information secure by carrying out insufficient checks on apps and developers that used its platform. According to the ICO, one developer collected the personal data of up to 87 million people around the world, including one million in the UK, without their knowledge. According to the ICO, the misuse was discovered in 2015, however once it became aware of the issue Facebook did not ensure that those third parties that continued to hold the personal data took adequate and timely remedial action such as deleting the data.
Following the investigation, the ICO fined Facebook £500,000, the maximum permissible fine under the Data Protection Act 1998 (DPA), which was the legislation in force at the time of Facebook's failings. In May 2018, the DPA was superseded by the General Data Protection Regulation ('GDPR') which carries far higher fines, of up to 4% worldwide annual turnover or £17.5 million, whichever is greater.
Mr Jukes seeks damages from Facebook for its alleged failure to protect his personal data, in breach of the DPA. His representative action also seek damages for the affected UK users. The claim does not rest on whether users' personal data was transferred to Cambridge Analytica, but instead, that Facebook allowed third parties to access users' personal data without their knowledge or consent. Essentially, Mr Jukes asserts that Facebook did not look after his personal data.
Mass claims for breaches of data protection rights have only started emerging in the UK relatively recently, following developments in the common law. The decision Judith Vidal-Hall & ors v Google Inc  EWHC 13 considered the types of loss under s.13 of the DPA that could give rise to damages. Previous case law had found that damages for distress could only be recovered where financial loss had also been suffered. However, the judge in Vidal-Hall formed the preliminary view that for the purposes of s. 13 DPA, 'damage' could include non-pecuniary loss. On appeal, the Court considered the intention of Directive 95/46/EC, from which the DPA stems, vis-à-vis damages. The Court held that since the Directive sought to protect privacy rather than economic rights, the intention of the Directive must have been to compensate individuals whose privacy had been violated, resulting in their distress.
Mr Jukes' claim is not the first instance of a group litigation claim being brought after a breach of data protection rules. A comparable group litigation claim involving Google is due to be heard in the Supreme Court in April of this year. The Supreme Court's decision in Lloyd v Google has been heralded as a key case to watch out for in 2021. Two years ago, the Court of Appeal allowed Richard Lloyd, the former editor of consumer protection rights group Which? to represent 4.4 million iPhone users that were allegedly tracked by Google. The claim relies on the principle established in Vidal-Hall, that individuals may claim compensation for pure distress, where their data protection rights have been infringed. If the Supreme Court decides in Mr Lloyd's favour, it would set a precedent that could make Mr Jukes' prospects of success more likely.
The implications of the Vidal-Hall decision have also given rise to another type of mass data protection claim. Following Vidal-Hall, individuals who have suffered an intrusion to their privacy need not necessarily have suffered any financial loss, but instead may bring a claim based on pure distress. For instance, an individual may claim compensation where they have suffered anxiety, embarrassment or humiliation. In practice, far more people are likely to suffer distress as a result of a large-scale data breach than would have suffered a financial loss. It would also be difficult for the respondent business to disprove the assertion that a claimant had suffered sleepless nights as a result of their distress. As a result, a subtly different type of mass data protection claim to the one being brought my Mr Jukes is also emerging.
A growing number of claimant litigation firms are actively canvassing for clients to join group litigation claims, following high-profile data breaches such as those involving British Airways and Marriott International. In these types of action, each affected individual may only claim a relatively small sum, however, the total award could be huge. For instance, according to claimant litigation lawyers PGMBM, the 420,000 customers affected by the British Airways data breach could each claim up to £2,000, bringing the total value of an award to around £800 million. If any one of these actions were to be successful, it could set a precedent that might see mass data breach claims becoming the next Payment Protection Insurance (PPI) 'feeding frenzy' for claimant litigation firms.
It is worth noting that individuals who have been affected by a data breach may not have to pay legal fees in order to join a mass data breach claim, where the compensation claim firm offers its services on a 'no win, no fee' basis. In such a case, there may be few barriers to entry for those affected by a large scale data breach, potentially resulting in a large number of claimants. One successful mass data protection claim could set a precedent in this emerging area of the law. Businesses that hold a significant volume of personal data should watch this space closely.
James Castro-Edwards is a partner at Wedlake Bell LLP where he leads the data protection team, as well as the firm’s outsourced data protection officer service, ProDPO