To date the potential fines for non-compliance with the GDPR have attracted headlines. However, it is important for organisations to appreciate that there is also potential liability to pay compensation to individuals for a data protection breach. There is a developing claimant industry for compensation claims following a data protection breach. We round up below some recent cases and developments on data compensation claims.
Class action claim against EasyJet
On 19 May 2020 EasyJet reported that they had suffered a personal data breach relating to the names, email addresses and travel details of 9 million customers and the credit card details of 2,208 people. Only 3 days later, on 22 May, a law firm publicised that it had issued a claim form on behalf of affected customers, that it would now be seeking a group litigation order, and that it was asking affected people to join the claim. The litigation against EasyJet has been widely publicised by the national press, stoking up interest by individuals in making a claim.
EasyJet first became aware of unusual system activity in January 2020 but carried out investigations before informing affected individuals of the breach. They have reassured affected customers that there is no evidence that their personal data has been misused. However, those acting for claimants have described this as a monumental data breach which has had a serious impact on customers. It seems that the battle lines are being drawn for a claim for significant compensation, all at a very difficult time for the airline industry. In the meantime, EasyJet has reported the breach to the Information Commissioner’s Office (ICO) which is investigating.
Other recent breaches
The EasyJet personal data breach follows on from others in the airline industry. In March 2020, the ICO fined Cathay Pacific £500,000 for having failed to secure its systems from October 2014 to May 2018, leading to the exposure of the personal data of 111,578 customers from the UK and about 9.4 million more worldwide. The security breach took place before the GDPR, so this was the maximum fine that the ICO could impose.
The ICO has also indicated an intention to fine British Airways £183 million for a personal data breach in 2018 including payment card and travel booking details which involved about 500,000 customers. In addition, British Airways is currently facing court action from affected individuals for compensation. One law firm informs potential claimants that they will be able to claim significant compensation from British Airways ranging from thousands to tens of thousands of pounds.
Atkinson v Equifax Ltd
One issue is whether an individual who has suffered no financial loss or distress from a data breach can still recover compensation.
These were the circumstances in the Atkinson case. The claim arose from a significant cyber-attack on Equifax US in 2017. Mr Atkinson brought a representative civil action seeking, according to his solicitors, compensation of £100 million on behalf of 15 million affected customers. He claimed damages for “loss of control” of his data. This followed the Court of Appeal judgement in Lloyd v Google which found that damages can be awarded for loss of control of data, even if there is no pecuniary loss or distress. Equifax Limited had already been fined £500,000 by the ICO, the maximum amount as this was a pre-GDPR breach, so the civil action represented further significant liability.
It has recently been reported by the barrister team acting on behalf of Equifax that, following service of the defence, Mr Atkinson is withdrawing his representative action and his solicitors have accepted that Equifax is entitled to recover its costs. Although this is not a reported case, it is indicative that there are limits on “loss of control” damages. The defence is said to have challenged the correctness of Lloyd v Google and its application to a cyber-attack case and must have been persuasive to lead to the withdrawal of the claim. Lloyd v Google has also been appealed to the Supreme Court so further developments on “loss of control” damages are expected.
However, the decision is unlikely to have an immediate impact on the mushrooming data protection claim industry, where the net for compensation following a data breach is usually cast wide to include damages for distress as well as for any financial loss and personal injury.
WM Morrison Supermarkets Plc v various Claimants
This is a recent Supreme Court decision which considered the circumstances in which an employer will be vicariously liable for a data protection breach committed by an employee. Importantly, the Supreme Court found that the employer, Morrisons, in the circumstances of this case was not vicariously liable.
The employee (S) was a senior auditor who, as part of his job, was given access to the payroll data of the whole workforce. Unbeknown to Morrisons, S harboured a grudge which led to him copying and uploading the data of nearly 100,000 employees to a publicly accessible file-sharing site, as well as sending data to various newspapers. S took extensive steps to cover his tracks but was eventually caught and imprisoned. Morrisons spent more than £2.26 million in dealing with the aftermath of the disclosure.
A group action for damages was commenced by 9,263 employees/former employees who alleged they had suffered distress because of the disclosure. If successful Morrisons faced potential claims from all the affected individuals, so its potential liability was significant. In both the High Court and the Court of Appeal, Morrisons was found not to be directly liable for the disclosure. However, it was found to be liable on a vicarious basis as the employee was considered to be acting in the course of his employment when he made the disclosure. Fortunately for Morrisons, the Supreme Court overturned this decision.
The Supreme Court considered that the key question to establish vicarious liability is whether the disclosure of the data was so closely connected with acts that the employee was authorised to do that, for the purposes of the liability of the employer to third parties, the employee’s wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment. In this case the Court considered that the employee was not engaged in furthering the business of his employer when he committed the wrongdoing but rather was pursuing a personal vendetta. His wrongful conduct was not so closely connected with acts which he was authorised to do that it could fairly and properly be regarded as done by him while acting in the ordinary course of his employment so as to establish vicarious liability.
This is a case under the Data Protection Act 1998 but it is expected that the same constraining principles will apply under the GDPR to establish vicarious liability in respect of processing by rogue employees. However, it is important to remember that where an employee is processing data on behalf of their employer, the employer is directly liable for any non-compliance with the data protection legislation. Employees should be trained on data protection and compliance monitored. An employer who fails to put in place appropriate security measures to guard against unlawful disclosure and/or data loss which causes or contributes to a disclosure will also be liable under the GDPR.
For breaches that affect a large number of individuals, compensation can be a significant potential liability. Whilst the Morrisons and Equifax cases demonstrate that there are some limitations on data protection compensation claims, there is still a mushrooming industry pursuing these claims on a “no win no fee” basis. We await with interest the future outcome of these compensation claims to give further guidance in this developing area.