
Responding to data breach claims, a common sense approach

First published in CCTA Magazine – April to July 2021

In the run-up to the General Data Protection Regulation (GDPR), the focus was on the fines that data protection regulators can impose for infringements. Another issue that has become increasingly significant is that of data breach claims, compensation and costly group litigation.

Under GDPR and the Data Protection Act 2018, individuals can claim through the courts for compensation for ‘material’ (i.e. financial) and/or ‘non-material’ damage, including distress and loss of control over their personal data. No hard and fast rules have developed regarding the level of compensation. The judge will take into account all the circumstances, including how serious the infringement was and its impact on the claimant. While the amounts to date (under the old Data Protection Act) have tended to be modest, in group litigation with high claimant numbers the total could be considerable. It is also not yet clear whether compensation may be higher now.

The Court of Appeal’s decision in Richard Lloyd v Google LLC [1], currently subject to a Supreme Court appeal, marked a turning point concerning how group claims are brought. A representative was allowed to claim on behalf of himself and an estimated class of 4.4 million people who do not have to opt in to the litigation. If the Supreme Court agrees, we are likely to see an increase in mass data breach claims.

We are seeing an uptick in the volume of these types of claims, often brought by claims management firms. Many times they are spurious and/or not fully documented, but the amount claimed is usually small (up to £2,500), and firms may be tempted to make a settlement payment as it is not cost-effective to litigate. However, such strategies can open the floodgates to more claims if you are characterised as a soft target. It is important that firms take a common-sense approach in which each case is investigated and considered on its merits.

In Lloyd v Google, the court referred to a threshold of seriousness which it said would undoubtedly exclude a damages claim for an accidental one-off data breach that was quickly remedied. If the court decided that the infringement was trivial, it would be entitled to refuse to make an award for loss of control damages. Firms should consider these factors carefully in light of the facts of each case, and the sensitivity of the personal data involved, when deciding whether an offer of compensation is justified.

[1] [2019] EWCA Civ 1599