Businesses across the world have been taken aback by recent reports that UK lawyers, acting on behalf of litigants affected by the 2019 British Airways data breach, stand to gain an eye-watering £3 billion from compensation attributed to the breach.
The right to claim compensation for a data breach is not new. The UK Data Protection Acts of 1984 and 1998 both contained the right to seek redress in the civil courts for loss and distress caused by a data breach. British Airways, part of the global IAG, looks likely to suffer a perfect storm: a downturn in the global air travel market, a £20 million fine for the breach from the UK regulator, the ICO, and now the prospect of claimants joining together in a class action to bring claims against it.
Plenty of precedents set in the UK courts in recent years support the view that individual claimants stand to gain significant compensation for a breach. Under the pre-GDPR legislation, the 1998 Data Protection Act, a data subject had to show that they had suffered a financial loss arising from the misuse or loss of their personal data.
In recent years the courts have extended that scope to include mental distress and loss of control of personal data, something less tangible than real financial loss (see Gulati v MGN Ltd 2015). In the case of Lloyd v Google, the Supreme Court was asked to rule on compensation for a class action of 4.4 million people who were potentially affected by infractions of data protection law. In the High Court, damages of up to £12,500 each were awarded to six individuals as compensation for the shock and distress caused to them by the accidental publication of their personal data by the Home Office.
If the numbers in the BA breach are correct, up to 500,000 claimants each stand to receive financial redress of up to £2,000 per data subject, which becomes a big number for any organisation.
I am often asked: but what has changed with GDPR? Well, the starting point is awareness of the right to compensation under GDPR. Many data protection practitioners are unaware that the right has existed since 1984, but now there is a wider awareness of individual rights among the general public. Together with further clarity on how the right to compensation is given by legislation, this increased awareness has drawn potential litigators like moths to a flame. Several online adverts have appeared from lawyers chasing the compensation dollar.
This extends to TV adverts asking those affected by the British Airways data breach to come forward. After all, who can blame lawyers? The law is clear that there is a right to claim where a breach has occurred. This is likely to follow a similar path to that taken by PPI claims; law firms are businesses, after all.
Sources close to British Airways have indicated they are to settle out of court. The outcome of this might be subject to secrecy; however, the outcome of the class action against Google in the Supreme Court could be a real game-changer for organisations, and I, for one, will be watching with interest.