Another day, another breach. In the eight months since the EU General Data Protection Regulation (GDPR) came into effect, mandating all firms must report breaches of personal data, there have been nearly 60,000 breaches reported across Europe.
The regulation includes fines of up to 4% of annual global revenue for companies that expose users’ data. But the true cost of GDPR could come from class action lawsuits: Customers suing companies for exposing their personal information.
Recently hacked firms including Facebook and British Airways (BA) have already been targets of such lawsuits, with the outcomes still to be revealed. And if these firms are forced to pay out, some experts are predicting that future class action suits could quickly reach hundreds of millions. That’s in addition to fines which can come to tens or hundreds of millions – potentially enough to put a company out of business.
Class actions have been cropping up following the introduction of GDPR, in part due to a specific part of the regulation, Article 82. This stipulates that any person who has suffered “material or non-material damage” – such as emotional stress or inconvenience – as the result of a data breach has the right to receive compensation.
The words “non-material” are important: They demonstrate that compensation goes beyond financial loss, says Guy Cartwright, an associate solicitor at Coffin Mew.
Morrisons: A test case
It didn’t fall under GDPR, but the class action lawsuit against UK supermarket Morrisons – which saw over 5,000 disgruntled staff win a claim after a rogue employee disclosed the personal information of around 100,000 colleagues – is widely been viewed by experts as a “test case” for future class actions.
“What is perhaps most notable about the Court of Appeal decision is that Morrisons was found vicariously liable, despite the fact it had appropriate data protection controls in place and bore no criminal responsibility,” Cartwright says.
A similar outcome could await BA, which is currently facing a class action claim from customers affected by a data breach last September. In this case, 380,000 customers were affected by a malicious cyber-attack. While BA has offered to compensate for the hack’s financial impact on individuals, it has not offered to compensate for non-material losses.
The BA suit is still in relatively early stages, says Batya F. Forsyth, partner at Hanson Bridgett, Globalaw, so the outcome won’t be available for some time. “GDPR implementation is still relatively new, and any class action will depend upon there being a breach large and serious enough to warrant the costs.”
But GDPR is certainly ramping up these cases.
Facebook is already the subject of multiple class action lawsuits. In July 2018, it emerged advocacy group Fair Vote is assembling a class action suit against Facebook over the data exposed to Cambridge Analytica, while non-governmental organization the French Internet Society is pursuing a class action lawsuit against Facebook for allegedly violating users’ privacy under GDPR. A group of UK residents are also in the process of filing a suit over the Cambridge Analytica scandal, which nearly 1.1 million people in the UK could be eligible to join.
Aside from the specific Article 82 mention, class action lawsuits wouldn’t even be possible without the regulation’s mandatory data breach notification requirement, Forsyth says.
Moreover, now that claims can be pursued for non-material damages – such as distress and inconvenience – the ultimate resulting damages for a company could be significant, “if not catastrophic”, according to Cartwright.
Consumers paid for privacy breaches
The impetus is certainly there, but will this type of litigation result in multiple payouts for consumers? Only time will tell, but in the meantime, Andy Searle, European data protection officer at AmTrust International, says consumers can expect to see more individuals claiming for data breaches: “Especially where they have suffered damage or distress – financial or otherwise. And we can expect to see law firms and compensation organizations working this aspect into the fabric of their processes.”
“As the claims and payouts become common knowledge, expect to see individuals becoming more proactive in this space,” he says, adding that it could see people initiate compensation requests directly with the company involved as a means to reach a quick settlement and prevent the matter going to court.
And while individual payouts may be relatively nominal, the cumulative cost could potentially bankrupt an organization, says Searle. “The loss of 1 million bank account records, paying out £200 per person, is £200m,” he points out.
Even so, bringing a claim could be expensive for an individual. For this reason, launching a class action lawsuit may not be cost effective, says Cartwright. But at the same time, he points out, people could resolve this by pursuing a class action in a group. Those seeking class action could also ask non-profit and privacy groups to do this on their behalf. Therefore, it doesn’t always cost, says Fouad Khalil, VP of compliance at SecurityScorecard. “I think fines will be imposed quicker than they have been before,” he says, adding: “As it’s such an easy task, hungry attorneys will be looking to make money out of this.”
Forcing firms to manage privacy
In the future, class action could become big business. Searle predicts the process to claim will become “much more efficient”, with firms that once chased for personal injury or accident details now turning their attention to data breaches.
“We will see the development of online forms and apps to collect the required consumer information and submit the claim – and we will also see the payments being offered for referral cases. Class actions will increase over time, and we can expect to see average payouts of between £1,000 and £2,000 depending upon the circumstances.”
The impact on businesses could be huge, with the threat of these lawsuits in addition to GDPR fines driving firms to put privacy and data protection at the forefront of their business.
And even this might not be enough, says Cartwright. “In its judgement, the Court of Appeal advised employers like Morrisons to insure against data breaches of this nature, to avoid potentially ruinous fines.”
The true scale of GDPR payouts will become clear as cases involving major firms such as BA and Facebook are concluded. But companies should up their data game: as regulators and lawyers flex their GDPR muscles, any breach of consumer privacy could cost dearly.