Practice of the profession | 06.05.2021

United Kingdom - Litigating data: class-actions and supply chains to the fore

April 2021 has seen some major developments in the gradually expanding world of data protection class actions. A year ago, we noted that the next 12 months would be crucial in demonstrating the ease or otherwise of class actions involving personal data breaches. On 28 and 29 April 2021, the Supreme Court heard Google’s appeal in the representative “opt-out” action of Lloyd v Google. Our previous summary of the case can be located here.

However, by way of reminder, the key issues the Supreme Court will be giving judgment on are:

  • whether a claim can proceed where the sole measure of damage suffered relates to individuals’ “loss of control” in respect of their data protection rights (and there is no claim based on financial loss or distress caused by the actions or failings of a data controller (in this case, Google)); and
  • whether a representative action is viable where the claimant elects not to rely on personal circumstances and only on loss of control of their data protection rights. A representative action is a claim in which one individual or a group of individuals acts as representative(s) of an entire class, and class members do not need to actively opt-in to the litigation. The principal test for representative actions being able to proceed is whether the members of the class have the “same interest”. The “same interest” test has historically been interpreted restrictively by the courts, meaning that US-style opt-out class actions have not taken off in the UK. However, in Lloyd v Google, the Court of Appeal was prepared to allow Mr Lloyd’s claim on the grounds that he was only relying upon the fact that the individuals affected had lost control over their browser generated information (BGI), and therefore the class had “all sustained the same loss, namely loss of control over their BGI”.

If the Supreme Court agrees with the Court of Appeal’s analysis, the repercussions are potentially very significant. The need for claimant law firms to scale the more traditional (in the UK) “opt-in” group litigation order model (as used in the Morrisons and British Airways cases) can make such claims financially unviable and also less practical. However, a model of mass claims brought by a single representative certainly has the potential to open the floodgates.

One such claim waiting in the wings is a claim brought in the English High Court against TikTok (and associated entities) on behalf of children under the age of 13 in the UK (and under 16 in the European Economic Area), who have used the TikTok and / or Musical.ly apps since 25 May 2018 (when the General Data Protection Regulation came into force). The claim alleges that TikTok is failing to be transparent about the extent of children's personal data it processes and the purposes for which children's personal data is collected, and is also collecting children's personal data without effective consent (from a parent or guardian) and / or any other lawful basis. In the TikTok case, the lead claimant is an anonymous 12-year-old girl, with the former Children's Commissioner for England, Anne Longfield OBE, acting as her litigation friend. The case is currently stayed (i.e. on hold) pending the decision of the Supreme Court in Lloyd v Google regarding the use of representative actions in this way.

A further interesting case involves the cyber-attack that affected Ticketmaster in 2018. In November 2020, the Information Commissioner's Office issued a £1.25m fine against Ticketmaster for failing to appropriately secure customer data (in accordance with its obligations under Articles 5(1)(f) and 32 GDPR). In fact, the attack was targeted not at Ticketmaster itself, but at a third-party supplier (a well-established trend in cyber-attack cases). The attack involved compromising the JavaScript for a customer service chat bot that was hosted on the payment page of Ticketmaster's website by a third party, Inbenta Technologies Inc (Inbenta). The attacker inserted malicious code into the chat bot's JavaScript that enabled customer data to be passed back to the attacker. Because the chat bot was used on the Ticketmaster payment page, that customer data included financial data (such as names, payment card numbers, expiry dates and CVV numbers). In its Penalty Notice, the ICO considered that Ticketmaster had failed in its obligations, finding in particular that it should have been aware of the risk of implementing third-party JavaScript on a website that processes personal data such as payment card data and that it did not take steps to mitigate or remove this foreseeable risk.

Ticketmaster has appealed against the ICO's decision, both on the grounds that it did not breach its obligations under GDPR and also that the fine was either not justified or excessive. Separately from the proceedings before the ICO, there is also a High Court claim against Ticketmaster brought (under the opt-in group litigation model) by 795 Ticketmaster customers who claim that their personal data was compromised by the cyber-attack. Within that claim, Ticketmaster has counterclaimed against Inbenta. The High Court will therefore be looking closely at the application of data protection law in circumstances where the breach has affected another party in the supply chain. As a result of this, Ticketmaster's appeal against the ICO's decision and fine has been stayed until after the High Court gives judgment (which is unlikely to be before the second half of 2023). This is because the First Tier Tribunal (which will consider the appeal) will be bound by the decision of the High Court.

So, we have some important developments, but a case of waiting to see the decisions of the Supreme Court (in the case of representative "opt-out" class actions) and the High Court (in the Ticketmaster supply chain case), with the former likely to arrive considerably sooner than the latter!

By Ian De Freitas and Thomas Rudkin
Farrer & Co LLP,
May 2021
London, United Kingdom