The number of class actions brought in the UK is likely to grow considerably in the coming years. In particular, we expect claimant firms to continue making claims for misuse of data where an issue affects a large number of individuals. This post:
- Introduces group and representative actions in the English legal system, which typically are referred to as ‘class actions’, albeit with significant differences compared to US proceedings of the same name.
- Outlines the relevant legislative frameworks under which privacy class action claims are brought.
- Explains the expectations of the English courts in relation to the exchange of information and documents before proceedings commence, which can be onerous.
Class actions review
England has no direct equivalent to US class actions. However, there are a number of models under the UK Civil Procedure Rules (CPR) that have similarities, as outlined below.
Representative actions under CPR rule 19.6
Often referred to as an ‘opt-out’ class action, this is considered to be a ‘true’ class action model, as it does not involve active participation by individual class members. The claimants must have ‘the same interest in a claim’. However, the court has discretion to refuse to allow the action to proceed and, historically, has strictly policed this ‘same interest’ requirement.
If viable, this type of claim is attractive to funders and claims management firms, as they do not need to sign up or manage a large claimant cohort. This limits upfront costs whilst providing the prospect of claiming damages on behalf of an entire class, which in some cases could add up to millions of individuals.
Group actions under CPR rule 19.10
This model requires potential claimants to actively opt into the litigation, and they must have claims which ‘give rise to common or related issues of fact or law’. Claims management firms typically will advertise a group action in order to increase the size of the claimant group. This can lead to substantial upfront costs, including for advertising, signing up claimants, triaging claims, etc.
The economic viability of the claim will largely depend on the numbers of claimants signing up to join the group action and the value of the individual claims.
Joint claims by multiple claimants
This model involves all claimants bringing their claims together using one claim form and is feasible where the claims ‘can be conveniently disposed of in the same proceedings’. Usually, the claimants will be represented by a single legal team. Notably, this mechanism is available only where there are no conflicts of interest between the claimants.
Stalking horse claims
This model involves one claimant (or a small number of claimants) bringing an action with a view towards building a large class of claimants for a group or representative action, should the stalking horse claim succeed. The advantage to funders and claims management firms is that upfront costs are low – and they hope that success in what appears to be a small claim will build momentum or set a useful precedent for a subsequent class action.
The case law relating to class actions in England is not well developed, although there have been some recent notable judgments, and, to date, the viability of class actions has been limited compared to the US and other jurisdictions. However, the number of class actions in the English courts is predicted to grow considerably and is being driven by a range of factors, including a focus on access to justice, particularly for data subjects, as well as the rapid growth of third-party litigation funding, which has made funding class actions more viable.
Relevant legislative considerations
Class action claims relating to alleged data protection failures can be framed under the UK’s General Data Protection Regulation (UK GDPR) or the Data Protection Act 2018 (DPA).
Provisions in the UK GDPR
- Article 78, the right to an effective judicial remedy against a controller or processor, requires each data subject to have an effective judicial remedy (without prejudice to any available administrative or non-judicial mechanism for compensation).
- Article 82, the right to compensation and liability, provides that:
  - Any person who has suffered material or non-material damage as a result of infringement has a right to receive compensation for the damage suffered.
  - Each controller or processor is liable for the entire damage in order to ensure effective compensation.
  - A controller or processor that pays compensation can seek a contribution from others at fault to reflect their respective responsibility for the damage.
Provisions in the DPA
- Section 167 covers compliance – a court may make an order to secure compliance with the data protection legislation.
- Section 168 covers compensation for contravention of the UK GDPR – ‘non-material damage’ as identified by Article 82 of the UK GDPR includes distress. A court also can award compensation where proceedings are brought by a representative body.
- Section 169 covers compensation for contravention of other data protection legislation – a person is entitled to compensation where there has been a contravention of data protection legislation other than the UK GDPR.
Data protection claims also may be framed in common law as the misuse of confidential or private information.
Pre-action protocols and letters of claim
Fairly extensive exchanges of information and documents typically are required by the CPR under pre-action protocols before proceedings begin. Data privacy and breach claims, including misuse of confidential information, are within the Pre-action Protocol for Media and Communications Claims.
The protocols are intended to narrow issues and allow the parties to explore an appropriate resolution before proceedings are issued. Any claim should start with a ‘letter of claim’ providing details of:
- The information or types of information alleged to have been compromised.
- The circumstances giving rise to a reasonable expectation of privacy.
- Any damage or distress suffered or anticipated, including an explanation of the financial claims being made.
The potential defendant will be expected to respond to a letter of claim to explain:
- Whether the claim is accepted in whole or in part.
- The reasons why the claim has been rejected, if applicable.
Although alternative dispute resolution is not compulsory, potential litigants are expected to consider at the pre-action stage whether some form of alternative dispute resolution procedure might help to settle their dispute without the need for formal court proceedings. Pre-action protocols in this context tend to be more onerous for defendants – but they also can provide a meaningful opportunity to challenge liability theories and damage calculations.
Organisations can minimise the risk of data class actions by taking these important steps:
- Ensure that the company’s cybersecurity systems and processes are fit for purpose.
- Plan for all eventualities and carefully train internal teams on how to react in a crisis such as a data breach.
- Have a team of trusted multidisciplinary advisers on standby ready to act swiftly if the worst-case scenario arises and a data breach occurs, so that any breach can be contained and handled as effectively and efficiently as possible.
- Observe trends in data complaints the company receives, so that any emerging issue can be remediated before it becomes substantial.