Civil proceedings arising from a major data breach

2020 saw a long-awaited uptick in enforcement activity by data privacy regulators, including the UK's Information Commissioners' Office (ICO). The ICO has in the past six months concluded major investigations against British Airways (fined £22 million); Marriot International (£20.45 million) and Ticketmaster (£1.25 million) in respect of well publicised data breaches. This is set to continue and we expect there to be a further material increase in the volume and value of ICO enforcement in 2021 (see our 2021 Investigations Outlook here).

These investigations and the data breaches that prompted them have been accompanied by a significant increase in parallel civil litigation. The British Airways investigation is proceeding alongside a high-profile, and widely advertised, group action launched in 2020 that is now being described as the UK's "largest-ever group privacy claim" and is valued at up to £800 million. Defending such claims is likely to be difficult given the availability of a critical, factually dense 114-page decision notice from the ICO.

Potentially more significant still is an apparent wave of claims being issued as opt-out representative class actions following the Court of Appeal's decision in Lloyd v Google to allow Mr Lloyd to bring proceedings on behalf of approximately 4 million persons in the UK who lost control of personal data as a result of Google bypassing default privacy settings in iPhones to track browser-generated information and to sell this for advertising purposes. That decision is subject to an outstanding ruling by the Supreme Court, but has prompted actions against a growing list of companies including Marriot International, Salesforce and Oracle, YouTube, TikTok, Facebook, Yahoo and Virgin Media.

For more see our full article on data privacy and parallel proceedings risk here. If you found this interesting, there's a lot more comment you may find helpful on UpData, which provides regular updates on contentious, criminal and insurance risks relating to data, from cyber-attacks to regulatory enforcement.

See our parallel proceedings microsite for further insight into the issues that arise when an incident leads to multiple legal proceedings and/or enforcement actions.