Data is at the heart of today’s business operations in sectors from logistics to financial services, and is increasingly raw material behind the research and innovation that will enable tomorrow’s products and services. Technologies powered by data will help to tackle some of the biggest issues our societies face, from climate change to COVID-19.
Against this backdrop, data protection is a complex and fast-changing field, which encompasses a multitude of actors, technical legislation, and case law that is developing fast. As the role of data-driven digital technology grows, businesses and people must have confidence in a UK ecosystem that effectively upholds and enforces people’s data rights.
This statement sets out the CBI’s view on ‘opt-out’ representative action with regards to data protection law. The Lloyd v Google case is exploring whether such action can be brought under the code governing civil court cases, the Civil Procedure Rules (CPR 19.6). As we stated in our response to government’s Review of Representative Action Provisions under the Data Protection Act 2018 (DPA 2018), businesses across the economy believe that departure from UK precedent to allow US-style class action is likely to harm consumers and firms. It is unlikely to improve access to justice for most individuals, while having a potentially chilling impact on the UK’s ambitions to be a leading science and innovation nation in the 21st century.
Industry recognises the importance of people engaging with their data rights, with a number of routes available to bring data protection-related complaints under the current regime.
Businesses understand the importance of individuals’ understanding and enforcement of their data rights. Industry compliance with GDPR plays a vital role in ensuring timely and effective enforcement of data subject rights.
The current framework in the UK provides numerous routes for data protection related complaints, in particular:
- Collective action: Collective action in the UK can be brought in a range of ways. Typically, collective proceedings are brought on an ‘opt-in’ basis, for example under the DPA 2018 whereby individuals can authorise non-profit organisations to act on their behalf for certain proceedings. However, there are exceptions, such as opt-out competition proceedings which were introduced by Parliament in 2015. The key issue at stake in Lloyd v Google is the ability to bring opt-out data protection class actions pursuant to the Civil Procedure Rules (CPR 19.6)
- Complaining to regulators: Individuals can bring complaints regarding data breaches to the Information Commissioner’s Office (ICO) and sectoral bodies such as the Financial Ombudsman Service
- Complaining to companies: Individuals can also go directly to companies themselves.
Government recently recognised the strong protection that the current regime provides for individuals with its decision not to introduce opt-out provisions for alleged data law infringements under the DPA 2018.
As highlighted above, opt-in representative action is possible under the DPA 2018. The UK government’s recent Review of Representative Action Provisions explored how the current regime is working, including the merits of introducing new DPA 2018 provisions to permit non-profit organisations to undertake opt-out representative action, on behalf of individuals without their specific authorisation.
DCMS received around 350 responses to the call for views from a broad range of civil society and industry organisations, including the CBI. On balance, government decided that there was not enough evidence to support the introduction of a statutory mechanism for opt-out representative action, stating in its response that:
The current regime already offers strong protection for individuals … and routes for redress. In the government’s view, there is insufficient evidence of systematic failings in the current regime to warrant new opt-out proceedings in the courts for infringements of data protection legislation, or to conclude that any consequent benefits for data subjects would outweigh the potential impacts on businesses and other organisations, the ICO and the judicial system.
Lloyd v Google is the latest development in group litigation, exploring whether US-style opt-out claims under CPR 19.6 can be brought regarding data breaches.
In 2018, under CPR 19.6, Richard Lloyd launched an opt-out class action lawsuit against Google on behalf of over four million people, for perceived breaches of data protection law. The High Court’s decision to dismiss the claim was reversed by the Court of Appeal, which made two key findings.
First, the Court of Appeal ruled that data subjects could recover damages for ‘loss of control’ of their data. Prior law permitted data subjects to recover damages both for financial losses and for distress, but the ruling that ‘loss of control’ of data in and of itself sounded in damages was an entirely new finding. Second, in relation to ‘loss of control’ damages, the class members in Lloyd v Google have the ‘same interest’, which is the test that must be met to bring representative action class actions pursuant to CPR 19.6. On this basis, the claim was permitted to proceed as a class action on behalf of in excess of four million persons.
The case will now be heard in the Supreme Court. Its outcome will have significant ramifications across the economy, for businesses and public sector bodies, individuals and the courts. Prompted by the Court of Appeal’s decision, claimant law firms have already filed large data protection class actions against a number of businesses in the tech, retail, and hospitality sectors, with class sizes in the multi-millions. These are simply the early cases, with many more likely to follow if the procedure is firmly established.
Impact of opt-out provisions
Opt-out representative action provisions could be highly detrimental to organisations (including businesses across sectors and public bodies), customers, the ICO, and the courts.
In our submission to the Review of Representative Action Provisions, the CBI argued against the introduction of opt-out class action provisions as a radical departure from UK precedent that would likely lead to a rapid and costly acceleration in claims, including meritless ones.
Businesses are concerned that the growing number of litigation funders and claimant law firms in this space is already leading to a greater focus on monetisation for funders’ benefit rather than seeking justice for individuals. This could impact organisations in sectors across the economy who rely on personal data for developing products and services, including public sector bodies such as central or local government departments.
The impact of opt-out provisions on a range of stakeholders could be:
- On organisations, including businesses: An opt-in mandate reduces the risk of unfounded actions, which as stated could be accelerated by litigation funders and claimant law firms monetising this area. In the US, where class action is well-established, business spend on defence against representative action rose to $2.64bn in 2019, accounting for 11.6% of all litigation spend in the US. The financial, legal, and time resource needed to challenge claims could prove prohibitive even where they are unmeritorious.
In addition to paying lawyers and damages awards, there is huge pressure on defendants to settle in order to avoid the risk of ruinous damages awards, regardless of a case’s merits – an effect repeatedly commented on by the US courts. Not all claims are meritorious, and class action systems that impose settlement pressures significantly in excess of the merits are not aligned to consumer interests and are harmful to the economy. Firms have already increased the resources they spend on compliance and fulfilling individuals’ rights requests. A steep rise in the number of claims due to opt-out class action may have a broader impact beyond organisations that are targeted by class actions: the potentially ruinous consequences of facing a claim could lead to a reassessment of the risks of working with personal data, leading to an overly cautious approach that could harm the UK’s innovation ambitions.
- On individuals: Class action is unlikely to improve access to justice for the majority of consumers. A recent Federal Trade Commission (FTC) report suggests that the median claims rate in consumer class action is just 9%, suggesting that opt-out representative proceedings equally have limited financial compensatory effects for class members. Litigation funders and claimant lawyers are enriched while individuals receive limited compensation – while businesses face high costs due to the size of the overall claim values for the aggregated class.
With claimant law firms able to move fast following an alleged breach, customers may encounter a challenging landscape as they are encouraged to pursue representative action instead of using other mechanisms that are free and potentially provide a quicker resolution. Numerous actions could create a time delay in receiving compensation, and individuals could be worse off as companies face difficulties balancing lawsuits with competing mechanisms to tackle the same issues, such as proactive remediation, harming people’s access to redress.
- On the courts and the ICO: An increase in claims would likely result in an increased and significant burden on the judicial system and the ICO, potentially causing delays. Opt-out class actions could see competing organisations attempting to duplicate representative actions on behalf of the same subject, in cases involving the same facts.
Given its potential implications for UK industry, the CBI continues to monitor this case closely. We believe that opt-out representative action for alleged data protection infringements will harm individuals and organisations across the UK data ecosystem. Given the huge impact they are likely to have, any introduction of class actions should be accompanied by further government policy interventions. As we said in our response to the Review of Representative Action Provisions, detailed rules and significant safeguards would be needed to prevent their vexatious use, for example requiring proof of expertise of organisations bringing claims, notification and opt-out procedures for class members, and claimants’ liability for own-party and adverse costs.