Amanda Graham Brazinski


In two decisions rendered this month, the UK courts have permitted two major class action lawsuits under the General Data Protection Regulation (GDPR) regime. The suits prove that the GDPR opens the door for large representative suits on behalf of data breach victims, even if the victims do not suffer significant damage, potentially creating huge liability for companies doing business in the UK that fail to adequately secure consumer data.

The first suit involves an October 4, 2019 decision against British Airways in which the High Court permitted half-a-million customers to proceed with a class action lawsuit against the airline. The suit arises from a 2018 data breach where hackers breached British Airways’ online and mobile booking systems, resulting in the compromise of payment card information of approximately 565,000 customers. This suit is on top of the £183 million fine imposed on British Airways by the Information Commissioner’s Office (ICO), the UK regulatory office responsible for enforcing GDPR.

In the second suit, Richard Lloyd v. Google LLC (decided October 2, 2019), the UK Court of Appeal permitted a class action of more than 4 million Apple iPhone users who alleged that Google tracked their internet activity for commercial purposes without their consent between August 9, 2011 and February 15, 2012. The court’s decision made two key rulings: (1) a class member who suffered a “loss of control” over the member’s data does not need to prove specific damages to have a right to compensation; and (2) an affected individual can bring a representative action on behalf of affected individuals – without the affected individuals’ consent – so long as the suit seeks uniform compensation for each affected individual.

While class action suits are common in the U.S., such suits have only recently developed in the UK. Nevertheless, class actions are becoming increasingly common in the UK, particularly in the privacy sector with the enactment of the GDPR, which permits representatives to obtain compensation on behalf of data subjects who have suffered only minimal harm (as evidenced by the Google decision). These recent decisions will encourage class action suits in the UK, as they make clear that such suits are legally cognizable under the new GDPR regime.

The decisions prove that fines are not the only potential risk for companies that violate the GDPR; class action suits permitted by the GDPR could also create liability even greater than the already large fines imposed by UK regulators. Mass data breaches have become so common that most companies should expect them to happen at some point. These judicial decisions and the regulatory fines accompanying such breaches reveal that businesses must invest in appropriate security measures or risk devastating financial, legal and reputational costs when a data breach occurs.

article hero image