What’s just happened?
In the largest group action personal data claim in UK history, it has been announced that British Airways could face claims amounting to more than £800 million.1 British Airways initially stated that their online reservation systems had been accessed by an unauthorized third party on 7th September 2018, compromising the data of more than 420,000 customers.2 According to the Information Commissioner’s Office (ICO), British Airways was alerted to the breach by a third party and did not detect the breach themselves.3
What does this mean?
BA’s data breach has resulted in the ICO issuing its heaviest fine to date. They stated that “the airline was processing a significant amount of personal data without adequate security measures in place,” exposing people’s data unnecessarily.4
However, British Airways is also facing civil action. Law firm PGMBM, among others, is actively seeking claimants who suffered as a result of the data breach. Damages are being sought for financial and non-financial losses, “including but not limited to: bank changes; credit/debit card and/or account fraud”.5 In addition, distress and inconvenience including but not limited to: “fear that the Claimant’s Personal Data would be used fraudulently now or at some time in the future; anxiety; stress and inconvenience in having to, inter alia, change credit cards and change passwords to various online accounts”.6 In an emailed statement British Airways stated that it continues to “vigorously defend the litigation in respect of the claims brought arising out of the 2018 cyberattack.” It also does not “recognize the damages figures put forward, and they have not appeared in the claims.”7
How does this affect the legal sector?
Group action litigation in the UK is on the rise and the outcome of this case is likely to influence other cases of a similar kind in the future. One notable case is the legal action against EasyJet brought by thousands of customers, after a cyber-attack last year that compromised the data of approximately nine million customers.
This British Airways case is the largest opt-in claim in relation to data breach in UK history and the first group lawsuit of its kind to be brought under GDPR.8 Indeed, Ian De Freitas of Farrer & Co, a specialist in data protection litigation, said the British Airways data breach will be “a seminal case”.9 This recent rise in group litigation can be linked to the privacy regulations enshrined in Articles 77-82 or the GDPR which came into force in May 2018.10 Two provisions are particularly interesting here:
The express provision that claims can be brought by a representative (Art. 80 GDPR)11; and
The right for compensation for material or non-material damage (Art. 82 GDPR).12
Generally speaking, this increase could also be an indication of the strengthening of individual rights in the eyes of the English courts and many expect that the aftermath of the coronavirus crisis will result in a surge of group action claims.13 14 Furthermore, a number of litigation firms have expanded, opening their doors in London to specialise in group action claims, suggesting that this is an area that has the potential to grow significantly in the coming years.15
The deadline to join the BA claim is in March 2021 and the next hearing is in February.
Written by Tatiana Hepher
Assessing Firms:
#MischonDeReya #MilbergPhillipsGrossman #KellerLenkner #Farrer&Co # PGMBM #ReedSmith #LeighDay #DLAPiper #EvershedsSutherlands #HoganLovells #JonesDay
References:
[1] Lawyer Monthly “British Airways could face £800 million data breach lawsuit” <https://www.lawyer-monthly.com/2021/01/british-airways-could-face-800-million-data-breach-lawsuit/>
[2] PGMBM “British Airways Data Breach”
<https://pgmbm.com/our-cases/data-breach/british-airways-data-breach/ >
[3] ICO “ICO fines British Airways £20m for data breach affecting more than 400,000 customers”
[4] Ibid
[5] BA Particulars of Claim <https://files.lbr.cloud/public/2020-06/BA%20particulars%20of%20claim.pdf?BrAt.nnYUI75cuvkZ2oOSF8d7fM9HWLc >
[6] Ibid
[7] Ellen Milligan “British Airways Faces Biggest Class-Action Suit Over Data Breach” (Bloomberg, 12/01/2021)
[8] Philip Georgiadis and Kate Beioley “BA faces largest-ever group privacy claim in UK over data breach” (Financial Times, 12/02/2021)< https://www.ft.com/content/f3dc6c8e-0f65-40d0-a5d5-9d57d3f9d0e0 >
[9] Ibid
[10] Neil Hodge “Companies face greater risk as GDPR class actions emerge” <https://www.complianceweek.com/data-privacy/companies-face-greater-risk-as-gdpr-class-actions-emerge/29512.article>
[11] The General Data Protection Regulation 2016/679 <https://gdpr-info.eu/art-80-gdpr/>
[12] Ibid
[13] Cynthia O’Donoghue and Sarah O'Brien “The rise of data protection group litigation actions in England and Wales” (Reed Smith, 2/10/2020)< https://www.technologylawdispatch.com/2020/10/in-the-courts/the-rise-of-data-protection-group-litigation-actions-in-england-and-wales/ >
[14] James Booth “Could group action claims explode in post-coronavirus crisis litigation boom?” (CityA.M. 7/05/2020)<https://www.cityam.com/could-group-action-claims-explode-in-post-coronavirus-crisis-litigation-boom/>
[15] Ibid
Disclaimer: This article (and any information accessed through links in this article) is provided for information purposes only and does not constitute legal advice.