There has been a growing number of claims arising from data and privacy breaches in the UK, particularly since the introduction of the General Data Protection Regulation and Data Protection Act 2018. Where there is a GDPR breach by a business or public body which affects many individuals, a new feature of such claims is the ability to pursue a group action in the Scottish legal system. This blog considers what a future claims landscape for GDPR breaches might look like.

Claims for a GDPR Breach

Data, and particularly personal data, are a commodity which can be traded. Technology enables businesses to process and transfer large volumes of data at the click of a mouse. Whilst electronic storage is the preferred mechanism, this can expose organisations to unprecedented risks of cyber-attacks and hacking – even where an organisation is cognisant of its data protection responsibilities and is complying with them.

Where individuals are affected by a breach and suffer damage – whether that damage is material or non-material – as a result of an infringement of their rights under data protection legislation, they can then pursue the responsible party for compensation. Calculating what monetary compensation is appropriate is a difficult task and will depend upon the specific facts and circumstances of each case, and the type of breach. For organisations which process large volumes of data, news of a data breach may become public very quickly, particularly on social media.

Both controllers and processors can be liable for an infringement of data protection rights. Processors will only be liable where damage has been caused by a failure to comply with the obligations specific to processors (unless the processor is acting outside the scope of the controller's instructions). However, UK GDPR provides that where multiple parties have been involved in the processing that has caused the damage by infringing an individual's data protection rights, the individual can bring a claim against any of them for the full damage sustained. The party that has paid the full damage is left only with a right of relief to claim a contribution from the other(s).

A number of high-profile cases following data breaches are being tested in the English courts at the moment, and these may have an impact in the Scottish courts.

Group Proceedings in England

Normally, south of the border, a claimant firm will need a big enough book of claimants to establish a group proceeding (and therefore justify third party litigation funding). The larger the claim, the more attractive it is to funders.

In England, group litigation can arise in two different scenarios – by Group Litigation Order (“GLO”) or by representative action. In a GLO there must be a common or related issue of fact or law for all the claims and the claimants must "opt in" to join the litigation. In representative actions, claimants must have the same interests in the claim and they are automatically included unless they expressly "opt out" of the claim.

GDPR (and now UK GDPR) claims are, and will continue to be, notoriously difficult to value but, even if an individual claim is relatively low value, the volume of claims can lead to very significant figures. For example, in the case of Lloyd v Google LLC, which has been referred to the Supreme Court with a judgment due later this year, Google harvested browser information from iPhone users, accumulating data which was sold on for profit. The claim was valued at around £750 per individual but, with an estimated 4.4 million iPhone users potentially affected, that results in a possible £3.3 billion claim.

More recently, the High Court has granted permission for a class action to proceed for up to the 500,000 individuals affected by the recent BA data breach in which information of 250,000 BA customers was compromised. Similarly, in May 2020, a GLO was submitted in relation to the easyJet data breach where the data of up to 9 million of its customers was compromised – such claim having a potential value of £18 billion, or up to £2,000 for each customer affected.

Future Group Proceedings in Scotland

As in the USA and England, Scotland may see a rise in group litigations following GDPR breaches in the future.

The Civil Litigation (Expenses and Group Proceedings) (Scotland) Act 2018 is framed on an "opt-in" basis - similar to the English GLO procedure.

We know from the 2018 Act (which came into force on 31 July 2020) that the principal aim of the new rules is to make it easier to bring together claims that could not economically be brought to court individually due to their low value. Successful personal data breach claims can often result in low value awards to individuals. Where a claimant may have been reluctant to spend money pursuing an individual claim following a GDPR breach, they will now have the option to band together to form a group proceeding. As in the Lloyd case, the claim value can add up if there is a large volume of claimants. Data protection breach claims seem to be a good fit for the purpose of the 2018 Act. Many claims of low value grouped together may also make third party funding a potential option in Scotland, as we have seen in England.

Given that cyber attacks in the UK have targeted both large and small businesses, all organisations should bear in mind how best to protect their business from any breach, to avoid facing a potentially costly group litigation.


Emma Dyson