DATA BREACH CLASS ACTIONS IN THE UK AND THE US: THE OPENING OF THE FLOODGATES?

The challenge of safely processing and protecting millions of users’ personal identifying information is a foremost concern for many businesses. When that challenge is not successfully met, there is the risk not only of significant regulatory fines, but increasingly also of class action lawsuits.

In the US, class actions have been a mainstay of the legal system for more than 50 years, and US plaintiffs make regular use of the procedure in a wide variety of disputes, including more recently in data breach and cyber-related matters. The rise of class actions is a more recent development in the UK, particularly in the context of cyber security cases. Regulatory action by the Information Commissioner’s Office (ICO) and others has been building in the UK and, since the implementation of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, a number of significant fines have been levied. The anticipated surge in substantive private action in the UK has perhaps been slower to develop than had been expected; however, there are now signs that it is gathering pace.

Even with the availability of class action procedures, there remains uncertainty in both jurisdictions as to the scope and effectiveness of class action litigation in cyber security cases. In both jurisdictions the law is still developing on the crucial question of how to assess alleged harm and determine who deserves compensation for data privacy breaches. In two recent English decisions, the courts have indicated a greater willingness to permit class action lawsuits to proceed for data breaches, and the future may therefore become more challenging for data processors and data controllers.

Jan-Mar 2020 issue

Cleary Gottlieb Steen & Hamilton LLP