British Airways data class action settles

Following a stay of proceedings to pursue ADR, a number of the claims being pursued as part of the Group Litigation known as the British Airways Data Event Group Litigation (the "BA GLO") have now been settled.

We last updated on the procedural developments in this case in February 2021, when a ruling was given on various matters, including confirming that the significant sums spent by the lead claimant law firm on advertising to potential claimants were not a recoverable costs of the action or chargeable to a client but rather to be viewed as part of a law firm's overhead costs (see our blog post High Court considers principles relating to cut-off dates and the costs of advertising in group litigation).

The BA GLO is one of a number of group and representative actions based on breaches of statutory and common law data and privacy rights currently working their way through the English courts. It was among the most advanced (although currently still at the statements of case stage) and was based on claims under the General Data Protection Regulation 2018 and the Data Protection Act 2018.

Background

The underlying claims were for damages resulting from a cyber-attack via British Airways' ("BA") electronic systems (specifically through the Citrix remote access gateway, using the credentials of a third party employee). The attack was identified in September 2018 and compromised BA’s website leading to the exfiltration of customer personal data (payment card details).

The claimants alleged that the attack succeeded as a result of BA failing to put in place appropriate security measures, and that they suffered harm in the form of distress and/or pecuniary loss and/or loss of control of data. Although the regulator, the Information Commissioner's Office (the ICO) fined and made regulatory findings against BA, BA denied the civil claims and we understand that the agreed settlement does not include any admission of liability.

As at the beginning of February 2021, some 23,000 claimants had signed with the lead solicitors or other claimant firms, but this still represented only some 5% of the 500,000 or so individuals who received notifications from BA and who were therefore in principle eligible to bring a claim.

Mediation and settlement discussions

The terms of the settlement reached by BA and seven of the firms representing claimants in the group litigation are confidential and therefore little is known about the terms of the agreed settlement, including the amounts to be paid by BA or the precise number of claims that have now been settled. It seems though that those settling claimants represent the majority of claims in the BA GLO, as we understand that the lead firm in the group litigation, PGMBM Law (formerly SPG Law), is acting on behalf of the majority of claimants in the BA GLO and was party to the mediation and settlement discussions.

Another firm acting on behalf of a smaller group of claimants, Your Lawyers, have stated in media reporting on the settlement that they did not participate in the settlement discussions. It is worth noting that while PGMBM invited claimants to join and pursue up to £2,000 each in damages, other law firms gave higher indicative amounts when seeking to sign claimants up to the BA GLO: Your Lawyers' website referred to possible damages awards of up to £6,000 per claimant or up to £16,000 each in cases involving significant distress.

Not the end of the story for British Airways

While some of the claimants who are already part of the BA GLO and have not settled their claims may therefore continue the action (or hold separate settlement discussions), the 11 June 2021 deadline for bringing a claim as part of the BA GLO has now passed. Any potential claimant who was not already part of the BA GLO will need the court's permission to be able to join any continuing BA GLO.

Claims may still be brought outside of the BA GLO, as the limitation date for claims against BA in relation to the underlying data events in 2018 has not yet passed, but any such claims which are now issued will be stayed pending determination of the remaining BA GLO claims.

Representative Actions and GLOs

We await the decision of the Supreme Court in Lloyd v Google, which was heard earlier this year. That will determine whether claims for "pure"' loss of control of data may proceed on an opt-out basis as a representative action under CPR r19.6  - and, indeed, whether "loss of control of data" is itself a valid basis for a claim.

If the Supreme Court validates the Court of Appeal decision (Lloyd v Google LLC [2019] EWCA Civ 1599, considered in this blog post), which gave permission for Lloyd v Google to proceed as a representative action, this could pave the way for claims to be brought which are entirely different in scale than the group litigation we have seen to date. Whereas the BA GLO involved only 5% of the potentially eligible claimants, despite a significant period of claim building and total spend on advertising expected to be in the order of £1m, in a representative action 100% of claimants are "in" from the start of the litigation. The availability of an opt-out mechanism of this sort would therefore radically reduce the hurdles for claimants to be able to bring large-scale claims in relation to data.

Data class actions pursued since the Court of Appeal judgment in Lloyd v Google have had to make a strategic decision on whether to seek to bring their claims as a representative action under CPR r19.6 (eg SalesForce, Oracle, Marriott, Facebook, TikTok, YouTube and Experian (latter now withdrawn)) and accept having their claims stayed pending Lloyd v Google, or to proceed under a Group Litigation Order (eg Virgin Media Group Action, Easyjet Group Action) irrespective of what happens with Lloyd v Google. The GLO route allows for differentiation between claimants of potentially different categories of loss or impact, but does require claimants to invest time and money in claim and class building.

While the settlement of so many of the BA GLO claims at this early stage means that we will have to wait even longer for judicial guidance on questions such as the proper quantum of damages for claims relating to distress and loss of control of data, BA's payment of settlement amounts in relation to a disputed data breach is likely to embolden claimant law firms and the third party litigation funders backing them to continue to bring data class actions, whatever the result in Lloyd v Google.

Finally, while the monetary penalty notice in the BA data event gave some insight into the ICO's expectations in terms of security measures (see this post on our Data Notes blog),  we will need to wait a bit longer for judicial consideration of the data security obligations in the GDPR (under Article 5 (1)(f), Article 24 and Article 32 of the GDPR). Judicial guidance is much needed in that respect, given the paucity of information in the GDPR itself.