The outcome of the latest UK Government review into data privacy enforcement means Scotland will continue to fly solo on the ability for public interest bodies to bring data breach claims.

We wrote in January about the predicted uptick in claims for data protection breaches, and discussed the UK government’s review into whether to allow organisations to bring GDPR claims on behalf of individuals.

The outcome of that review has now been published - and the decision taken that no such expansion of powers will take place in England and Wales.

Claims for data breach in England and Wales therefore must be brought in the name of the individual, rather than by a public interest body on their behalf.

This differs from the approach in Scotland where the group action procedure, launched in July 2020, allows for group claims of any kind, whether for data breaches or other loss, to be brought by an organisation acting on behalf of a group of pursuers, subject to fulfilling certain criteria.

Claims for data breaches in England and Wales

The Civil Procedure Rules in England and Wales provide two main mechanisms through which groups of claimants can bring collective actions for a wide range of claim types, including data breaches: Group Litigation Orders, and representative actions.

These require the party bringing the claim to be one of the claimant group, as opposed to an organisation that does not have a claim in its own right.

In addition, the GDPR (post-Brexit, the UK GDPR) allows certain organisations to bring actions and complaints for data breaches on behalf of individuals.

Article 80(1) UK GDPR, implemented by the Data Protection Act 2018, provides for such a process, providing consent is first obtained from the individual in question. To date this has only been used once in relation to a court action.

Article 80(2) envisaged a wider opt-out mechanism, allowing member states to enact legislation to allow such a process where no consent would be required from individuals.

A recent UK Government Review has just concluded that Article 80(2) should not be introduced into UK law.

Consequently, organisations can only bring GDPR claims on behalf of individuals with their consent, i.e. on an opt-in basis. This will be a significant disappointment to many.

Why not?

A key reason given was the sufficiency of existing court procedures as a route to redress for data breach claims.

In particular, the representative action procedure under CPR 19.6. Through this procedure, a claim can be brought on behalf of any group of claimants who share the “same interest” in the claim, and will be binding unless affected individuals expressly opt-out.

The key difference here is that representative actions must be brought by someone who has a claim in their own right, rather than an organisation.

On one view, this makes little difference in practice where any such organisation can simply run the claim in the background.

However, this court procedure has been under-utilised for data breach claims, as claimant organisations were deterred by the difficulty in demonstrating the “same interest” for all claimants, and used alternative collective action mechanisms instead.

In 2019 the Court of Appeal held in the case of Lloyd v Google that a claim for data breach could be brought under the representative action procedure, allowing it to cover 4.5 million people without their specific consent.

This case is being appealed to the Supreme Court and is due to be heard in April 2021.  It could open up the roadmap for data breach claims, or reopen the discussion.

While future developments may change the position in England and Wales in practice, Scotland remains open and available to public interest bodies wishing to bring litigation in their name on behalf of individuals.

Related News, Insights & Events