British Airways (BA) faces the largest group claim ever made in U.K. legal history over a 2018 data breach that exposed the financial and personal details of more than 400,000 of its customers.

Last October, the Information Commissioner’s Office (ICO), the U.K.’s data regulator, fined BA £20 million (U.S. $26 million) for violations of the EU’s General Data Protection Regulation (GDPR)—the largest penalty it has ever imposed.

However, if BA was ever tempted to think it got off lightly (the original penalty proposed by the ICO was £183.39 million), it might need to think again.

More than 16,000 customers have so far joined a consumer legal action ahead of a March 19 deadline, according to law firm PGMBM, the lead solicitors in the class-action suit. It is the first group lawsuit of its kind to be brought in the United Kingdom under the GDPR and is also the largest “opt-in” claim in relation to a U.K. data breach.

Lawyers at PGMBM believe each of the 420,000 customers and staff whose information—names, billing addresses, email addresses, and card payment details—was leaked could be entitled to £2,000 (U.S. $2,730) in compensation. That would leave the company with a compensation bill amounting to more than £800 million (U.S. $1.09 billion).

Another law firm representing claimants in the same case—Your Lawyers—has suggested the airline could be facing a potential compensation bill of up to £2.4 billion (U.S. $3.3 billion), with affected customers each potentially receiving an average of £6,000 (U.S. $8,195).

Media reports have said the airline is willing to settle. However, in a statement, BA rejected the claims: “We continue to deny liability in respect of the claims brought arising out of the 2018 cyber-attack and are vigorously defending the litigation.” The company said it “does not recognize the damages figures put forward” and added that “they have not appeared in the claims.”

PGMBM says it has not yet received any settlement proposals from BA but says it will push the company to make one at a case management meeting in the High Court in February.

Aman Johal, director at Your Lawyers, believes “justice will be served, and the decision will send a strong message to other big corporations that they must take data protection seriously or face the financial and reputational consequences.”

Britt Endemann, partner at consultancy Forensic Risk Alliance, believes the 90 percent fine reduction BA received from the ICO might have spurred more people to join the collective action.

“The question of whether the ICO has arrived at the right final figure may become immaterial and could begin to undermine the credibility of the ICO, leading consumer groups and others to question its efficacy,” says Endemann. “It is still early days when it comes to GDPR enforcement, and we are gaining more clarity on their approach to fine calculation, but there are key lessons to be learned from the BA decision.”

The rights of EU citizens and nonprofit organizations to seek legal redress over data privacy infringements are enshrined in Articles 77-82 of the GDPR.

There are two principal mechanisms: group litigation orders (GLOs), where large numbers of individual claimants “opt in” to having their claims brought under the same case management framework, and representative actions, where a lead claimant acts as the representative of other individuals (unless they opt out) who are victims of the same harm and have suffered the same loss.

BA is subject to a GLO, while Marriott—which received an £18.4 million (U.S. $23.8 million) fine from the ICO—faces a representative action.

Lawyers say an adverse finding by a data regulator—especially a major fine—could have devastating effects for a company’s liability to data subjects, as well as act as a real boost for affected individuals looking to get a class action up and running to claim compensation directly.

However, class actions are a relatively new phenomenon in the United Kingdom and are largely alien to the rest of the European Union.

According to research by European consumer rights group BEUC, only 18 EU member states allow for collective compensatory redress, and of those about half relate to specific sectors only. Just six EU countries have a fully functioning, efficient collective redress system (Belgium, France, Italy, Portugal, Spain, and Sweden).

Nevertheless, lawyers are optimistic about the way the BA group litigation case will pan out—both for claimants and companies.

Joanne Elieli, a litigator at law firm Cooley, believes the BA case “marks the potential rise of class-action litigation in the U.K.” She also expects the rise of group litigation to push companies faced with class actions “to pass liability down the contractual chain.”

“We should expect to see companies seeking to place at least some of the blame at the door of their vendors and/or suppliers, as well as arguments over who the processor and the controller of the data in question was,” says Elieli.

Such recourse would likely need to be taken by companies themselves, as data regulators have so far been unwilling to hold third parties accountable.