UK Litigation – Class Actions: A New Era in the UK?

[Article PDF]      

In the UK, regulatory scrutiny of data breaches has resulted in significant fines. But the repercussions of those actions are highlighting broader changes in the nature of collective actions that are starting to take root in the country.

In July 2019, the UK Information Commissioner’s Office (ICO), the country’s data protection and information rights regulator, announced that it planned to fine British Airways £183 million—about 1.5 percent of the airline’s annual revenue—for a 2018 data breach incident. It was by far the largest fine levied to date under the EU’s General Data Protection Regulation, which went into effect in May 2018. And many observers noted that the “mega-fine” marked a new, aggressive approach to data-privacy enforcement on the part of UK regulators.

But the British Airways case also points to another, and perhaps more significant, development—the potential rise of class action litigation in the UK. Not long after the ICO announced the fine, a group of UK plaintiffs launched a class action lawsuit against the airline under the GDPR, which provides a private right of action, and UK legislation makes such claims fertile ground for a class action. In October 2019, the High Court in London said that the lawsuit, involving some 500,000 plaintiffs, could proceed. That same month, another group of plaintiffs filed a class action lawsuit against Equifax for its 2017 data breach, seeking £100 million in compensation for the 15 million affected UK consumers. That lawsuit followed a £500,000 fine imposed on the consumer credit-rating company in 2018 for the breach—the maximum fine then allowable under pre-GDPR law in the UK.

Such high-profile group actions have been fairly rare in the UK, in large part because the country’s laws around collective actions—its approach to class actions—have limited the use of such lawsuits. “Over the years, there have been just a couple of notable cases, and they have tended to be primarily personal injury claims,” says Robert Weekes, a London-based partner in Crowell & Moring’s International Dispute Resolution practice. “The mining industry, for example, faced some personal injury group actions due to health issues with coal dust. But that’s about it.”

The situation has clearly changed following the GDPR. “It appears to be developing into more of a U.S.-style model here, with the ability for numerous claimants either to join or to  be part of the same action,” says Weekes. “So corporations are now facing the possibility of having thousands and even millions of claimants against them in one particular action, which breaks new ground here in the UK.”

"It appears to be developing into more of a U.S.-style model here, with the ability for numerous claimants to join the same action." —Robert Weekes

Regulators are clearly focused on data breaches, and in this emerging environment, their actions are likely to have a ripple effect across the UK legal landscape—creating a pattern of litigation that is only too familiar to U.S. companies. For example, when the ICO determines that a company is liable for a data breach and issues a penalty, plaintiffs’ attorneys are likely to move quickly to file follow-on class action claims. “There will be data subjects who have had their data breached, and they will be entitled under the GDPR to bring claims,” says Weekes.

As costs of that litigation grow, he says, “there will inevitably be attempts to share the blame, and companies will be looking down the contractual chain to attempt to pass at least some of the liability on to suppliers and vendors. We can expect arguments about who the controller of data is, who the processor of data is, and so forth.” And finally, he says, “there eventually will be insurance-led claims. Cyber insurance is becoming an extremely important component of company insurance. So there will undoubtedly be claims against insurers around coverage issues.”

Data breaches are not going away, and neither are regulators that are willing to scrutinize those breaches. As a result, says Weekes, corporate legal departments in the UK “should be preparing for a knock on the door from the regulators, because those regulators are more active and their powers are very wide-ranging.” And increasingly, class action lawsuits are not likely to be far behind.

The Potential Spread of Class Actions

The GDPR is certainly a significant driver of class action litigation in the UK, but it is not the only factor changing the legal landscape. When the country’s Consumer Rights Act of 2015 became law, it provided England and Wales with class action-type options, saying consumers could, as a group, sue companies that had violated competition laws. What’s more, claimants do not have to be from the UK, meaning online companies and companies based in other countries could  find themselves being taken to court in the UK by groups of claimants.

The act opened the door to more class actions in other ways, as well. In the past, when consumers had a complaint against a company, they had to opt in to a group action—that is, actively sign on to participate. The 2015 law changed that with an opt-out option, which essentially meant that any UK citizen affected by a company’s alleged action can be automatically included in the group action, unless they have proactively opted out of it. Overall, this tends to increase the size of groups of plaintiffs involved in a class action, making potential awards much larger. What’s more, as some claimants opt out to pursue their own individual lawsuits, companies may find themselves facing litigation over an issue on multiple fronts.

As such trends alter the view of collective actions, “class action lawsuits could be applied to other types of consumer actions beyond data breaches,” says Weekes. Already, he says, there is legislation being proposed that would in fact extend class actions to consumers’ claims in general. The courts are also moving the class action concept forward. Weekes notes, for example, an October 2019 decision by the UK Court of Appeals that said that a law firm could bring a claim for just one plaintiff who had allegedly been harmed by a company’s actions, but be awarded compensation for the entire population that had been affected by those actions.

At the same time, continues Weekes, “we’re seeing a significant growth in third-party-funded litigation in the UK—and over the past year, it’s exploded. There’s plenty of liquidity around in hedge funds and other financial vehicles to provide that funding.” Class actions, with their potentially large payouts, are of growing interest to these funders. “They’re becoming very much involved in helping claimants fund their lawyers and expert fees,” he says. “That will make it possible for claimants to file more class action claims, and those claims will be better resourced as a result of access to funding.”

The UK is probably not going to see an abrupt total shift to U.S.-style class action litigation, thanks to some key differences. For example, unlike the U.S. approach, parties that  lose lawsuits in the UK pay the other side’s legal costs, and judges are not able to award treble damages; these are factors that tend to make a rush to court appear less attractive. Nevertheless, says Weekes, there does seem to be a cultural change among legislators, regulators, and the broader legal community that is making the environment more open to an extended use of class actions—and legal departments should keep an eye on how those changing attitudes are affecting  the risk of litigation.

More Transatlantic Cooperation? In September 2018, officials from the U.S. Department of the Treasury and the UK’s HM Treasury, along with various regulatory agencies from both countries, came together in London for the first meeting of the U.S.-UK Financial Regulatory Working Group, which was formed “to deepen our bilateral regulatory cooperation” to support financial stability and investor protection in both countries. A second meeting was held in May 2019 in Washington, D.C. “And it looks like those meetings might be starting to create some cross-border synergies,” says Crowell & Moring’s Robert Weekes. For example, Weekes says, the UK Serious Fraud Office announced a bribery investigation into the Glencore mining company, which is also facing a corruption investigation by the U.S. Commodity Futures Trading Commission. “Whether by coincidence or design, this could signal that U.S. and UK authorities are positioning themselves to work together to investigate and prosecute cross-border wrongdoing,” he says. “It will be important for legal departments to think about how to work on both sides of the Atlantic and to balance their approach to ensure compliance with the distinct rules of each regulator.”