Making a data breach claim. What has changed?
A recent case against Google for illegal data harvesting has transformed how data breach claims are managed in the UK. But what has actually changed? And what does this mean for you?
The background
Between 2011 and 2012, Google used cookies on Apple's Safari web browser to illegally collect data about its users. In response, a group action was launched to help people challenge the big technology company over this data privacy violation. But, in October 2018, the case was thrown out.
Essentially, it was deemed too difficult to calculate how many people had been affected, and in what way. This is because, to make a data breach claim, each person had to show that they had experienced harm as a direct result of the breach. For example, emotional distress or financial loss. In group action cases such as this, where multiple people had been affected, this was especially complicated.
However, this case was taken to appeal, and, in a "ground-breaking" ruling, the Court effectively reformed the data breach claims process.
Change one - you can make a data breach claim even if you haven't suffered a loss
The Court of Appeal decided that data breach claims are valid, even if someone hasn't suffered financial or emotional damage as a result. If a company does not protect your data in the way it is legally obliged to do, you can claim for this data privacy failure.
Change two - you can make a data breach claim even if the only thing exposed was your email address
People can now seek compensation even if the only personal information breached was their email address. Everyone has the right to the protection of their personal data. Especially when such data now has an economic value (e.g. it can be sold).
Change three - there are now different ways to join a group action claim, depending on how you have been affected
Until now, if someone had their data breached, they would have to prove how this privacy violation affected them. In group action cases (where lots of people are affected by the same breach), this could be a complicated process. Because not everyone will have experienced the same loss and consequences. So, making an award in these cases can be tricky.
But, the Court of Appeal has made the group action claims process easier.
People involved in a significant data breach (that has resulted in differing levels of financial loss or emotional harm), can still make a group action case. You can find out more about how to make a group action claim here. So, in these cases, nothing has changed.
But now, people who have had their data breached in a mass privacy violation, but who have not experienced any harm, can also claim. To do this, they will need to join a representative action.
The type of action required for each case will depend on the exact breach. If you are unsure about which option is available to you, our helpful data breach experts are happy to answer any queries you might have.
What is a representative action?
A representative action is a type of group action. Representative actions are launched when a group of people are affected by the same issue and have experienced the same level of harm (e.g. having their email address stolen and data privacy violated).
In representative actions, one solicitor will represent all clients. A judge will decide who this solicitor is. Because of our unique experience in data breach group actions, we expect that Hayes Connor will be appointed as the representative in many future actions.
In addition, one member of the action will typically sue on behalf of themselves and the rest of the group. Once compensation has been agreed, each member of the representative action will receive the same amount.
A representative action is a quicker way to claim for compensation
A representative action can be launched based on the total number of those affected, not just the individuals who have proactively decided to pursue compensation. This will make claim process much quicker. However, to receive a share of the settlement, affected parties will still need to register to join the action. There is likely to be a strict time limit to do this.
What about individual data breach cases?
The ability to claim compensation for individual personal data breaches still exists (for example, where a bank has posted your financial statement to the wrong address). But now, you can claim compensation even if you haven't suffered because of the breach.
In such instances, people can claim directly with the organisation responsible. However, we would always recommend using a specialist data breach solicitor.
At Hayes Connor, we take a holistic and long-term view when it comes to claiming compensation on your behalf. And, our understanding of the effects of a breach mean we always ensure the best possible outcome for you. It is not unusual that - on reviewing your case - we uncover information that allows us to increase the value of your claim significantly. What might seem irrelevant to you could make a huge difference in the eyes of the law.
How will you know if you can make a data breach compensation claim?
Since the introduction of the General Data Protection Regulation (GDPR), any organisation that processes your personal data MUST let you know if it has been breached. And, once you have been told about any violation, you can make a claim.
How do you make a data breach claim?
If you experience a privacy violation due to an organisation breaching the Data Protection Act, you have a right to claim compensation.
At Hayes Connor Solicitors, we know what it takes to make a successful compensation claim. In fact, we've been helping people to do just that for over 50 years. We also steer you through the aftermath of a data breach - minimising the impact on you as much as possible.
In most cases, data breaches happen because of a failure to implement reasonable and robust processes. So, claiming compensation isn't just in your best interests. The only way organisations will be persuaded to take their responsibilities seriously and make the necessary improvements is by hurting their bottom line.