
British Airways settles data breach class action – what now?

July 2021

It was announced yesterday that British Airways has settled a class action brought by thousands of customers impacted by a major 2018 cyber-attack and resultant personal data breach.

The personal data of approximately 430,000 customers – including login details, credit card information, address, and travel booking information – was compromised following a “formjacking” attack which diverted users to a fraudulent website.

In October 2020, the Information Commissioner’s Office found there was a “serious failure” by British Airways to comply with GDPR with regard to security protections and fined British Airways £20m.

Claimant law firms obtained a Group Litigation Order (“GLO”) to bring an opt-in group action against British Airways seeking compensation for alleged breaches of GDPR, breach of contract and/or breach of confidence. British Airways denied liability.

A split liability and quantum trial was ordered, with the liability trial expected in Summer 2022.

It is not known how many victims ultimately opted in to the action and were party to the settlement with British Airways. At a hearing in February 2021, it was claimed 22,230 claimants were already in the action, with more expected to join. The Court recently extended the cut-off date for claimants to join until 3 June 2021.

The settlement with British Airways was reached following a mediation and the amount of the settlement is said to be confidential. At this stage, therefore, it is not known how much each of the claimants will receive in compensation. Much-awaited Court guidance on the quantum of such personal data breach claims under the GDPR therefore remains out of reach at this stage (see our recent article here on this question).

There is no let-up. A GLO is currently being sought for a new class action against Easyjet. Easyjet revealed in May last year that the personal data of 9 million customers was compromised following a cyber-attack.

GLOs are just one type of “class action” procedure for claimants to pursue data controllers for personal data breaches or alleged unauthorised use of personal data. Instead, many claimants look to “Representative Actions”.

The opt-in basis of GLOs has led to low take-up levels: it was estimated that just 5% of the potential victims in the British Airways case had joined the litigation. In a previous GLO case against Morrisons, following a personal data breach affecting nearly 100,000 Morrisons employees, only 9% of the impacted employees joined the action. Low take-up levels may make class action claims economically unviable for claimant solicitors and litigation funders.

By contrast, Representative Actions have the benefit of being on a US-style “opt out” basis. This has attracted a number of personal data breach class actions against the likes of Google, TikTok, Salesforce, Oracle and YouTube. However, Representative Actions have a much stricter “same interest” requirement for claimants compared to the “common or related issues of fact or law” requirement for GLOs. There is a question of whether victims of personal data breaches can be said to have the “same interest”, given any financial losses and distress would differ depending upon their individual circumstances. In order to get around this, the ongoing Representative Action against Google has sought to “strip out” any claim for compensation related to such individual factors and only claim the “lowest common denominator” damage suffered common to all victims, in particular for what is said to be their “loss of control” of their personal data. The Supreme Court is currently pondering this question following a hearing in April 2021, with the Representative Actions against TikTok and others stayed pending the outcome, and the Court’s eagerly awaited judgment is expected soon. This judgment could materially change the landscape of personal data breach class actions going forwards.
