Claimants have a right to compensation unless a controller or processor of data proves that it is not responsible for the event that gave rise to the damage.
- The GDPR and DPA allow for both material damages (e.g., financial loss) and non-material damages (e.g., distress, ‘loss of control’).
Key distinctions exist between alleged misuse of personal information and alleged data breach.
- Misuse of personal information: Claimants usually allege that a loss of privacy has intrinsic value and that the defendant benefitted from the misuse or unauthorised use of private information. In the UK, claims can be brought for distress alone; there is no need to show pecuniary damages. For example, claimants may allege damages through emotional distress or loss of control of personal data (e.g., Lloyd v. Google).
- Data breach: Claimants generally focus less on the intangible value of loss of privacy and more on tangible harm resulting from invasion of privacy by a third party. Tangible harm can include costs associated with identity theft monitoring and prevention; time spent and/or loss of productivity to address the breach; future risk of ID theft; diminished value of private data; overpayment for service; and loss of access to account funds/adverse credit effects. Typically, defendants are accused of negligence in properly safeguarding private information, improper gains arising from underinvestment in protection, and/or failure to adequately remediate.
There are several options for bringing collective claims in the UK.
- Representative action (RA): Brought on an ‘opt-out’ basis. The relatively stringent ‘same interest’ requirement has prevented RAs from becoming more commonplace. The UK Supreme Court judgment in Lloyd v. Google will determine whether that changes.
- Group litigation order (GLO): Brought on an ‘opt-in’ basis. A GLO requires meeting a relatively lower bar of ‘common or related issues.’ The GLO is a common route in matters related to personal data (e.g., Morrisons, British Airways, EasyJet).
The ‘privacy paradox’ is a central challenge in quantifying the value of personal data.
- When asked, consumers may state that they value privacy, but they may behave as if they do not value it. For instance, consumers typically do not read Terms and Conditions statements, and they willingly provide personal information when interacting online.
- Survey respondents claim that they attach significant value to certain types of personal information, such as financial or health data.
- There can be substantial heterogeneity across individuals in terms of how much they value a given type of personal data.
When calculating damages in data breach matters, it is challenging to establish causality.
- It is important to establish that the loss was directly linked to a specific data breach.
- Data breach incidents are increasingly common. It can be complicated to determine whether a given claimant was impacted by a given data breach or by a variety of other data breaches that may have affected that same claimant.
- Other confounding factors exist, including that some private information may be accessible through other means.
Marketing and economics scholars have considered several methodologies to value personal data and potential harm due to loss or breach of privacy. It remains to be seen how UK courts will react to these methodologies.
- Stated preference methods: Contingent valuation and conjoint analysis ask survey respondents to state their preferences regarding data privacy and/or data breaches. These methods are subject to certain limitations, including the ‘privacy paradox’ noted above. Unless studies are carefully designed and implemented, unreasonably large damages estimates may result.
- Revealed preference methods: Natural experiments, event studies and difference-in-differences analyses use real-world data to measure actual behaviour following a ‘data event,’ rather than consumers’ stated responses. These approaches have advantages over stated preference methods, but may also be susceptible to modelling choices, confounding factors or assumptions.