Last week, a group action involving up to 16,000 claimants, each seeking up to £2000 in compensation, was settled with British Airways regarding the data breach that led to its £20 million GDPR fine. It is reportedly, the largest opt-in group action in the UK for a data breach.
Alex Zachary, corporate and commercial partner and GDPR specialist comments:
“GDPR brought in stronger rights for individuals to bring civil claims against businesses who breach their data protection rights, so an increase in consumer litigation and class actions was inevitable. We can expect to see these kinds of group claims to continue and increase. For example, there is a similar class action against Easyjet, which relates to an alleged data breach in 2020 which saw the data of nine million customers compromised. The speed with which the BA action was resolved shows how these claims are now being taken seriously and is likely to encourage other claims to be brought.
“The £20m fine levied against BA by the ICO and now this related class action settlement should hammer home the message to businesses processing large amounts of consumer data, how important it is to be constantly testing their cyber security measures to ensure that they are adequate and keeping pace with the latest threats, including by building data security into the foundations of the design of any new systems and processes they implement. Failure to do so can, and probably will, have serious consequences in this landscape of ever increasing cyber threats.”