After a multimillion-dollar privacy fine from the U.K. Information Commissioner’s Office, British Airways still faces a consumer class-action lawsuit for its 2018 data breach.
Photo: Dave Rushen/Zuma Press
Lawsuits filed against British Airways and Marriott could be the vanguard of a wave of European class-action cases dealing with privacy concerns, lawyers say.
A group litigation order was filed in the U.K. last year against International Consolidated Airline Group’s British Airways over a 2018 data breach that exposed payment-card details for around 380,000 individuals and personal records for 185,000 people world-wide. A hearing to determine court dates is scheduled for Nov. 25.
Class-action lawsuits for privacy incidents are uncommon in Europe, lawyers say, but law firms and consumer organizations are increasingly bringing cases to seek damages for individuals whose data is exposed by a breach.
“Now is the time when [British Airways] should compensate their customers,” said Tony Winterburn, head of consumer protection litigation at law firm Pogust, Goodhead, Mousinho, Bianchini & Martins, part of Excello Law Ltd., which is serving as lead counsel on the action against British Airways.
Around 4,500 people are currently part of the litigation against British Airways, and a further 3,000 will be added soon, Mr. Winterburn said. The law firm will run television advertisements regarding the lawsuit this month in the U.K. and expects more consumers to join soon, he added.
A different lawsuit against Marriott International Inc. was filed in the U.K. in August for a separate data breach, also revealed in 2018, which exposed information on 383 million people world-wide.
A spokesman for British Airways said the airline responded to the litigation order but didn’t comment further, and a spokeswoman for Marriott didn’t comment on the class-action litigation.
In October, the U.K. Information Commissioner’s Office fined British Airways £20 million, equivalent to $26 million, and Marriott International £18.4 million, equivalent to $24 million, for these breaches. The fines were sharply reduced from the ICO’s original proposal, which would have levied $230 million against the airline, and $124 million against Marriott. Spokespeople for both companies said they wouldn’t appeal the fines but didn’t admit liability.
Although it reduced its fine, the ICO said in its decision that it “does not accept BA’s assertion that no harm or damage was caused” by the airline’s cybersecurity failures. That decision could help the class-action case because it will be harder for the company to argue that it didn’t violate Europe’s General Data Protection Regulation, Mr. Winterburn said. EU countries started applying the privacy law known as the GDPR in 2018. The U.K. left the EU this year but still applies the law.
Because European class-action lawsuits over privacy breaches are rare, it is unclear how much compensation consumers might receive in a successful case, said Edward Machin, an associate in the privacy and cybersecurity group at law firm Ropes & Gray LLP. Such cases might be one effect of the two-year-old GDPR, which made Europeans more aware of their privacy rights. “It looks like the pendulum is starting to swing where we’re going to start seeing this more regularly,” he said.
Consumer organizations and law firms have recently taken an interest in similar legal action across Europe.
Organizations can file class-action lawsuits to European court systems, separately from a privacy complaint under the GDPR, which individuals and organizations submit to national data protection regulators. Initiating litigation is an easier and faster way to have any legal judgment in privacy cases because national regulators often take a very long time to investigate or issue decisions, said Romain Robert, a senior lawyer at Noyb, a privacy advocacy group based in Vienna.
Investigations can be especially lengthy in cases involving large companies that might have affected people in more than one EU country, because regulators are required to consult with their counterparts in other European states.
A new EU law will take effect in 2022 requiring all 27 member states to allow class action-style lawsuits. In those countries that allow such lawsuits, there are big differences in how much it could cost consumer groups to take a case to court, said Ernani Cerasaro, a legal officer working on consumer and digital policy at the European Consumer Organization, a nonprofit group based in Brussels.
Noyb is building a mobile app that will make it easier for individuals to sign on to class-action cases, Mr. Robert said. “Collective redress is a nice way to leverage power against companies. The claim for damages might be higher than the [regulators’] fines,” he added.
Write to Catherine Stupp at [email protected]
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
