Freshfields TQ


The 'lead claimant' model - the future for data privacy mass claims?

The Supreme Court’s ruling in Lloyd v Google (on which we have previously blogged), coupled with the vast upfront costs of bringing claims via a group litigation order (GLO), is leading claimant law firms and funders to reconsider the way in which they bring mass claims in the data privacy space. One approach that recently emerged in the case of Beck v PFEW as an alternative to representative actions and GLOs is the ‘lead claimant’ model, where the common issues in the case are tested by reference to a handful of test claimants before any further claims are brought. This blog post considers this lead claimant model, and where it potentially leaves claimants seeking to bring data privacy mass claims in the future. We also explore the recent case of Gormsen v Meta and the possibility of claimants bringing data privacy collective proceedings in the CAT, in order to make use of its opt-out regime.

The ‘lead claimant’ model

The ‘lead claimant’ model avoids the significant initial costs associated with GLOs, where all individuals who want to be in the group must be verified as ‘proper’ claimants, falling within the scope of the GLO, and placed on the group register maintained by the claimant firm. The same issue arises with representative actions, given the Supreme Court’s ruling in Lloyd v Google that data breach claims are unlikely to be amenable to being brought on an opt-out basis, and so the claimant book must be actively built and verified in a similar way.  This can be a time-consuming, costly and burdensome exercise for both sides, especially in circumstances where there may be many thousands of claimants. And, notably, these costs must be incurred before the Court has been able to determine whether the claimants’ claims are even viable in principle, which is often in doubt in data breach claims. 

Inevitably, the more claimants who come forward to be part of the group, the more costs go up. This is a vital consideration in the data privacy sphere, where cases may involve hundreds of thousands, if not millions, of potential claimants each claiming relatively small amounts. Given the number of individuals involved, there may be serious proportionality concerns about using a GLO or representative action model in data breach cases.

By contrast, the lead claimant model seeks to avoid these upfront costs. Instead of building the group, the lead claimant model tests the common issues by reference to a handful of test claimants. The parties agree to be bound on any generic issues in the lead claims in respect of all other claims (which will be stayed pending the outcome of the court’s decision on the lead claims). If there is a partial judgment, a proportion of the other claims may be excluded, meaning that the overall pool of claimants is smaller – which is preferable from a proportionality and case management viewpoint.

The lead claimant model also means that both sides have potentially helpful benchmarking judgments on quantum, given that the Court will have determined what damages should be awarded in the test claims.  The remaining claims are likely to be of low value and therefore more suitably disposed of in the County Court for individualised assessment. This position is supported by the recent data privacy case of Farley & Ors v Paymaster Ltd (trading as Equiniti), in which Nicklin J struck out 432 of 446 claims brought by police officers where their pension statements had been sent to old addresses. The remaining 14 claims survived the strike out on the basis that the claimants could advance a positive case (rather than an inferential one) that their pension statements had in fact been opened by third parties. Nicklin J held that if the defendant had admitted liability, leaving only an assessment of damages, the claims ought to have been heard in the County Court small claims track. 

The court’s reaction to the lead claimant model 

In March 2019, the Police Federation of England and Wales (PFEW) suffered two separate cyber incidents. The law firm, Keller Postman, filed an application for a GLO in October 2022 on behalf of 13,000 affected members and former members of PFEW. The GLO application was contested by PFEW, who instead proposed the lead claimant model early on in inter-partes correspondence. The claimants ultimately conceded that, whilst they felt the threshold for making a GLO had been satisfied, they were open to an alternative approach. The Court accepted the defendant’s lead claimant proposal, and on 29 March 2023, Senior Master Fontaine dismissed the claimants’ GLO application, awarding costs in the defendant’s favour on the basis that the claimants should “have recognised at an earlier stage that these proceedings may not be most proportionately managed by a GLO, and at least engaged with the Defendant’s proposal at an earlier point”. 

Senior Master Fontaine came to her decision on the basis that a “very large proportion of claims fell into a category of less serious data breaches” where individual damages were likely to be less than £1,000, if successful at all. The claimants’ evidence was that 82% of claims fell into the ‘moderate’ and ‘less severe’ categories, while 1% could be categorised as ‘severe’ and 17% as ‘moderately severe’. Senior Master Fontaine held that “until there is some guidance by way of trials of various lead Claimants’ claims for damages, it will not be known what value such claims are likely to have, or indeed how many claims in that c. 82% of claims will be likely to be viable”. As a result, there were legitimate concerns about incurring the substantial upfront costs of establishing and maintaining the group register, advertising, and providing individual particulars of claim or schedules of information. This meant that the defendant’s ‘lead claimant’ method was likely to be a more proportionate method of managing the claims than the claimants’ (abandoned) GLO proposal.

The future of data privacy mass claims

In the wake of Senior Master Fontaine’s order in Beck v PFEW, there is now a real question of whether GLOs can ever be justified in the data privacy mass claims sphere. Claimant firms might seek to distinguish Beck v PFEW on the basis that the defendant admitted liability early on in inter-partes correspondence; however, even if liability had not been admitted, a court might be swayed by the proportionality argument, given the significant and arguably disproportionate costs involved in GLOs and representative actions. 

Another potential alternative avenue for claimants may be to pursue data privacy claims on an opt-out basis in the Competition Appeal Tribunal (CAT), taking inspiration from the case of Gormsen v Meta. In this case, the CAT initially refused to certify the claim, in part because part of the claim was “extraordinarily difficult to pigeonhole as an abuse of a dominant position…These allegations seem to us not to be competition law infringements at all”. At the first certification hearing, the CAT also found other deficiencies, for example in the claimants’ expert methodology.

However, in February 2024, the CAT found that following a “branch and root” reformulation of the claim with very little (if anything) of the original methodology remaining, the case should be certified to proceed as a collective action on the basis that the abuses articulated are arguable and triable. This is likely to give hope to claimants that, if they can frame data privacy claims as an alleged abuse of the defendant’s dominant position, they may be able to bring an opt-out collective action in the CAT.
