The ICO appears to have nodded off this year when it comes to regulatory action, with its ad tech investigation on pause and notices of intent against Marriott and BA still not having progressed beyond an intention over a year later. But lawyers backed by litigation funders have been beavering away. Inspired by the Information Commissioner's work to date, and doubtless encouraged by the Court of Appeal's decision in Lloyd v Google, they've been hard at work assembling group claims which pick up where the regulator has seemingly drifted off. And in August, while most of us were trying to avoid face mask tan-lines, the heat was turned up with two 'class actions' being launched: one related to ad tech, and the other a data breach.
The first claim is against Oracle and Salesforce where it's alleged that the defendants breached "GDPR rules by facilitating sales via harmful ads, holding personal information that consumers did not proactively consent to sharing, and inconsistently securing personal data." It's the brainchild of The Privacy Collective, a not-for-profit based out of the Netherlands which anticipates that the combined claims could exceed €10b (yes, that's a 'b' not an 'm'). Readers will recall that Oracle was already in regulatory crosshairs as a data broker targeted by Privacy International in its complaint filed with regulators across the EU (including the ICO) back in 2018. The lead claimant in the intended UK action is Dr Rebecca Rumbul, head of research at mySociety, a not-for-profit focused on enabling greater civic participation through online technologies. Claimant lawyers, Cadwalader, are better known across the pond for defending class actions for financial institutions rather than bringing them.
Oracle’s GC is said to have characterised the claim as “meritless” and a “shake-down through litigation filed in bad faith”. All the same, reports have emerged in recent days of Oracle apparently contacting its clients to inform them that it will stop offering third party targeting services across the EU from 15 September. Take from that what you will.
The second claim is brought by another US firm with EU outposts: the litigation specialist, Hausfeld. It follows the ICO's notice of intent last summer to fine Marriott nearly £100m for a cyber incident, notified in 2018, which exposed 39m guest records globally (7m of whom were UK residents). Hausfeld plainly fancy their chances given the assertion by the ICO that its "investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems." The lead claimant is Martin Bryant, the founder of technology and media consultancy Big Revolution.
Unlike the BA data breach class action which is being brought pursuant to a 'Group Litigation Order', the claims against Marriott and Oracle/Salesforce are 'representative actions'. This means that everyone with the same interest as the lead claimant is included in the claimant class, unless they opt out. That's what makes the numbers stack up, and piques the interest of litigation funders. (For more on the differences between these types of claim, see here).
As a board member of The Privacy Collective reminds us: "Claiming damages in a class action is an important enforcement tool in the GDPR." Indeed, resource-poor regulators will doubtless rejoice at the prospect of claimants relying on their rights to effective judicial redress and compensation to police the GDPR in their stead.
And make no mistake: it's not just the 'chancers' we've become accustomed to that are bringing data privacy claims (you know, the firms that 'specialise' in claims for Japanese knotweed, personal injury and data breaches). The big guns are now rolling in with their war chests full to the brim, and they're unlikely to take any prisoners. So if you're putting off data privacy compliance and are thinking that you're okay to swallow a fine if the regulator comes knocking - it's time perhaps to have a rethink.
It was announced on Friday 14th August 2020 that legal claims were being filed against Oracle and Salesforce in the UK and Netherlands for breach of GDPR. The claims concerned the use of Third Party AdTech tracking cookies (BlueKai and Krux), the ‘Real-Time Bidding’ processes used to target adverts to individual users, and the implications for personal data. The claims are being taken forward in the form of ‘class actions’, which means that the named representative claimants are bringing the claim not only for themselves, but on behalf of everyone in the jurisdiction that is affected.