Data breach class actions - be careful what you Which? for
Should somebody tell the Consumers' Association - the august campaigning charity and publisher of Which? - about the law of unintended consequences? In particular, should it rethink its calls to make it easier for third parties to pursue class actions on behalf of consumers following a data breach?
In an opinion piece published this week in The Times, Alex Neill, managing director of home products and services at Which?, suggested that the Data Protection Bill should be amended to put on a legal footing the ability of organisations like his to pursue companies that lose data, on behalf of the customers affected.
He wrote: “[Under GDPR] these actions can be brought without consumers needing to know they were affected, to know their rights, or even to opt in to the claim. Ministers should amend the bill to put these powers on a proper legal footing.”
That should set an alarm bell ringing for anybody who has followed the interwoven strands of data protection regulation, unsolicited telemarketing and class action legislation over the last decade. In particular, Neill's suggestion could directly replicate the mess around payment protection insurance (PPI).
While PPI was a product that was deliberately sold to consumers who might never be able to make a claim, data breaches and losses are an inadvertent consequence of the datafication of business. When criminals and hackers take advantage of systems or human weakness to gain access to personal information, it can have a significant impact on those data subjects. According to CIFAS, identity fraud makes up 56% of all the cases its members report.
So the consequences of a breach can be far more serious than paying for a service you cannot benefit from, even if neither should happen in the first place. With PPI, regulators insisted that the insurers and banks set aside billions of pounds to compensate consumers for the premiums they had paid. As a result, spam PPI texts and calls exploded as claims management firms looked to collect fees by finding claimants to act for. They became one of the most complained about issues of the Noughties.
Not surprisingly, the Consumers' Association put constant pressure on the Government, Ofcom and the Information Commissioner's Office to act, leading eventually to a change in the law in 2015 which gave the ICO far stronger powers. A critical part of that was shifting the evidential requirement from showing harm to individuals to demonstrating the total level of nuisance caused. The ICO continues to crack down hard on the worst offenders.
That same year also saw the Consumer Rights Act introduce class actions, which until then had not been possible. Unsolicited PPI marketing has since dwindled.
Yet here we are with the defender of consumers and their data rights arguing for the right to pursue cases without the individual’s knowledge or consent. Which?’s argument is that GDPR allows third parties to launch class actions, so the new Bill should replicate this.
What would inevitably follow is a new wave of unsolicited marketing urging consumers to sign up in order to get their share of the compensation once a data breach class action has been launched. White hats like Which? may have the best of intentions, but there are plenty of bad actors who will see this as their next gravy train. For people already exposed to fraud by having their data lost or stolen, endless calls and texts urging them to claim are surely not the way forward.