The last 12 months have been a roller coaster for group actions in the UK with some highs, some lows and the odd false start. Whilst there have been some decisions which provide optimism that the English Courts are willing to allow claimants to make use of the limited tools at their disposal to bring group claims, there is still some way to go.
The first decision was that of the Court of Appeal in VM Morrison's Supermarkets PLC v Various Claimants ( EWCA Civ 2339) handed down on 22 October 2018. The claim arose from the criminal actions of one of Morrison's employees, Andrew Skelton, who uploaded personal data relating to nearly 100,000 Morrison's employees to a file sharing website. The data was then provided to three UK newspapers. The claimants obtained a GLO in November 2015 and the claim came before Langstaff J in October 2017. Whilst he dismissed the primary claims (relating to breaches of the Data Protection Act 1998, misuse of private information and/or breaches of confidence) he held that Morrison's was vicariously liable for Skelton's misuse of private information and/or breaches of confidence. Morrison's appealed but the Court of Appeal agreed with Langstaff that Skelton's unlawful activities took place during the course of his employment and therefore Morrison's was vicariously liable for those acts. Whilst this decision was worrying for many employers who fear being held responsible for misuse of data by disgruntled employees, it was a positive step in that this was the first case where a group claim had succeeded in respect of a data leak or hack in the UK. However, that may be short lived, as in April this year, the Supreme Court granted permission to Morrison's to appeal the CA decision.
The next decision was that of the Court of Appeal's in Walter Merricks CBE v Mastercard Incorporated & Ors ( EWCA Civ 674) to overturn the CAT's first instance decision to deny Mr Merricks a CPO. The claim is a follow on claim brought by Mr Merricks as class representative issued on an opt out basis under the CAT's collective action regime brought in by the Consumer Rights Act 2015. Mr Merricks acts on behalf of an estimated 46.2 million individuals and the claim relates to MasterCard's default multilateral interchange fee (“MIF”), a fee charged by the cardholder’s bank to the merchant’s bank when a consumer pays for goods or services using a MasterCard payment card. In December 2017, the European Commission found that MasterCard's MIF restricted competition in breach of EU competition law. Merricks alleges the MIF was passed onto consumers almost entirely and absent the infringement, the consumers would have paid a lower price for goods or services. At first instance the CAT refused to grant a CPO on the basis that i) the claims were not suitable for an aggregate award of damages due to a lack of data and ii) there was "no plausible way of reaching even a rough-and-ready approximation of the loss suffered by each individual claimant". This decision meant that the bar had been set high for any opt out claim wishing to proceed in the CAT. However, the Court of Appeal's judgment considered that the CAT had demanded too much of Mr Merricks at such an early stage of the proceedings, criticizing the CAT for effectively carrying out a "mini trial". Importantly, the Court observed that if Merrick's action was not certified, follow-on damages claims by consumers against MasterCard would be a practical impossibility. The judgment has the effect of substantially reducing the threshold for initial verification for a CPO, therefore potentially providing a pathway to more collective actions.
However, in late July 2019 the Supreme Court gave Mastercard permission to appeal and so for now, the threshold for CPO applications remains uncertain. This means that four other claims in the CAT are also on hold whilst the Merricks claim proceeds to the Supreme Court. The "trucks cartel" litigation involves two separate proposed collective actions that relate to the European Commission's finding of an EEA wide cartel that was operated by various trucks manufacturers between 1997 and 2011. The first is a proposed opt-in action brought by the Road Haulage Association ("RHA") (Case No 1289/7/7/19: Road Haulage Association Limited v Man SE and others). The second is a proposed opt-out or opt-in action brought by special purpose vehicle UK Trucks Claims Ltd (UKTC) (Case No 1282/7/7/18: UK Trucks Claim Limited v Fiat Chrysler Automobiles N.V. and others).
The other two CPO applications are standalone opt out claims brought in February 2019 against the UK rail operators relating to losses suffered by a large number of rail passengers as a result of alleged double charging arising from so-called "boundary fares" (Justin Gutmann v London & London Easter Railway Limited (Case No 1305/7/7/19), Justin Gutmann v First MTR South Western Trains Limited and another (Case No. 1304/7/7/18)). It is also worth noting that Michael O'Higgins FX Class Representative Limited has also issued an application for a CPO in relation to a proposed opt-out collective proceedings in relation to the European Commission's decisions in relation to two cartels that operated in relation to FOREX. It is expected that as with "trucks cartel" and "boundary fares" litigation, the CAT will not hold the substantive CPO hearing until the Supreme Court has handed down its judgment in Merricks.
The trucks litigation has raised some interesting issues around funding. In June 2019, the CAT had a hearing on the preliminary issue of whether the authorisation of UKTC and/or RHA as class representatives should be refused on the grounds of their respective funding arrangements. The hearing focused on two issues. The first is the extent to which the funding agreements proposed by UKTC and RHA should be categorized as damages based agreements ("DBA") because they essentially amount to the provision of claims management services. Such agreements would not meet the criteria of the DBA Regulations, therefore making them unlawful. Even if they did meet the criteria, in the case of the UKTC's proposed opt-out proceedings, such an agreement would fall foul of the ban on DBA's in opt out proceedings in the CAT. The second issue was whether certain alleged deficiencies in the funding arrangements, including the adequacy of UKTC's and RHA's ATE insurance, were serious enough for the court to recommend the claimants should not be granted a CPO. Judgment is awaited.
Whilst the practical utility of the CAT's new regime remains to be seen, the GLO regime continues to be utilised, albeit tentatively. The claim against Volkswagen arising out of the emissions scandal is proceeding in the High Court and following a case management conference in March this year, a pretrial hearing will take place at which the Court will determine whether software installed in the VW cars constituted a "defeat device". However, GLO's have their limitations: they can be extremely drawn out and very expensive. For many cases, such as data breaches, they are simply not economically viable when the damages figures per capita can be very low. It is also noteworthy that whilst the Morrison's GLO may progress, of the 100,000 employee effected, only 5000 signed up to the claim.
An alternative is the little used representative action procedure under CPR 19.6 by which a representative can bring a claim essentially on an "opt out" basis on behalf of anyone with the "same interest". Take for example, the high profile case of Lloyd v Google LLC ( EWCA Civ 1599). The claim, in which Mishcon represent the claimant, arose out of allegations that Google unlawfully collected personal data on individuals via Apple's web browser, Safari, on their iPhones between 2011 and 2012. Collection of the data enabled Google to categorise consumers within groups based on their internet preferences and sell this information to their advertising network. By bringing a representative action, Mr Lloyd hoped to open the door to redress in mass data breaches where individuals are unable to act on their own. Whilst Mr Lloyd's claim was brought to a halt at first instance by Mr Justice Warby in a judgment described by Mr Lloyd as an "analogue decision in a digital age", that judgment has recently been overturned by the Court of Appeal. In a unanimous and ground breaking decision, the Court of Appeal granted Mr Lloyd permission to serve the proceedings on Google in California thereby opening the door for the use of representative actions to hold large tech companies to account and establishing a new procedural framework for the conduct of mass data breach claims. Importantly, the judgment recognises that an individual's personal data has a value and that the loss of control of that data can give rise to a right to compensation without the need to demonstrate pecuniary loss or distress. It also recognises that victims of data breaches can have the "same interest" for the purposes of r19.6.
Another active area for group actions in the UK is in the securities litigation space, with a number of actions being launched in 2017 making use of s.90A FSMA- see for example, the RBS Rights Issue Litigation and the Tesco Investor Claims. To date, fear that this may lead to an American style class action system, with frequent securities litigation, have so far been unfounded: a combination of the UK adverse costs regime, the opt in nature of claims and the due diligence carried out by the third party funders who are often backing the claims, significantly tempers that risk. There is also as yet no case law on the meaning and interpretation of s.90 (prospectus claims) and s. 90A (statement to the market claims), another fact which causes uncertainty and a reluctance to bring these claims. However, we are seeing a growing interest in the UK in these claims.
So where does this leave the group action regime in the UK? The group action procedures in place and the increasing availability of third party funding for such claims provides access to justice for investors and individuals with smaller losses who would not otherwise be in position to bring a claim on an individual basis. However, significant barriers remain. The UK regime is underdeveloped and in part, untested. Whilst the appetite for bringing these kinds of claims is strong amongst practitioners and funders, to date the government has been unwilling to introduce the kind of reforms that are needed. For example, the implementation of GDPR through the Data Protection Act 2018 provided an opportunity for the government to legislate for a cost effective and administratively efficient mechanism for opt out data breach claims, like that provided by article 80(2) GDPR,. which states that national law may allow for Representative Bodies to bring proceedings on behalf of individuals, without their authorisation i.e. an opt out collective action. The government declined to do so, instead providing for 30 month review of the merits of exercising powers under section 80(2) GDPR. It is to be hoped that judgments such as that of the Court of Appeal in the Lloyd v Google case will encourage much needed legislative change in this area.