Tech Matters: The True Road to Damascus – Arbitrating Class Action Data Breaches?

Tech Matters: The True Road to Damascus – Arbitrating Class Action Data Breaches?
29 Oct 2019


The True Road to Damascus – Arbitrating Class Action Data Breaches?

In the Tech Matters Series, Shaun Leong, Partner based in Eversheds Sutherland’s Singapore office, Eversheds Harry Elias, considers the latest in technology disputes and trending challenges faced by technology companies.

The Awakening  

The real awakening to alter businesses’ and enterprises’ conduct that respects personal data and data security may not be the fines and penalties imposed by governmental authorities all over the world in the past couple of years, but by way of “private regulation” where victims find a platform to seek remedy en masse for the losses they have suffered.

Earlier this month, the English High Court granted a Group Litigation Order, allowing half a million British Airways customers to commence legal action against the airline for data breaches arising from a formjacking hack in 2018 where customers were diverted to a fake booking webpage which gathered data illegitimately. The information leaked included credit card details and personal contact information. More than half a million claimants could join in the litigation as the court granted 15 months for victims to join in the action. The potential damages from this class action would sit in addition to the £183 million fine ordered by the Information Commissioners Office.

At the same time, on 2 October 2019, the English Court of Appeal allowed the class action against Google to proceed, commenced by one Mr Richard Lloyd representing a class of over 3 million Apple iPhone users (Richard Lloyd v Google LLC [2019] EWCA Civ 1599). It was alleged that Google had without users’ consent, used for commercial purposes information gathered from Apple iPhone users generated from the Safari browser. The Court of Appeal took the view that victims would have the right to recover damages for loss of control of his data without needing to demonstrate pecuniary loss or distress, under the Data Protection Act 1998.

These are the first few class action cases that arose since the General Data Protection Regulation (GDPR) came into force in May last year. There have been many major data breaches by large corporations recently in Singapore and this part of Asia, and it would not be surprising if similar class actions follow suit from breaches of the Singapore Personal Data Protection Act (PDPA). If data is the new oil, we are now witnessing a global battle for (the use of) oil.

Class Action Litigation

In Singapore, the PDPA preserves the right of private action pursuant to section 32. Court action may however be commenced only by a person “who suffers loss or damage directly as a result” of the data breach. This suggests that a person who suffers loss or damage indirectly may not be entitled to sue under the PDPA. This places pressure on the definition of “loss”, which could open to interesting debate in the realm of data protection. Judging from the Lloyd v Google case, loss could be read widely to account of loss of control over your own data.

The class action model in Singapore differs from the US framework and is termed a “representative action” captured under Order 15, Rule 15 of the Rules of Court. The claimants in the action must demonstrate that they share the same interest, and the Court has the discretion to decide whether such action should be allowed to proceed. One of the biggest class action cases in Singapore was the Raffles Town Club dispute (which Eversheds Harry Elias worked on), where several thousand club members commenced action in breach of contract and misrepresentation and were awarded over S$40 million in damages.

Cross Border Class Action Arbitration

The relevant cause of action may not necessarily be founded upon express personal data protection legislation (such as the GDPR or PDPA), but rather be shaped around private rights and obligations, even if the legislation continues to provide good guidance on the nature of such rights. As a start, it would not be difficult to contemplate the existence of an implied term in the private contracts that businesses and people make every day, for the contracting party not to improperly use or disclose personal data to third parties without consent.

Where the alleged victims of the data breach come from all over the world, international arbitration may be the selected mode of dispute resolution, given that an award can be enforced in more than 200 countries under the New York Convention.

In addition, the confidentiality of the arbitral process, as opposed to open court proceedings, may be very comforting to all parties involved. Arising from the leak of personal data may involve evidence around the nature of the loss, which may be private and sensitive. At the same time, corporations and enterprises would prefer their rivals or investors not to know about the vulnerabilities of their internal systems which resulted in the data breach (notably the leak of business data would invariably invite business litigation).

There are mechanisms under the major arbitral rules which would allow for consolidation of disputes and joinder of parties. For example, under Article 7 of the ICC Rules, parties could be joined with the agreement of parties. Article 10 allows for the consolidation of arbitrations where parties have agreed. There are similar provisions in the SIAC Rules. When faced with the real prospect of going to open court, it would not be uncommon for parties to have a post-dispute agreement to arbitrate and consolidate.

Corporations can afford to dedicate some resources to manage the risk of class action suits arising from data breaches. The potential damages award arising from these actions, sitting in addition to the regulatory fines, could very well cripple a business. There are key decisions that need to be made at an early stage of a dispute, and strategies, including appropriate cross border jurisdictional challenges, that corporations can take to mitigate the impact of a class action.

At the same time, victims who suffered losses should be apprised of their legal rights and the platforms that they can avail themselves to, in order to seek redress for their losses.

Shaun Leong, Partner based in Eversheds Sutherland’s Singapore office, Eversheds Harry Elias, regularly advises and represents clients in technology related disputes. He has experience representing a global biotech company in a class action, crisis management matter in South Korea where he was substantially engaged in all aspects of legal and strategic work around the civil claims filed by victims, mediation, settlement and compensation, forensic investigations work in cooperation with authorities, criminal defence work in relation to charged executives, and strategic, legal advice regarding communications with media and stakeholders.

For further information, contact:

Shaun Leong

Partner, Eversheds Harry Elias

+65 6361 9369                              

For more information, please contact our Business Development Manager, Ricky Soetikno at