Data breaches, cyber and privacy-related issues are a growing area for securities class action litigation in the US. Now that the EU’s General Data Protection Regulation (GDPR) has been added to the mix, tighter rules on data privacy and compliance are impacting earnings.
In August, a number of class action lawsuits were filed against Nielsen Holdings, a US media data company, over the impact of the GDPR on its growth prospects and business model. The lawsuits are not the first shareholder actions to cite the EU’s new data protection laws. In July, investors filed a securities suit against Facebook after the technology group’s quarterly results were allegedly affected by GDPR, which was implemented on 25 May 2018.
On 8 August 2018, US law firm Robbins Geller Rudman & Dowd (RGRD) filed a class action suit against Nielsen Holdings, its chief executive and chief finance officer. The filing makes a number of allegations, but essentially accuses the media ratings firm of making false or misleading representations around the impact of the GDPR on its business.
According to RGRD, Nielsen repeatedly assured investors that its business model was strong, earnings forecasts were on track and that GDPR would not impact its business. However, on 26 July 2018, Nielsen announced that it had missed revenue and earnings targets for the second quarter of 2018 and that GDPR was affecting its partners and clients. Following the disclosure, Nielsen’s share price declined more than 25%.
To date, the focus on D&O liability, with regard to cyber, has been around data breaches and the board’s duty to maintain appropriate levels of cyber security. As the D&O Diary highlights, the Nielsen lawsuit shows the potential for privacy-related concerns to become a significant source of corporate liability. A securities suit has also been filed against Facebook following the misuse of the social media platform’s users’ data by Cambridge Analytica.
The Facebook and Nielsen lawsuits demonstrate how privacy-related issues can lead to D&O claims, while the latest securities action against both organisations demonstrates the potential for GDPR-related D&O lawsuits.
Interestingly, the most recent lawsuits have focused on failure to disclose the impact of GDPR on financial performance. Tougher privacy laws may challenge the business models of companies that store, process or use personal data. These two companies are unlikely to be the only organisations to have been affected by the tighter data protection laws in Europe. When disclosing its quarterly earnings, Nielsen said its financial performance was affected by problems its partners and clients were having with GDPR compliance.
According to law firm HWL Ebsworth, Australia is also fertile ground for securities class actions arising from data breaches, cyber incidents or privacy matters. Unlike the US, Australia has yet to see such actions, but the country is a relatively litigious society and one where securities class actions have been increasing at a faster pace than in any other jurisdiction outside the US.
However, HWL has seen a number of developments that could combine to increase the likelihood of privacy and data breach class actions in Australia in the not-too-distant future. These include: greater awareness of cyber risk, a greater regulatory focus on cyber risk disclosure and Australia’s recently implemented Notifiable Data Breaches (NDB) scheme.
Australia is also home to a number of litigation funders, who have shown growing interest in privacy-related actions. In July, litigation funder and law firm IMF Bentham launched a collective action against Facebook following the misuse of personal data by Cambridge Analytica. The firm has lodged a collective complaint with the privacy regulator, the Office of the Australian Information Commissioner. Depending on the Commissioner’s response, Bentham may launch a class action lawsuit.
While the Nielsen lawsuits focus on disclosure, future litigation could also follow privacy-related incidents triggered by notifications and regulatory enforcement. It is early days for enforcement of GDPR, but initial indications are that data breach notifications have increased in the first months of the regime. Other countries have since followed the EU and introduced tougher data privacy regulations – most recently Brazil and the US state of California – suggesting that tougher privacy rules for personal data are spreading.
India looks set to become the latest country to introduce a sweeping data privacy law. A landmark decision by the Supreme Court of India last year concluded that privacy is a “fundamental right” under the Indian Constitution, calling on the Indian government to introduce a comprehensive regime for data protection.
As a result, the Indian government convened an expert panel to draft a new data privacy law. The resulting Personal Data Protection Bill of 2018 was published in July and has been out for consultation until the end of September. The proposed legislation shares many of the characteristics of the EU’s GDPR – it would require companies to obtain consent before processing personal data, as well as giving consumers the right to access or delete their data. The draft law would also introduce new obligations for companies, such as conducting data privacy impact assessments and notifying data breaches that carry the risk of causing significant harm to individuals.