Hong Kong’s Cathay Pacific faces first collective legal action over massive data breach, with 200 customers poised to make claims
- Potential claimants mainly from Hong Kong, some from mainland China and some from Britain, lawyer says
- Airline is also under close scrutiny by city’s government, with threat of punishment if it fails to cooperate with privacy watchdog
Cathay Pacific Airways is facing its first collective legal action in the wake of a massive data breach after about 200 customers expressed their intention to make claims over the leak, the Post has learned.
Hong Kong’s flagship carrier is also under tight scrutiny by the local government, with acting chief executive Matthew Cheung Kin-chung threatening on Tuesday to punish the airline if it failed to cooperate with the city’s privacy watchdog.
Cathay Pacific divulged last Wednesday that – in what the privacy commission described as Hong Kong’s largest scale of data leak so far – personal details belonging to 9.4 million customers had been illegally accessed. The revelation came months after the breach was discovered in March and confirmed in early May.
Cheung, who spoke before chairing Tuesday’s Executive Council meeting on behalf of Chief Executive Carrie Lam Cheng Yuet-ngor, said the government was highly concerned about the breach.
“If Cathay Pacific is not cooperative, the [privacy] commissioner is entitled to take legal action under the ordinance, which carries penalties,” he said. “[Cathay] has to obey the instructions and fully cooperate with our investigation.”
On Monday, Privacy Commissioner Stephen Wong Kai-yi accused the airline of ignoring the watchdog’s request for information six days after the leak was made public.
Cheung said both the Office of the Privacy Commissioner for Personal Data and the police force had looked into the matter, and time should be allowed for the investigation at this stage.
A Cathay Pacific spokeswoman said the airline had notified police and the privacy commissioner’s office about the incident.
"We are cooperating and will continue to cooperate with the authorities in their investigation," she said.
Following a police search for evidence at Cathay Pacific’s headquarters in Chek Lap Kok on Monday, the Post learned that about 200 customers had expressed their intention to make a claim against the airline.
“They are mainly from Hong Kong, some from mainland China and some from the United Kingdom,” Tom Goodhead, a partner and barrister at SPG Law, said in an email reply to questions from the Post.
The law firm set up a compensation website on October 25 after Cathay Pacific disclosed that data from 9.4 million passengers had been leaked, including names, passport numbers, ID numbers, travel history and credit card numbers.
Goodhead earlier told the Post that the firm would file “multiple, separate actions and then seek to reach settlement with Cathay”.
The group action planned in Britain would be restricted to European Union residents. On the website, the firm said the claimants had a right to compensation from Cathay Pacific for the data leak under Article 82 of the European Union General Data Protection Regulation (GDPR).
For other claimants, like those in Hong Kong and mainland China, Goodhead said the firm would file separately in the Netherlands, which “provides a mechanism [by which a] stichting, or a foundation, can represent claimants worldwide on a class action basis”.
He said the relevant Dutch law, WCAM – also called the Collective Settlement procedure – had been used in a number of high-profile transnational cases.
The law firm is seeking to claim up to £1,500 (HK$15,000) for each person and possibly more based on individual cases.
Legal experts in Hong Kong questioned if the overseas collective action would mean a better chance for local residents to seek compensation from the airline.
Cathay Pacific declined to comment on the collective legal action.
Gary Meggitt, an expert in professional liability and the director of the Asian Institute of International Financial Law at the University of Hong Kong, warned that passengers ran the risk of having to pay legal costs, even if the law firm bought insurance for them.
“If the airline wins, the airline is not paying its costs, and the costs would be on the passengers bringing the claim,” he said, adding that depending on the policy, there could be a cap to how much passengers were insured for.
Although claimants typically do not have to pay lawyers’ fees, passengers might still have to pay for expenses and be charged for a success fee or bonus, depending on the how the contract was structured, Meggitt said.
And while Hong Kong runs a similar common law system to Britain, particularly on commercial disputes, he said, passengers should be aware that the actual operation of evidence or the trial could still vary.
The Consumer Council and the Office of the Privacy Commissioner both have mechanisms to provide legal advice to consumers or victims of data breach, or even to bring the matter to court in cases involving actual damage.
Individual claimants can also take any monetary dispute involving no more than HK$50,000 (US$6,375) to the Small Claims Tribunal. For a fair trial, lawyers are prohibited from representing either side.