Compromised data included names, passport numbers, ID numbers, travel history and credit card numbers.

“You have a right to compensation from Cathay Pacific for this data leak under Article 82 of the European Union General Data Protection Regulation (GDPR). You can be compensated for inconvenience, distress and annoyance associated with the data leak,” the firm said on its website.

Lesson from the Cathay breach: time to talk about data classification

It sought to claim up to £1,500 (HK$15,000) for each person and possibly more based on individual cases.

Tom Goodhead, a partner and barrister at SPG Law, said in an email reply to the Post that the GDPR would be applicable to the Cathay case despite the regulation only coming into force on May 25.

“Whilst the data breach may have been discovered in March, [customers were] not notified until after the coming into effect of the GDPR. The prevailing understanding of the GDPR is that it will apply in such circumstances,” Goodhead said.

He said the firm would be collating information from their first claimants over the weekend, and expected “tens of thousands of people worldwide” to seek representation. Clients were primarily expected to come from Britain, mainland China, Hong Kong and the United States.

Goodhead explained the firm would file “multiple, separate actions and then seek to reach settlement with Cathay”. But the group action planned in Britain would be restricted to EU residents.

“Victims in Hong Kong, [mainland China] and elsewhere will be able to be represented in proceedings in the Netherlands that we will file,” he added, without elaborating why.

Cathay passengers ‘don’t feel secure’ after massive data leak

Legal experts in Hong Kong questioned if the overseas collective action would mean a better chance of seeking compensation from Cathay.

Craig Choy Ki, convenor of the Progressive Lawyers Group, said it was unlikely that the GPDR would be applicable, because the detection and confirmation of the data leak took place before the EU regulation began being enforced.

“There are significant hurdles to filing a collective action in Britain,” Choy said, adding that in a recent case there it was ruled that representative action in a data breach required that victims suffer actual damage from the incident.

Cathay should have reported leaks of passengers’ data sooner than it did

Choy said Hongkongers could also file lawsuits in the city and seek civil claims on the grounds such as “damage or injury to feelings” if Cathay was found to have violated the city’s Personal Data (Privacy) Ordinance.

Lawyer Dominic Wai Siu-chung said it would be hard to determine whether a group action would mean a greater chance to seek claims.

“The damage to an individual may be unique and limited only to his or her case ... meaning it can’t be handled in a group action,” Wai said.

He added it was possible to seek compensation in Hong Kong under the ordinance only if the data that was leaked had been stored in the city, and if claimants could prove they suffered emotionally from the incident.

Some of the affected passengers said taking collective action might strengthen their cause.

“The power of ordinary citizens is limited. It would be better if there is collective action by a certain number of people,” said Jenny Cheng, who had eight data items compromised in the breach.

Another affected passenger, Michael Chan, who suspects he lost 70,000 Asia Miles points in April from the leak, said he was interested to know more about the collective action.

Simone Chen said individual lawsuits would be costly and time-consuming, but she would only consider group action if the Hong Kong government did nothing.

“If the government penalises Cathay and stands up for Hong Kong people, I will not consider a lawsuit,” she said.