Floodgates open on class actions in data protection

• United Kingdom

• Privacy, data protection and cybersecurity

15-10-2019

Court of appeal overturns High Court judgment in Lloyd v Google LLC [2019] EWCA Civ 1599

Court of Appeal judgment

The Court of Appeal has given the go-ahead for a representative claim to be served on Google LLC in the U.S. for alleged data breaches, overturning the High Court’s decision which had refused permission to serve out.

The Court of Appeal’s judgment is ground breaking in two respects. Firstly, it held that damages can be awarded to compensate for an individual’s loss of control of personal data, without the need to establish financial loss or distress, overturning the High Court’s decision which had found that the damage had to be something separate to, and caused by, the infringement.

Secondly, the decision has the potential to open the floodgates to U.S.-style class actions by representative Claimants on behalf of classes of affected data subjects. The Court of Appeal gave the green light to a claim for data breaches on behalf of some 4 million iPhone users. The High Court had balked at the practicalities of identifying those in the class.

Background to the Case

The background to this case was explained in our previous article.

As a brief reminder of the facts, Richard Lloyd, formerly Executive Director for the consumer champion Which?, wanted to bring a class action against Google LLC. This was as a result of the so-called “Safari Workaround” which enabled Google to plant third party cookies on approximately 4 million iPhone user devices, without their knowledge or consent.

Since Google is based in California, Mr Lloyd needed permission to serve out of the jurisdiction.

The issue in question for the High Court was whether the impact of the Safari Workaround on the represented class caused or counted as “damage” for the purposes of paragraph 3.1(9) PD 6B of the Civil Procedure Rules, the tort jurisdictional gateway, which provides that a claimant may serve a claim form out of the jurisdiction with the permission of the court, where a claim is made in tort, where:

“a) damage is sustained within the jurisdiction, or b) damage is sustained from an act committed within the jurisdiction.”

Richard Lloyd was claiming damages under section 13 of the Data Protection Act 1998 (applicable at the time, since replaced by the Data Protection Act 2018) which provides compensation for contravention of its provision by a data controller. The section also allows damages for distress.

The High Court had ruled that there was no basis for awarding damages in the absence of evidence of damage – i.e. evidence of either pecuniary loss or distress. It said it was circular to claim that the damage was loss of control of the information, since that was merely a description of the tort itself. Not every infringement was considered to have caused damage. Not everything that happens to a person without their prior consent was considered to cause significant or any distress. As noted by Warby J: “Some people enjoy a surprise party. Lasting relationships can be formed on the basis of contact first made via a phone number disclosed by a mutual friend, without asking first”.

Whilst the judgment of Warby J was accepted by the Court of Appeal as “cogent and well-reasoned”, permission to appeal was granted on the grounds of the novelty of the claim and the procedure for dealing with it, the public interest in data breaches and the potential number of persons affected as well as the potential sums of money involved.

Decision

The Court of Appeal dealt with three issues:

Issue 1: in order to be compensated under data protection law, do you need to prove pecuniary loss or distress?

The Court of Appeal did not agree that it was circular to say that infringement was loss of control over data, rather than a consequence of it which could give rise to damages. Characterisation of the loss as loss of control or loss of personal autonomy over personal data was considered key to the claim.

It was clear that the data which Google LLC obtained had economic value. Google was able to sell it to advertisers. Accordingly, loss by a person of control over that data also had a value. As to whether this kind of loss of control over data could properly be considered “damage” in the legal sense used in section 13 DPA, the Court of Appeal considered the judgment in Gulati in which damages were famously awarded to celebrities for “loss of control” over their information as a result of phone-hacking - claims for misuse of private information. The torts had common origins – they were both about protecting privacy. “it would be odd if they approached the legal nature of damage differently”, noted the Court of Appeal. It was common ground that the threshold of seriousness for claims to get off the ground applied to section 13 DPA as much as to misuse of private information claims. That threshold was considered met here. This was not a case about a one-off data breach, quickly remedied. On the case pleaded, every member of the represented class had had their data deliberately and unlawfully misused, for Google’s commercial purposes and without their consent, in violation of the established right to privacy. Whilst some people might not object, the Court of Appeal considered that was not the point. They had all lost control over their data.

The Court of Appeal noted that case authorities in which minors had been awarded damages for misuse of private information or breaches of the data protection act, supported this position: In AAA v. Associated Newspapers Ltd [2012] EWHC 2103 (QB) and Weller v. Associated Newspapers Ltd [2014] EMLR 24 substantial awards of damages were given to children for misuse of photographs taken without their consent. The children were too young to have suffered any distress or other immediate adverse effect.

In R (Lumba) v. Secretary of State for the Home Department [2012] 1 AC 245 at [97-100] it was found that it was wrong in principle to make an award of vindicatory damages, merely to mark the commission of the wrong. The Court of Appeal said this rule did not come into play. These were compensatory damages, not vindicatory damages.

The Court of Appeal declined to decide whether “user damages” i.e. the likely negotiated fee a claimant might charge to waive the right infringed, could be used as a basis for calculating damages, but considered it was arguable.

In conclusion, the Court of Appeal found that damages were in principle capable of being awarded for loss of control of data under section 13 DPA (and article 23 of the originating directive), even if there was no pecuniary loss and no distress, in contrast to Warby J’s High Court decision.

Issue 2: did the members of the class have the “same interest” under CPR Part 19.6(1) and were those members identifiable?

In short, yes. The Court of Appeal held that Warby J had applied too stringent a test of “same interest”. It considered that this was probably because of his determination as to the meaning of “damage” (with which the Court of Appeal disagreed). The matter was more straightforward on the Court of Appeal’s assessment of loss: all claimants had had their data – something of value – taken by Google without their consent in the same circumstances and during the same period. There was therefore a commonality of interest.

The members of the class were not seeking to rely on any personal circumstances affecting any individual claimant (whether distress or volume abstracted).

While this reduced the damages to the lowest common denominator – it did not mean there was no common interest.

Nor was the Court of Appeal concerned that some more deserving members of the class might miss out by adopting this approach. Since the limitation period for bringing a claim had expired, they were not prejudiced.

Warby J had relied on the difficulties of identifying those in the class. The Court of Appeal said the practical issues did not affect the formal ability to identify the class.

Issue 3: should the Court have exercised its discretion to allow this representative action to proceed?

As a result of its finding on the first two issues, the Court of Appeal determined that the action should be allowed to proceed, adding the following note of caution for Google:

“The case may be costly and may use valuable court resources, but it will ensure that there is a civil compensatory remedy for what appear, at first sight, to be clear, repeated and widespread breaches of Google’s data processing obligations and violations of the Convention and the Charter.”

Comment

This is big news. The Court of Appeal judgment opens up the possibility of claims for damages based on contravention alone (strictly speaking, loss of control over data which has value), as well as permitting class actions to pursue claims of this nature.

While the Court applied the provisions of the now superseded Data Protection Act 1998, there is no reason to doubt that the same result would be reached under the 2018 Act and the GDPR. The protections being afforded to privacy are only strengthening under the stewardship of the EU. As mentioned in our previous article, the GDPR turbo-boosts data subject rights. The decision to award compensation for “loss of control” over data could be said to be consistent with the duty in the GDPR to provide data subjects with an “effective remedy” for breaches of their data rights.

While the “same interest” requirement in CPR 19.6 continues to apply and has historically been a barrier to large-scale representative actions, the Court of Appeal allowed an action based on the lowest common denominator, which will no doubt make such claims easier in the future. Representative actions, according to the applicant’s legal representative, “are essential for holding corporate giants to account.” The stages of litigation so far have been about getting off the starting blocks and serving Richard Lloyd’s claim out of the jurisdiction on Google. With such a large class action now proceeding, if pursued the damages awarded in the event of a finding against Google could be record-breaking. We understand the Court of Appeal has refused Google permission to appeal but, given the significance of this judgment, it seems likely that Google will be making an application for permission to appeal to the Supreme Court.