Richard Lloyd, a “champion of consumer protection” and former director of the consumer rights group Which?, is seeking to bring a representative damages claim against Google, on behalf of more than four million iPhone users. The English Court of Appeal has recently granted Mr Lloyd permission to pursue his claim in the English Courts as a representative action. Google intends to seek permission to appeal to the Supreme Court.
This decision is of interest because:
- It has potentially significant implications for the U.K. class action landscape. The wide reading the Court of Appeal has given to the meaning of “same interest” for the purpose of establishing the representative class may encourage more privacy/data protection representative actions in the future.
- It confirms that damages may be claimed for “loss of control” of an individual’s personal data even if the individual does not suffer pecuniary loss or distress.
Mr Lloyd alleges that Google tracked the internet activity of iPhone users in the U.K., between August 2011 and February 2012, by developing a workaround to the settings in Apple’s Safari browser that blocked third party cookies. This so-called “Safari Workaround” allowed Google to track and collect individuals’ “browser generated information” (BGI), without their knowledge or consent. He claims that Google was thereby able to obtain or deduce individuals’ personal data, including sensitive personal data such as their ethnicity, age, health, gender, sexuality and financial position, and that this enabled Google to sell targeted advertisements to those iPhone users.
The United States Federal Trade Commission fined Google $22.5 million in August 2012 (a record at the time) in connection with the Safari Workaround.
Mr Lloyd issued his representative action in May 2017 against Google on behalf of the four million U.K. iPhone users affected at the time (the “affected iPhone users”). The claim is for breach of statutory duty by Google for infringement of the affected iPhone users’ data protection rights and loss of control over personal data.
Mr Lloyd seeks damages on a per capita basis under section 13 of the Data Protection Act 1998 (DPA) but does not allege the affected iPhone users suffered any pecuniary loss or distress. Section 13 of the DPA implemented Article 23 of the Data Protection Directive (95/46/EC) (the “Directive”).
The key issues for determination were whether:
- the claimant class had suffered damage; and
- the affected iPhone users constituted a representative class for the purposes of CPR 19.6 and if it did, whether the court should then exercise its discretion to allow the claim to continue as a representative action.
The High Court’s Decision
On the key points above, the High Court decided that:
- The claimant class suffered no damage within the meaning of the Directive or the DPA. The wording of section 13 and Article 23 required a causal link between the infringement and damage and that no such causal link had been identified. Additionally, a per capita damages claim was essentially a notional damages claim and did not cross the relevant materiality threshold; e.g. some claimants would not have minded their data being used as it was. The High Court said that it is for the regulator or criminal law to censure such breaches and not the court to fashion a penalty on the basis of an artificial notion of damage.
- The affected iPhone users were not a representative class for the purposes of CPR 19.6. There was no viable method of identifying individuals that fit within the class and a risk of honest (and dishonest) unfounded claims being made. Balancing the “overriding objective” and the “modest at best” compensation that each claimant would recover, against the litigation costs and court resources required to achieve it, the Court would in any event have declined to exercise its discretion to allow the action to proceed.
The Court of Appeal overturned each of the High Court’s findings and the exercise of its discretion. It decided as follows.
The Claimant Class Could Recover Damages Without Proving Pecuniary Loss or Distress
- The Court answered the question on the key premise that the fundamental right to data protection is contained in Article 8 of the EU Rights Charter, and that article confirmed the protections in the Directive and applied to the rights under the DPA. Section 13 (and Article 23) had to be interpreted as a matter of EU law, including by reference to the precept that EU law is interpreted “autonomously” (i.e. EU law concepts do not necessarily accord with domestic law principles or interpretations). If it were a matter of English law interpretation, the legislation would require actual damage to be caused by the data protection infringement. But the Court held that the loss of control over personal data itself was the loss in this case. On that basis, given the data is protected under EU law and that it has economic value — Google could sell the BGI to advertisers — the control of the data has value and therefore so does any loss of that control.
- As to whether loss of that value was damage in the required sense, the Court considered its earlier decision in Gulati v MGN Limited  EWCA Civ 1291 (CA). In that case loss of control over telephone data was found to be damage for which compensation could be awarded. The Court said that it would be at odds with the EU law principle of equivalence — domestic rules governing actions for safeguarding rights under EU law (e.g the DPA) must be no less favourable than those governing similar domestic actions (e.g. misuse of public information) — to approach damage differently in this case to the way it did in Gulati, particularly as they both derive from a common European right to privacy. The effectiveness principle also requires Member States not to make it practically impossible to exercise rights granted under EU law. What counted as damage in Gulati must therefore also be damage for the purposes of the present case.
- The Court noted that although they are not strictly relevant to this case, the GDPR (and Data Protection Act 2018) accord with awards of damages for loss of control of personal data: Article 82.1 of GDPR provides that a person who has suffered “material or non-material damage as a result of an infringement of GDPR should have the right to receive compensation for the damage suffered,” Recital 85 refers to “loss of control” over personal data as an example of physical, material or non-material damage and section 169(5) of the Data Protection Act 2018 includes a definition of damage which is “financial loss and damage not involving financial loss.”
The Affected iPhone Users Were a Representative Class for the Purposes of CPR 19
As to whether there was a representative class, the Court of Appeal said the High Court had applied too stringent a test of “same interest.” All members of the class had suffered the same loss, being the loss of control of their personal data. That data was taken without consent by Google in the same circumstances and throughout the same period in respect of each potential claimant in the class. Google seemingly could not raise any defence to one claimant that did not apply to all the others. The Court also rejected the notion that there were verification issues in defining the class - it would be possible to determine whether a person has the “same interest” as the class by self-identification or disclosure of information in the possession of Google.
The High Court Should Have Exercised Its Discretion to Allow the Representative Action to Proceed
The Court of Appeal considered that the High Court’s exercise of discretion was influenced by its findings on damages and “same interest.” It was right to take account of the modest compensation that was likely to be recoverable, the high costs of the litigation and absence of complainants. But contrary to what the High Court concluded, the class was identifiable and it was irrelevant that the members of the class had not authorised the claim.
What Impact Will the Case Have?
The impact of Lloyd v Google may be felt most in the context of U.K. “class actions”:
- Having to prove specific damage for each individual in a class has hitherto been a major barrier for representative litigation in the U.K. This judgment removes that barrier, at least insofar as claims for loss of control of personal data are concerned.
- By allowing a “lowest common denominator” approach to loss to inform a broad interpretation of “same interest” under CPR 19.6, the decision may well embolden litigation funders to pursue more claims in the future where such an approach is available on the facts (of which data protection breaches are at least one example). While this may substantially reduce the amounts received by individual claimants in such cases, it will provide little comfort to defendants who may find themselves faced with large class sizes (and thus large total damages pay-outs), more often.
The case’s impact on data protection claims may, however, be more limited:
- The current GDPR data protection regime requires all data controllers and processors to obtain user consent or otherwise rely on other limited gateways to permit the lawful processing of personal data. The chances of a fact pattern similar to Lloyd arising again are limited: companies that collect and trade in substantial amounts of personal data are now very mindful of their obligations under GDPR. Deliberate and persistent misuses of personal data on a large scale — as the Safari Workaround is alleged to have been — will likely be rare.
- Lloyd v Google does not seem to go much further than what the GDPR now appears expressly to provide. Indeed, the GDPR provides a mechanism for not-for-profit bodies to lodge complaints on behalf of data subjects and to receive compensation on their behalf.
What is clear, though, is that the English Court takes seriously data protection and the obligation on EU Member States to provide effective redress for the infringement of data protection rights. That is unlikely to change any time soon, as the GDPR will continue to apply when the U.K. leaves the EU.