"Google You Owe Us” class action blocked – Richard Lloyd v Google LLC
Do you need to show relevant damage for a claim under the Data Protection Act 1998 (DPA)? Can a class action succeed if the members of the class cannot be readily ascertained or be said to share the same interest? Put another way, what are the restrictions on bringing an action for damages under the DPA?
Richard Lloyd (former Which? Director) sued Google on his own behalf and on behalf of others as leader of the Google You Owe Us group. He alleged that Google had secretly tracked and collated browser-generated information from iPhone users, using the Safari workaround, between June 2011 and February 2012, and then sold that information to advertisers. This allegedly included the user’s geographical location, IP address, browsing history, race, ethnicity, social class, political and religious views, gender, health and financial position.
Lloyd claimed that this secret tracking breached Section 4(4) DPA. He claimed damages under Section 13 DPA, but no particulars of individual damages were pleaded. Indeed, no financial loss or distress was even alleged.
The Safari workaround was the basis of the Vidal-Hall claims, which had been settled by Google. Lloyd was seeking permission to serve the proceedings on Google LLC out of the jurisdiction.
To establish permission to serve out of the jurisdiction, Lloyd had to establish that:
- the claim had a reasonable prospect of success;
- there was a good arguable case that each claim fell within one of the jurisdictional gateways, and
- England was clearly or distinctly the appropriate forum to try the claim.
There was no dispute that England was the appropriate forum in which to bring the claim, as the class was confined to residents in England during the period. However, the court concluded that the claim did not disclose the basis for seeking compensation under the DPA. The statutory right to compensation arose if (a) there was a contravention of a requirement of the DPA and (b) as a result, the claimant suffered damages.
But Lloyd did not identify the damage resulting from the contravention. Equally, the court cannot make a “vindicatory” award of damages.
As to whether the claim had a reasonable prospect of success, the court concluded that the essential requirements for a representation action were absent. The lead claimant and the class did not have the “same interest” under CPR 19.6(1). The alleged breach was not uniform across the entire class, as some affected individuals were heavy internet users, while others engaged only lightly. There were also serious practical difficulties in ascertaining whether any individual was a member of the class in question.
Consequently, the application to serve outside the jurisdiction was refused.
Why is this important?
Although the DPA has been replaced by the GDPR, the principles underpinning the right to compensation remains largely unchanged under Article 82 GDPR and Section 168 of the Data Protection Act 2018. Therefore this case serves as an important examination of how a claim would be considered by the courts.
The court made it clear that individuals need to have suffered actual damage as a result of any breach of data protection law. The decision confirms that the English courts will not entertain frivolous actions from individuals who find that their data protection rights have allegedly been infringed but have not been negatively impacted. It remains to be seen whether this judgment curbs the number of data breach claims moving forward.
Any practical tips?
Beware the class action for data breach! It may seem odd to say this in light of Lloyd’s failed case (albeit he is looking to appeal). However, what if Lloyd had chosen a case where he could easily prove actual damage or distress? For example, a case involving a breach of sensitive personal data? At a modest £750 per claimant (a figure suggested as a guide in this case), the maths is pretty horrifying: £750 x 1,000 = £750,000. £750 x 100,000 = £75,000,000!