Landmark judgment in representative data protection action
Lloyd v Google
Is it possible to bring a representative action for a breach of data protection? Can damages be awarded without proof of pecuniary loss or distress?
The key takeaway
Compliance with data protection should be a higher priority than ever. Class actions and damages for loss of control have the potential to make data breaches even more expensive, potentially to a crippling degree.
In May 2017, Mr Richard Lloyd, a former executive director of Which, filed a class action against Google for its use of the so-called “Safari Workaround” during 2011 and 2012.
The Safari Workaround circumvented the privacy settings in place on the browser and allowed Google to place a third-party cookie on the iPhone of any user that visited a website containing “DoubleClickAd” content. Information on the individual’s browsing habits, known as browser generated information (BGI), would be collected via the cookie. BGI was then sold to third parties, enabling them to target their advertising towards consumers with specific interests or attributes.
Google was fined $22.5m by the United States Federal Trade Commission for its use of the Safari Workaround. Mr Lloyd brought the opt-out class action in the English courts on behalf of approximately 4.4m iPhone users. In order to bring the claim against Delaware-based Google, Mr Lloyd had to obtain permission of the court to serve proceedings out of the jurisdiction.
At first instance, Warby J refused the application. The reasoning for the decision was three-fold:
- the claimants in the representative class had not suffered damage within the meaning of s13 of the Data Protection Act 1998 (DPA);
- the claimants did not have the “same interest” for the purpose of CPR 19.6(1) because they were likely to have suffered different types of harm (if any at all);
- Warby J exercised his own discretion under CPR 19.6(2) to prevent the claim from proceeding. He considered it “officious litigation on behalf of others who have little to gain from it, and have not authorised the pursuit of the claim, nor indicated any concern”.
The Court of Appeal unanimously overturned the decision of the High Court. The leading judgment was given by Sir Geoffrey Vos.
The Court found that it was possible to award damages for “loss of control” of an individual’s data, despite claimants not having suffered pecuniary loss or distress. Whilst data was not property, it had economic value as it had been sold to third parties. Following that reasoning, losing control of your data has a value. In reaching its conclusion, the Court looked to previous case law on loss of control of private information.
The Court ruled that the claimants in the representative class had the same interest. Each had suffered the same harm, as they had experienced loss of control of their data. However, the loss suffered by each in the class was the “lowest common denominator”.
In relation to the final point, the Court exercised its discretion and allowed the claim to proceed. The fact that the claimants had not been specifically identified and had not authorised the claim did not mean that the claim should be halted.
Why is this important?
Google has announced its intention to appeal the decision to the Supreme Court. Given the Court of Appeal’s reference to the “lowest common denominator”, damages may be minimal even if Mr Lloyd is successful. However, issues of quantum and liability remain to be decided. The eventual outcome of this landmark case is likely to dictate whether we see more attempts to bring representative actions for breaches of data protection legislation in the near future.
The decision on damages for loss of control has potential implications for claims under the General Data Protection Regulation (GDPR) as well as the DPA. The Court of Appeal referred to the fact that the GDPR specifically mentions loss of control. The introduction of such damages means that in certain cases, claimants will not have to prove loss or distress. The Court found that they would only be available beyond a certain “threshold of seriousness”. Future case law is likely to dictate where this threshold is set.
Any practical tips?
Don’t just think fines when it comes to breaches of the GDPR. Representative class actions are becoming a real and present danger to organisations in the UK and to a degree that may eclipse the level of a regulatory fine.