In May 2017 Richard Lloyd, former Executive Director of Which?, filed a claim against Google on behalf of more than four million Apple iPhone users on the basis that Google had allegedly taken these individuals’ browser generated information (BGI) without their consent and in breach of section 4(4) of the Data Protection Act 1998 (the DPA 1998). Google, Mr Lloyd alleges, secretly tracked users’ internet activity for commercial purposes and those users are due damages pursuant to section 13 of the DPA 1998.
Mr Lloyd brought his claim as a representative action, pursuant to Civil Procedure Rule 19.6 (CPR 19.6) and claimed damages on the basis of a uniform, per capita amount for each class member. Mr Lloyd suggests damages should be available without a requirement to allege or prove any distinctive facts affecting the individual claimants, save that each did not consent to the abstraction of their data.
In November 2017, Mr Lloyd applied for permission to serve the proceedings outside of the jurisdiction on Google LLC, a Delaware corporation. Following a hearing in May 2018, the High Court in October issued a ruling dismissing Mr Lloyd’s application on the grounds that none of the represented claimants had suffered “damage” as defined in Section 13 of the DPA 1998, and the members of the represented class did not have the “same interest” within the meaning of CPR 19.6(1).
The Court of Appeal's decision
The Court of Appeal reversed the High Court’s decision on both of the above grounds. First, in relation to the damage suffered, the Court of Appeal found that control over data is an asset that has value. The Court also held that it is clear that a person’s BGI has economic value: “The underlying reality of this case is that Google was able to sell BGI collected from numerous individuals to advertisers who wished to target them with their advertising. That confirms that such data, and consent to its use, has an economic value. Accordingly, in my judgment, a person’s control over data or over their BGI does have a value, so that the loss of that control must also have a value.”
Furthermore, the loss of control over data can be considered damage, on the basis of the decision in Gulati v MGN Limited, a case concerning the misuse of private information. The Court held that the rights upon which the DPA 1998 and the concept of the misuse of private information are based are themselves founded upon the same principle, that privacy be protected (stemming from Article 8 of the European Convention on Human Rights).
As to the nature of the damages, the Court held that damages arising from loss of control are properly to be regarded as compensatory in nature, as opposed to being in some way vindicatory. With regard to how those damages might be assessed, the Court deliberately avoided engaging- as the High Court had done - “with the possible artificiality of the exercise of assessing a fee for the notional release of the right.” However, the Court did suggest that, in principle, it could see no reason why damages might be assessed on a ‘user basis’ and, importantly, ruled that the claimants do not need to prove pecuniary loss or distress to recover damages. The Court held that it is only by construing section 13 of the DPA 1998 in this way that individuals can be provided with an effective remedy for the breach of their right to privacy.
Furthermore, the Court went on to say that – again, contrary to Warby J - Mr Lloyd could be entitled to claim a uniform, per capita sum in respect of the loss of control of data sustained by each class member.
With regard to the criteria for the claim to proceed as a representative action, the Court found – contrary to the High Court’s ruling – that the claimants had the “same interest” for the purposes of CPR 19.6. The Court held that Warby J had applied too stringent a test to assessing the “same interest” requirement and that this was partly due to Warby J’s determination as to the meaning of “damage”. The Court ruled that: “Once it is understood that the claimants that Mr Lloyd seeks to represent will all have had their BGI – something of value - taken by Google without their consent in the same circumstances during the same period, and are not seeking to rely on any personal circumstances affecting any individual claimant (whether distress or volume of data abstracted), the matter looks more straightforward. The represented class are all victims of the same alleged wrong, and have all sustained the same loss, namely loss of control over their BGI.” The Court continued: “…it is impossible to imagine that Google could raise any defence to one represented claimant that did not apply to all others. The wrong is the same, and the loss claimed is the same.”
As to whether or not the class members are identifiable, the Court overruled Warby J in this respect too, finding that each member of the class would in theory know whether or not they met the relevant criteria and also that Google, by virtue of the data in its possession, would also be able to determine who is in, and who is not in, the class.
At the time of writing, it is not known whether Google might seek permission to appeal the Court of Appeal’s ruling to the Supreme Court. If Google does not seek to appeal, the claim will be served on Google out of the jurisdiction and will proceed to trial. If indeed a trial ensues, it will be particularly interesting to see how the court assesses quantum.
Following Warby J’s ruling at first instance last year, this ruling is very significant as it signals a potential change in direction to the UK courts’ approach to damages claims based on data and privacy violations. The Court of Appeal’s more progressive line on damages stemming from data breaches is welcome, and it is equally positive to see the courts putting to use mechanisms for bringing claims on a collective basis, allowing for the vindication of rights which would otherwise be lost and therefore greater access to justice.
With thanks to Alexandre Predal and Alix Taverne for their assistance with this blog.