The Court of Appeal has handed down judgment in Lloyd v Google LLC  EWCA Civ 1599, a decision with significant implications for data protection law and practice. Brought on behalf of an estimated 4.4 million iPhone users, this representative claim concerns Google’s gathering and exploitation of browser generated information (“BGI”) on Apple’s Safari browser.
In the judgment Sir Geoffrey Vos C characterises the case as seeking “to call Google to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit”. In October 2018, Warby J ( EWHC 2599 (QB)) dismissed Mr Lloyd’s application for permission to serve Google outside the jurisdiction. The Court of Appeal (Dame Victoria Sharp P, Sir Geoffrey Vos C and Davis LJ) unanimously allowed Mr Lloyd’s appeal (with the Chancellor giving the only substantive judgment), granting him permission to serve out.
Following the seminal case of Google Inc v Vidal-Hall  EWCA Civ 311, this is the second significant piece of litigation arising from Google’s use of the so-called “Safari Workaround” in 2011-2012. Google used something called the “DoubleClick Ad cookie”, a third party cookie (i.e., a cookie that is placed on a device not by the operator of a website visited by the browser but by a third party, such as Google, whose content is included on that website), to enable the delivery of adverts tailored to the user on the basis of their browsing history. The Safari Workaround bypassed Safari’s blocking of third party cookies so as to enable Google “to set the DoubleClick Ad cookie on a device, without the user’s knowledge or consent, immediately, whenever the user visited a website that contained DoubleClick Ad content implemented” (Warby J’s judgment at ).
This meant that Google could identify and collect information about devices/users visiting any website displaying adverts from the corporation’s advertising networks. The information gathered included details of the times and frequency of visits by given devices, their IP addresses and the advertisements viewed. It is alleged by the claimant that the exploitation of BGI enabled Google to “obtain or deduce information relating not only to users’ internet surfing habits and location, but also about such diverse factors as their interests and habits, race or ethnicity, social class, political or religious views or affiliations, age, health, gender, sexuality, and financial position” (Warby J’s judgment at ).
In May 2017 Mr Lloyd commenced representative proceedings (under CPR 19.6) on behalf of all individuals who, at the material time, inter alia, used particular versions of Safari on certain versions of the iPhone and did not change the default security settings (the class is defined in full at  of Warby J’s judgment). Mr Lloyd argues that Google’s tracking and collation of the BGI was in in breach of the first (fair and lawful processing), second (no processing for purposes that are incompatible with those for which the data was obtained) and seventh (the requirement for appropriate technical and organisational measures to prevent unauthorised/unlawful processing) data protection principles contained in Schedule 1 to the Data Protection Act 1998 (taken with section 4(4) to the Act).
Mr Lloyd contends that each member of the class is entitled to compensation under section 13 of the DPA 1998 for the infringement of their data protection rights, the commission of the wrong and the loss of control over their personal data. Alternatively, he seeks so-called “negotiating damages” on the footing that the claimants are all “entitled to be compensated for what they could reasonably have charged for releasing the Defendant from the duties which it breached” to be assessed on the basis of profits. In each case this is to be calculated by reference to a uniform per capita figure. There is no claim for material damage and, unlike in Vidal-Hall, there is no claim for distress. This action does not depend on the individual characteristics or experiences of any claimant.
Since Google LLC is domiciled in the United States, Mr Lloyd required permission to serve out under CPR 6.36, relying on the gateway contained in CPR PD6B – 3.1(9) i.e., claims in tort where damage was sustained, or will be sustained, within the jurisdiction.
The judgment at first instance
Mr Justice Warby refused permission to serve out. He held that the claim did not disclose a basis for seeking compensation under the DPA 1998 because the claimant and other members of the class had not suffered damage within the meaning of section 13 of the DPA. The claimant’s reliance on the reasoning in Gulati v MGN  EWCA Civ 1291 (a claim in the tort of misuse of private information – “MPI” – arising from mobile phone hacking) in respect of the award of damages for the loss of control of private information was rejected. Despite their common origins in Article 8 of the European Convention on Human Rights (“the Convention”), the tort of misuse of private information and a claim for a breach of data protection legislation are not coterminous (at ). In any event, Warby J stated that he did “not believe that the authorities show that a person whose information has been acquired or used without consent invariably suffers compensatable harm, either by virtue of the wrong itself, or the interference with autonomy that it involves” (at ). The claimant’s alternative argument based on “user damages” (compensating the wrongful use of another’s property which has not caused pecuniary loss) was also rejected.
While this conclusion was dispositive of the application, Warby J went on to consider whether the requirements of CPR 19.6 for a representative claim were satisfied. He held that they were not. First, he concluded that the members of the class did not have the “same interest” primarily because they were likely to have suffered different types of damage (or no damage) depending on their individual circumstances, including the scope and nature of their internet use (at  – ). The judge rejected as “unprecedented” and “unprincipled” the proposed use of a tariff based on the proposition that all members of the class had only suffered a loss of control of their data or based on a hypothetical release fee (at ). Second, the judge accepted Google’s submission that, on the evidence, it was not possible to identify and exclude unaffected users (within the class) because, for example, a person already had the DoubleClick cookie on their device before the start of the relevant period or had changed their settings to prevent the cookie being implemented. Warby J considered there would be significant issues with verifying whether any given individual fell within the class (at  – ). Finally, Warby J went on to exercise his discretion under CPR 19.6(2). Declining to permit the representative action to proceed, his Lordship held that the Claimant “should not be permitted to consume substantial resources in the pursuit of litigation on behalf of others who have little to gain from it, and have not authorised the pursuit of the claim, nor indicated any concern about the matters to be litigated” (at ).
Unusually, permission to appeal was granted (by Lewison LJ) on the basis of the “some other compelling reason for the appeal to be heard” limb of CPR 52.6(1), having regard to the novelty of the claim and the procedure for dealing with it, the public interest in data breaches, the number of people affected and the potential sums of money involved.
The Court of Appeal’s decision
The claimant raised three grounds of appeal which are reflected in Sir Geoffrey Vos C’s summary of the issues to be determined:
“[Issue 1: the interpretation of damage under section 13 DPA 1998] whether the judge was right to hold that a claimant cannot recover uniform per capita damages for infringement of their data protection rights under section 13 of the DPA, without proving pecuniary loss or distress,
[Issue 2: same interest /identification of the class] whether the judge was right to hold that the members of the class did not have the same interest under CPR Part 19.6(1) and were not identifiable, and
[Issue 3: the CPR 19.6 discretion] whether the judge’s exercise of discretion can be vitiated” (at ).
Issue 1: the interpretation of damage under section 13 DPA 1998
Section 13 of the DPA 1998 lies at the heart of this appeal. It provides that:
(1)An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—(a)the individual also suffers damage by reason of the contravention, or (b)the contravention relates to the processing of personal data for the special purposes.
Section 13 purports to transpose Article 23(1) of the Data Protection Directive 1995, which provides that: Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.
In Vidal-Hall, the Court of Appeal held that “damage” in Article 23 was not limited to pecuniary damage (at  of the judgment in Vidal-Hall). Accordingly, it disapplied section 13(2) and held that section 13(1) applied so as to permit the recovery of compensation for any damage (see  of the judgment in Vidal-Hall).
The starting point in Lloyd is that Article 23 of the Directive and section 13 of the DPA 1998 fall to be construed on the basis that they were giving effect to one aspect of article 8 of the Convention and article 8 (taken with Article 47) of the Charter of Fundamental Rights (“the Charter”) (at ).
Sir Geoffrey Vos C considered that “the key” to this case is “the characterisation of the class members’ loss as the loss of control or loss of autonomy over their personal data” (at ). Notwithstanding the fact that data is not recognised as property in English law, it is clear that BGI has economic value and a person’s loss of control over such data has a value (at  – ). This quasi-proprietary approach underpinned his analysis of what constitutes damage.
The application of Gulati was central to the appeal. That case established that in the tort of MPI, damages can be awarded for the loss of control of private information regardless of whether compensation is claimed for distress. Gulati was particularly relevant, Sir Geoffrey Vos C held, because “the underlying rights on which MPI and infringements of the DPA are based are themselves founded on the same principle: namely, that privacy be protected” (at ). His Lordship went on to observe that these causes of action are “two parts of the same European privacy protection regime” (at ) and therefore “it would be prima facie inappropriate for the court to apply differing approaches to the meaning of damage” (at ).
Although Lloyd is a DPA 1998 case, the Court derived assistance from a definition of damage contained in the GDPR. In particular Recital 85 (which deals with the notification of breaches to supervisory authorities) lists “the loss of control over personal data” as an example of damage. Sir Geoffrey Vos C also noted that section 169(5) of Data Protection Act 2018 (concerning compensation for breaches of data protection legislation other than the GDPR) is non-exhaustive in its listing distress as an example of damage not involving financial loss (at 65]).
The Chancellor concluded that “when read in the context of the Directive and of article 8 of the Convention and article 8 of the Charter, and having regard to the decision in Gulati”, “damages are in principle capable of being awarded for loss of control of data” under section 13 of the DPA 1998, even if there is no pecuniary loss and no distress (at ). Such an interpretation was required to ensure that an effective remedy is available. It mattered not that other non-compensatory remedies may in principle be available; no such remedies would be available in this case.
Sir Geoffrey Vos C declined to decide the issue of whether the claimants could recover user damages but he expressed the view that this was at least “fairly arguable” (at  – ).
Issue 2: same interest and identification of the class
In a representative action all of those represented must have the same interest in the litigation at all stages of the proceedings; it must be possible to say of any particular person whether or not they qualify for membership of the represented class of persons by virtue of having “the same interest” as the representative claimant (see Emerald Supplies v British Airways  EWCA Civ 1284).
In respect of whether class members had the same interest as Mr Lloyd, Sir Geoffrey Vos C held that Warby J had applied too stringent a test. Because the claimants had disavowed any reliance on facts specific to individuals (and were claiming a uniform per capita sum), it could be said that all claimants sustained the same loss, i.e., the loss of control of over their BGI (at  and ). The Chancellor concluded that it was “impossible to imagine that Google could raise any defence to one represented claimant that did not apply to all others” (class members would not have the same interest if defences were available in answer to claims by some but not others) (at ).
Sir Geoffrey Vos C dismissed Warby J’s concerns about identification, holding that each affected person would, in theory, know whether they satisfied the terms of membership of the class (with data held by Google assisting in this exercise) (at ). Possible practical difficulties including people not being able to remember relevant information or wrongly claiming to meet the criteria did not mean that the test in Emerald was not satisfied.
Issue 3: the judge’s exercise of discretion
The Chancellor held that in exercising his discretion not to permit the claim to continue, Warby J was not justified in taking into account either an alleged inability to identify the members of the class or the fact that the members of the class had not authorised the claim. The class was identifiable for the reasons Sir Geoffrey Vos C gave and class members do not have to authorise a representative claim (at ). Accordingly, his Lordship exercised the discretion afresh and concluded that the claim should be permitted to proceed as a representative action. The Chancellor noted that it is not “disproportionate to pursue such litigation in circumstances where … there will, if the judge were upheld, be no other remedy” and notwithstanding the high costs and use of court resources, the representative claim “will ensure that there is a civil compensatory remedy for what appear, at first sight, to be clear, repeated and widespread breaches of Google’s data processing obligations and violations of the Convention and the Charter” (at ).
This is a decision of profound importance for data protection law and practice for two main reasons. First, the Court of Appeal has recognised that compensation can be awarded for breaches of data protection legislation, leading to a loss of control of personal data, without proof of distress or any material damage. This has the potential to widen significantly the circumstances in which data protection claims may be brought. Second, the Court accepted that a representative action may be an appropriate means by which a large number of alleged victims of data misuse can seek redress.
The Court’s decision has come as a surprise to many data protection lawyers primarily because (as the Chancellor recognised) the wording of section 13 of the DPA 1998 and Article 23(1) of the 1995 Directive does not, on its face, encompass compensation for the loss of control of data. There is, however, considerable force in the argument that the common origins and overlapping protection of privacy and data protection rights mean that the remedies available for infringements of these rights should be aligned. Ensuring coherence or alignment between related causes of action has been a consistent theme of recent media and information law judgments (e.g., Khuja v TNL  UKSC 49 and NT1 & NT2 v Google LLC  EWHC 799 (QB)).
Arguably more important is the requirement under the Convention and the Charter for an effective remedy for the infringement of rights. Absent the availability of compensation for the loss of control of personal data, there are likely to be many scenarios in which data subjects have no remedy if they cannot show distress (particularly in respect of historic breaches where compliance orders or injunctive relief are unlikely to be of assistance). There may be many reasons for which a data subject cannot claim to have suffered distress. A particularly stark example is persons who, by reason of age or illness, are unable to experience distress. For no compensation to be available to such persons may be regarded as unprincipled and may amount to discrimination within the meaning of Article 14 of the Convention and/or Article 21 of the Charter. It is unsurprising that the Chancellor made reference to privacy cases in which loss of control damages have been awarded to children who were too young to suffer distress (AAA v Associated Newspapers  EWHC 2103 (QB) and Weller v Associated Newspapers  EWCA Civ 1176).
However, the decision does not appear to be authority for the proposition that, in absence of distress, data subjects can claim damages for any infringement of data protection legislation/data subject rights. The Chancellor was careful to emphasise that the decision is confined to what he termed “loss of control damages”, i.e., compensation for a misuse of personal data leading to the loss or diminution of the data subject’s right to control that information. This reflects the position in the law of privacy.
There is scope for debate regarding what breaches of data protection legislation are capable of giving rise to damages for the “loss of control” of personal data. While it is not difficult to envisage loss of control damages arising from breaches of many (and perhaps all) of the principles in Article 5(1) of the GDPR, it is less clear that such damages could be awarded for mere breaches (without distress) of the data subject rights in Chapter 3 of the GDPR (including the rights of access, erasure and to object). The availability or otherwise of loss of control damages for breaches of each of the data protection principles in Article 5(1) of the GDPR and for breaches of data subject rights will almost certainly be the subject of further litigation.
Many data controllers will be concerned that permitting data protection claims on the basis of the loss of control of personal data alone could open the floodgates to claims arising from trivial breaches of data protection law. Sir Geoffrey Vos C rejected the concern raised by Google that, without any requirement to show distress and without the checks built in to the tort of MPI, compensation could be claimed for any breach of data protection legislation regardless of its triviality or inconsequentiality (at ). The Court noted that there is a de minimis or “threshold of seriousness” which applies to loss of control damages claims in data protection, as it applies in privacy claims (at  and ). It remains to be seen how such a threshold will be defined in cases involving single or small numbers of claimants. Of greater interest will be the application of this threshold in the context for claims for data breaches (where there is no deliberate attempt by the data controller to profit from the misuse of the data) involving very large numbers of people but relatively banal information, such as names and addresses.
In addition to praying in aid the “threshold of seriousness”, data controllers faced with trivial claims for loss of control damages could seek to strike out such claims as an abuse of process on the basis of the Jameel principle (see Dow Jones v Jameel  EWCA Civ 75), i.e., there has been no real and substantial tort. Reliance on the Jameel principle in data protection claims seems likely to increase.
This case establishes that a representative action (supported by a litigation funder) may be an appropriate and viable vehicle to use when seeking redress in respect of breaches of data protection law affecting multiple people. Representative actions relying on distress as the “damage” caused are problematic because data subjects will almost certainly have suffered different levels of distress and may therefore be said not to have the same interest in the litigation. The availability of loss of control damages means that this issue need not arise and a representative action can be founded on a type of “damage” which is common to persons whose data has been misused in a particular context.
Litigating relatively low value data protection claims is often not financially viable. In some cases the value of the claim may be such that it is allocated to the Small Claims Track in the County Court, where costs are not generally recoverable. More importantly, ATE insurance premiums are not recoverable in data protection claims. Many would-be claimants cannot take the financial risk of litigating a data protection claim without such protection. Yet ATE insurance premiums will almost certainly outstrip any damages awards to a small group of litigants.
Given what is a stake, it is very unlikely that the Court of Appeal’s judgment will be the final word on this issue. The Court of Appeal has refused Google permission to appeal but it seems likely that Google will be making an application for permission to appeal to the Supreme Court.