On 28 and 29 April 2021, the Supreme Court (Lord Reed, Lady Arden, Lords Sales, Leggatt and Burrows) heard the long awaited Google appeal against the Court of Appeal’s 2 October 2019 decision ( EWCA Civ 1599).
That Court granted permission for a representative claimant (Richard Lloyd) permission to serve a representative claim for millions of pounds of “loss of control” damages out of the jurisdiction.
The Court of Appeal’s finding that damages are in principle capable of being awarded for loss of control of data’, without the claimant having to prove pecuniary loss or any material damage, significantly widened the scope for claims to be brought in respect of a failure to protect data and had led to numerous copycat claims, all of which are on ice pending the outcome of the appeal. The importance of the case cannot be underestimated and the virtual hearing will no doubt have been watched live by many on the Supreme Court’s streaming service, a recording of which is now available.
We attempt in this note neutrally to summarise the arguments of both sides without guessing which way the wind is blowing from the many interventions from the Justices, who clearly revelled in putting Antony White QC and Hugh Tomlinson QC through their paces on this highly complex topic.
The Supreme Court hearing
The Supreme Court granted permission to appeal on three grounds, which were formulated into the three issues for the appeal:
- Issue 1 – Interpretation of “damage” – whether a “uniform per capita” amount of compensation can be awarded for “loss of control” for a non-trivial breach of the DPA even if the breach causes no pecuniary loss or distress.
- Issue 2 – “Same interest” – The meaning of the “same interest” requirement under CPR 19.6(1) including the test for identification of the class.
- Issue 3 Discretion – Whether the Court of Appeal was wrong to interfere with the Judge’s discretionary ruling that in any event the claim should not be permitted to proceed under CPR 19.6.
The helicopter view
The positions painted by both sides were obviously in stark contrast.
Antony White QC (“AWQC”) on behalf of Google was keen to point out the creative and novel way in which the claimant’s legal team (backed by a litigation funder and without input from the claimant group itself) has sought to interpret the provisions of CPR 19.6 so as to be able to bring a multi-million pound class action in relation to events that are now out of limitation, despite the UK Government having specifically chosen not to legislate to create such a right.
On the other hand, Hugh Tomlinson QC (“HTQC”) painted the case as all about access to justice – whether the Courts can fashion a remedy in cases where a very large number of people are affected by breaches of their data protection rights but where it is otherwise not economically viable to bring such claims given the disparity between large legal costs and likely low level of damages.
Issue 1 – Interpretation of “damage”
The Claimants’ case is that compensation should be payable to the data subjects affected by Google’s breach for the “commission of the wrong”, irrespective of whether they can show any pecuniary damage or distress. It is put in two alternative ways:
(1) that each member of the class is entitled to “loss of control” damages in a uniform sum; or
(2) that each member of the class is entitled to a sum by way of a “notional licence fee” for the right to use their personal data.
A key premise appears to be that once data is out of the control of the data subject, no one is able to confirm what has happened to it. It may or may not be used for nefarious purposes, and may or may not put a data subject at risk. That “loss of control” is something the claimants say should be subject to compensation provided the “de minimis” threshold is met.
Google reject the suggestion that the severity of a ‘breach’ itself is the appropriate touchstone for assessing damage, arguing instead that compensation related to the damage caused by the breach. It argued the following.
- The Court of Appeal had wrongly interpreted “damage” in s.13 of the DPA is impossible to reconcile with the language and purpose of the statute and the corresponding European Directive. AWQC drew attention to both domestic and European statutory language which drew a distinction between “contravention” and “damage” caused by the contravention. He pointed out that the Court of Appeal had relied on unstated principles of European law to effectively collapse that distinction in order to find for the Claimants.
- The Court of Appeal wrongly interpreted and relied on the case of Gulati v MGN, which found that “loss of control” damages were available for persistent phone-hacking. AWQC pointed out that misuse of private information and unlawful data processing claims are not directly comparable and in any event the Gulati case required individual consideration of claims – it was not authority for a “tariff” of compensation in data protection claims. He relied on three examples provided by Arden LG (as she then was before her elevation to the Supreme Court) in the Court of Appeal as to how individual claimants lost control of their data in that case.
- The Court of Appeal erroneously relied (of its own motion) on the EU principles of equivalence and effectiveness (neither party had made submissions on these issues at either first instance of appeal).
- The Court of Appeal had erroneously approached the de minimis threshold (which both sides accepted existed in data protection claims). AWQC argue that the de minimis principle relates to the damage caused by the breach and not the seriousness of the breach itself. He also pointed out that the “lowest common denominator” approach adopted by the claimants for the calculation of the tariff was at odds with the de minimis principle because certain members of the class (e.g. a person who was exposed to the effect of the “Safari workaround” on a single occasion and suffered no damage would almost certainly fall below the de minimis threshold).
- The Court of Appeal erroneously concluded that the claim is not, in substance, a claim for vindicatory damages, which are not available in tort claims.
- The Court of Appeal erroneously approached the availability of “user damages” in data protection cases (reasonable licence fee for use of the data). AWQC argued that Warby J was correct to rely on Murray v Express Newspapers Plc  EMLR 22 which found that such damages were not available in data protection claims because the law regulated how the data is processed and does not give the data subject any kind of property right. He also pointed to the discussions in Douglas v Hello!  QB 125 concerning the artificial way that such damages are calculated.
In response to these arguments, HTQC on behalf of the Respondent clearly adopted the reasoning of the Court of Appeal. In particular, he argued the following.
- Google is wrong to distinguish between the “commission of a wrong” and “consequent loss/harm”. He pointed to torts actionable per se (e.g. trespass) as examples of where the mere interference with the right is sufficient to found an action.
- It would be wrong and inconsistent with the EU Charter to leave data subjects (including children who can’t show pecuniary loss or distress) to have no ability to obtain compensation.
- The tort of misuse of private information and unlawful data protection essentially have the same common objective of protecting privacy rights and so are directly comparable such that Gulati v MGN was correctly applied to this case.
- The nature of the contravention correlates to and is constitutive of the relevant damage in unlawful data processing claims such that the seriousness of wrongdoing (including any dishonesty, cynicism and profiteering) are relevant to the “threshold of seriousness” (de minimis principle). This therefore meant that there was no inconsistency between the “lowest common denominator” approach and the de minimis principle.
Issue 2 – “Same interest”
Google’s position is essentially that the impact of the breach on the claimants in the class would vary considerable and that it cannot be said that they had the “same interest”. AWQC’s submissions on this point included the following:
- Unlike Warby J, the Court of Appeal disregarded binding case law which restricts the availability of representative actions for damages (notably Duke of Bedford v Ellis  AC 1 and Markt & Co. Ltd v Knight Steamship Co. Ltd  2 KB 1021). He emphasised the words of Fletcher Moulton LJ in the Markt case where he said “To my mind, no representative action can lie where the sole relief sought is damages, because they have to be proved separately in the case of each plaintiff, and therefore the possibility of representation ceases.” In that case the plaintiffs were the owners of goods which had been transported on a vessel that was sunk by a Russian warship. The case was repeatedly referred to during the hearing.
- The Court of Appeal erroneously concluded that the “same interest” requirement can be met by disavowing reliance on any individual circumstances. AWQC said the Court of Appeal was wrong to rely on Emerald Supplies v British Airways  CH 345 and that Warby J rightly described the claimants’ claim for a per capita award as an “artificial device” which is “unprincipled“, “unreal” and “unprecedented“. An interesting discussion was had as to the impact of this device on the claimant who had a higher claim than the tariff amount. AWQC argued that such a claimant would be bound by the action unless he found out about it and applied to the court to be excluded from it. He also pointed out the wider market consequences of apply similar devices in other cases.
- The proposed claim is in effect an “opt out” collective proceeding of a type that the Government and Parliament have twice deliberately chosen not to enact (firstly following a review in 2015 and more recently following the implementation of the GDPR).
- Any “opt-out” collective proceedings required primary legislation and rigorous safeguards (as in the competition law arena).
In responding to these arguments, HTQC argued that the placing of DoubleClick cookie without the consent of a user means that something of value was taken from the data subject. Spotify was used as an example to demonstrate the difference between a free service relying on adverts for revenue, as against a premium model where a user pays not to have adverts which puts a value directly on the decision not to have adverts. If that choice has been taken away by Google, each of that class has been deprived of that value. The representative class has then suffered the same wrong, and is subject to the same loss. Therefore every member of the class would have the ‘same interest’, and should be compensated with a “uniform per capita” amount for that alleged loss.
HTQC’s central argument was that a statutory regime was not necessary. He relied on a speech by Lord Cottenham LC 180 years ago where he said “it is the duty of this Court to adapt its practice and course of proceedings to the existing state of society, and not by too strict an adherence to forms and rules, established under different circumstances, to decline to administer justice, and to enforce rights for which there is no other remedy.” (Wallworth v Holt 41 E.R. 238).
HTQC also relied on Commonwealth authority to support his client’s position and accepted that the Supreme Court was essentially being asked to fashion a new remedy to provide access to justice in this case (and other similar cases). But he also observed that the “historical twists and turns” of domestic case law on “same interest” in representative actions were not consistent and so the Court of Appeal was right not to pay too much attention to this line of authority. He also argued that Markt was wrongly decided and took too restrictive an approach to the meaning of “same interest”.
HTQC responded to Google’s suggestion that Group Litigation Orders were the appropriate mechanism for cases such as this by pointing to the administrative complexity of such cases and to the floodgates argument by way that the Court retained discretion to prevent unmeritorious cases.
Issue 3 – Discretion
The matter of discretion relates to the various factors considered at first instance and by the Court of Appeal which do not bare repeating here. In essence, Google’s position is that the Judge didn’t take into account any irrelevant factors, and that the Court of Appeal did not have a proper basis to reverse his discretionary judgement. On the contrary, Lloyd argue that the Court of Appeal was correct to overturn the Judge’s discretionary judgement, and that although the proposed use of the CPR 19.6 procedure is novel and innovative, it is a proper way of using that procedure.
The above summary does not do justice to the detail and depth of both sides submission in both oral and written form. It is easy to forget that this is an appeal for permission to serve out of the jurisdiction, and that a great deal of the case has not yet been pleaded, including that disclosure has not taken place and that the factual circumstances surrounding the use of data by Google are not yet before the court. Various questions, such as the basis for the ‘lowest common denominator’, are necessarily theoretical at this stage.
However, the lively engagement of the Justices was evidence of the important of the case and its wider impact. A few issues stood out in the discussion.
- Legislation or representative action. A fundamental issue in the appeal is whether English law is ready for data protection opt out class actions, and if so whether CPR 19.6 representative actions are the appropriate vehicle or whether this should be left for legislation. Mr Lloyd’s position was that without class actions, it is not feasible to pursue widespread, but individually minimal, harm. As English law stands, without representative action under CPR 19.6 there is no mechanism to bring such claims. Group Litigation Orders were expressed to be too expensive for a group of this size. Conversely, Google make the case that it is not appropriate for the Court of Appeal to fashion a new opt out action class procedure from a rule that was never intended for that purpose, and that any such development in would be rightly dealt with in legislation.
- The suitability of the “uniform per capita” award. Lord Leggatt was particularly vocal in questioning whether it was appropriate to have a standard award for a level of damage above the trivial, when the damages were perfectly capable of being assessed on an individual basis. His Lordship queried how the common law provided a basis for each person to get the same award, for varying levels of harm, when damages are meant to be compensatory. On the other hand, Lady Arden appeared to be comfortable with the premise that, for the CPR 19.6 structure to work, assumptions might need to be made about damages.
- Litigation funding. The court also appeared concerned with the legal basis for litigation funders to obtain a first share of any award payment, particularly in circumstances where the individuals did not authorise their involvement in the class. HTQC argued that it was a practical necessity, to obtain the funding to bring such claims at all.
It may be at least the Summer by the time the judgment is handed down but let’s hope it’s not too long before the Supreme Court puts us all out of our misery.
Ashley Hurst and Philip Kemp, a Partner and Senior Associate respectively in the Cyber and Contentious Data Protection team at Osborne Clarke.