This short blog post considers only one – so far largely disregarded – aspect of the decision of the Supreme Court in Lloyd v Google LLC – its rejection of the argument that since Article 8 ECHR underlies both data protection and the tort of misuse of private information (MPI), the two actions should provide the same level of protection for private information.
The decision was far from turning only on rejection of that argument, but given that Article 8 provides a common source of principle that underlies the previous Data Protection Directive and has already driven the development of the tort, it is of interest to consider the basis for the Supreme Court’s stance, and the implications for the future in relation to the UK GDPR and Data Protection Act 2018. In rejecting the ‘common source’ argument, has the Supreme Court stifled the use of data protection actions in future in relation to certain threats to online private information emanating from the tech companies?
A representative claim as to collection of browser-generated information
Lloyd v Google LLC concerned an alleged breach of Google’s duties as a data controller under section 4(4) of the Data Protection Act 1998. The claim alleged that, for several months in late 2011 and early 2012, Google secretly tracked the internet activity of millions of Apple iPhone users without consent via the ‘Safari workaround’ and used the data collected in this way for commercial purposes without the users’ knowledge or consent (). The novelty of the claim arose since Lloyd was not just claiming damages in his own right; the claim was brought as a representative action, representing everyone resident in England and Wales who owned an Apple iPhone at the relevant time and whose data were obtained by Google without their consent. Lloyd made the claim on behalf of a class of more than 4 million Apple iPhone users, seeking a finding as to entitlement to recover compensation on behalf of all those people (); the compensation would have amounted to £750 per person, at a cost of almost £3 billion to Google.
The Court of Appeal decision: an expansive approach to data protection
In respect of the compensation claimed due to this collection of browser-generated information (BGI), it had been questioned on behalf of Google whether “damage” had been suffered according to DPA 1998 section 13 and Article 23(1) Directive 95/46/EC to warrant compensation. The Court of Appeal found: ‘The actions in tort for MPI and breach of the DPA both protect the individual’s fundamental right to privacy; although they have different derivations, they are, in effect, two parts of the same European privacy protection regime’ (). The Court went on to find, based on the EU principles of equivalence and efficacy, that remedies under relevant EU law – in that instance, under data protection – should be enhanced to be no less favourable to claimants seeking to protect the fundamental right of respect for private information, than remedies aimed at the same objective under the tort of misuse of private information (). Clearly, Article 7 of the EU Charter is couched in materially similar terms to Article 8 ECHR. The claimant successfully relied on Gulati v MGN, claiming compensation on the basis – loss of control of data – that would have been available under the tort. The Court of Appeal found therefore: ‘the characterisation of the class members’ loss [was] as the loss of control or loss of autonomy over their personal data’ (), finding that ‘the same approach [should be] adopted to the legal definition of damage in the two torts which both derive from a common European right to privacy’ (). The Court thus found that the data subjects were entitled to recover damages pursuant to section 13 DPA, based solely on the loss of control of their personal data; section 13(2), limiting damage to financial loss, was disapplied. The Court therefore determined that, since the two actions have a common source, they would be expected to provide similar levels of protection for privacy.
The data subjects represented in the claim were found to have the same interest for the purposes of C.P.R. 19.6 (); the Court also exercised its discretion under C.P.R. Part 19.6(2) to allow the representative claim to proceed (-). The Court viewed the litigation as providing the only way of obtaining a civil compensatory remedy for what, if proved, was a ‘wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit’ ().
This was an expansive interpretation. In reliance on what the Supreme Court later referred to as the ‘common source’ argument, it transferred the principle under the tort of recovery purely for loss of control of personal data across to the data protection context, potentially opening the way for all the persons represented by the action to recover. Had the claim been brought under the tort, however, each of the persons who were part of the representative action would have had to prove, individually, a reasonable expectation of privacy, which would have precluded use of the tort action, given the opt-out basis of those claims (SC ). In other words, the Court found that a principle established under the tort in relation to damages could be carried across to the data protection context even where the claim would not have succeeded under the tort. That appeared to be part of the stumbling block for the Supreme Court (), underpinning its decision to reject the ‘common source’ argument.
The Supreme Court decision: rejection of the expansive approach
The Supreme Court examined the claimant’s ‘common source’ argument, based on finding that the two claims (under data protection, and under the tort) ‘although not coterminous, have a common source. Both seek to protect the same fundamental right to privacy guaranteed by article 8 of the Convention. This objective is expressly referred to in Recital 10 of the Data Protection Directive…’ (). On that basis it was noted that the claimant was arguing that, ‘given that the tort of misuse of private information and the data protection legislation are both rooted in the same fundamental right to privacy, it would be wrong in principle to adopt a different approach to the nature of the damage which can be compensated under the two regimes’ (). But the Court – to a surprisingly comprehensive extent – rejected the ‘common source’ argument. It was very clearly unpersuaded by the argument that the tort and data protection were both reflective of Article 8 and so should be approached consistently ().
Rejecting the ‘common source’ argument, the Court found: ‘It does not follow, however, from the fact that two different legal regimes aim, at a general level, to provide protection for the same fundamental value that they must do so in the same way or to the same extent or by affording identical remedies’ (). The Court found that the instance in question could be viewed as falling within the margin of appreciation accorded to member states: ‘the choice of the means calculated to secure compliance with article 8 of the Convention in the sphere of the relations of individuals between themselves is in principle a matter that falls within the contracting states’ margin of appreciation’, referencing the Grand Chamber in Bărbulescu v Romania (). The Supreme Court had found in Nicklinson that if a margin of appreciation would be likely to be afforded, or had already clearly been accorded, that would render the question to be resolved one for domestic authorities to decide for themselves (). The demands of Article 8 in relation to the award of compensation were therefore a matter for the Supreme Court to determine for itself in Lloyd. It determined the matter on the basis that since the actions under data protection and under the tort were dissimilar (), the principle of equivalence did not apply; therefore there was no necessity to harmonise the basis for awarding damages as between the two. Therefore the basis under the former action for awarding damages could remain as it was previously – loss of control of data would not be sufficient (). The decision will obviously restrict the use of data protection in relation to similar representative actions and also in relation to actions brought by a single claimant who was unable to show a loss other than such loss of control.
The future – moving towards an expansionist position?
This decision was reached under the previous data protection regime. Data protection has now of course entered a new and enhanced iteration in the form of the General Data Protection Regulation 2016 (GDPR), applicable domestically under the European Union (Withdrawal) Act 2018: the GDPR forms part of EU law retained as domestic law following the end of the post-Brexit transition period as the “UK GDPR”, and reflected in the Data Protection Act 2018 (DPA). It is quite possible that this decision as to the basis for loss would not be followed under the GDPR/DPA in a similar case, and the Court deliberately did not comment on its applicability in such an instance ().
Article 82 of the UK GDPR provides for compensation in circumstances involving ‘material and non-material damage’ but does not define those terms. Recital 85 (which is an explanatory note rather than part of the legislation itself) lists the ‘loss of control over personal data’ as an example of non-material damage in the context of a data security breach: ‘A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data…’. Although the Recitals are not binding, they can clarify and expand any provisions of the UK GDPR that are not clear; the wording is also consonant with the position under the tort. That wording could aid in prompting the Supreme Court in future to reconsider the ‘common source’ argument, but in relation to the GDPR/DPA. It could accept that in principle the basis for an award of damages/compensation should be no less favourable under data protection than under the tort on the basis that, although the definition of personal data under the UK GDPR (very similar to the previous definition) is broader (Article 4(1)) than the definition of private information under the tort, the two actions are de facto close equivalents; that is apparent since they have often arisen in the same claims (eg Vidal-Hall v Google). Actions under data protection similar to the one in Lloyd are very unlikely to take advantage of the breadth of the definition of ‘personal data’ and in practice are likely to target invasions of privacy that could also be targeted under the tort. That similarity in terms of claimant privacy concerns relates to the core Article 8 value underlying both the tort and data protection – preservation of informational autonomy. If a future Supreme Court showed greater appreciation of that commonality, it might be less inclined to emphasise and reinforce differences between the tort and data protection. Thus the ‘common source’ argument could be reinstated; therefore compensation for the loss at stake in Lloyd could be found to be available in principle in a future similar case. Representative actions of this nature, where variable levels of harm have arisen, however, will be ruled out.
If, however, the Supreme Court in future upholds this decision as to the need to show non-material harm other than loss of control, claimants in this situation, affected by unconsented-to BGI collection, would clearly still have various routes to redress. Each individual affected, who chose to do so, could bring a claim against the service provider under the tort; it is arguable that they would be able to demonstrate in each or most instances that a reasonable expectation of privacy did arise (Vidal-Hall v Google). Claimants who considered that they could show non-material harm going beyond loss of control of data could rely on the GDPR/DPA, if it was clear for purposes of a representative action that those affected by the breach of the data protection principles had had the same interest ([SC:72]) and had suffered the same level of harm going beyond the ‘loss of control’ basis. But the precise scope of those cases where the class in question would be accepted as having suffered uniform damage or distress is not fully clear.
The result of the Supreme Court’s decision, especially in respect of the ‘common source’ argument, will not give succour to those seeking to meet the challenges posed by a number of forms of misuse of private information by seeking to expand the scope of both the tort and data protection in the digital age. But, as indicated, this decision is not necessarily the last word on the subject.
Helen Fenwick is Professor of Law, Durham Law School, University of Durham
Helen Fenwick and Fiona Brimblecombe are the authors of “Protecting private information in the digital era: making the most effective use of the availability of the actions under the GDPR/DPA and the tort of misuse of private information” (2022) 73 NILQ
The EU Charter of Fundamental Rights contains two different provisions regarding this matter.
Article 7 protects private and family life, whereas Article 8 is about personal data protection. A systematic reading of the provisions under the EU legislation would not allow data protection to be included under the umbrella of private and family life.
Of course, the ECHR is not bound by EU law. Nonetheless, extending Article 8 of the ECHR to include data protection would miss the difference between the two domains. Data protection (an EU-native legal creation) is about making data circulate freely on a need-to-know basis and other safeguards. EUCHR Article 8 is ‘fence-based’, meaning that its enforcement is about keeping others away from the personal domain.