In Lloyd v Google the Court of Appeal allowed a class action on behalf of more than four million potential individuals to continue after it had been struck out at first instance. The finding has potentially far-reaching ramifications in respect of the hurdles which Claimants have to overcome in order to bring a claim for breaches of the Data Protection Act 1998 (DPA 1998), and by analogy the GDPR.
The group of Claimants led by Mr Lloyd had all had their personal data, in the form of browser-generated information (BGI), collected by Google by the use of third-party cookies. This was done without the consent of anyone using Safari as their internet browser, as these cookies would not have been automatically disabled.
A class action application was made under CPR 19.6(1) on behalf of up to 4 million iPhone users to serve proceedings on Google in the USA. An undisclosed “uniform” figure for damages was claimed on behalf of each potential Claimant.
At the time, s13(1) DPA 1998 was in force and contained the following wording:
“An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.”
Broadly speaking, in considering the application the issues which the Court had to decide were:
- whether a claim for damages could be made under s13 DPA 1998 without proof of pecuniary loss or distress; and
- whether the four million iPhone users did have the same interest in the claim under CPR 19.6(1).
Findings at First Instance
At first instance the application was dismissed.
Warby J explained that the right to compensation under s13 DPA 1998 was a two-part test: (i) there must be a contravention of a requirement of the DPA 1998; and (ii) as a result of that contravention, the Claimant must have suffered damage. The contravention and the damage were two entirely separate concepts.
Although the Court found that the first part of the test was satisfied, it held that none of the Claimants had suffered “damage”, stating as follows:
“I do not believe that the authorities show that a person whose information has been acquired or used without consent invariably suffers compensatable harm, either by virtue of the wrong itself, or the interference with autonomy that it involves. Not everything that happens to a person without their prior consent causes significant or any distress. Not all such events are even objectionable, or unwelcome. Some people enjoy a surprise party.”
The Court also held that the four million iPhone users did not have the same interest in the claim under CPR 19.6(1), as even if damage had been suffered, the impact of Google’s alleged contraventions across the class would probably have varied greatly.
The Court concluded that even if it was wrong on the first point in relation to damages, Mr Lloyd should not “be permitted to consume substantial resources in the pursuit of litigation on behalf of others who have little to gain from it, and have not authorised the pursuit of the claim, nor indicated any concern about the matters to be litigated”.
The key issue on appeal was whether a claim for damages under s13 DPA 1998 can be brought without any proof of monetary loss.
The Appeal Court considered a number of previous cases, but of particular use was the judgment in Gulati v MGN, a phone-hacking case involving the tort of misuse of personal information. In Gulati, the Court held that general damages could be awarded in a claim for misuse of personal information on account of the loss of control of the Claimant’s personal information.
Applying the Gulati decision, the Appeal Court held that personal data, in the form of BGI, was capable of having an economic value. The Court noted the provision of personal information in exchange for free WiFi as a common example. It also confirmed that the approach to general damages outlined in Gulati did not have to be confined to the tort of the misuse of personal information, and could be applied by analogy to the DPA 1998, as both causes of action relate to the right to privacy.
The Court concluded that “a person’s control over data or over their BGI does have a value, so that the loss of that control must also have a value”.
The Court went on to consider whether all members of the class action had the “same interest” in the claim under CPR 19.6(1). The Appeal Court again disagreed with the Judge at first instance, holding that “the claimants that Mr Lloyd seeks to represent will all have had their BGI – something of value – taken by Google without their consent in the same circumstances during the same period”, and concluding that they did therefore all have the same interest.
The action was therefore allowed to proceed.
The Future of Data Breach Claims
The Appeal Court’s decision stopped short of providing a standard value for the loss of personal data in each claim. The Court did however reassuringly explain that the threshold for succeeding in this type of claim “would undoubtedly exclude, for example, a claim for damages for an accidental one-off data breach that was quickly remedied”.
However, given the size of data sets which are often the subject of breaches, it is not difficult to foresee that group claims in the hundreds, or even just in double figures, would allow Claimant law firms the security of ensuring that the claim is allocated to the fast track without having to back up each one of those claims with evidence from a psychiatrist as if it were a personal injury claim. This could result in much greater claims exposure for data controllers who hold large amounts of personal data, such as local authorities, insurance companies and the NHS.
That said, it should also be noted that the Appeal Court justified giving scope to grant damages in this claim on the basis that there was a deliberate and unlawful use of personal information without consent, for commercial gain, and where, without the Court’s intervention, there would be no other available remedy. It remains to be seen if the same approach would be considered in an accidental data breach.
Google has said that it will appeal the decision, so this story isn’t over yet. What is clear is that if this claim does progress, it has the potential to significantly increase exposure for data controllers following a breach of the GDPR.