In a devastating judgment the Court of Appeal in Lloyd v Google EWCA Civ 1599 has unanimously overturned a High Court decision that threw out a representative action brought by Mr Lloyd on behalf of millions of users of Apple’s Safari browser against Google and has allowed the claim to be pursued.
Crucially, the Court of Appeal has said that someone who has lost control of their data as a result of the actions of a third party who has used that data without their knowledge or consent has suffered a wrong that can be compensated whether or not they have suffered any damage and irrespective of whether or not the breach has caused them any distress. The only qualification imposed by the Court of Appeal is that the breach must not be a “trivial” one.
This stunning (and unanimous) judgment transforms cases that were previously thought to be hopeless claims into viable cases. Claimant law firms will be “licking their lips” at the prospect of a vast new realm of claims opening up before them and the fees that they will be able to charge as a result.
In essence the claim arises as a result of the fact that the Safari browser on Apple devices was designed to prevent most cookies working on it. However, Apple had some exceptions to the default settings (as otherwise they would have prevented the use of some popular web functions). Google spotted this and developed a cookie which could circumvent the Apple/Safari block on cookies. In effect it enabled Google to set a cookie up on a device without the users' knowledge or consent whenever a user visited a website that contained the relevant Google ad content. As a result Google were able to collect vast amounts of information (known as Business Generated Information or “BGI”).
In the UK there are two types of what are often referred to as “class” actions: group actions and representative actions. Group actions are, in essence, easier to bring but are “opt-in”, and affected individuals therefore need to proactively take steps to join a group action. Representative actions are “opt-out” in the sense that all of the affected individuals start off being entitled to be a party to the proceedings and they have to take active steps to lose or give up that entitlement.
In circumstances where the allegation in Lloyd was that at least four million people were affected (and possibly more) this meant that the starting point was that there was not just one claimant (in the form of Mr Lloyd) but at least four million.
However, Mr Lloyd faced a challenge in that the rules applying to representative actions appear to be quite strict, requiring the ability to identify all of the individuals affected and for those individuals to have the same interest.
In the High Court all of these factors militated against Mr Lloyd. The Judge was concerned this was simply a fee generating exercise on the part of the lawyers who were the ones who stood to make substantial sums in circumstances where individual claimants were likely to get little more than a very modest sum. Equally, the Judge was unimpressed by the fact that the estimates of the potential number of claimants varied enormously and by the fact that their interests seemed quite varied. The Judge was clearly conscious that there might be some people who were very happy to have specific adverts targeted at them whilst others might be extremely upset (and might indeed suffer specific damage as a result and that many might fall between these groups and not mind one way or another). The Judge also noted that following a successful claim in relation to exactly the same activity in Vidal Hall v Google no other claimants had stepped forward to pursue claims. All of these points were robustly dismissed by the Court of Appeal.
The Court of Appeal said that the starting point was Article 8 of the Charter of Fundamental Rights of the European Union which said “Everyone has the right to the protection of personal data concerning him or her”. The next point to consider was Article 82.1 of the GDPR which provided that a person who had suffered “material or non-material damage as a result of an infringement of this regulation” was entitled to compensation for the damage suffered. Even more significantly the court drew attention to recital 85 to the GDPR which said “The personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned”. The reference to “loss of control” proved significant.
From this platform the court then looked at the approach which had been taken in claims for misuse of private information involving phone hacking, particularly the decision in Gulati v MGN.
The court said that the approach taken in the phone hacking cases was important because both privacy and data protection rights stemmed from Article 8 of the Charter. In Gulati the court had held that damages could be awarded for misuse of private information even in the absence of material loss or distress. The court in Gulati had said that the activities of the phone hacking newspapers had “adversely affected the claimants’ ability to exercise control over information about themselves, and thus the value of their right to exercise such control”. The Court of Appeal said that “The essential principle is that, by misusing their private information, MGN deprived the respondents of their right to control the use of private information … the Respondents are entitled to be compensated for the loss of control of information as well as for any distress …”.
In Lloyd the Court of Appeal said that since misuse of private information and breach of the Data Protection Act were similar actions it would be inappropriate to take different approaches.
Whilst it could potentially have said that it considered the approach taken in Gulati was wrong it instead adopted that approach. The Court said that:
(1) misuse of private information and compensation under the Data Protection Act derive from the same core right to privacy;
(2) since loss of control over telephone data was damage for which compensation could be awarded in Gulati it would be wrong in principle if loss of control over browser/BGI data could not also be compensated.
The fundamental consequence of these findings was encapsulated in one sentence in which the Court of Appeal said “I would conclude that damages are in principle capable of being awarded for loss of control of data under Article 23 section 13, even if there is no pecuniary loss and no distress”.
Having reached that decision the court found it straightforward to conclude that all of the claimants who Mr Lloyd was seeking to represent had the same interest. They had all had their BGI taken by Google without their consent in the same circumstances during the same period.
Mr Lloyd and his legal team had conceded that they would not seek to pursue different claims for different individuals (and therefore any claimant within the action who had suffered particular distress as a result of Google’s activities would not be able to pursue a claim in relation to them) and as a result the represented class were all victims of the same alleged wrong and had all sustained the same loss.
The court considered whether control of the data was an asset that had value. It cast to one side suggestions that data was not technically property in English law on the basis that data protection under EU law was clear. The court also said that it was clear that an individual’s BGI had economic value as it could be sold. In particular the court said that:
“The underlying reality of this case is that Google was able to sell BGI collected from numerous individuals to advertisers who wished to target them with their advertising. That confirms that such data, and consent to its use, has an economic value.”
The court went on to say:
“Accordingly, in my judgment, a person’s control over data or over their BGI does have a value, so that the loss of that control must also have a value.”
The court also opened the door to the possibility that damages could be assessed on a “user” basis. This derived from a judgment in a case called Onestep in which the court said “The courts have treated user damages as providing compensation for loss, albeit not loss of a conventional kind”. They arose where “the person who makes wrongful use of the property prevents the owner from exercising his right to obtain the economic value of the user in question, and should therefore compensate him for the consequent loss”. The court said “Put shortly, [the defendant] takes something for nothing, for which the owner was entitled to require payment”. The Court of Appeal in Lloyd clearly felt that this had, in principle, application to the use of BGI.
To add the “final nail in the coffin” the court said “… this case, quite properly if the allegations are proved, seeks to call Google to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit … the case may be costly and may use valuable court resources, but it will ensure that there is a civil compensatory remedy for what would appear, at first sight, to be clear, repeated and widespread breaches of Google’s data processing obligations and violations of the convention and the charter”.
The only tiny crumb of comfort for the defendants was that the court accepted that there was a “de minimis” threshold for finding an infringement. The court said “it was common ground, in this context, that if the court decided that the infringement of the directive and the DPA was trivial or de minimis it would be entitled to refuse to make an award of … ‘loss of control damages’”.
In terms of the threshold the court said “That threshold would undoubtedly exclude, for example, a claim for damages for an accidental one-off data breach that was quickly remedied.”
Where do we go now?
On the face of it this case represents a dramatic shift in favour of claimants. Gulati was a devastating judgment in its own right in relation to claims for misuse of private information, leading to record awards of damages. In practical terms it is no surprise that the defendant newspaper in Gulati was on the receiving end of a robust judgment bearing in mind the very unfavourable underlying facts. However, whilst those facts opened the door to the introduction of concepts of control of private information, the introduction of those concepts to claims for breach of the Data Protection Act is unwelcome for any organisation that uses personal data (which is likely to be all organisations) and the impact is likely to be dramatic. Whilst claimants will argue that the parallels are similar (selling information obtained from phone hacking in newspapers is, they will argue, no different to selling information obtained from harvesting BGI through people’s online search activities) the practical consequence is that a raft of individuals who have suffered no harm or distress whatsoever are going to be placed in a position where they have a legal entitlement to compensation. In some instances there is a very real prospect (as identified by the judge whose judgment was overturned in Lloyd) that individuals who may have welcomed targeted advertising (for example individuals looking for retail goods or holidays), and who may well have been pleased to have been targeted with offers for cheap refrigerators or cheap holidays, will nonetheless be entitled to compensation. The fact that actions could potentially be brought as representative actions rather than group actions could potentially lead to vast class actions in relation to every data breach in the UK.
The contrast with the position from 2000 (when the Data Protection Act 1998 came into force) until 2015 (during which period no substantive group actions were started) and even to the present date (where the only group actions are the Morrisons action involving 5,000 out of 100,000 claimants and a recent BT action) could not be greater.
Whilst it remains to be seen what damages will be awarded to individual claimants this judgment is potentially a disaster for anyone who deals with data (and their insurers). Those defending such claims at present and who may face the prospect of such claims in the future will need to re-evaluate their position as a result of this judgment.
The only silver linings are that (i) the nature of this judgment is such that it seems almost inevitable that it will be taken to the Supreme Court, which may yet revert to the approach taken by the High Court, and (ii) there is now an even greater incentive to establish where the “de minimis” threshold is. Whilst the Court of Appeal clearly frowned upon Google’s actions there is plainly scope to continue to defend those cases where the breach was a “one-off” and limited in effect and to argue that in such cases the de minimis threshold is not met. Equally there is likely to be further argument about what “remedial” action will be enough to prevent a successful claim being pursued.
However, in the intervening period, claimant lawyers are already beginning to seize on the judgment and will continue to do so unless (and until) it is overturned.
Finally, quantum remains to be determined. Mr Lloyd has suggested £750 per claimant (producing a figure of £3 billion based on the lower estimate of 4 million affected users).
As every pound of damages per individual translates into millions of pounds, quantum is also likely to be highly contested. Watch this space!