On 2 October 2019, the Court of Appeal (“CoA”) in Richard Lloyd v. Google LLC handed down a decision which marks – at least potentially – a significant development for the prospect of class actions based upon data protection breaches. While the case was decided under the Data Protection Act 1998 (“DPA 1998”), there is no obvious reason why the CoA’s decision should not also be applied under the updated regime (i.e.. the Data Protection Act 2018 and GDPR).
Background
Richard Lloyd (a former director of Which?) alleged that Google had, for commercial purposes, between 2011 and 2012 tracked the internet activity of more than 4 million Apple iPhone users, without having obtained their consent. He sought to bring a claim for damages in the UK under section 13 DPA 1998 on behalf of that class of iPhone users against Google.
iPhones include Apple’s Safari browser which, at the relevant time was set by default to block third party cookies. Google had deployed what was referred to in the case as the ‘Safari Workaround’ which enabled Google to set its DoubleClick Ad cookie on a user’s iPhone device when that user visited a website containing DoubleClick Ad content. As a consequence, browser generated information relating to those iPhone users (e.g., the date and time of the visit to the website, duration of the visit, which ads were viewed) was received by Google.
The High Court had refused Mr Lloyd the permission that he necessarily required to serve his claim on Google outside of the UK’s jurisdiction. It did so on three principal bases, namely:
- none of the represented class of iPhone users had suffered damage under section 13 of the DPA 1998;
- the class of iPhone users did not have the same interest to justify a representative action by Mr Lloyd; and
- the judge exercised his discretion against allowing the claim to proceed.
Decision
The CoA allowed Mr Lloyd’s appeal against the High Court’s decision and granted him permission to serve his claim on Google outside of the UK’s jurisdiction. There were two key elements to the CoA’s decision.
First, the CoA was of the view that a claimant can, subject to a de minimis threshold, recover damages for loss of control of their data under section 13 of the DPA 1998, without having to prove pecuniary/financial loss or distress. Mr Lloyd had not claimed for pecuniary loss or distress; he was only claiming for what were referred to in the case as ‘loss of control’ damages. The CoA’s view was that a person’s control over their data (including browser generated information) has a value and, as such, the loss of control must also have a value. It also drew an analogy with the decision in Gulati v. MGN Limited where damages were awarded for the loss or diminution of a right to control formerly private information, noting that both misuse of private information and section 13 of the DPA 1998 derive from the same core right to privacy in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms.
Second, in contradistinction to the High Court, the CoA decided that the 4 million or so iPhone users did in fact have the same interest and were identifiable. Each of those users had lost control of their browser generated information during the same period and were not seeking to rely on personal circumstances (e.g. , distress suffered, volume of data extracted) that would differentiate their interests. This finding was somewhat consequential to the CoA’s decision on the ability of a claimant to recover ‘loss of control’ damages as that was common to all members of the class.
It remains possible that Google will seek permission from the Supreme Court to appeal this decision.