Lloyd v Google: data breach class actions, have the floodgates opened?
16 October 2019
The Court of Appeal has granted permission for a US-style (opt-out) “class action” to be brought on behalf of 4.4 million unidentified iPhone users against Google, to be served out of the jurisdiction. Mr Lloyd’s claim seeks uniform damages for unlawful use of browsing data without proof of damage for each individual. This ground-breaking decision overturns the High Court decision and sets the scene for the first UK class action for misuse of data.
To get the claim started, the claimant representative, Mr Richard Lloyd had to make an application to serve out of the jurisdiction against Google LLC, based in the USA, for allegedly collecting and selling browser generated information (“BGI”) without the user’s consent for a period between 2011 and 2012.
The application was dismissed in October 2018 by the High Court on the grounds that Mr Lloyd failed to establish that the users suffered “damage” (under s.13 of the Data Protection Act 1998 (“DPA”)), and the members of the class do not have the “same interest” in the action under CPR 19.6(1) to justify allowing the claim to proceed as a representative action.
On 2 October 2019 the Court of Appeal overturned the decision, concluding that having control over data has value and so the loss of that control should be compensated.
Whilst the case of Lloyd v Google was brought under the old regime of the DPA, interpretation of the principles of the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 is still likely to be similar.
So what is the Safari Workaround?
The so-called “Safari Workaround” circumvented blocks in place on the Safari browser, allowing Google’s DoubleClick Ad cookie to track BGI related to an individual on a device without a user’s consent. It is alleged that the BGI collected could contain information such as:
- the date and time of any visit by a user to a given website;
- how long the user spent there;
- which pages were visited for how long;
- what ads were viewed for how long; and
- in some cases, by means of the IP address of the browser, the user’s approximated geographical location,
allowing Google to obtain or deduce information relating not only to users’ surfing habits and location, but also about their interests or habits and special category data as defined under the GDPR.
The Safari Workaround has been the subject of high-profile litigation before in Vidal-Hall v Google [2014] EWHC 13 QB, where three individual claimants successfully claimed compensation for distress and anxiety for misuse of private information. The key difference here, however, is that Lloyd v Google is a representative claim on behalf of millions of unknown users and so issues arise in relation to identifying the class members, if they have the same interest and what damage, if any, they have suffered.
Issues for the Court of Appeal to decide
Issue 1: can a claimant recover damages without proving pecuniary loss or distress?
In short, yes.
• In Gulati v MGN Ltd, substantial damages were awarded without proof of pecuniary loss or distress for the tort of misuse of private information in the form of phone-hacking data. It would be prima facie inappropriate for the court to apply differing approaches to the meaning of damage and so deny damages for loss of control of data where both rely on the same fundamental right in Article 8 of the Charter of Fundamental Rights of the European Union.
• The Court of Appeal considered the meaning and objective of Article 23 of the Data Protection Directive (the “Directive”) and s.13 DPA applying the EU legal principle of equivalence to determine if control over data is in itself an asset that has a value, to which they concluded it does.
Article 23 of the Directive provides: “a Member State shall provide that any person who has suffered damage as a result of an unlawful processing operation … is entitled to receive compensation …for the damage suffered.”
Section 13 of the DPA provides: “An individual who suffers damage by reason of any contravention by a data controller … is entitled to compensation from the data controller for that damage.”
The Court used the analogy of the provision of free Wi-Fi at an airport in exchange for customers providing their personal data, whereby if they decline they have to pay for the Wi-Fi usage. This analogy served to demonstrate that a person’s BGI has economic value.
Issue 2: do the class members have the “same interest” and are they not identifiable?
Yes they have the “same interest”, given that control over browsing data has value.
- Same Interest
In order to bring a class action under CPR Part 19.6, the claimants must have the “same interest” in the claim. The High Court held the impact on each class member will vary greatly, as some may not care at all that their data is being used and others will find it distressing.
In contrast, the Court of Appeal held that as BGI is considered as something of value and had been collected by Google without the users’ consent in the same period, the class members had sustained the same loss: “The represented class are all victims of the same alleged wrong, and have all sustained the same loss, namely loss of control of their BGI”.
- Identification of the Class
The court must also be satisfied that the class members can be identified by an appropriate class definition (Emerald Supplies v British Airways PLC).
The judges agreed with Google that some person’s memories may be at fault and there could in theory be abuse, however, the issues were merely practical considerations and do not mean that the class members are not identifiable or do not have the same interest under CPR 19.6(1).
Issue 3: Can the judge’s exercise of discretion be vitiated?
Yes, it was appropriate in the circumstances.
- A judge exercising their discretion under CPR 19.6(4) to find that a person may not act as a class representative, must do so with regard to the overriding objective. Warby J, in exercising his discretion, based his reasons in particular on the significant costs the litigation would incur and the recovered amounts for the users being “modest”. A further consideration was the fact that in the 6 years since the first publication of the Safari Workaround claim none of the millions of affected individuals had come forward, and so it was difficult to identify the class.
- The Court of Appeal considered it was appropriate to exercise its discretion afresh as it had concluded the class was identifiable and it was not disproportionate to pursue such litigation in the circumstances, even though it would be costly and a draw on valuable court resources.
- The Court of Appeal held that if the allegations are proved, it seeks to call Google to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit.
What is the potential impact of this case?
Although Google intends to appeal the decision, this decision could have a huge impact for litigants and organisations alike if Google’s appeal is unsuccessful.
First, this case will be seen as a major development for class actions in the UK, officially known as ‘Representative Actions’, which require members to “opt-out” rather than “opt-in”. Such actions are common in the USA but rare in the UK, and this is partly due to the need to identify the claimants and to prove they have the same interest. This can be time-consuming and expensive and therefore rarely find their way to court unless they are very well funded. Following this decision, courts can be expected to take the right to privacy and data protection very seriously. Significantly, this case has confirmed that again there is no absolute requirement to prove pecuniary loss or distress to recover damages, and the tests for identification of class members and the need for the ‘same interests’ in class actions should be construed less stringently going forward.
Further, if this type of class action can progress, the risks for organisations who commit a data breach will have never been higher. Not only could a data breach result in a significant fine (which this summer has proven the ICO is not afraid to issue) but also a significant class action could result in multiple pay-outs that would dwarf any potential fine issued by a regulator.
While Google appeals this decision, it will be interesting to see how this decision will impact the fate of existing high profile data breaches and whether the floodgates will now be opened.
Lloyd v Google LLC [2019] EWCA Civ 1599 is available here.