Data protection representative “class” action gets the go ahead
22 October 2019
Did you have an iPhone in 2011/2012? I still had a BlackBerry. If I had had an iPhone, I would have been a member of the class of more than four million users on whose behalf Mr Lloyd makes this claim. It is alleged that Google tracked, surreptitiously, some of the internet activity of those users, so infringing rights protected by data protection legislation. The litigation is interesting for two reasons: it shows that you can claim damages under data protection legislation without proving any financial loss or even distress; and, it considers what is required for a representative action to be brought for this claim: Lloyd v Google LLC  EWCA Civ 1599
Google’s “DoubleClick Ad” cookie
At the time Apple’s Safari web browser, by default, blocked all third party cookies. However this prevented some popular websites from working. Consequently Apple introduced some exceptions. Google, it is alleged, used these to enable its “DoubleClick Ad” cookie to be put on a user’s device without their knowledge or consent whenever the user visited a site with Google's content. This, according to the judge, allowed Google to tell, among other things, the date and time of any visit, how long the user spent there, which adverts were viewed and for how long, and the approximate geographical location of the user (from the IP address). Over time, it seems, Google was able to build up profiles of the users who were grouped as, for example, "football lovers", or "current affairs enthusiasts".
Was damage sustained by iPhone users in the UK?
The backdrop to the case is that Lloyd was seeking permission to serve the claim out of the jurisdiction on Google in the U.S.. To do that he had to show that the claim had a reasonable prospect of success, that there was a good arguable case that the claim advanced fell within one of the jurisdictional gateways, and that England was the appropriate place to try the claim. The jurisdictional gateway in question – for the tort of breach of statutory duty – required that damage be sustained in the jurisdiction. The question for the Court of Appeal therefore was whether the impact of the Safari workaround meant that there was a good arguable case that damage was sustained within the jurisdiction.
Damage was loss of control of data
A previous decision of the Court of Appeal, also about the Safari workaround (but not a representative action), had held that damages for distress were recoverable (Google v Vidal-Hall). But Lloyd’s argument here was that you did not need to show distress, as the breach alone was sufficient.
The Court of Appeal stated that the question of whether or not the claimants had “suffered damage” under the Data Protection Act 1998 and the Data Protection Directive 95/46/EC that stood behind it (this being a pre-GDPR cause of action) was an autonomous question of EU law that could differ from domestic law.
Having analysed case law on misuse of personal information, referencing the importance of there being a damages award for breach of data protection legislation, and the GDPR, the court held that damages were capable of being awarded for loss of control of data under the Data Protection Directive 95/46/EC and the Data Protection Act 1998 even if there was no pecuniary loss and no distress.
In principle, the court said, the damages claimed could be assessed as “negotiating damages” under the principle set out by the Supreme Court in One Step v Morris-Garner: a fee for the notional release of the right. In other words the court could ascertain what price the iPhone user would reasonably have asked for ceding control of their personal data.
Who is in the class?
Once the court had analysed the claim as one of compensation for loss of control of browser-generated information, many of the concerns of the judge at first instance – about whether there was the “same interest” as is required to bring a representative action – fell away. Lloyd had deliberately framed the claim as one that would not take account of any special or individual circumstances.
The judge had also been troubled by how the class would be identified. He described the idea of relying on disclosure by Google as “Micawberite” and felt that self-certification by iPhone users was open to honest error and abuse.
The Court of Appeal disagreed. The data that Google held would identify who was within the class and each affected person would know whether they satisfied the criteria.
Discretion in favour of allowing claim to proceed
The court held the judge was justified in observing that the main beneficiaries of the claim would be funders and lawyers, that litigation would be costly and individual compensation modest, and that none of the millions of the class had come forward to complain. However the judge had been wrong to say that you could not identify the class and to require that the class authorise the claim (since there was no such requirement).
On this basis the Court of Appeal granted permission to serve proceedings out of the jurisdiction on Google.
In Morrisons (which is going to the Supreme Court), the mechanism for gathering together claimants, for a breach of data protection legislation, was a Group Litigation Order. The number of claimants was around 5500 employees. Here, the claimants are using the representative action mechanism to create a sort of opt-out class with over four million members.
The finding in relation to damages is, perhaps, less surprising, at least when viewed from an EU data protection perspective as opposed to a common law one.
The combination of these two elements is no doubt encouraging to the "plaintiff bar" that is increasingly active in the UK.
This case summary is part of the Allen & Overy Litigation and Dispute Resolution Review, a monthly publication. If you wish to receive this publication, please contact Amy Edwards, firstname.lastname@example.org.