Every now and then, a judgment emerges that threatens – or promises, depending on your perspective – a sea change in data protection litigation. The recent Court of Appeal judgment in Lloyd v Google  EWCA Civ 1599 is the most recent example, with particular relevance to large-scale class actions seeking compensation for the fact of a data protection breach alone, without needing even to assert distress or pecuniary loss.
The case concerns the so-called “Safari Workaround”, by which Google allegedly set its DoubleClick Ad cookies to track and collect iPhone users’ browser-generated information or “BGI” in 2011-12 unlawfully and without their knowledge or consent. Google was able to obtain and deduce information about users’ internet surfing habits and location, as well as things like their political or religious views, age, health and financial situation. By aggregating the information into groups, such as “Football lovers” Google’s DoubleClick service was able to offer for sale the interest groups to advertisers, so that they could better direct their advertisements.
With a litigation funding vehicle in place, Mr Lloyd has brought a representative action under CPR Part 19.6, with himself as the representative claimant of a “class” of users with the “same interest” (the test under CPR Part 19.6). The Class is envisaged to contain several million individuals, with a total compensation bill of between £1bn and £3bn in the offing.
Strikingly, the proposed venture does not involve actually identifying the other members of the Class up front. Litigate first (with opt-outs for affected Safari users who want nothing to do with it) to secure the compensation pot, then invite people to come forward to demonstrate that they are entitled to a slice of it. The pot would be divided uniformly among the Class.
Equally strikingly, Mr Lloyd is not saying that he or anyone else in the Class has suffered any financial loss, concrete harm or even distress as a result of Google’s alleged actions. Compensation is said to flow from the contravention of the Data Protection Act 1998 (DPA 1998) itself, given that it involved a loss of control over affected individuals’ personal information (their BGI). At first instance, Warby J was having none of this. He refused to grant permission for the claim to be served on Google outside the jurisdiction (in the US) and for it to proceed as a representative action under CPR Part 19.6 (see Legal update, Representative action for DPA 1998 claim for compensation against Google denied (High Court)). Mr Lloyd appealed, and prevailed.
The Court of Appeal has overturned the High Court’s judgment on every issue, effectively green-lighting the class action – subject of course to anything that the Supreme Court may have to say (see Legal update, Representative action for DPA 1998 claim for compensation against Google appeal allowed (Court of Appeal)).
This appeal raises some important issues that were not decided by the Court of Appeal in Vidal-Hall v Google Inc  EWCA Civ 311 (see Legal update, Supreme Court grants part permission to appeal Google v Vidal-Hall).
There were three issues for the Court of Appeal to determine here:
Issue 1: to be compensated under data protection law, do you need to prove pecuniary loss or distress?
Warby J’s answer was yes, you do. Sir Geoffrey Vos, Chancellor of the High Court, giving judgment for the Court of Appeal, took the opposite view. This issue turns on what is meant by ‘damage’ under the DPA 1998 and the Data Protection Directive (95/46/EC) – and, for that matter, Article 82 of the General Data Protection Regulation ((EU) 2016/679) (GDPR), to which the Lloyd judgment is equally relevant. ‘Damage’ here has an autonomous meaning, that is, the meaning under EU law rather than domestic law.
As the Court of Appeal put it,
“the key to these claims is the characterisation of the class members’ loss as the loss of control or loss of autonomy over their personal data” (para 45).
This was essentially the touchstone used in the Gulati litigation, which concerned damages for misuse of private information nefariously obtained via phone hacking (see Legal update, Court assesses damages in phone hacking claims (High Court)).
The Court of Appeal in Lloyd held that the Gulati analysis applies equally to data protection: where a contravention causes the individual to lose or control or autonomy over their personal data, the individual is entitled to be compensated, regardless of any pecuniary loss or distress.
This is particularly so given that BGI has economic value, for example in respect of targeted advertising. If BGI has value, then a loss of control over one’s BGI should be compensated. Claimants face a de minimis threshold that “would undoubtedly exclude, for example, a claim for damages for an accidental one-off data breach that was quickly remedied” (paragraph 55), but that threshold was easily passed in this case.
The Court of Appeal also considered, on an obiter basis, that data protection contraventions could in principle also result in “user damages” (see One Step (Support) Ltd v Morris-Garner  UKSC 20: where a defendant takes something for nothing, the owner is entitled to payment) (see Legal update, Landmark decision on Wrotham Park damages (Supreme Court)).
The Court of Appeal bolstered its conclusion on damage by reference to Recital 85 of the GDPR, where “loss of control” over personal data is given as an example of the kind of “physical, material or non-material damage” that might be caused to natural persons as a result of a data breach. So, while Lloyd is a case under the DPA 1998, its logic applies even more clearly under the GDPR.
Issue 2: did the members of the class have the ‘same interest’ and were those members identifiable?
The representative action under CPR Part 19.6(1) could only proceed (and permission to serve proceedings on Google in the US could only be granted) where the individuals, intended to make up the class of claimants, have the ‘same interest’.
The High Court concluded that, in this case, they did not – the individuals were likely to have been affected by Google’s alleged contraventions in different ways. As Warby J had put it: some people like surprise parties. The Court of Appeal held that he had gone wrong in law, in part because of the error on what was meant by ‘damage’ (you can’t really assess if people suffered the same ‘damage’ if you aren’t sure what ‘damage’ means) and that he had applied the ‘same interest’ test in an unduly stringent way.
If a class action is not based on the specific facts of how the individuals were affected, it is necessarily pared down to the lowest common denominator, but that can be enough common ground to pass the ‘same interest’ test. And, said the Court of Appeal,
“it is impossible to imagine that Google could raise any defence to one represented claimant that did not apply to all others. The wrong is the same, and the loss claimed is the same” (paragraph 75).
Whereas Issue 1 opens up the prospect of damages based on the contravention alone (or more accurately, a loss of control over something of value), Issue 2 paves the way for US-style class actions, by making it much easier to identify a big enough cohort with enough common ground.
Issue 3: should the Court have exercised its discretion to allow this representative action to proceed?
Again, the High Court’s answer was no, but the Court of Appeal’s was yes. This polarised judicial impression of Mr Lloyd’s venture is neatly summed up at paragraph 86:
“… this representative action is in practice the only way in which these claims can be pursued. I do not accept the judge’s characterisation of this claim as “officious litigation”. To the contrary, this case, quite properly if the allegations are proved, seeks to call Google to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit. It is not disproportionate to pursue such litigation in circumstances where, as was common ground, there [would] be no other remedy. The case may be costly and may use valuable court resources, but it will ensure that there is a civil compensatory remedy for what appear, at first sight, to be clear, repeated and widespread breaches of Google’s data processing obligations and violations of the Convention and the Charter.”
The final word may well be for the Supreme Court, but for now, the outlook is clear: misuse of personal information of value can in principle sound in damages – for individuals and large groups – regardless of whether any harm or distress was caused. That is a major change to the way in which data protection compensation claims can – and will(?) – be approached in the UK.