Lloyd v Google LLC – A Reboot for Data Privacy?

Published: 25/11/2019

Last Month, the Court of Appeal published its landmark judgment in the case of Lloyd v Google LLC [2019] EWCA Civ 1599 granting Richard Lloyd, acting as a representative claimant, permission to serve proceedings out of jurisdiction on Google, in relation to a class action potentially worth £3 billion.

The decision focuses on the statutory duty of Google to comply with the data protection principles in relation to personal data, set out in section 4(4) of the Data Protection Act 1998 ("the DPA"), but its implications could be more significant.

Facts

Mr. Lloyd, who was the executive director of Which? until 2016, represents a class of more than 4 million iPhone users who did not change their default security settings and whose internet activity was allegedly tracked by Google for commercial purposes over a six month period in 2011 and 2012. He claims that Google acted in breach of the DPA and that each member of the class is entitled to compensation under section 13 of the DPA, alternatively "negotiating damages" on the basis that the Claimants are entitled to be compensated for what they could reasonably have charged for releasing Google from the duties it breached. Mr Lloyd does not contend that any of the members of the class suffered pecuniary loss or that the gathering of their data had caused them distress, focusing instead on the infringement of data protection rights, the fact of the commission of the wrong and the loss of control over their personal data.

The breach by Google arose in relation to the Safari browser developed by Apple. Apple devised certain security exceptions to the default settings, to improve the functionality of certain web pages. These exceptions enabled Google to set a third party cookie on a device, without the user's knowledge or consent. This became known as the 'Safari Workaround'. As such, Google was able to obtain or deduce information about the user, such as his/her race or ethnicity, financial position, interests and social class. This information is often described as Browser Gathered Information, or "BGI". It is then alleged that this information was used to create targeted groups for advertising and was subsequently offered to subscribing advertisers. Google has already paid a civil penalty of $22.5 million to the United States Federal Trade Commission and settled a consumer based action in the US in the sum of $17 million in relation to the Safari Workaround.

The issues

In order to bring a claim on behalf of the class of users affected by the Safari Workaround, Mr Lloyd was required to bring an application for permission to serve Google (incorporated in Delaware and with its principle place of business in California) with proceedings out of the jurisdiction.

Mr Lloyd’s application failed at first instance on the basis that it failed to meet the test in CPR 6.37(1) because (i) none of the represented class had suffered "damage" within the meaning of section 13 of the DPA and (ii) the members of the class did not have the "same interest" to justify allowing the claim to proceed as a representative action.

Warby J, hearing the case in the High Court, also elected to exercise the discretion under CPR Part 19.6(2) not to allow the claimant to act as a representative in the claim.

Unusually, permission to appeal was granted on the basis of "some other compelling reason for the appeal to be heard," taking into account a number of factors, including the novelty of the claim and the public interest in data breaches. Sir Geoffrey Vos delivered the unanimous decision of the Court of Appeal, which focused on these three issues: (1) the definition of damage under section 13 DPA; (2) the identification of the class and whether the Claimants had the "same interest"; and (3) the Judge’s exercise of discretion.

The interpretation of "Damage"

Section 13 of the DPA is at the heart of the Court of Appeal’s decision. It purports to transpose Article 23(1) of the Data Protection Directive 1995. Both section 13 and Article 23 have their origins in Article 8 of the European Convention on Human Rights.

In an earlier decision of the Court of Appeal, Vidal-Hall v Google Inc [2015] EWCA Civ 311, also concerning the Safari Workaround and also against Google, the Court of Appeal had held that "damage" under Article 23 was not limited to pecuniary damage and could extend to any damage. However, unlike in Lloyd, the Claimants in Vidal-Hall were identifiable individuals who had identified the distress they had suffered as a result of receiving targeted advertising.

At first instance the Claimants had sought to rely on Gulati v MGN Ltd [2015] EWHC 1482 (Ch), a phone hacking case concerning the loss of control over personal data, to show that there had been damage. Gulati established that in the tort of misuse of private information (or "MPI"), damages can be awarded regardless of whether compensation is claimed for distress. Warby J took the view that that decision was "exceptional" on its facts, and that for damages to be awarded the breach must go beyond just a misuse of personal information to "a significant or material adverse effect on the claimant’s valuable right to choose how, when and to whom their significant personal information was disclosed." Hence, in his view the claim against Google did not meet this criteria.

The Court of Appeal disagreed with these findings. Sir Geoffrey Vos stated that Gulati was particularly pertinent, because "the underlying rights on which MPI and infringements of the DPA are based are themselves founded on the same principle: namely that privacy be protected." There should be no distinction between the misuse of private information obtained through phone hacking and that caused by the loss of control of information obtained through third party cookies.

The Court of Appeal focused on the similarity of the victims’ "loss of autonomy over their personal data." His Lordship stated that these causes of action are "two parts of the same European privacy protection regime" and therefore “it would be prima facie inappropriate for the court to apply differing approaches to the meaning of damage."  The Court agreed with Arden LJ’s analysis in Gulati that "the damages are an award to compensate for the loss or diminution of a right to control formerly private information," and as such found that a claimant can recover damages for loss of control of their data under section 13 of the DPA without proving pecuniary loss or distress. The Court found that a person’s BGI had a clear economic value, and therefore that a person’s control over their BGI must have a value. Hence, "the loss of that control must also have a value."

However, the Court did make the point that a de minimis applied such that trivial infringements of the DPA would not attract damages.

"Same interest"

The Court at first instance also held that the class did not share the "same interest" within the meaning of CPR 19.6(1), because affected individuals in the class could range from "super users" – heavy internet users made victim of multiple breaches - to those who engaged little in the way of internet activity. As such a representative action would not be legitimate.

The Court of Appeal held this was "too stringent a test". Sir Geoffrey Vos noted that "every member of the represented class has had their data deliberately and unlawfully misused, for Google’s commercial purposes, without their consent and in violation of their established right to privacy." Therefore, all members were victims of the same wrong, had sustained the same loss (that is loss of control over their BGI), in the same circumstances during the same period, meaning the Court of Appeal found that the Claimants did share the same interest.

The Court of Appeal found that while the varying impact of Google’s breach on the individuals within the class may affect the quantum of damages, each victim of the breach would still be entitled to compensation.

Discretion

At first instance, Warby J went on to say that irrespective of the position under CPR19.6(1), he would nevertheless have exercised his discretion under CPR 19.6(2) to refuse to permit Mr Lloyd to act as a representative for the Data Subjects, as he found that the potential Claimants in the class action had shown insufficient interest in the claim and, hence, Mr Lloyd should not be permitted to waste the Court’s time and money bringing a claim on their behalf.

Sir Geoffrey Vos found that Warby J was not justified in exercising his discretion in this way. In exercising the Court’s discretion afresh he held that the claims should proceed to "ensure that there is a civil compensatory remedy… to call Google to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit."

Conclusion

Only time will tell whether this case is largely confined to the facts of the Safari Workaround and the Court’s distaste for Google’s repeated and widespread breaches of its data processing obligations. Parts of the Court of Appeal’s judgment would certainly appear to suggest that this is the case. There must nevertheless be at least a possibility that the door has now been opened to representative actions being brought in other areas.

The Judgment clearly demonstrates a shift in the English court’s view of the right to data protection and privacy, which appears to mirror the shift in the public consciousness. It is a stark warning to companies handling large quantities of personal data, emphasising that data must only be used within the scope and for the purposes to which users consented and it cannot be overlooked.

Google has appealed the decision to the Supreme Court.

Enyo Law legal assistant Alex Jenkins assisted with the drafting of this article. 

Sign up to our newsletter