Lloyd v Google LLC

In May 2017, Mr Lloyd (“C”) issued a claim against Google on behalf of a class of over four million Apple iPhone users. C alleged that Google had secretly tracked some of the internet activity of those iPhone users for commercial purposes, known as the “Safari Workaround”, over a six-month period between 9 August 2011 and 15 February 2012.

The Safari Workaround enabled Google to place a ‘DoubleClick Ad’ cookie on a device, without the user’s knowledge or consent, whenever the user visited a website that contained DoubleClick Ad content. This enabled Google to collect ‘browser generated information’ (BGI), which was aggregated into segments such as ‘football lovers’ or ‘current affairs enthusiasts’ and then offered to subscribing advertisers.

To get the claim off the ground, C first had to apply for permission to serve the proceedings outside the jurisdiction on Google in the United States. That application was contested by Google and heard between 21 and 23 May 2018. Warby J dismissed the application for permission to serve Google outside the jurisdiction on three bases:

1.  First, although England was clearly the appropriate place for the claim to be tried (since the representative class was restricted to those in England and Wales), none of the represented class had suffered “damage” under section 13 of the Data Protection Act 1998 (the “DPA”). As a result, the claim disclosed no reasonable basis for seeking compensation under the DPA. Warby J described the pleaded case as “circular” because it asserted that the commission of the tort had caused compensatable damage, consisting of the commission of the tort.

2.  Second, notwithstanding the decision on damage, the members of the class did not in any event have the “same interest” within CPR r19.6(1) so as to justify allowing the claim to proceed as a representative action. The amount of compensation for any individual depended on the facts; it was not credible that all the specified categories of data were obtained by Google from each represented claimant. Warby J agreed with Google’s submission that it was not possible to identify and exclude unaffected users.

3.  Third, the judge could of his own initiative exercise his discretion under CPR r19.6(2) against allowing the claim to proceed. In so doing, Warby J took into account the overriding objective, the likely costs and court time required, and the fact that the compensation that each represented individual was likely to recover would be “modest at best”. It was not unfair to describe the action as “officious litigation”.

The claimant applied for permission to appeal the judgment of Warby J.

Lewison LJ granted permission to appeal on 21 January 2019, on the grounds of the novelty of the claim and the procedure for dealing with it; the public interest in data breaches; the potential number of persons affected; and the potential sums of money involved.

1.  Whether the judge was right to hold that a claimant cannot recover uniform per capita damages for infringement of their data protection rights under section 13 of the DPA, without pecuniary loss or distress.

2. Whether the judge was right to hold that the members of the class did not have the “same interest” under CPR r19.6(1) and were not identifiable.

3.  Whether the judge had erred in exercising his discretion under CPR r19.6(2) such that his exercise of discretion could be vitiated.

Allowing the appeal:

1.  A claimant can recover damages for loss of control of their data under section 13 of DPA, without pecuniary loss or distress:

a.  The language of both section 13 of the DPA and article 23 of the Directive are to be construed as a matter of EU law, and both are to be construed as giving effect to Article 8 of the Convention [42]. It would be odd to approach the legal nature of damage differently in section 13 claims to misuse of private information claims as they are two parts of the same European privacy protection regime [53].

b.  A person’s control over their BGI does have a value such that the loss of that control has a value. The court did not agree with Warby J’s characterisation of the pleading as “circular”: the key to the claims is that the class members’ loss is the loss of control or loss of autonomy over their personal data [45].

c.  Applying Gulati by analogy (where in that case, loss of control over telephone data was held to be damage for which compensation could be compensated), it would be wrong in principle if the represented claimants’ loss of control over BGI data could not be compensated under the DPA. [57]

2.  The members of the class C sought to represent did have the same interest under CPR r19.6(1) and were identifiable [81]. Warby J had applied too stringent a test of “same interest” and the factors considered were “practical” factors, not factors affecting the formal ability to identify the class [80]. The ‘straightforward’ position was that the members of the class had all had their BGI taken by Google without consent in the same circumstances during the same period; they are all victims of the same alleged wrong and have all sustained the same loss of control over their BGI [75].

3.  The court could exercise its discretion to allow the claim to proceed as a representative action [87].

The Court of Appeal’s decision was significant in two key respects:

First, the Court’s decision was one that emphasised the alignment between privacy and data protection. The decision was rooted in the common origins of these two causes of action, which were described as being “two parts of the same European privacy protection regime”. This approach paved the way for the Court’s decision on damage, making available damages for loss of control of data under article 23 and section 13 (loss of control of private information already being available in misuse of private information claims). The fact that loss of control of personal data can constitute damage for the purposes of a data protection claim has the potential to significantly widen the circumstances in which such claims can be brought.

Second, by deciding that the action could seek a uniform amount of damages without needing to prove damage for each individual, the Court established that a representative class action can be a viable and practicable route for those seeking redress following a significant data breach. The Court of Appeal noted that although a uniform sum of damages based on a loss of control of personal data may well be much less than it would be had individual circumstances been taken into account, it would “not be nothing” [77]. In other words, the Court appeared to take a pragmatic approach: that it was better for the class action to be able to proceed founded on a type of damage common across the class (being loss of control of personal data), than for the action to be founded on damage suffered at different levels across the class (being distress) such that the action could not proceed.

The Court of Appeal has not had the final word on these issues. On 11 March 2020, the Supreme Court granted Google permission to appeal. That appeal is outstanding.