The Court of Appeal has allowed an appeal in Lloyd v Google LLC [2019] EWCA Civ 1599. Claimant L sought damages against the defendant Google LLC on behalf of a class of more than 4 million Apple iPhone users. It was alleged that Google secretly tracked some of the Apple users’ internet activity, for commercial purposes, between 9 August 2011 and 15 February 2012.
The first instance judge dismissed L’s application for permission to serve Google outside the jurisdiction because: (a) none of the represented class had suffered “damage” under section 13 of the Data Protection Act 1998, (b) the members of the class did not have the “same interest” under CPR Part 19.6(1) justifying allowing the claim to proceed as a representative action, and (c) the judge of his own initiative exercised his discretion under CPR Part 19.6(2) against allowing the claim to proceed.
The main issues raised by the appeal were: (a) whether the judge was right to hold that a claimant could not recover uniform per capita damages for infringement of their data protection rights under section 13 of the DPA, without proving pecuniary loss or distress; (b) whether the judge was right to hold that the members of the class did not have the same interest under CPR Part 19.6(1) and were not identifiable; and (c) whether the judge’s exercise of discretion could be vitiated.
Issue 1: was the judge right to hold that a claimant cannot recover uniform per capita damages for infringement of their data protection rights under section 13 without proving pecuniary loss or distress?
Google was able to sell browser generated information collected from numerous individuals to advertisers who wished to target them with their advertising. Therefore such data, and consent to its use, has an economic value. Accordingly, a person’s control over data or over their browser generated information does have a value so that the loss of that control must also have a value. The court considered if such loss of control over data could properly be considered damage in the legal sense in which the term “damage” is used in article 23 of the Data Protection Directive 95/46/EC and section 13 of the DPA.
The court considered various case law and in particular Gulati v MGN Limited [2015] EWHC 1482 (Ch) (Mann J), [2015] EWCA Civ 1291 (CA), even though that case dealt with misuse of private information rather than data protection. As loss of control over telephone data was held to be damage for which compensation could be awarded in Gulati, the court said that it would be wrong in principle if the represented claimants’ loss of control over browser generated information data could not, likewise, for the purposes of the DPA, also be compensated. In addition, the EU law principles of equivalence and effectiveness pointed to the same approach being adopted to the legal definition of damage in the two torts which both derive from a common European right to privacy. Privacy breaches leading to loss of control over data ought to be compensated without proof of distress or pecuniary loss.
The judge noted that one cannot interpret a directive by reference to the regulation that replaced it. However, it was helpful to consider how the GDPR deals with damage. Article 82.1 of the GDPR provides that a person who has suffered “material or non-material damage as a result of an infringement of this Regulation” should have the right to receive compensation for the damage suffered. In addition, in recital 85 “loss of control” over personal data is given as an example of the kind of “physical, material or non-material damage” that might be caused to natural persons as a result of a data breach. Therefore he could see no reason in principle why it is not fairly arguable that damages, might in this case, be assessed on the user basis.
For those reasons he concluded that damages are in principle capable of being awarded for loss of control of data under article 23 and section 13 even if there is no pecuniary loss and no distress.
Issue 2: was the judge right to hold that the members of the class did not have the same interest under CPR Part 19.6(1) and were not identifiable?
The persons represented in a claim brought under CPR Part 19.6 must have the “same interest” in the claim. The Court of Appeal stated that the first instance judge had applied too stringent a test of “same interest”. The represented class are all victims of the same alleged wrong and had all sustained the same loss, namely loss of control over their browser generated information.
The first instance judge had considered the problem as one of verification and determined that the class was not identifiable because he held that the class definition had to be “workable” in addition to “conceptually sound”. The Court of Appeal stated that the only applicable test was that it must be possible to say of any particular person whether or not they qualify for membership of the represented class of persons by virtue of having the same interest as L “at all stages of the proceedings, and not just at the date of judgment”: there was no reason why the test was not satisfied in this case. Every affected person would, in theory, know whether they satisfied the conditions that L had specified. Also, the data in Google’s possession could identify who was, and who was not, in the class. The number of claimants could not itself affect the ability to use the representative procedure. Consequently, the first instance judge ought to have held that the members of the represented class had the same interest under CPR Part 19.6(1) and that they were identifiable.
Issue 3: Could the judge’s exercise of discretion be vitiated?
It was open to the Court of Appeal to exercise its discretion afresh. The court said that the case sought to call Google to account for its allegedly wholesale and deliberate misuse of personal data without consent, which was undertaken with a view to commercial profit. It was not disproportionate to pursue such litigation in circumstances where, as was common ground, there would have been no remedy if the first instance judge’s decision were upheld. The case might be costly and may use valuable court resources but it would ensure that there is a civil compensatory remedy for what appeared, at first sight, to be clear, repeated and widespread breaches of Google’s data processing obligations.
Therefore the appeal was allowed and the case will be allowed to proceed, potentially opening the way for similar cases.
