On 2 October 2019 the Court of Appeal allowed an appeal in Lloyd v Google [1], a significant case in the continued evolution of the UK class action and data protection regimes.
The Court of Appeal held that:
- Damages are, in principle, capable of being awarded for loss of control of data under section 13 of the Data Protection Act 1998 (the DPA), even if there is no pecuniary loss and no distress. Although this case relates to the old DPA regime, the new GDPR and Data Protection Act 2018 are likely to be interpreted in the same way.
- Whilst Lloyd's use of the representative action procedure pursuant to CPR 19.6(1) to bring an opt-out-style class action is “unusual”, it is permissible. The members of the represented class all had their browser generated information (BGI) taken without their consent, in the same circumstances and in the same period. They are all victims of the same alleged wrong and all sustained the same loss.
- The High Court ought to have exercised its discretion to allow this representative action to proceed.
Richard Lloyd is bringing a US-style (opt-out) “class action” against Google in the English courts, relying on the representative claims procedure set out in Civil Procedure Rule (CPR) 19.6. He brings his claim on behalf of more than 4 million Apple iPhone users allegedly affected by the Safari Workaround in the period from 9 April 2011 to February 2012. Lloyd’s innovative claim seeks a uniform amount of damages without seeking to prove damage for each individual, significantly reducing the complexity and cost of the claim.
Before this claim can get off the blocks, Lloyd requires permission to serve his claim out of the jurisdiction, on Google in the US. In October 2018, the High Court refused permission, finding that Lloyd’s claim failed to identify a basis for the members of the represented class to claim compensation under the DPA. The High Court judge also held the claim had no real prospect of success and should not be permitted to continue as a representative action. Lloyd appealed.
On 2 October 2019, Lloyd’s appeal was allowed and permission to serve out (and continue the claim) was granted (see above).
What is the Safari Workaround?
The Safari Workaround enabled Google to set the DoubleClick Ad cookie on a device, without the user’s knowledge or consent, whenever the user visited a website that contained DoubleClick Ad content. It is alleged that this enabled Google to ascertain the date and time users spent on any given website; what pages were visited and for how long; and which adverts were viewed. Sometimes Google was also able to collect data on the approximate geographical location of the user. This data is referred to as “browser generated information” (BGI).
Google aggregated this data into audience segments and labelled them, e.g. “football lovers”. Google’s DoubleClick service then offered these audience segments to subscribing advertisers, allowing them to choose the type of people to whom they wanted to direct their advertisements.
Damages for non-pecuniary loss and distress
Reversing the decision of Warby J at first instance, the Court of Appeal held that damages are, in principle, capable of being awarded for loss of control of data under the DPA, without proving pecuniary loss or distress. In doing so it relied on:
- Gulati v MGN Ltd [2] - a claim based on the tort of misuse of private information, in which damages were awarded without proof of pecuniary loss or distress; and
- the fundamental right to data protection contained in Article 8 of the Charter of Fundamental Rights of the European Union 2012/C 326/02, reinforced by article 47 of the European Union (EU) Data Protection Directive (95/46/EC).
The High Court held that members of Lloyd’s representative class did not share the “same interest” (required by CPR 19.6(1)) because the nature and extent of the breach and the impact it had on individual class members would have varied greatly depending on their personal circumstances; and some may not have suffered any damage at all.
In contrast, the Court of Appeal held that the members of Lloyd’s represented class had all had their BGI (something of value) taken without their consent, in the same circumstances and in the same period. They were, therefore, all victims of the same alleged wrong and had all sustained the same loss (loss of control over their BGI). The court also considered it was “impossible to imagine that Google could raise any defence to one represented claimant that did not apply to all others”.
CPR 19.6(2) allows the court, exercising its discretion, to direct that a person may not act as a representative. At first instance, Warby J exercised this discretion. In doing so, he had regard to the overriding objective and, in particular: the significant costs and court time that would be involved as compared to the modest compensation likely to be recoverable; the fact that in the five or six years since the Safari Workaround was first publicised almost none of the millions of people in the class had come forward to complain or to bring a claim; and the difficulties of identifying the individuals within the class.
The Court of Appeal considered it was appropriate for it to exercise this discretion afresh and concluded that this case “quite properly, if the allegations are proved, seeks to call Google to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit. It is not disproportionate to pursue such litigation in circumstances where, as was common ground, there will, if the judge were upheld, be no other remedy. The case may be costly and may use valuable court resources, but it will ensure that there is a civil compensatory remedy for what appear, at first sight, to be clear, repeated and widespread breaches of Google’s data processing obligations”.
What does all this mean?
English law still has a long way to go to match US-style “opt-out” class actions, but this decision is a significant milestone. English civil procedure rules have acted as an effective barrier to group litigation to date, requiring claimant lawyers and funders to build a specific group of claimants with the same interest. This can be extremely costly and time-consuming, deterring all but the most determined and well-funded.
Having to prove specific damage for each individual in a class has also acted as a very effective deterrent to group litigation. This decision, which allows damages to be awarded without proving pecuniary loss or distress, removes another barrier to class actions. That said, another key question remains open: what the quantum of damage should be in this scenario. Similarly, decisions assessing damages in data protection claims for distress are few and far between, so some uncertainty remains for claimant lawyers and their backers.
What is abundantly clear is that Lloyd’s substantive claim (which can now progress) has the potential to significantly increase exposure for organisations following a data breach or other breach of the European GDPR.
1 Lloyd v Google LLC  EWCA Civ 1599
2  EWHC 1482 (Ch) (Mann J)