On 28 and 29 April 2021, the UK Supreme Court heard the much-anticipated appeal by Google LLC (Google) against the Court of Appeal’s judgment of 2 October 2019. The case is a landmark in the evolution of UK class actions for data protection matters, so final judgment (which is expected in Autumn 2021) is much anticipated.
This article highlights the key issues heard before the Supreme Court and the intervention of the Information Commissioner’s Office (ICO) and gives an insight into the developing legal position.
Richard Lloyd, a consumer rights activist and the former director of Which? magazine, alleges that Google breached the core data protection principles with respect to the data that it processed in relation to more than four million Apple iPhone users over a period between April 2011 and February 2012. He seeks damages from Google on behalf of those four million individuals. DLA Piper’s report on the Court of Appeal’s judgment and further background on the case can be found here.
Three key questions for the Supreme Court
The three issues for determination by the Supreme Court were:
- Are damages recoverable for loss of control of data under section 13 of the Data Protection Act 1998 (DPA98), even if there is no pecuniary loss or distress?
- Do the four million individuals share the “same interest”, which is a requirement for a representative action to proceed in England and Wales?
- If the “same interest” test is satisfied, should the Court exercise its discretion and disallow the representative action proceeding in any event?
The Supreme Court Hearing
Issue 1 – Damages
It was common ground in this case that, if the court decides the infringement of the DPA98 was trivial or “de minimis” it would be entitled to refuse to make any award for what has been termed "loss of control damages".
Counsel for Lloyd argued that the seriousness of the breach itself is a relevant consideration in determining whether that threshold has been crossed. Counsel for Google argued that the threshold ought to relate to the damage caused by the breach and therefore the seriousness of the breach and/or the consequences are irrelevant.
Whilst the Court of Appeal held that damages are, in principle, capable of being awarded for loss of control of data under the DPA98 without proving pecuniary loss or distress, the Supreme Court explored the concept of harm. They drew an analogy with a tort that is actionable per se, giving the example of a battery which might result from the mere touching of a person’s arm, for which an individual might only expect to recover nominal damages. Lord Leggett, one of the six judges hearing the matter in the Supreme Court, stated that applying the same principle to data protection would mean there will be cases where a breach of the data protection laws would result in only nominal damages being appropriate to recover. A hypothetical figure of GBP5 was given by way of example.
As there is currently limited judicial guidance on the level of damages in cases of minor data protection breaches (i.e. where there is no serious harm to the individual), any commentary within the judgment on this issue will be welcome for organisations facing an increasing number of these types of claims.
Issue 2 – the same interest in a representative action
The Court of Appeal reversed the High Court’s decision in determining the four million iPhone users had the same interest as it considered that too stringent a view had been taken as to the concept of “damage”.
In the Supreme Court, it was accepted that if uniform damages cannot be awarded in this case, the representative action cannot proceed. It was in this context that the Court explored the notion of the over-zealous iPhone user , whose harvested data would have an intrinsically higher value, than the user of an iPhone who purchased their phone one day before the workaround was stopped and only visited one website to check the weather. Google would have obtained a much richer data-set relating to the former individual compared to the latter.
Google sought to draw this distinction in highlighting the impact of the breach on the claimants in the four million user-class would vary considerably and therefore it cannot be said that they all would have had the same interest and therefore that a representative action is not appropriate.
Conversely, counsel for Lloyd argue that every member of the class has the same interest because the whole class had suffered the same wrong. Notwithstanding this, it was accepted by Counsel for Lloyd that “what we are dealing with here are mass consumer claims for very small amounts of money”. This may prove pivotal in the Supreme Court’s decision on the third issue; discretion.
Issue 3 – Discretion
The final hurdle Lloyd must overcome if his representative action proceeds is the Court’s discretion to allow such a claim to continue. The Court of Appeal, reversing the decision of the High Court, had exercised its discretion and allowed the claim to proceed.
Counsel for Lloyd raised the issue of the impracticality of any claim being brought against Google if the representative action was not allowed to proceed. It was highlighted that, whilst it was open to Lloyd and others to bring individual claims, or bring a claim via a Group Litigation Order (GLO) (and no objection could be made to that), it was contended that neither of those options was viable.
Counsel for Google argued that an individual claim or a GLO being impractical should not mean that the Court should automatically permit a representative action to proceed. It was stated that a lacuna in potential access to justice is a matter for the legislature to remedy through legislation and it is not for the Courts to go further than the legislature intended.
The Supreme Court’s main concern on the issue of discretion appeared to focus on the fact that none of the four million individuals, aside from Lloyd, had authorised the representative action and significant expense. It was evident that the Court was troubled by the notion of a significant proportion of any damages that might ultimately be awarded being paid firstly to lawyers and litigation funders, who would then have to use some of the money to identify and engage with the members of the group, leaving a significantly reduced pot of damages for the ultimate user who had their data protection rights infringed.
The ICO’s Intervention
The ICO’s submissions emphasised its view that the right to control personal data is a right that has its own intrinsic value. It was stated that data privacy rights are central to other fundamental rights and robust data protection laws are necessary to guarantee the right to freedom of thought, assembly and life. Incidences of loss of control of data undermine the principles of fairness and transparency at the heart of data protection law. Considered in its wider context, a loss of control causes harm in itself – to the subject and society at large, whether or not an individual suffers distress.
In this context, the ICO’s submissions were that a loss of control of personal data is a distinct harm and is a form of damage in itself. However, a loss needs to be of a certain seriousness to justify compensation and, in some cases, that may be met – not every breach of legislation gives rise to compensation. That view may be welcomed by organisations facing a wave of “loss of control” claims.
Whether Google succeeds in overturning the Court of Appeal’s decision or not, the judgment of the Supreme Court will become the leading authority on damages for breaches of data protection law of any size and scope, and on the ability for representative actions to proceed in England and Wales. The consequences of the decision are likely to have significant implications for organisations and data subjects alike. A report on the Judgment and its implications will be posted by DLA Piper on the day of its release.