What's the issue?
Mr Lloyd had brought a representative action (a US–style class action) under CPR19, against Google. The claim related to Google's 'DoubleClick' cookie, used as a workaround for the block on third party cookies on Safari. Using the cookie allowed Google to collect browser generated information (BGI) from iPhone users without their knowledge or consent between 9 August 2011 and 15 February 2012, in breach of s4(4) Data Protection Act 1998.
Mr Lloyd is seeking the same amount of damages per class member. The intention is to secure the compensation and then invite claimants to come forward and demonstrate their entitlement to a portion of the damages.
In October 2018, Warby J, in the High Court, turned down Mr Lloyd's application to serve outside the jurisdiction, holding:
- There had to be proof of pecuniary loss or distress in order to recover damages under the DPA98. It was not sufficient to show there had been a loss of control over the personal data.
- The members of the class action (which is being brought on an 'opt-out' basis) could not be shown to have the same interests and were not identifiable so it could not be determined who did and did not fall within the class of claimants.
- The Court should exercise its discretion to determine the action should not proceed.
What's the development?
The Court of Appeal has overturned the High Court's decision and found that the Claimant, Mr Lloyd, can serve proceedings outside the jurisdiction in the US against Google, effectively giving the go-ahead to the action.
The Court of Appeal disagreed with the High Court on every count. It held that:
- There is no need to prove pecuniary loss or distress in order get compensation under the DPA98. What constitutes "damage" must be given an EU law meaning rather than a purely domestic one. Loss of control or loss of autonomy over personal data attracts a right to compensation (subject to de minimis considerations). This is because, under EU law, personal data is protected. It is also clear that BGI has an economic value (in this case, Google was able to sell it to advertisers). In addition, while not directly relevant given the claim is under the DPA98 not the GDPR, Recital 85 of the GDPR directly cites loss of control over personal data as a type of damage which might be suffered as a result of a data breach.
- Due to the different way it had interpreted "damage" in this case, the High Court had also wrongly applied the 'same interest' test in an unduly stringent way. The members of the class Mr Lloyd is seeking to represent do have the same interest – they all had BGI taken without their consent in the same circumstances and during the same period. They had, consequently, all been victims of the same breach; the wrong is the same and the loss claimed is the same. Moreover, they are identifiable. The Court of Appeal said: "it must be possible to say of any particular person whether or not they qualify for membership of the represented class of persons by virtue of having [the same interest as Mr Lloyd] at all stages of the proceedings and not just at the date of judgment". This makes it fairly easy to identify a sufficiently large cohort of claimants.
- The High Court had exercised its discretion as to whether the action should proceed as a representative action on the wrong basis and the Court of Appeal could exercise it to allow the action to proceed.
What does this mean for you?
The Claimant did not claim that the data protection breach had caused either financial loss or distress (thereby distinguishing it from Vidal-Hall). The contention was that the damage was caused by the data subjects' loss of control over their data. This approach has now been supported by the Court of Appeal in terms of breaches of both the DPA98 and the GDPR.
Does this open the floodgates to data breach class actions? That remains to be seen but it is clear that representative actions can be used in these situations to secure a compensation pot for an indeterminate number of affected individuals.
For businesses facing these sorts of claims, the amount of damages an individual might secure for loss of control of data may be small, but they can mount up very quickly. It is suggested this action, if successful, could cost Google as much as £3bn.