Paving the way for data breach group actions
Group actions are now considered to be one of the main risks associated with a data breach; the volume of potential claimants can mean that the totality of damages claimed could be significant. A recent case has reinforced the validity of group actions relating to the unlawful processing of personal data where there is no physical damage or distress suffered.
On 2 October 2019, the Court of Appeal's decision in Lloyd v Google LLC  EWCA Civ 1599 not only allows an opt-out style representative action to proceed, but has the potential to considerably increase an organisation's accountability for privacy breaches. A key feature of this case is that, at the time, those affected did not know that their data had been processed in this way.
Reversing the High Court's decision to dismiss the claim, described by Warby J as "officious litigation", the Court of Appeal unanimously held that:-
- Even where there is no pecuniary loss or distress, damages are in principle capable of being awarded for loss of control of personal data;
- The members of the represented class all had the same interest; and
- The High Court should have exercised its discretion to allow this claim to proceed.
Richard Lloyd (a consumer rights champion) has brought a representative action against Google on behalf of more than four million Apple iPhone users in England and Wales allegedly affected by the Safari Workaround between 9 April 2011 and 15 February 2012.
The Safari Workaround enabled Google to collect personal data, without the knowledge or consent of the individual, by bypassing the default privacy settings on Safari and placing tracking cookies linked to its vast advertisement network. By doing so, Google could tell the date and time of any visit to a website, which pages were visited, and what advertisements were viewed and how long the person spent on each. Further, Google was also able to approximate an individual's geographical location and over time, it is alleged, could deduce for example a person's race or ethnicity, age, sexuality and financial position.
Google aggregated the personal data into similar audiences, such as football lovers and current affairs enthusiasts, and offered these audiences to subscribing advertisers. This allowed the subscribing advertisers to select the type of people they wanted to direct their advertisements to.
Reducing the cost and complexity of the claim, Lloyd seeks uniform damages without the need to prove damage for each individual who is a member of the representative class. The opt-out style of representative class means that the claim is made on behalf everyone who is a member of a particular class of claimant rather than requiring individuals to become a party to the litigation.
Permission for service outside the jurisdiction
Lloyd, however, first required permission to serve the claim on Google outside the jurisdiction in the United States. Permission was refused by the High Court, finding that the claim did not disclose a basis upon which the members of the represented class could seek compensation and the members did not have the same interest. Warby J went further using judicial discretion to decline to permit the representative action to proceed.
Damages without proving pecuniary loss or distress
Reversing the decision of the High Court, the Court of Appeal held that damages are in principle capable of being awarded for the loss of control of personal data, despite there being no pecuniary loss or distress under the Data Protection Act 1998. The very fact that Google could offer the collated personal data to third parties meant that the personal data clearly had economic value. The loss of control over that personal data must therefore equally have value: something was taken for nothing, for which the owner was entitled to require payment. The decision emphasises the need to provide an effective remedy where an individual's rights have been infringed, otherwise such breaches would go unremedied.
The same interest
The Court of Appeal dismissed the finding by the High Court that the nature and extent of the breach meant that the individual members of the representative did not share the same interest. The High Court reasoned that the impact on each individual would vary depending on their personal circumstances. In his judgment, Sir Geoffrey Vos C described the use of the representative procedure to bring an opt-out class action as both "unusual and innovative". The members of the represented class all had their personal data taken without their consent, in the same circumstances, in the same period and are therefore all victims of the same alleged wrong, sustaining the same loss of control over their personal data. The members of the representative class have the same interest and are identifiable.
It was also considered that "it is impossible to imagine that Google could raise any defence to one represented claimant that did not apply to all others."
The Court of Appeal allowed the claim to continue as a representative action, and exercised its discretion afresh. It was concluded that this claim, if the allegations are proved, "seeks to call Google to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit." It was noted that it is not disproportionate to pursue litigation in circumstances where there would, if the judge were upheld, be no other remedy. Notwithstanding the high costs and use of court resources, the Court of Appeal concluded that the representative claim "will ensure that there is a civil compensatory remedy for what appear, at first sight, to be clear, repeated and widespread breaches of Google's data processing obligations".
The decision of the Court of Appeal is significant and perhaps surprising. The Civil Procedural Rules had successfully acted as a barrier to representative litigation, requiring that all members of the class have proven specific damage and the same interest. The Court of Appeal has, however, recognised that an opt-out representative action may be an appropriate vehicle to enable a large number of alleged victims of data misuse to seek redress. The decision accepts that compensation can be awarded for breaches of data protection legislation, which leads to a loss of control of personal data, without proof of any material damage or distress. The loss of control of personal data is common to all persons within the representative class.
The question that remains, however, is what the quantum of damage should be in this claim. But the overarching message is that organisations must be prepared for at least the threat of third party claims in the event of a data breach or incident. Please contact the team if you would like to discuss this judgment or any associated issues.