On 2 October 2019, the Court of Appeal ruled that a claim brought on behalf of over 4 million iPhone users in relation to the alleged misuse of their personal data without their consent, can go ahead.

Background

Between 2011 and 2012, Google are alleged to have been able to bypass a block on Apple's Safari browser, which prevented third parties from monitoring users' online activity. Google allegedly collected users' browser generated information which included what websites had been visited and from which a variety of personal details could be deduced. This information was then sold on to third parties to use for targeted advertising.

In 2017, former Which? Director, Richard Lloyd, issued a representative claim against Google regarding this "Safari Workaround". Mr Lloyd was seeking a uniform payment for each user as a result of the alleged unlawful extraction of their data. The total value of the claim has been stated to be £1bn - £3bn.

High Court

In 2018 the High Court refused to allow the claim to proceed on the basis that the users:

  • were claiming a breach of data protection law but were not claiming financial loss or distress and so there was no damage; and
  • did not each have the same interest in the claim to allow a representative action to be brought on their behalf.

In addition, the judge exercised his discretion not to allow a representative claim to proceed taking into account the scale of the litigation in the Court system, the anticipated legal costs and ATE premiums and the benefit to each potential data subject which was likely to be "modest at best".

Court of Appeal

However on 2 October 2019 the Court of Appeal reversed the High Court's decision entirely. The Court of Appeal held that:

  • Damages can be recovered for the loss of control of personal data without there being any financial loss or other distress.

In particular, the Court decided that "a person's control over data or over their [browser history] does have a value, so that the loss of that control must also have a value". The Court noted Google's ability to sell the users' browser history onto advertisers when considering the economic value of the personal data.

  • The claim was suitable for the representative action regime in the Civil Procedure Rules.

The class of claimant users had all suffered the same alleged wrong and the same loss as the claim did not seek damages based on any individual circumstances but instead a level payment per data subject. Therefore the class of claimants did all have the same interest in the proceedings.

Finally, the Court of Appeal felt that there was no injustice in allowing the claim to proceed as a representative action primarily because individual claims would not be viable and so the breach of duty alleged could go unremedied.

What's next?

The spectre of mass claims by the victims of data breaches has long haunted data controllers, processors and their insurers. This decision is significant and is likely to be seen as a green light to mass claims by claimants (and their lawyers).

While it was clear that damages for distress could be claimed without pecuniary loss, it was not clear whether infringement of data protection rights alone could trigger an award for damages. The Court of Appeal has confirmed that it can even, when there has been no financial loss and no distress caused to data subjects.

However this does not mean that every infraction of data protection law will generate a claim. The Court of Appeal still viewed any damages as compensatory because something of value to the data subject had been lost, in this case the loss of control of personal data. The Court stressed that damages were not just to punish an infraction. It is notable that in this case, and the authorities relied on by the Court, personal data was deliberately exploited for gain.

In addition, the Court of Appeal acknowledged that trivial data breaches will not found a claim for damages, as a de minimis threshold must be met. This threshold is not however defined in the decision.

The fact that the Court accepted that over 4 million iPhone users were part of the same class for the purposes of a representative action will be significant for many large data holders. The Court of Appeal's decision means that a US-style class action is feasible in data breach cases.

However this is likely to level down the damages award to a standard figure per data subject and will not allow individual circumstances such as real financial loss or acute distress to be claimed.

The Court was not concerned with quantification of damages but interestingly suggested that the "user fee" basis might be applied which is mainly used in intellectual property infringement claims.

Data controllers and processors need to be aware of their obligations under data protection legislation, and be more careful than ever in their treatment and management of personal data. Press reports have suggested that Google is planning to appeal further.

Data holders and their insurers should expect claimants to apply more pressure for more compensation for settlement of data related claims on the back of this decision. While the decision is definitely better for claimants than the first instance judgment, defendants should not panic and should seek advice on how best to resist that pressure.