This month Britain’s Civil Procedure Rule (CPR) Committee and the judiciary launched a quiet revolution for data privacy litigation. They introduced three measures in the first week of October that could lead to a significant increase in data privacy litigation in the UK.
Designated specialist list of the High Court
The first measure was to streamline, specialise, and categorise data privacy litigation in the English High Court.
Before 1 October it was possible to issue misuse of private information and data protection claims in a variety of lists and divisions of the High Court, which meant that a number of judges got to turn their hands to this type of litigation. Cases often appeared, for instance, in the Business List of the Chancery Division.
The CPR Committee, an advisory non-departmental public body sponsored by the Ministry of Justice, amended the The Civil Procedure (Amendment No. 3) Rules 2019 from 1 October however. Now a High Court claim must by law be issued in the Media and Communications List of the Queen’s Bench Division (QBD) of the High Court if it is or includes a claim in data protection law or for misuse of private information.
The significance of this should not be understated. Data privacy claims can relate to matters such as automated facial recognition, digital surveillance, tracking, hacking, cookies, opt-ins, opt-outs, machine learning, artificial intelligence, metadata, the internet of things, digital marketing, augmented reality, virtual reality, digital fabrication, smartphones, coding, blockchain, electronic communications, and automation. It is important for the High Court to understand clearly how these radical, quick-paced technologies work, and to be able to interpret evidence confidently to discern whether they are being used by the private and public sectors in a lawful fashion.
Data privacy law itself is also rapidly changing to keep pace with technological advancements. For instance, the still developing cause of action of misuse of private information only mutated out of breach of confidence cases about 15 years ago, the General Data Protection Regulation was introduced last year, as was the UK’s revised Data Protection Act, and last month the European Council published its recommended amendments to the Proposal for a Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications (the Draft ePrivacy Regulation).
The funnelling and concentration of data privacy claims in the Media and Communications List (a list that in itself is designed to deal with evolving societal and technological changes) signals that the English courts intend to apply the most appropriate expert minds within the judiciary to these highly technical cases.
On 2 October the Court of Appeal reversed a High Court judgment and handed down a decision allowing a representative data protection claim against Google to proceed in the Media and Communications Court in London. Google’s estimate of the potential liability, if some of the claimant’s per capita figures for damages are accepted, is between £1bn and £3bn. A case of this nature has never been seen before in the UK.
Contrary to what the High Court had decided, the Court of Appeal permitted an individual called Richard Lloyd to bring this representative action against Google, which is based in the USA. Mr Lloyd makes the claim on behalf of a class of more than four million Apple iPhone users. The allegation against Google is that it secretly tracked some of these people’s internet activity, for commercial purposes, between 9 August 2011 and 15 February 2012.
Unlike in the US, class actions are rare in the UK. Now the English Court of Appeal is trying to push through a class action system to protect people’s data privacy rights. The Court of Appeal clearly does not intend this use of the representative action system to be a one off. Its judgment in the Lloyd case said: “It seems to me that allowing a representative action in a case of this kind is not so much an exception to the rule… but rather an application of the rule.”
If, and it is a big “if”, Google fails to appeal this decision successfully in the Supreme Court of the UK, the Lloyd judgment is likely to open the door to class actions in England against corporates that breach data privacy law, including those where a defendant is based outside of this jurisdiction.
The scope of the market for these types of claims would seem to be immense, bearing in mind the regularity and volume of data privacy breaches by large and profitable organisations. When scrolling through the news, it seems as if data breaches now happen within days of each other, with many companies paying large fines that are a fraction of their turnover or market capitalisation. Being hit by regulatory fines and huge civil litigation compensation awards would form a double whammy. This could cause some financial shocks in the corporate world, particularly for some companies where people’s data and private information are their main assets – think of some large technology, media, and communications corporates.
A raft of data privacy representative actions would also almost certainly be a game-changer in terms of the percentage of total litigation in the QBD of the English High Court that is dealt with by the specialist Media and Communications Court. Defamation claims, which are also dealt with by the Media and Communications Court, last year already made up six percent of all QBD claims.
If this month’s Court of Appeal decision is followed, data privacy representative actions should also be fairly straightforward for claimant litigators to establish, because:
1.Only one claimant is required to bring a claim on behalf of a large number of people. There is no need at the outset to take instructions from the other potential claimants who have the same interest as the representative claimant. Put broadly, Rule 19.6 of the CPR provides for people to be represented in civil proceedings by another legal person.
2. The Court of Appeal ruled in the Lloyd case that a data privacy claim for compensation can be brought without having to prove pecuniary loss or distress. Each member of the represented class of people would be entitled to recover damages for the loss of control of their data.
Mr Hugh Tomlinson QC, leading counsel for Mr Lloyd, relied on an analogy with the decisions of the High Court and the Court of Appeal in the misuse of private information phone hacking case of Gulati and others v MGN Limited to argue that, if damages are available without proof of pecuniary loss or distress for the tort of misuse of private information, they should also be available for a non-trivial infringement of UK data protection laws.
The Court of Appeal in Lloyd agreed with Mr Tomlinson’s analogy and said: “Since the torts of [misuse of private information] and breach of the [Data Protection Act] are undoubtedly similar domestic actions, it would be prima facie inappropriate for the court to apply differing approaches to the meaning of damage.”
The Court of Appeal added in Lloyd: “On the case pleaded, every member of the represented class has had their data deliberately and unlawfully misused, for Google’s commercial purposes, without their consent and in violation of their established right to privacy.”
As to how much damages would be for each member of the class in Lloyd, the Court of Appeal said: “It will take into account, at least, the facts of the tort proved against Google generically, and the effect, in terms of loss of control of personal data, that the breaches would have on any person affected by Google’s unlawful actions.”
The Lloyd case relates to factual events pre-dating the introduction of the General Data Protection Regulation and the Data Protection Act in 2018. As such, the Court of Appeal made its decision on damages under the older, less strict, previous data privacy legal regime in the UK. Nevertheless, a reading of the judgment makes plain that the Lloyd decision is intended to set a precedent for the current data protection regime also when damages are considered. The decision refers expressly to the GDPR and the Data Protection Act 2018 in a section entitled “Other factors”.
3. The Court of Appeal’s judgment said that the class that Mr Lloyd seeks to represent had the same interest as one another and were “identifiable”, even though they had not yet been identified.
Despite this, the Court of Appeal said in its judgment: “… the only applicable test is that ‘it must be possible to say of any particular person whether or not they qualify for membership of the represented class of persons by virtue of having’ the same interest as Mr Lloyd ‘[a]t all stages of the proceedings, and not just at the date of judgment’. I cannot see why that test is not satisfied here. Every affected person will, in theory, know whether he satisfies the conditions that Mr Lloyd has specified.
“Also, the data in possession of Google will be able to identify who is, and who is not, in the class. Both exercises can be undertaken at any time. It is true that some persons’ memories may be at fault, and that there could, in theory, be abuse, but those factors are practical ones, not ones that affect the formal ability to identify the class. It has repeatedly been said that the number of claimants cannot itself affect the ability to use the representative procedure.”
Group Litigation Orders
Before the ink was dry on the Court of Appeal judgment in the Lloyd case, the High Court followed with a hard-hitting data privacy decision of its own.
On 4 October 2019 it granted a group litigation order (GLO) in a data privacy case against British Airways. Last year, the personal data of half a million people was, it is claimed, left exposed when there was a cyber-attack on British Airways’ systems.
The Information Commissioner’s Office said in July 2019 that it intended to impose a record fine of more than £183m on BA for the cyber incident.
Litigation lawyers are now representing various claimants in the High Court civil case, who are seeking compensation.
GLOs are a very different beast from representative actions. A GLO is a mechanism the court uses to manage multi-party claims that are linked by common or related issues of fact or law in a coordinated way to expedite the claims by issuing binding judgments on common issues.
The GLO procedure has not been widely used in data privacy actions, but it has been applied before, most notably in a case on behalf of 1,200 blacklisted construction workers that settled earlier this year for a total of £35m in compensation. It is important to note also that in that GLO case the claimants did not solely sue for breach of data protection but also misuse of private information, defamation, and breach of confidence. If the claims had been issued now, they would have been issued in the Media and Communications Court.
An October revolution has taken place with regard to how the English High Court is to deal with large-scale, complex or high value data privacy breaches. In summary, the new position is:
- All such cases must be issued and put before specialist judges in the High Court’s Media and Communications List,
- If the Court of Appeal’s decision in Lloyd is not overturned by the Supreme Court, a new class action regime has effectively been launched in the UK for data privacy claims, and
- Where there are a number of claimants but class actions are not appropriate, the courts look increasingly willing to process data privacy claims as group actions.
With the above three developments this month in mind, a significant increase in data privacy litigation looks likely in the near future. This is something for all companies to consider, but particularly in the media (including social media), technology, and advertising space, where personal data and private information are key components of their businesses. Potential fines from regulators may have risen massively since the introduction of the GDPR last year, but these could soon be less worrisome to corporates than civil compensation claims when they start coming down the pipeline in ever greater volumes.