The Supreme Court has recently granted Google permission to appeal the Court of Appeal’s decision in the case of Lloyd v Google LLC ([2019]) EWCA Civ 1599). The class action brought against Google by Richard Lloyd, the former editor of consumer protection rights group “Which?”, relates to the alleged tracking of personal data by Google of 4.4 million iPhone users and subsequent selling of the users’ data to advertisers, without the users’ knowledge and consent. Google is now appealing the Court of Appeal’s decision granting Mr Lloyd permission to serve his representative action on Google. This landmark case is of particular importance as it has the potential to significantly widen the scope for claims to be brought in respect of a failure to protect data under the GDPR.

Court of Appeal’s decision

Last October, the Court of Appeal ruled that Richard Lloyd could represent 4.4 million iPhone users in a lawsuit alleging that between 2011 and 2012 Google had used its “DoubleClick cookie” technology to track the internet activity of its iPhone users and then collate, use and sell the data to advertisers, in breach of the former Data Protection Act, 1998 (“DPA”). It is alleged that this enabled Google to ascertain the date and time users spent on any given website, what pages were visited and for how long, and which adverts were viewed. Google aggregated this “browser generated information” (“BGI”) into audience segments and offered these audience segments to subscribing advertisers.

The issue has already been the subject of litigation in the English courts in the matter of Vidal-Hall v Google in 2015 and regulatory action in the U.S., including Google’s settlement payment of $22.5m to the U.S. Federal Trade Commission. In contrast to the decision in Vidal-Hall, however, Mr Lloyd did not allege any financial loss or distress as a result of the alleged infringement. Instead, he argued that damages should be awarded for the infringement of the claimants’ data protection rights leading to the loss of control of personal data.

Three grounds of appeal

There are three main grounds considered by the Court of Appeal which are the subject of the appeal to the Supreme Court.

  1. Whether a non-trivial infringement of the DPA which does not cause any material damage or distress can amount to “uniform per capita” damages being awarded for “loss of control” of personal data.

The Court of Appeal considered what is meant by “damage” under section 13 of the DPA and held that damages should be available even without material damage or pecuniary loss as “control over data is an asset that has value.” The Court explained that “[a] person’s BGI has economic value: for example, it can be sold [to advertisers] … That confirms that such data, and its consent to its use, has economic value”. The Court therefore concluded that, since the claimants’ control over their data has value, any loss of control over that data must also have value. Furthermore, the Court relied on Gulati v MGN Ltd (a 2015 phone-hacking case brought on the basis of the tort of misuse of private information) in which damages were awarded as compensation for the loss of control of private information, without proof of pecuniary loss or distress.

In addition, the Court of Appeal emphasised the need to set in place a “threshold of seriousness” when determining the extent of the “damages” and explained that this threshold would “undoubtedly exclude, for example, a claim for damages for an accidental one-off data breach that was quickly remedied.”

  1. Whether it is required that the members of a class can be identified in order to demonstrate the “same interest” when pursuing a representative class action, under Civil Procedure Rule (“CPR”) 19.6(1).

According to the Court of Appeal, as damages were claimed on a per capita basis, all claimants had suffered the same loss (i.e., the loss of control over their data) and, therefore, shared the “same interest” and were identifiable.

  1. Whether the High Court judge was correct to exercise his discretion in ruling that the claim should not be permitted to proceed under CPR 19.6 as a representative action.

CPR 19.6(2) allows the court, exercising its discretion, to direct that a person may not act as a representative. The Court of Appeal considered it was appropriate for it to exercise this “discretion afresh” and concluded that this case “quite properly, if the allegations are proved, seeks to call Google to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit.” Thus, the Court exercised its own discretion to allow the case to proceed and, in doing do, determined that the class members were identifiable and did not need individually to authorise a representative claim.

This case is of significant importance for data protection law and practice for two main reasons: first, the Court of Appeal accepted that damages may be awarded for a loss of control of financially valuable data even without any material damage, personal distress or actual pecuniary loss. This has potentially opened the floodgates for further data privacy damages claims in the English Courts. Second, the Court of Appeal accepted that a representative action may be an appropriate means by which a large number of alleged victims of data misuse can seek redress.

The appeal is not expected to be heard by the Supreme Court until late 2020 or early 2021. Given the potential implications for US-style “opt-out” class actions in data protection, the appeal will no doubt be closely followed by many.

You can read the full Court of Appeal judgment of Lloyd v Google LLC here.