In its recent judgment in Lloyd v Google, the Court of Appeal has allowed an “opt-out” class action claim to proceed that relates to an alleged data protection infringement affecting 4.4 million iPhone users. By determining that damages can be awarded for a loss of control of data (even in the absence of financial loss or distress), the Court of Appeal has potentially opened the floodgates for further data privacy damages claims in the English courts.
Richard Lloyd’s class action
Richard Lloyd, a former editor of “Which” and current board member of the Financial Conduct Authority, alleges that Google breached data privacy legislation by its collection, collation and sale to advertisers of iPhone users’ internet browsing data without consent. The issue has already been the subject of litigation in the English courts (Vidal-Hall v Google in 2015) and regulatory action in the US (including Google’s 2012 payment of $22.5m to settle charges brought by the US Federal Trade Commission). Lloyd claimed damages representing an equal “tariff” of £750 per person whose data privacy rights had allegedly been infringed.
Given that the alleged infringement took place in 2011 and 2012, Lloyd’s claim was brought under the Data Protection Act 1998 (the predecessor to the GDPR and the DPA 2018). Lloyd argued that Google had infringed a number of the data protection principles in the DPA 1998 and was therefore required to compensate the claimants. By contrast with Vidal-Hall, however, Lloyd was not arguing that the claimants had suffered financial loss or distress as a result of the alleged infringement. Instead, he argued that damages should be awarded for the mere infringement of the claimants’ data protection rights and for their loss of control over their data.
The Court of Appeal’s decision
The Court of Appeal’s unanimous judgment in favour of Lloyd, overturning the decision of Warby J in the High Court, was given by Sir Geoffrey Vos. The Court of Appeal considered that data is an asset that has economic value; it can, for example, be sold to advertisers. The Court therefore concluded that, since the claimants’ control over their data has value, any loss of control over that data must also have value. Furthermore, Gulati v MGN (a 2015 phone-hacking case brought on the basis of the tort of misuse of private information) had established that damages could be awarded as compensation for the loss of control of private information. The Court of Appeal concluded that, since the tort of misuse of private information and the provisions of the DPA 1998 that Lloyd relied on were both derived from the same core right to privacy, damages could be awarded to compensate a claimant for a loss of control of both private information and personal data. This was even the case if no financial loss or distress had been alleged.
“Loss of control” – A lower threshold for claimants and an increased risk for firms
Unless overturned by the Supreme Court (Google has already indicated that it will appeal), the Court of Appeal’s finding that damages can be obtained for a mere loss of control of personal data is likely to have important ramifications. The decision significantly lowers the threshold for claimants in data privacy cases and, combined with the increasing popularity of class actions and litigation funders’ growing willingness to fund them, increases the risk that firms will face damages claims relating to data privacy infringements in the English courts.
Whilst the infringements under scrutiny in Lloyd were not related to a cyber security incident, the argument that compensation should be awarded for a loss of control of customers’ data (without needing to prove loss or distress) is particularly concerning to firms that handle large amounts of customer data. The risks are arguably amplified in certain sectors. For example, in the regulated financial services sector the risk is increased by financial regulators’ continued focus on cyber security and operational resilience and the recent high-profile data breaches at a number of banks and insurers. For example, 2 million people are said to have been affected by the IT issues at TSB Bank in 2018 that resulted in customers being given access to other customers’ data.
Lloyd was decided under the DPA 1998 so does not directly apply to data privacy cases brought under the GDPR, which has had effect since May 2018. However, it is arguable that “loss of control” cases are even more likely to be brought under the GDPR. As the Court of Appeal noted in Lloyd, the GDPR supports the idea that a victim of a data privacy infringement should be entitled to claim for “loss of control over…personal data”, although arguably the reference relied on by the Court of Appeal is narrower than has been applied in this case.
The role of regulators and private law actions
Lloyd also raises some interesting questions about the respective roles of the regulators and the courts in sanctioning firms for regulatory breaches and compensating customers for losses connected to those breaches.
Censuring and sanctioning firms has traditionally been seen as the responsibility of regulators. While they may take customer detriment into account (in their calculation of any financial penalty, for example), regulators are able to initiate enforcement action where there has been no such customer detriment. They might do so because it is in the public interest to send a signal to other firms about the consequences of a particular regulatory breach.
By contrast, the long-established principle in English law is that private law actions for damages are essentially compensatory; they compensate claimants for the loss caused by the breach of contract or the tort by putting them in the position they would have been in had the breach and resulting loss not occurred.
In Lloyd, Warby J in the High Court demonstrated that he was aware of this distinction when he stated that “[c]ensure is the role of the regulator…there have been regulatory responses to the breaches, which have resulted in consequences for Google. If those responses are perceived to be inadequate, I do not believe the remedy is to fashion a means of imposing a further penalty by bringing a class action for compensation, based on an artificial notion of damage”.
However, by determining that damages are capable of being awarded in a data privacy case even where there is no financial loss or distress (and in many cases no consequences of which the claimants were actually aware), the Court of Appeal risks eliding the roles of the regulators (which censure and sanction firms in the public interest in furtherance of their statutory objectives) and the courts (which consider private law actions only in the context of the particular case being heard).
Availability of “user damages” or “negotiating damages” in data privacy cases
Lloyd is also significant because it shows the English courts grappling with a relatively novel basis for awarding damages in a data privacy context. One of the arguments advanced by Lloyd was that the principle of “user damages” (also called “negotiating damages”) should apply. Such damages can be obtained where A has wrongfully used B’s property without causing B financial loss; B would be awarded damages representing what a reasonable person would have paid for the right of use.
Although the High Court dismissed this argument, the Court of Appeal was more supportive of this approach, referring to the Supreme Court’s decision last year in One-Step v Morris-Garner (which did not concern an alleged data privacy infringement) and concluding that damages in Lloyd were capable of being awarded on a “user damages” basis. In One-Step, the Supreme Court held that damages can be awarded where “the person who makes wrongful use of the property prevents the owner from exercising his right to obtain the economic value of the use in question”. It concluded that where a person “takes something for nothing…the owner is entitled to require payment”.
However, many types of data (including the internet browsing information that was the subject of Lloyd) are non-rivalrous assets. Such data can be used simultaneously by a number of people without preventing the original owner from obtaining economic value from the asset (or indeed finding out about the simultaneous use). Indeed, it is possible that the Supreme Court’s statement in One-Step that an owner whose asset is “taken” requires compensation simply does not apply to such non-rivalrous assets.
Furthermore, although the Court of Appeal in Lloyd confirmed that data is not technically regarded as property under English law, the fact that it stated that user damages (which are typically given in property cases) could be awarded and confirmed that data is protected under EU law as an asset that has an economic value may suggest that the English courts are moving towards protecting data as a property right.
Even if the English courts begin awarding user damages for data privacy infringements, questions are likely to remain around the appropriate level of damages to be awarded. While there is limited case law on this point, it is arguable that the £750 “tariff” per person in Lloyd would be significantly in excess of what should notionally be taken as an appropriate figure. In any event, given the complexity of the issues, Lloyd’s “tariff” approach to damages may be unworkable in practice for opt-out class action claims for data privacy infringements.
Impact of Brexit
The Court of Appeal’s reasoning in Lloyd, which relied on the EU’s conception of data as an asset with economic value and a number of principles of EU law such as equivalence and effectiveness, also highlighted some of the open questions that surround the UK’s impending departure from the EU. The English courts will not be strictly required to comply with these principles of EU law after Brexit. However, they are likely to remain guided by these principles to ensure that the UK’s data protection regime is sufficiently aligned with the EU’s such that an adequacy decision is achieved and retained.
Although its determination on the issue of “loss of control” is unlikely to be helpful to firms, the Court of Appeal’s judgment in Lloyd is merely one of a number of recent developments that will further increase companies’ focus on compliance with data protection legislation. Most notably, procedures akin to class actions now exist or are being developed in a number of other European countries (such as Germany, the Netherlands, Italy and Spain, with the EU having also proposed its own Directive on representative actions), while the GDPR itself provides for EU member states to implement a representative action procedure.
The maximum possible damages award of £3.3bn in Lloyd is highly likely to be an outlier in data privacy claims in England. Since there are few products as commonly used as iPhones, it will only be very infrequently that as many as 4.4 million individuals will be potentially affected by the same alleged data protection infringement. In practice, it is likely that in Europe (in contrast with the US) the risks of regulatory action in this area, and the resulting fines, will continue to outweigh the risks posed by litigation. The risk of large regulatory fines (which under the GDPR can be as high as 4% of a company’s worldwide turnover) was demonstrated by the UK’s Information Commissioner’s Office in July this year when it declared its intention to fine British Airways £183m for GDPR breaches.
Nevertheless, the global trend of greater interplay between litigation and regulatory actions is likely to continue. Firms will therefore be required to continue grappling with the question of how to deal with regulatory investigations co-operatively and to the satisfaction of those regulators without increasing their litigation exposure.
Whether the Supreme Court allows Google’s appeal, and its reasoning on the issues highlighted by Lloyd, will be closely followed.
The full judgment in Lloyd v Google is available here.