Last week the Court of Appeal permitted service out of the jurisdiction of an unusual form of class action against Google (Richard Lloyd v Google LLC  EWCA Civ 1599), overturning Warby J’s High Court decision. We commented on the High Court judgment in a previous Law-Now article. This ruling potentially opens the door to more class actions, particularly for data breaches.
In May 2017 Richard Lloyd filed a claim seeking damages under section 13 of the Data Protection Act 1998 (“DPA98”) for infringement of data protection rights. It was alleged that over a period of six months in 2011-2012, iPhone customers had their internet activity tracked by Google using the “Safari Workaround.” The “Safari Workaround” utilised an advertising cookie which could be activated on an iPhone without the user’s consent, whenever the user visited certain websites. This advertising cookie allowed Google to gather browser-generated information which could indicate the date and time when a website was visited, how long the person spent on the website, and which pages they viewed as well as what adverts they watched and for how long. If an IP address was obtainable, the user’s broad geographical location could potentially be identified. This information would allow Google to direct advertising to the user tailored to his or her interests.
The headline-grabbing element of this case is that Richard Lloyd’s claim is not merely filed on his own behalf. Rather, he is seeking to utilise Rule 19.6 of the Civil Procedure Rules to pursue a representative action, a rarely used class action device whose parameters are potentially very broad. The proposed class comprises an estimated four million iPhone users. Importantly, as used here, CPR 19.6 is an “opt-out” mechanism whereby persons within the parameters of the class are automatically included in the class (including a very large number of users who have no knowledge of the claim) unless they proactively choose to leave the group, i.e., they “opt-out”. Opt-out mechanisms are powerful procedural devices for aggregating claims which are individually low in value, and where there is limited incentive for class members to participate in “opt-in” mechanisms.
The issues before the Court of Appeal were whether Richard Lloyd should be granted permission to serve the claim out of the jurisdiction on Google in the United States, and whether the claim should be permitted to proceed under CPR 19.6. To answer these questions the Court had to consider whether class members had suffered damage under section 13 of the DPA98 and whether the class members had the “same interest” in the claim.
The question of damage
The Court of Appeal ruled that damages could be awarded to claimants under section 13 of the DPA98, simply for loss of control of data caused by the actions of Google. This goes beyond the previously established entitlement to damages if a data breach causes distress. The Court of Appeal’s reasoning was significantly impacted by its earlier ruling in Gulati v MGN Limited  EWCA Civ 1291 that, in claims for the tort of misuse of private information, damages could flow from the misuse itself and that claimants were not required to show pecuniary loss or distress. Although the cause of action in Gulati differed, the Court of Appeal noted that both the tort of misuse of private information and claims under the DPA98 are “founded on the same principle: namely, that privacy be protected”. Having regard to the EU principles of equivalence and effectiveness, the Court of Appeal concluded that the loss of control of personal data did sound in damages under section 13 of the DPA98.
For the purposes of CPR 19.6, all of the claimants must have the “same interest” in order to qualify as members of the class. Historically, the English courts have policed the parameters of the “same interest” test strictly: Emerald Supplies Ltd v British Airways Plc  EWCA Civ 1284.
In the High Court, Warby J decided that the iPhone users did not have the same interest because they would have suffered different levels of damage, including possibly no damage at all.
The Court of Appeal took a different approach, noting that the breach had had a common impact on all members of the class, namely on “the right to control their private [browser generated information]”, and that it was not necessary to consider a person-by-person review of the “impact (if any) of the use of their data.” Having decided that each class member had suffered the same damage, namely loss of control over their personal data, the court concluded that the “same interest” test was met. Furthermore, the Court decided that it was sufficiently clear whether a given individual was a member of the class or not.
It has been reported that Google will seek permission to appeal to the Supreme Court. If the ruling stands, then data controllers may face increased civil exposure following data breaches. Relevant companies should consider their mitigation and response measures, both technical and non-technical (e.g., ensuring they have adequate cyber liability insurance). Although this claim was brought under the DPA98, which has now been repealed, enterprising claimant law firms may seek to bring similar claims under the Data Protection Act 2018 (which replaced DPA98) and the GDPR. In its ruling, the Court of Appeal noted that Recital 85 to the GDPR identifies “loss of control” of data as a type of damage which may be caused by a data breach.
The ruling gives little guidance on the quantum of damages, and this will be a matter for trial. However, individual losses may be low. In order to meet the “same interest” test, “damages that [were] claimed [were reduced to] the lowest common denominator”. That said, the danger of opt-out mechanisms for defendants is that they aggregate claims which are individually low in value into an overall claim which can be very significant.
Helpfully, the Court of Appeal confirmed that, as was agreed between the parties, there is a de minimis threshold to claims of this sort, and the circumstances of any data breach and the breach response will be relevant. The Court noted that the “[de minimis] threshold would undoubtedly exclude, for example, a claim for damages for an accidental one-off data breach that was quickly remedied.”