Conduct in relation to data is under ever greater scrutiny from competition and data protection regulators on both sides of the Atlantic. Alongside those competition questions, the use and misuse of data is increasingly a focus for private enforcement. The recent decision of the Court of Appeal in England and Wales, Richard Lloyd v Google LLC  EWCA Civ 1599 (“Lloyd v Google”), represents a major development in this field, with international implications.
There are three dimensions of the decision that are especially interesting. First, the decision sets out a legal basis for damages for the loss of control of data, without proof of monetary loss or distress. Put another way, there is now a price to pay for taking a person’s data unlawfully.
Second, the decision opens the door to class actions for data breaches in the UK. The finding breathes new life into a form of collective litigation that has existed for many years but has been little used - the representative action under s.19.6 of the Civil Procedure Rules (“CPR”). This is a form of class action in England and Wales that extends beyond pure competition claims. Following the introduction of opt-out collective proceedings for competition claims under the Consumer Rights Act 2015, this is another development in England and Wales facilitating collective redress for claims that would otherwise be impractical to bring.
Finally, of interest to international practitioners, this was an application for service out of the jurisdiction by a UK class representative on a US based defendant – for which permission was granted. The defendant has stated its intention to appeal to the Supreme Court. If the case is upheld on appeal, we are likely to see more cases of international companies - including US based tech companies - being held to account in the courts of England and Wales via private enforcement, even in circumstances, such as these, where the UK regulator has taken no action.
The Background Facts
The case relates to alleged breaches of the UK data protection rules, arising from Google’s “Safari Workaround.” Google operated the Safari Workaround between 1 June 2011 and 15 February 2012, harvesting browser generated information (“BGI”) when iPhone users with the Safari browser visited a website that included content from Google’s Doubleclick domain. Google had devised a workaround to Safari’s security settings that enabled third party cookies from Doubleclick to be deployed immediately on a user’s device, without the user’s knowledge or consent, whenever the user visited a website that contained DoubleClick Ad content. This cookie then enabled Google to gather data about the user’s internet use, and in particular sites visited over time, to enable the delivery to the user of advertisements tailored to the interests demonstrated by that user’s browsing history. It was alleged by the representative claimant that this information included not only users’ internet surfing habits and location, but also diverse factors such as race or ethnicity, political or religious views or affiliations, age, health, gender, sexuality and financial status.
At the time, a PhD researcher, Jonathan Mayer, discovered Google’s activity and publicized it in a series of blog posts and, on 17 February 2012, in the Wall Street Journal. The US Federal Trade Commission (“FTC”) then took action, leading to a $22.5million settlement by Google in August 2012. In November 2013, Google further paid out $17million to settle consumer-based actions brought by the attorneys general of 37 US States and the District of Columbia.
Interestingly, despite the FTC and state attorneys general settlements, no action was taken by the Information Commissioner in the UK. Instead, in the absence of regulatory intervention, private claimants have taken up the mantle and brought two claims based on this infringement: (i) Vidal-Hall v Google Inc  EWCA Civ 311 – brought by three claimants for distress suffered as a result of the intrusive data breach (which has now settled), and (ii) Lloyd v Google, a claim brought by Richard Lloyd, a long-standing advocate for consumer protection, and former Executive Director of Which?, on behalf of the class of persons affected.
The Lloyd claim was brought via the UK representative action procedure, on behalf of all individuals based in the UK with a relevant device who had their data illegally processed via the Safari Workaround. The class has been alleged to comprise 4.4million users, and damages were estimated in the letter before claim at £750 per user (although no specific figure has been pleaded, and ranges instead have been suggested). Google’s estimate of potential liability, if some of the claimant’s figures are accepted, is between £1 and 3 billion – a very substantial sum on any view.
The First Instance Lloyd Decision
The Lloyd claim has been brought by Mr. Lloyd for breach of duty under the UK Data Protection Act 1998 (“DPA”), giving rise to a claim for compensation under s.13(1) of the DPA. No monetary loss is alleged, and the claim is for a standard ‘tariff’ award to each represented person, to reflect the infringement of their right, the loss of control over their data, and the commission of the alleged wrong by Google. The claim has not yet progressed as far as a merits hearing. Given that the defendant – Google LLC – is a Delaware corporation with its principal place of business in California, for the action to proceed Mr. Lloyd first needed the permission of the English court to serve the proceedings out of the jurisdiction on the defendant.
To obtain permission, Mr. Lloyd needed to satisfy three criteria: (i) that the claim has a reasonable prospect of success (CPR Part 6.37(1)(b); (ii) that there is a good arguable case (i.e. the better of the arguments) that the claim could pass through one of the “gateways” to jurisdiction - the relevant gateway in this case being the ability to show that there is a “claim in tort where damage was sustained within the jurisdiction or the damages sustained resulted from an act committed within the jurisdiction”; and, (iii)that England is clearly or distinctly the appropriate place to try the claim (CPR Part 6.37(3).
Item (iii) is not disputed: Google accepts that, if the claim is to be brought, England is the right place for it. The critical question – which relates to (i) and (ii), is whether the Safari Workaround involves “damage” for the purpose of relevant gateway.
Section 13(1) of the DPA - which needed to be analyzed to assess whether the claim passes through the gateway - provides as follows: “an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”.
The judge at first instance found that the Safari Workaround involved no damage as articulated by DPA 13(1). The judge said that the statutory provisions required a causal link between the breach and damage suffered for the right to compensation to arise.
As noted above, an earlier case, Vidal-Hall, had been brought for damages based on the Safari Workaround. In that case, however, the claimants sought damages for distress, rather than a flat tariff arising from the breach. The Court of Appeal held in that case that the meaning of damage needed to be interpreted autonomously (i.e. not by reference to national rules – a point to which we return below). On that basis, in the Vidal-Hall case, distress damages were not limited by other provisions of the DPA (in particular s.13(2)), and could still qualify as ‘damage’ for the purposes of 13(1) of the DPA. The Court of Appeal therefore found that the claim could pass through the relevant jurisdictional “gateway,” as there was a cause of action for damage as provided for in the DPA, and gave permission to serve out on that basis (following which the case settled).
In Lloyd, however, distress was not pleaded (and it is difficult to see how distress could easily be pleaded on a representative basis on behalf of such a large class), and so the judge was not bound to follow the approach in Vidal-Hall. Instead, the claim for damage was for the tort itself – the breach. The judge held that the argument was circular. In the judge’s view, no harm had been suffered in a case such as this, and therefore there was no damage for the purposes of s.13(1) DPA. The repeated or bulk delivery of advertising that flowed from the data breach might in theory cause some degree of harm, but that was not even pleaded. The judge also considered that it was relevant that no member of the class, other than the claimants in Vidal-Hall and Lloyd, appeared to have complained about the breach.
The judge at first instance then considered the Court of Appeal decision in Gulati v MGN Ltd  EWHC 1482 (Ch). That case involved an egregious set of facts relating to the sustained and systematic hacking of the voicemails of celebrities by Mirror Group news journalists who had illegally sourced the basis for stories about those celebrities or related parties. The Court of Appeal explicitly ruled that compensation could be given for commission of the wrong itself. The case related to the tort of misuse of private information rather than breach of data protection, but the principles were similar. The claimant in Lloyd relied heavily on this authority, but the judge rejected this argument as based on national law. Taking the principle of the autonomous interpretation of EU law as his guide, he suggested that the approach, of following national law in seeking to interpret the DPA, was flawed.
Given his decision on the failure of the claim to satisfy the requirements for service, the judge did not need to consider whether the claim could proceed as a representative action under s.19.6 CPR. Nevertheless, he went on to find explicitly that it could not. This was on the grounds that all the members of the class had not suffered the “same” damage – namely the degree to which they were affected by the data transfer was different – and the defenses available to Google in respect of different members of the class might be different. Further, the definition of the class was uncertain, and there were practical difficulties with identifying all its members, and avoiding the risk that individuals not entitled to compensation would recover.
The Court of Appeal
The Court of Appeal disagreed with the judge at first instance’s analysis at almost every step.
Loss of Control Damages
First, the Court of Appeal considered whether a claimant could recover damages for breach of the DPA, even without showing monetary loss. The claim was for loss of control over the users’ data, and so the first question was whether that control was an asset with value. In the first of its groundbreaking findings, the Court of Appeal decided that it plainly was. While data was not “property,” it was protected under EU law and had an economic value. It could be sold (for example in return for free WIFI at airports) and Google was also in turn able to sell to advertisers the BGI it collected from class members. Accordingly, the data, and consent to its use, had an economic value. It followed that loss of control of that data also had a value.
Having established that point, the Court of Appeal next considered the legal interpretation of damage under s.13(1) DPA. Here, the Court concluded that its decision in Gulati was not only relevant, but also instructive. Even though Gulati related to the tort of misuse of private information, the rights under consideration were based on the same fundamental principle as in Lloyd – namely that privacy be protected. As loss of control over telephone data was held to be damage – in and of itself – for which compensation could be awarded, it would be wrong in principle if loss of control over BGI data could not also be compensated for the purposes of the DPA.
Further, the EU law principles of equivalence and effectiveness indicated that the legal definition of damage for the two torts ought to be treated in a similar way, as both derived from a common European right to privacy. Accordingly, infringement of a right that was sustained and serious could be a matter for compensation, even though it was not measurable in money terms. This was explicitly held to be a compensatory measure of damages – not a vindicatory measure (which is to say that it was not intended to vindicate a right that had been infringed). Vindicatory damages were not available in private actions, but the basis for damages in the case before the Court was strictly compensatory.
Not content with opening the door to damages for non-monetary loss for data breach, the Court of Appeal went on to make another potentially groundbreaking – although obiter – finding. The Court explained that there was an arguable basis for another form of loss arising from a breach of data privacy such as the Safari Workaround. This is in reliance on ‘user’ or ‘negotiating’ damages – namely the price that one could have negotiated for the use of a valuable item, which has been taken without permission for nothing by the defendant. This is a form of damages under English law, in an evolving area of law. As such, it would have been open to the Court to say that it did not necessarily factor into an autonomous analysis of the proper interpretation of the DPA under EU law principles.
Nevertheless, the Court said in terms that, in its view, it thought it fairly arguable that damages might in the Lloyd case be assessed on the user basis. The legal context in which these damages arise is in unlawful use of property. The unlawful use prevents the owner from exercising the right to obtain the economic value of the use in question. The defendant “takes something for nothing, for which the owner was entitled to require payment,” and is therefore liable to compensate the claimant. The potential future relevance of this kind of loss to cases such as this, where data has been misappropriated and then monetized by the misappropriating party, is clear.
As noted above, the judge at first instance in Lloyd had ruled out the possibility of permitting the action to proceed on a representative basis. In his view, the class did not have the “same” interest in the claim, as the nature of the infringement might vary from person to person, and defenses available to Google might be different – alongside more practical considerations in relation to the Court’s ability to identify the class and avoid abuse from claimants who were not properly class members. The Court of Appeal dismissed these concerns.
In their view, the judge had applied too stringent a test of “same interest” when assessing whether the action was suitable to be brought on a representative basis. The claim as pleaded was that BGI – something of value – had been taken from all the claimants without consent during the same period. The claim did not rely on personal circumstances affecting any individual claimant (whether distress, or volume of data abstracted, or anything else). The same wrong was alleged in all instances – namely loss of control over BGI – and reliance on any particular facts affecting any particular claimant was disavowed.
The effect of this approach on the ‘tariff’ claimed was to reduce its value to the “lowest common denominator” of the damage suffered. Put another way, the price of being able to bring the claim on a group basis was that the claim had to be pitched at the lowest level available to every class member. However, given that constraint, there was no reason why the claim should not proceed on a representative basis. In a competition claim, such a constraint might mean that alternate means of seeking collective redress, such as a collective proceeding, might be preferable in the particular circumstances of a case. In circumstances where it is possible to bring a group claim without a ‘lowest common denominator’ tariff, it would be logical to use the more flexible mechanism. However, the more liberal approach to the application of the test for non-competition claims will certainly be encouraging in other data cases, and could re-energize the s.19.6 CPR procedural mechanism more broadly.
As to the practical considerations identified by the judge – as to whether or not the class could be verified – the Court of Appeal was untroubled. The Court referred to the test articulated in Emerald Supplies Ltd. V British Airways plc  Ch 345 – a competition case – where it was held that “at all stages of the proceedings…it must be possible to say of any particular person whether or not they qualify for membership of the represented class of persons”. In these circumstances, the Court found that it was not only possible for any given represented party to identify whether he or she fell within the class, it was also possible for the defendant to check that point, and that exercise could be undertaken at any time. The judgment also went on to say that the size of the class was irrelevant – and so practical concerns as to management of the class, notice ,and distribution do not appear to be barriers to the use of this procedure. This is analogous to the scope of the jurisdiction under development for competition collective proceedings before the CAT – where there is no concern regarding the numerosity of a class – and it seems likely that, from a practical perspective, similar procedures for notice and administration of the class would be deployed for representative actions as for collective proceedings.
Lloyd is a Court of Appeal decision, and so it is possible that it will be reconsidered on an appeal to the Supreme Court. If the Court of Appeal’s ruling is upheld, the outlook for representative claims for damages for data breaches in England is promising.
This ruling is particularly timely in an environment where concerns over use of data are increasing, and the regulators (both in the competition and data protection spheres) are grappling with the appropriate remedies for data misuse. Where data has an economic value, and where data breaches are clearly established, facilitating private enforcement to enable compensation to be paid to the parties directly impacted makes sense. The decision in Lloyd v Google represents an important step towards a legal framework that will enable that to happen.