On 2 October 2019, the Court of Appeal overturned Warby J’s judgment dismissing an application by the Claimant, Richard Lloyd, for permission to serve a representative action out of the jurisdiction on Google LLC (“Google”).

Although the Court of Appeal’s judgment merely permits Mr Lloyd to serve proceedings out of the jurisdiction on Google, and there is still a long road ahead before these proceedings reach trial, it is nonetheless extremely significant.

Subject to being overturned on appeal, the Court of Appeal’s judgment opens the floodgates to US-style class actions by representative Claimants on behalf of classes of affected data subjects.

These claims may lead to damages awards which dwarf even the eye-watering fines which the ICO has recently threatened against British Airways and Marriott International, both of which exceeded £100m.

Factual background

Between August 2011 and February 2012, Google took advantage of an Apple-devised exception to cookie blockers, the “Safari Workaround”, which allowed Google to harvest, without consent, browser generated information (“BGI”) of Apple iPhone users. This BGI, which constituted personal data for the purposes of the Data Protection Act 1998 (the “DPA”), gave Google unprecedented insight into the habits and preferences of more than 4 million Apple iPhone users (the “Data Subjects”) which it packaged and sold to advertisers, allowing them to target marketing specifically at the Data Subjects.

Google has already been subject to individual claims before the English Court as a result of these activities, which gave rise to the critical judgment in Vidal-Hall v Google [2015] EWCA Civ 311 which established that damages for non-pecuniary loss were, in principle, available under s.13 DPA.

The proceedings

Mr Lloyd, the former executive director of Which, and a consumer rights activist, is pursuing a representative claim on behalf both of himself, and other affected Data Subjects, under r.19.6 of the Civil Procedure Rules 1998 (the “CPR”), seeking damages under s.13 DPA for breaches of s.4(4) DPA.

Before the claim can proceed in earnest, amongst other things, Mr Lloyd requires the English Court’s permission to serve the proceedings out of the jurisdiction on Google.

The first instance judgment: Lloyd v Google LLC [2018] EWHC 2599 (QB)

At first instance, Warby J refused to grant permission to Mr Lloyd to serve the proceedings out of the jurisdiction, as he considered that Mr Lloyd’s claim did not have a real prospect of success as, amongst other things, he had failed to demonstrate that the Claimants had either: (a) suffered "damage" for the purposes of s.13 DPA; and, in any event (b) had either the "same interest" within the meaning of CPR 19.6(1)1, or were ascertainable as members of a specific class.

Warby J also noted that in the years since the Safari Workaround had come to public attention, none of the Data Subjects who were based in England had come forward either to seek compensation, or even complain, other than Mr Lloyd and the Claimants in Vidal-Hall. In such circumstances, Warby J said that “it would not be unfair to describe this as officious litigation” and that Mr Lloyd should not “be permitted to consume substantial resources in the pursuit of litigation on behalf of others who have little to gain from it, and have not authorised the pursuit of the claim, nor indicated any concern about the matters to be litigated2. Accordingly, Warby J considered that if the test at CPR 19.6(1) was satisfied, he would exercise his discretion under CPR 19.6(2) to refuse to permit Mr Lloyd to act as a representative for the Data Subjects.

The Court of Appeal’s judgment: Lloyd v Google [2019] EWCA Civ 1599

In summary, Sir Geoffrey Vos, Chancellor of the High Court, giving the leading judgment, with which Dame Victoria Sharp, President of the Queen’s Bench Division, and Davis LJ agreed, found to the contrary on each of these issues, holding that: (a) the Data Subjects were entitled to recover damages pursuant to s.13 DPA, based on the loss of control of their personal data alone, regardless of whether they had suffered pecuniary loss or distress[3]; (b) the Data Subjects represented in the claim did, in fact, have the same interest for the purposes of CPR 19.6(1); and (c) the Court should exercise its discretion to permit Mr Lloyd to act as a representative for the Data Subjects.

Issue 1: Are damages recoverable pursuant to s.13 DPA where there is no evidence that Claimants have suffered either pecuniary loss or distress?

In summary, Sir Geoffrey Vos’ view was that where a breach of data protection law occurs causing an affected data subject to lose control over their personal data of a non-trivial nature, that data subject is entitled to be compensated under s.13 DPA, regardless of any pecuniary loss or distress.

How should s.13 DPA be interpreted?

Sir Geoffrey Vos considered that the starting point when considering this issue was the interrelationship between domestic and European law. Article 8 of the European Convention for the Protection of Human rights and Fundamental Freedoms (the “Convention”) recognised the right to privacy, and this objective was given effect in the Data Protection Directive 95/46/EC (the “Directive”) and the Charter of Fundamental Rights of the European Union (the “Charter”) which provided, at Article 8, that “everyone has the right to the protection of personal data concerning him or her”.

He agreed with the Court of Appeal’s reasoning in Vidal-Hall4 that, in line with EU law, an autonomous meaning should be given both to Article 23 of the Directive and s.13 DPA5 (as they were both giving effect to Article 8 of the Convention and Article 8 of the Charter).

Does loss of control over personal data have a value?

Sir Geoffrey Vos agreed with Warby J that a “domestic approach to statutory construction would point towards the conclusion that section 13 and article 23 required proof of both a contravention and consequent damage, whether pecuniary or non-pecuniary6.

However, he disagreed with Warby J’s characterisation of the claims, holding that a person’s control over data does have a value, so that the loss of that control must also have a value. In reaching this conclusion he placed reliance on the fact that: (a) “even if data is not technically regarded as property in English law, its protection under EU law is clear7; and (b) the fact that individuals’ personal data can be sold (and indeed, in this case, was sold by Google to advertisers) demonstrated that it has an economic value.

Does loss of control over personal data constitute “damage” for the purposes of s.13 DPA?

In Gulati v MGN Limited [2015] EWHC 1482 (Ch), which concerned a claim for misuse of private information (“MPI”), Mann J held that where a Defendant had helped itself to large amounts of personal and private information and treated it as its own to deal with as it thought fit, there was a serious infringement of a right8.

Sir Geoffrey Vos considered that this approach should also apply to claims for breaches of the DPA, and that, accordingly, damages should be available for loss of control over personal data, noting that: “since the torts of MPI and breach of the DPA are undoubtedly similar domestic actions, it would be prima facie inappropriate for the court to apply differing approaches to the meaning of damage9.

In reaching this view, he also relied on recital 85 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), which identifies “that ‘loss of control’ over personal data is… an example of the kind of ‘physical, material or non-material damage’ that might be caused to natural persons as a result of a data breach10, as well as other provisions of the GDPR, emphasising that s.13 DPA had to be interpreted in light of the context which they provided.

However, he emphasised that a de minimis threshold of “seriousness” applied to both damages claims for MPI and for breaches of the DPA (thereby excluding, for example, a claim for damages for loss of control of personal data arising out an accidental one-off data breach that was quickly remedied).

Nevertheless, on the facts, this threshold had clearly been passed as “every member of the represented class has had their data deliberately and unlawfully misused, for Google’s commercial purposes, without their consent and in violation of their established right to privacy11.

Issue 2: Should the claim be permitted to proceed as a representative action pursuant to CPR 19.6?

Did the Claimants have the “same interest” for the purposes of CPR 19.6(1)?

Sir Geoffrey Vos held that Warby J had applied “too stringent a test of ‘same interest’12. Applying Mummery LJ’s test from Emerald Supplies Ltd. v British Airways plc [2010] EWCA Civ 128413 he could not “see any injustice in the pleaded claim proceeding as a representative one14 as: (a) all of the Claimants whom Mr Lloyd represented had had their BGI taken by Google without their consent, in the same circumstances and during the same period; (b) the Claimants were not seeking to rely on any personal circumstances affecting any specific individual (i.e. the lowest common denominator applied to the Claimants’ claims); and accordingly: “the represented class are all victims of the same alleged wrong, and have all sustained the same loss, namely loss of control over their BGI15; and (c) there was no practical difficulty in identifying whether a given individual was a Data Subject; “[e]very affected person will, in theory, know whether he satisfies the conditions that Mr Lloyd has specified. Also, the data in possession of Google will be able to identify who is, and who is not, in the class. Both exercises can be undertaken at any time.”16

He also disagreed with the weight accorded by Warby J to potential differences in the amount of data removed from the Claimants without consent and the differing impact on individual represented Claimants, emphasising that “the wrong is the same, and the loss claimed is the same” and that “it is impossible to imagine that Google could raise any defence to one represented claimant that did not apply to all others17.

Exercise of discretion under CPR Part 19.6(2)

Sir Geoffrey Vos also disagreed with Warby J’s exercise of discretion in deciding not to allow the representative claim to proceed. This was not, in his view, “officious litigation”; the case may be costly and use valuable Court resources but preventing it from proceeding would deprive the Claimants of any remedy. It was right that the claims should proceed to “ensure that there is a civil compensatory remedy… to call Google to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit18.

Appeal to the Supreme Court?

It is understood that the Court of Appeal denied Google's request for leave to appeal. Therefore, leave to appeal will therefore need to be obtained from the Supreme Court if the Court of Appeal’s judgment is to be reversed.

It remains to be seen whether this will be granted. However, given the wider significance of the issues in dispute, there is a serious prospect that leave to appeal will be granted.

Practical points of note arising from the Court of Appeal's decision

Whilst the Court of Appeal’s judgment only permits Mr Lloyd to serve proceedings out of the jurisdiction on Google, and there is still a long road ahead before these proceedings reach trial, it is nonetheless extremely significant.

Subject to being overturned on appeal, the Court of Appeal’s judgment opens the floodgates to US-style class action by representative Claimants on behalf of classes of affected data subjects in relation to breaches of data protection law as the significant impediments to doing so which were established by Warby J’s judgment have now been removed.

We can therefore expect a raft of similar claims emerging from: (a) high profile data breaches (particularly those affecting significant numbers of data subjects) such as those which have affected, amongst others, British Airways, Marriott International, Cathay Pacific and Uber; and (b) other breaches of data protection law, such as those which are alleged against Facebook (e.g. relating to the Cambridge Analytica scandal) and Google (in relation to real-bidding); once any appeal has been determined or leave to appeal has been refused.

This is particularly so given that funders and Claimant law firms are well aware of the potentially lucrative opportunities which such claims present.

Organisations that hold significant volumes of personal data were already on notice of the enhanced regulatory sanctions that they may face arising from data governance issues post-GDPR by virtue of the recent notices of intention to fine served by the ICO on British Airways and Marriott International each of which totalled over £100m.

In light of the Court of Appeal’s decision, they should now be on notice that they may potentially face even larger exposures as a result of civil claims arising out of the same issues.

By way of example, if Mr Lloyd’s claim succeeds and all affected data subjects join the Claimant group and each recover £750, the damages payable by Google would be approximately £3bn.

Accordingly, if the ICO’s recent enforcement activity was not enough to ensure that data governance was at the top of the C-suite’s agenda, this decision emphasises that it should be.