A recent case heard in the Court of Appeal, Lloyd v Google, involves a myriad of issues with points touching on Data Protection law(s) and the development of the 'UK class action'. It will be of interest to professionals whose day-to-day work involves the retention of their client's data and/or private information. The decision recognises a right to claim damages arising out of the loss of control of data, even if there is no pecuniary loss and no distress. It also gives the green light for representative action in such claims.
The appeal follows Mr Richard Lloyd, a former director of Which?, who sought to bring about a representative claim on behalf of himself and 4 million iPhone users, all of whom were allegedly affected by Google’s use of ‘cookies’ between 9 August 2011 and 15 February 2012.
‘Cookies’ are a file created by a website that is stored in the user’s computer, enabling the placer of the cookie to identify and track internet activity undertaken by means of that device.
What did Google do with the cookies?
It is alleged that in taking advantage of a relaxed default setting on the Safari web browser, Google was able to place a cookie of its own on iPhone devices, without the user's knowledge or consent – a phenomenon known as the ‘Safari Workaround’. Up until the system was changed by Apple, it is alleged Google collected information on users, as to the order in which and the frequency with which they visited various websites.
Lloyd argued that in tracking and collating this information, Google was allowed to obtain information relating to users' internet usage, and simultaneously their interests, race or ethnic origin, social class, political or religious views as well as their age, health, gender, sexuality and even their financial position. Google is said to have aggregated this information into groups with labels, offering these groups to subscribing advertisers, allowing them to choose the type of people that they wanted to direct their advertisements to – ‘data harvesting’.
The Claim or ‘Class Action’
The legal basis of the claim brought by Lloyd, was that Google processed personal data in breach of the statutory duty imposed by section 4(4) of DPA.
In reliance on the supposed breach by Google, the claim was framed as one seeking damages for all concerned under s13(1) of the DPA, which provides:
“An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.”
At the previous first instance decision, the Court dismissed Lloyd’s case against Google, on the basis that:
1. None of the class he represented suffered damage within the meaning of s13 of the DPA, failing to prove pecuniary loss or distress; and
2. The members of the class did not have same interest needed to form a class under Civil Procedure Rule 19.6 and were not identifiable.
The Court of Appeal was asked to revisit the reasoning for the original dismissal of the Lloyd’s action and reversed the decision in respect of both issues.
On the issue of damage, the Court of Appeal ruled that the loss of control of Lloyd’s (and others) individual data did have an intrinsic value, and tangible pecuniary loss or distress did not need to be demonstrated to satisfy this element of the claim.
The first instance decision on the necessary ‘same interest’ was also overruled. The Court of Appeal was of the view and held that all the members of this class had their information taken without their consent, with such information being extracted over the same period and by the same method.
This case should serve as a warning to any business or self-employed professional whose work involves the use or safeguarding of an individual’s personal data – as well as potentially their insurers. Whilst Google is likely to appeal the decision, the current position following this case suggests there is increased exposure for such organisations or persons, in circumstances where an individual’s personal data is either ‘lost’, compromised or is used outside the scope of their consent. Loss of control of data can result in a claim for recoverable damages, even where no immediate tangible loss can be demonstrated by a Claimant. The Court of Appeal recognising this in conjunction with the representative or ‘class’ actions, emphasises the need for both strict compliance and caution in this regard.