Case comment: Lloyd v Google LLC [2018] EWHC 2599 (QB) http://www.bailii.org/ew/cases/EWHC/QB/2018/2599.html

Summary

What does “damage” mean, under Section 13(1) of the Data Protection Act 1998 (“DPA”)? This was the question for the Court in Lloyd v Google LLC.

Two previous cases had laid the groundwork: Vidal-Hall, opened the way for compensation awards for “non-pecuniary loss” such as distress and anxiety caused by breaches of the DPA and in Gulati Mr Justice Mann seemed to award compensation to reflect the infringement of the claimants’ privacy rights themselves, as well as to compensate the claimants for injury to their feelings.

With these two cases paving the way, the scene was set for Lloyd v Google LLC to test two propositions – 1) compensation under the DPA can also be awarded for infringement of the right itself (as in Gulati); and 2) without the need to prove individual loss, class actions may be brought to compensate large groups of people – in this case, millions of Apple iPhone users.

An affirmative answer in respect of these two propositions would have opened the “floodgates” of litigation. In fact, the court in Lloyd v Google LLC firmly shut those floodgates.

Whether the reasoning will hold in the post-GDPR landscape is another question, which we address below.

Background

Lloyd v Google concerns an application to serve proceedings outside the jurisdiction on Google, in respect of a compensation claim arising from the “Safari Workaround”.

The Safari Workaround allowed Google to place cookies on devices running Safari (the browser developed by Apple) working around a Safari block on all third party cookies. The use of cookies on users’ devices allowed Google to obtain so-called “browser generated information” (“BGI”), which, it was claimed, included private information and personal data: users' internet surfing habits and location and by extension, users’ interests and habits, race or ethnicity, social class, political or religious views or affiliations, age, health, gender, sexuality, and financial position. Google aggregated BGI from browsers displaying similar patterns, creating groups with labels such as “football lovers” or “current affairs enthusiasts” and offered these groups to advertisers, to allow them to target their advertising.

The Claim

In this claim Mr Lloyd, formerly Executive Director for the consumer champion Which?, sought to bring a representative claim against Google on behalf of all individuals in England and Wales said to have been affected by the Safari Workaround (the “Class”). The basis of the claim was that Google, the data controller, processed personal data in breach of the statutory duty imposed by section 4(4) of DPA. The Claimant claimed damage under s13(1) of the DPA which provides:

An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.”

Service out of the jurisdiction

Google LLC is based in California. The Court was therefore concerned with whether or not to grant the Claimant permission to serve the claim on Google out of the jurisdiction.

The burden is on the Claimant. It has to establish:

  1. that the claim has a reasonable prospect of success (CPR 6.37(1)(b));
  2. that there is a good arguable case that each claim advanced against the foreign defendant falls within at least one of the jurisdictional "gateways" (paragraph 3.1 of Practice Direction 6B). This is essentially a claimant being able to demonstrate that it has a viable cause of action in the jurisdiction;
  3. that England is clearly or distinctly the appropriate place to try the claim (CPR 6.37(3)).

Mr Justice Warby took the points in reverse. On point (3), he was satisfied that England was the proper place to try the claim since the Class was confined to residents of England and Wales. That point was not in dispute between the parties.

The real issue was under points (1) and (2), which are closely linked. The Court needed to determine whether or not the damage pleaded by the Claimant constituted damage for which compensation was payable under s13 DPA. If it was, then subject to whether or not the Court could permit the claim to continue as a representative action (which was also determined by Warby J), the Claimant would have both a claim falling within a relevant “jurisdictional” gateway and a reasonable prospect of success.

Compensation for “damage”

In Vidal-Hall v Google, the Court of Appeal had established that compensation could be awarded to individuals under English law if they suffered non-material, non-pecuniary loss such as distress arising from a breach of data protection legislation.

In this case, however, the Claimant did not contend that any of the members of the Class had suffered pecuniary loss, or non-pecuniary loss, i.e. that the gathering of their personal data had caused them distress. Rather, the pleaded claim for damages was said to arise in three different ways: (i) for infringement of data protection rights; (ii) for the commission of the wrong itself; and (iii) loss of control over personal data. i.e. the Claimant was claiming damages for the infringement itself, rather than any identified damage flowing from it.

The Court deconstructed the wording of s13 of the DPA. The statutory right to compensation arose where (a) there was a contravention of a requirement of the DPA; and (b) as a result, the Claimant suffered damage. The right was defined as a right to compensation "for that damage". The infringement and the damage were therefore presented as two separate events, connected by a causal link. An interpretation of these provisions presupposed that some contraventions of the DPA would not result in damage, or call for a compensatory remedy. Warby J identified scenarios where incorrect data was held by a data controller but nothing happened to it. It was not used or disclosed. In those circumstances, the DPA envisaged other remedies than damages – rectification, blocking and erasure.

Warby J said that the damages identified at (i) and (ii) of the pleaded claim were merely descriptions of the infringement itself. The argument was circular. To say that a Class member had “lost control” over his or her personal data was another way of saying that the Defendant had acquired and used the data without the Class member’s consent. It was claimed that the infringement had caused damage, and the damage was the infringement itself.

In support of the damages claim identified at (iii), the Claimant relied on the judgment of Mr Justice Mann in the phone-hacking case of Gulati v MGN Ltd. In that case, Mann J had awarded the claimants damages inter alia for commission of the wrong itself. This was upheld in the Court of Appeal where it was held that a claimant was entitled to compensation for “loss of control” by the unpermitted use of private information.

Warby J distinguished Gulati on three grounds:

  1. The claims in Gulati were in the tort of misuse of private information, not data protection.
  2. Gulati was not authority for the proposition that damages must be awarded for the infringement of the right itself. Mann J held that compensation can be awarded for commission of the wrong itself, so far as the commission impacts on the values protected by the right.
  3. It was clear law that the Court cannot make an award of “vindicatory” damages merely to mark the commission of the wrong. Mann J and the Court of Appeal took great care to distinguish the awards they made from a merely vindicatory award. It was clear that the awards were intended to compensate for the misuse of private information, depriving the claimants of their right to control the use of private information. The Court of Appeal illustrated the point by reference to a number of examples one of which was where “hacking pre-empted disclosure of the decision of one claimant to leave a well-known television show”. The Court of Appeal said the claimants were entitled to be awarded for that loss of control.

The Court of Appeal decision in Gulati, should not be read as approving the award of substantial damages for the abstract fact that a person has had their personal information misused. The facts of Gulati were exceptional and involved significant personal information. Nothing comparable was alleged here.

Warby J was bolstered by two submissions made on behalf of Google.

  1. If the Claimant’s case was accepted, it would mean that damages would be payable for the most trivial infringements. This could not be right. The tort of misuse of private information contained built-in thresholds for the award of damages. In order to be actionable, an interference had to reach a certain level of seriousness (McKennitt v Ash [2008] QB 73 [12]). Secondly, the process of deciding a misuse case involved a balancing exercise, including an assessment of the proportionality of the interference with free speech, which success for the claimant would involve.
  2. The Defendant pointed to authorities that held that the right to compensation for distress pursuant to s13 DPA was also subject to a threshold of seriousness.

Consequently, the court held that not everything that happens to a person without their prior consent causes significant or any distress. Warby J noted that some people enjoy a surprise party. Lasting relationships can be formed on the basis of contact first made via a phone number disclosed by a mutual friend, without asking first.

In short, the question of whether or not damage had been sustained by an individual as a result of the non-consensual use of personal data about them must depend on the facts of the case. On the bare facts pleaded in this case, which were in no way individualised, there was no "damage" within the meaning of DPA s 13.

It was finally argued by the Claimant that affected users were entitled to “user damages” reflecting

the market value of the data which was misused by Google, i.e. a notional licence fee. Warby J rejected any analogy with property rights. He said that it was “wholly artificial to envisage some sort of bargaining process involving such individuals”. Google does not offer a fee to its users for this information: what it offers instead is the opportunity to receive targeted communications. If the user does not wish to accept this, their only realistic option would be to refuse consent. Following this the premise of the “hypothetical negotiation” is unworkable.

Accordingly, Warby J found that damage could not be shown by the Claimant and as a result compensation would not be awarded to the Claimant. On that basis, the claim failed the test to serve out of the jurisdiction at the first and second hurdles, (1) and (2), listed above of the burdens upon the Claimant. The claim had neither a real prospect of success nor was there a good arguable case on the facts that damage had been caused within the jurisdiction. The Claimant’s application for permission to serve out of the jurisdiction and therefore to proceed with its claim failed.

Representative action

Warby J also separately found that the claim had no reasonable prospect of success because the court should not permit it to proceed as a representative action.

In order for a representative action to be brought in the English courts, the representative party and those whom that party represents need to have “the same interest in” the claim. In the present case the claim may include some people for whom the alleged breach does amount to “damage”, however the class will also, inevitably, include some for whom no “damage” had been suffered.

Further, it was not possible to identify the class with sufficient certainty since there was no viable method of identifying which users had the Safari Workaround placed on their device during the relevant period.

GDPR and the current legal landscape

This case was brought under the 1998 Data Protection Act and therefore refers to the pre-GDPR legal landscape.

The relevant sections now are Section 82 GDPR and Section 168(1) of the Data Protection Act 2018 2018 (which fills the gaps which the GDPR leaves to be filled by Member States).

  • Article 82 GDPR “Right to compensation and liability” gives “any person who has suffered material or non-material damages as a result of infringement” the right to receive compensation for the damage suffered.
  • Section 168(1) of the Data Protection Act confirms that “non-material damage” includes distress.

Would Warby J’s reasoning hold good if the case were brought today? Possibly not.

First, the GDPR turbo-boosts data subject rights.

  • Article 79 GDPR “Right to effective judicial remedy against a controller or processor” provides that each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under [GDPR] have been infringed.

Article 79 GDPR makes no mention of damage. Warby J’s reasoning in Lloyd v Google LLC arguably deprives data subjects of an “effective judicial remedy” where their rights have been infringed but they have suffered no damage beyond the mere infringement of the right itself. In future, the court might think it appropriate to award nominal damages in these cases - small sums that can be awarded where a tort is actionable per se (for example trespass to land) but the claimant has suffered no loss. Nominal damages are important because they are the peg on which to hang costs.

The case for awarding vindicatory or exemplary damages to punish the defendant – where infringing conduct is motivated by the pursuit of profits, for example - was given short shrift here. It is possible that future cases will distinguish those relied on here.

Second, the GDPR seems to encourage class actions with the inclusion of the following provision:

  • Article 80 GDPR “Representation of data subjects” gives data subjects the right to mandate not-for-profit bodies active in the field of data protection to exercise their rights to receive compensation on their behalf.
  • Section 168(2) and (3) of the Data Protection Act 2018 provides for compensation awarded to be paid to a representative body or any person the court thinks fit.

We saw in Lloyd v Google LLC that the consumer champion Which?, a registered charity, looked to bring a class action. Article 80 GDPR may well now encourage more not-for-profit organisations to actively pursue claims on behalf of a significant group of individuals.

Learning points

Judgment in this case was eagerly anticipated. It had been feared (or hoped, depending on your perspective) that the combination of the relaxation of Section 13 DPA to include damage for non-pecuniary loss in Vidal-Hall, together with the judgment in Gulati, would open the floodgates for group claims for damages as a result of breaches of the DPA of themselves (with or without loss).

This case serves to shut the floodgates, for now. It is not inconceivable that a similar action could succeed, organised as a Group Action rather than a representative action, where claimants set out in more detail the damage caused. For now, whilst still to be tested post GDPR, it appears that unless a claimant can identify specific details as to how alleged unlawful use of their data has caused them distress or actual damage, compensation will not be awarded.