Norton Rose Fulbright - Data Protection Report blog

A judgment handed down today by the English High Court will be welcomed by UK data controllers. Lloyd v Google [2018] EWHC 2599 represents a corollary to recent case law expanding the circumstances in which litigation may be brought in relation to breaches of data protection legislation.

Most notably, the case:

  1. reinforces the need for “damage” to be proven by claimants before compensation can be obtained in these circumstances; and
  2. makes clear that the courts will not permit representative claims to be brought on behalf of a potentially large population of claimants without close scrutiny of the basis of those claims.

Recent discussion in the UK relating to data breach-related litigation has largely been focussed on the increasing risk of large-scale litigation arising from data breaches. While that risk has undoubtedly grown in the past few months due to recent case law and the implementation of GDPR, Lloyd serves as an important reminder that not all claims brought in these circumstances will be viable.

Background facts: the Safari Workaround

Lloyd v Google concerns an application to serve proceedings out of the jurisdiction on Google, in respect of a claim for compensation arising from the “Safari Workaround”. The Safari Workaround was a well-known means by which Google allegedly obtained private information about internet usage through its use of cookies without individuals’ knowledge or consent, via the Safari web browser used on Apple iPhones. According to the plaintiffs, this information enabled Google to provide information to advertisers to help in targeting or tailoring of advertisements to internet users.

The Safari Workaround was essentially the subject-matter of Vidal-Hall v Google Inc [2015] EWCA Civ 311, [2016] QB 1003. This was a high-profile case which established that compensation could be awarded to individuals under English law if they suffered non-pecuniary loss such as distress arising from a breach of data protection legislation.

The nature of the claim in Lloyd v Google

The representative claimant sought compensation arising from alleged breaches of the data protection principles set out in the Data Protection Act 1998 (the “Act”), committed by the implementation and operation of the Safari Workaround. In bringing the claim, the claimant relied on s13 of the Act which provides data subjects with a means of obtaining compensation should they suffer damage as a result of a contravention of the Act by a data controller. Warby J accepted that there may well have been an actionable breach committed as a result of the Safari Workaround, which could form the basis of a claim for compensation under the Act.

The “damage” requirement

Where the claimant’s position fell down, however, was in their inability to demonstrate “damage” as a result of the alleged [tort] – which is a necessary element for any compensation to be awarded pursuant to the Act.

In this regard, the claimant would need to demonstrate material (i.e. pecuniary) loss, or emotional harm such as distress. However, the claimant sought to do neither—relying instead on the commission of the alleged tort (rather than its consequences) as the basis for seeking compensation. The judgment rejected the claimant’s position in stating as follows:

“Even if the data controller had no justification for its conduct, and was thus in breach of duty, the remedy which the law requires does not have to be the remedy of compensation, if no consequences followed from the breach.”

The judgment goes on to distinguish Lloyd from Vidal-Hall, in which the Court of Appeal concluded that compensation may be awarded where distress has been suffered as a result of a breach of duty. The Lloyd judgment makes clear that no such compensation can be awarded when a breach of duty has caused neither material loss nor emotional harm, and has had no other consequences for the data subject. In referring to previous case law in this area, the Lloyd judgment states as follows:

“I do not believe that the authorities show that a person whose information has been acquired or used without consent invariably suffers compensable harm, either by virtue of the wrong itself, or the interference with autonomy that it involves… In short, the question of whether or not damage has been sustained by an individual as a result of the non-consensual use of personal data about them must depend on the facts of the case.”

It is clear from the above that any claims brought for compensation of this nature in future will need to be supported by compelling evidence of the damage incurred as a result of the alleged breaches of the legislation.

Representative actions

The claim was brought by the claimant on the basis that it should serve as a representative of a very broad class of potential claimants – which would potentially include all individuals who used the Safari browser in England & Wales while the Safari Workaround was ongoing. Estimates as to the size of this class vary but it is accepted that it would encompass several million individuals.

In order for a representative action to be brought in the English courts, the representative party and those whom that party represents need to have “the same interest in” the claim. In this case, the representative claimant and the potential class of claimants were not deemed to have the same interest in the claim—many claimants would not have suffered any damage at all and those who had suffered damage would not be considered to have suffered the “same” damage, given that each person’s position is inherently fact-specific. A representative claim could not therefore be brought on this basis.

In addition, the reasoning in the judgment was influenced by the fact that there had been essentially no interest from the purported class of claimants in seeking redress in respect of the Safari Workaround. This indicated that whatever the technical position as to the viability of a representative action, such an action would not serve as a means of avoiding a large number of similar claims clogging up the courts. On the contrary, the judgment found as follows:

“It would not be unfair to describe this as officious litigation, embarked upon on behalf of individuals who have not authorised it, and have shown no interest in seeking any remedy for, or even complaining about, the alleged breaches…. the Representative Claimant should not be permitted to consume substantial resources in the pursuit of litigation on behalf of others who have little to gain from it, and have not authorised the pursuit of the claim, nor indicated any concern about the matters to be litigated”

Similar reasoning would most likely have been applied to the case had the claimant sought a Group Litigation Order in respect of the claim, which is another means by which the claims could have been pursued on a collective basis in the English courts.

Applicability to GDPR and the Data Protection Act 2018

It will be apparent from the above that Lloyd v Google was brought under the 1998 Act and therefore refers to the pre-GDPR legal landscape. However, the reasoning set out above would appear to apply equally to Art 82 GDPR and s168 of the Data Protection Act 2018, each of which contemplates compensation only in circumstances where “material or non-material damage” has been suffered. The judgment therefore appears to be as relevant to the new legal landscape as to the old.