Lloyd v Google LLC  EWCA Civ 1599
To read the judgment click here.
The Court of Appeal has overturned the High Court’s decision, which had refused permission for Mr Richard Lloyd to serve proceedings on Google for the alleged secret collection of browser-generated information from Apple iPhone users. Mr Lloyd had brought the claim on behalf of more than 4 million UK users. Permission was refused on the basis that it is not possible to bring a representative action (‘class’ action) for ‘per capita’ compensation under section 13 of the Data Protection Act 1998, without proving pecuniary loss or distress to the individual.
Under the CPR 19.6 procedure, instead of requiring claimants to take steps to be part of the litigation, the represented class can automatically be joined as parties to the action. There is however a strict ‘same interest’ test, which requires that the claimants’ losses must be uniform, and the defence to the claim singular. This means that there can be no variation between the individual claimant’s circumstances.
The key question was whether the ‘loss of control’ of data could be classified as ‘damage’ for the purpose of the Data Protection Directive and the Charter of Fundamental Rights of the European Union. The starting point taken by the Court of Appeal was that a person’s browser-generated information has economic value and therefore control over that data is an asset that has value. The Court of Appeal then went on to consider Gulati v MGN Ltd  EWCA Civ 1291.
Gulati was a case concerning the tort of the misuse of private information rather than data protection (listen to my summary of Gulati here). However because the underlying rights in Gulati and in this present case are both based on the principle that privacy should be protected, and both involve the loss of control of personal data, the Court of Appeal considered it highly relevant.
Gulati established that damages for misuse of private information were available to compensate for loss of control of information, without proof of pecuniary loss or distress. The Court of Appeal highlighted the principle of ‘equivalence’: “the detailed procedural rules governing actions for safeguarding an individual’s rights under EU law must be no less favourable than those governing similar domestic actions” [paragraph 52], concluding that it would be inappropriate for a court to apply different approaches to the meaning of damage.
Other points made by the Court of Appeal was that the GDPR also provides a right to compensation for ‘non-material damage’ as a result of a data protection breach (Article 82.1) and recital 85 to the GDPR specifically identifies loss of control over personal data as a type of damage, albeit in reference to the need to notify authorities of data breaches.
This is a significant decision by the Court of Appeal. These types of claims are often difficult to bring to court because such data breaches do not often lead to financial loss, and in most cases claimants will not have suffered ‘distress’ as they would have been unaware of the breach. If claimants are able to seek damages for ‘loss of control’ of their personal data, the measure will be uniform across the group, making it possible and financially viable to bring ‘class’ action data breach claims.
However it was made clear by the Court of Appeal that loss of control damages will not be available for trivial, or de minimis, data protection infringements. The extent to which it can be applied to the different types of breaches of the data protection principles remains to be seen. The Court of Appeal refused Google permission to appeal, but it may make an application for permission to appeal to the Supreme Court.
If you are interested in any further information or advice, please contact my clerks on: 0300 0300 218