Much discussed among data protection types at the moment is the decision of the English Court of Appeal (CA) in Lloyd v Google. The decision, made earlier this month, makes it much easier to bring what are effectively class actions (or “representative claims” to give them their proper title) in the English Courts arising out of breaches of data protection law. This means that follow on damages claims after adverse regulatory rulings against organisations are much more likely, which in turn means that regulatory rulings (principally by the Information Commissioner’s Office) are almost certain to be hard fought and the process of dealing with them will need much greater care.
The case centred on Google’s alleged tracking of the internet activity of up to four million people and then marketing and selling the data derived from this to prospective advertisers. The court said Google’s actions caused the “loss of control or loss of autonomy” over individuals’ personal data which attracts a right to compensation per se under the Data Protection Act 1998 (DPA 1998). There is no need to demonstrate any pecuniary loss or distress. The Court of Appeal decided that this right to compensation is analogous with the right to compensation for misuse of private information, which was confirmed in the case of Gulati. That case had held that deprivation of the right to control the use of private information attracts compensation, with nothing more needed. However, Gulati did take into account the seriousness of that misuse of private information, giving the targets of phone hacking a remedy because of the “significant adverse effect” on them.
In terms of the representative claim, the court held that the claimant, Mr Lloyd, could proceed with such a claim as everyone affected has suffered the same basic deprivation of rights. Having said this, importantly, the claimant had to concede that he was representing people with claims at the lowest common denominator. If anyone was affected in an unusual way (e.g. because their more sensitive data had been used) then this could not be covered in the claim. So that is in one sense a small crumb of comfort to Google, and by extension to another defendant data controllers who may face such claims.
In addition, the court recognised that there is a minimum threshold of seriousness for a claim. In this case it was plainly satisfied. However, the court gave an example of an accidental data breach which is quickly remedied (which would undoubtedly lead to the temporary “loss of control” over personal data for the affected individuals) as an act of processing that is not sufficient to satisfy this threshold. By contrast, it noted that Google’s alleged use of individuals’ internet browsing information without their consent was deliberate, sustained, and for Google’s monetary gain. It also noted that personal data, and consent to its use, has an economic value which the individuals in this case had been deprived of.
Importantly, the Court of Appeal said its reasoning would not only apply to claims made under the DPA 1998 (as Mr Lloyd’s case was because the alleged activity occurred in 2011/2012), but also under the DPA 2018 adopting the GDPR. Indeed, the court noted that the recitals to the GDPR expressly acknowledge that “loss of control” is an example of the kind of “physical, material or non-material breach” that might be caused to individuals as a result of a data breach. So, if anything, we can expect to see many more claims like Mr Lloyd’s under the DPA 1998 and/or under the DPA 2018 and GDPR – unless, of course, the Supreme Court finds in favour of Google should that Court be persuaded to hear a further appeal. This is just the first stage in the case (to decide whether there is a viable claim which justifies serving the English proceedings on Google in the United States), so we wait to see how questions of liability and compensation play out, including crucially how an English court might set “lowest common denominator damages” for four million individuals.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, October 2019