This article has been written by Kazi Ashique Azfar, pursuing a Diploma Programme in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho.

Introduction

Richard Lloyd (Lloyd), a consumer law advocate in 2017, filed a claim alleging Google LLC (Google) had failed to fulfill its obligation and breached its duties as a data controller under the Data Protection Act (DPA) 1998. The reason behind this claim was that the “Safari Workaround” or “DoubleClick cookie”, the technical workaround Google used to bypass the cookie settings of the Safari browser, was without the consent or knowledge of individuals to track their internet activities for commercial purposes during 2011-12.

Mr. Lloyd brought a representative action against Google for this breach and had claimed compensation on behalf of all the affected individuals in England and Wales. This is possible because of the structure of “opt-out” litigation which allows a claim to be brought on behalf of all the individuals who belong to a particular class of claimant without their expressed interest to participate. While Mr. Lloyd suggested an approximated compensation of around £750 to each individual, but for Google, it stood at a total of £3 billion liability.

The court at the first instance had dismissed Lloyds’s application to serve Google outside the jurisdiction in the USA, stating that none of the represented class had suffered damages under the DPA, 1998 and that the members of the class did not have the same interest. Thus, according to the court, it requires the damage from breach to be proved for identifiable individuals and follows the policy of not permitting opt-out class action like in the United States. The Supreme Court, however, on appeal allowed Llyod to serve his class representative action on Google.

Understanding the importance of the decision

Google allegedly, through this breach of privacy, was able to track the date and time users spent on any website, the pages they visited and for how long they stayed on it, and advertisement-related data, etc. This “browser-generated information” (BGI) was aggregated by Google and offered to advertisers for commercial gains.  

This issue has already been litigated in the U.K. in Vidal-Hall v. Google in 2015, where it was argued that the claimant had faced distress because of the infringement and is regarded as a landmark decision because it established that pecuniary damages were not a requirement for damages claim. Google also had a setback in the U.S where the Federal Trade Commission (FTC) fined it a whopping $22.5 million for its malpractices. 

As opposed to Vidal-Hall, Llyod, in the current case, argued for a uniform amount as damages for each individual within the defined class of affected parties “without seeking to allege or prove any distinctive facts affecting” them, except for the individual who decides to opt-out of the class action. This kind of class action suit is more common in the U.S as opposed to the U.K., where an opt-in class action is a norm. The difference between the two is that in opt-out claims, the members of a class are regarded to be participating in the class-action lawsuit by default, and in opt-in claims, the individual will have to consent to be a part of the lawsuit proactively.

Opt-out class action lawsuit is a recent development under English law and was introduced as late as 2015 through amendments to the Competition Act, 1998 by the Consumer Rights Act, 2015. The executive and the legislature have agreed and allowed on the class action lawsuits in case of competition law without ruling out its extension. While discussions were on to include such a provision for DPA, 2018, the legislature at the end decided otherwise. Therefore, the trend has been to disallow opt-out claims in other areas of law. While the Civil Procedure Rules (CPR), Rule 19.6 provides for bringing representative action lawsuits on behalf of a defined class of individuals who share the same interest in the claim, such claims are rare. The reason being the narrow interpretation of ‘shared interest’ which made it next to impossible. 

The court allowing the appeal is seen as a significant departure to the trend that has the potential to widen the scope for claims to be brought in respect of a failure to protect data under the DPA and GDPR. Without such a collective means of redress, the companies such as Google would go scot-free for such breaches, which does not cause any specific financial loss or distress because, for each individual, the compensation will be such low value that for the victims, it will not be worth the wick to bring a claim individually.

The High Court blocking the collective claim 

The court decided not to allow Llyod to bring a class action suit basing its decision on mainly two factors. It dealt with the two questions – 

• Whether there was a basis for compensation under the DPA, 1998? 
• Whether there was a real prospect that the court would permit the claim to continue as a representative action under CPR Part 19.6.” 

Reasonable basis for compensation

The court held that the claim did not have a reasonable basis for compensation as there was no link between the infringement and damage claimed as required by Section 13(1) of the DPA and Article 23 of the Directive. It stated that Llyod had failed to establish any damage for the purpose of compensation, which need not have been pecuniary but even emotional distress like in the case of Vidal-Hall. On behalf of all affected individuals citing the breach by Google and the resulting loss of data control over their personal data, Lloyd had claimed compensation, but the court rejected this claim. 

The court discussed the case of Gulati v. MGN Limited to differentiate between cases “deserving of substantial (as opposed to nominal) compensation.” The court stated that even though Gulati allowed the claim of damage in the absence of “material loss or distress”, it was an exceptional case. Further, allowing Llyod to bring such a claim would open floodgates to trivial data breaches where there is nothing to compensate.

Appropriateness of a representative action

The court stated that if there was no damage as it found, then there was no scope for a representative action under Rule 19.6 of CPR. However, expecting an appeal, the court still discussed and decided on if the case fulfilled the requirements of the Rule 19.6 of CPR. It held that there was no reasonable prospect of it being permitted to proceed as a representative action.

According to the court, the fundamental requirement to sustain a representative action is that the class must all have the same interest in the claim, and the present claim does not qualify because the members of the class do not share the “same interest”. Instead, the nature and extent of the breach would have affected the individual member very differently – depending on how frequent a user they were and their measures to protect their personal data. It was also stated that it would be practically impossible to identify the members of the class. It was not possible to exclude an unaffected person who comes forward to claim compensation. Even though the definition of the class was changed to exclude some people who could not have been affected, it was not enough because the issue was one of verification and lack of viable identification methods.

The court, on its initiative, exercised the discretion under CPR Part 19.6(2) to not allow the claimant to act as a representative, mainly finding that the proportional value of allowing such a claim which would yield benefit to the victims against the cost and time of the court to be “modest at best.”

The Court of Appeal : reversal of High Court’s decision

The Court of Appeal has overruled the High Court’s decision and allowed Llyod to serve his class representative action on Google. The main grounds considered in the appeal and based on which the claim was allowed:

Control over data as an asset 

The Court of Appeal found that the meaning of “damage” under Section 13 of DPA includes damages that are non-material and not pecuniary in nature. It further stated that even though data is not regarded as property under English law, it is protected. The fact that BGI has economic value is clear from the fact that Google could sell the data to interested advertisers, and similarly, the “consent to its use” also has value. Thus, the control over the data has value, and it follows that the loss of control must have a value. The court further relied on the Gulati case to establish that the loss of control over information has economic value even without any pecuniary loss or distress. The court, however, stated that there was a minimum threshold of seriousness and accidental one-off cases of such breach shall not amount to a claim of loss of control. 

Same interest and identification of class 

The Court of Appeal deriving from John v. Rees (1970) that the test for “same interest” is not stringent but flexible, and the fact that Llyod does not seek to rely on any personal circumstance affecting individual claimant qualifies the class in the test. The represented class have all suffered the same loss, the loss of control over their BGI. This means that the damage that can be claimed is the “lowest common denominator” of all the individual members of the class but does not mean that the class does not have the “same interest.”

On the matter of identification, the court stated that problems identified by the High Court were practical difficulties but did not affect the “formal ability to identify the class.” It stated that all the members of the class would, in theory, know if he falls within the definition and data in possession of Google can be used to identify the member or verify them.

Correctness of the High Court’s decision

The third ground which was looked into by the Court of Appeal was the correctness of the High Court’s decision to exercise discretion and bar the claim from being proceeded under the CPR 19.6 as a representative action. It decided to “exercise its discretion afresh”, rejecting the High Court’s characterisation of the claim as “officious litigation.”

Conclusion

The case is yet to reach its conclusion, Google had already appealed against this decision. The court has heard the arguments but is yet to publish its judgment. However, the current decision’s stand establishes the seriousness of the breach of the fundamental right to privacy and data protection. It also hints at representative class action gaining acceptability even though the Court of Appeal quickly conditioned it with the threshold of seriousness. Further, as a result of this decision, the businesses can expect to be subjected to be met with group claims amounting to huge pecuniary value on data privacy infractions, irrespective of the final outcome.

Reference

• Lloyd v Google: A good day for claimant lawyers; a bad day for Google and organisations defending privacy group litigation | Insights | DLA Piper Global Law Firm
• U.K. – Lloyd v Google: A one-off or the floodgates opening for privacy class actions? | DigiLinks | Linklaters
• Lloyd v Google – English High Court blocks collective data breach claim | Morrison & Foerster (mofo.com)
• Vidal-Hall v Google: A new dawn for data protection claims? | Fieldfisher
• Google to pay a record $22.5m fine to FTC over Safari tracking | Google | The Guardian
• Lloyd v. Google LLC [2019] EWCA Civ 1599 *Court of Appeal Judgment Template (bailii.org)
• The increase of data privacy group litigation – Lloyd v Google LLC | Womble Bond Dickinson

Students of LawSikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.