High Court blocks £1-3bn data protection claims against Google

In a recent decision relating to the violation of consumer data privacy, the Court has set out helpful guidance regarding claims brought under the Data Protection Act 1998, as well as in respect of the conditions which must be satisfied for a representative action for breach of data privacy to be brought (Lloyd v. Google LLC [2018] EWHC (QB) 2599).

The claim arose from the alleged unlawful collection of personal data by Google between 2011 and 2012, and the secret tracking of the internet activity of iPhone users for the purpose of selling that accumulated data. Such data was collected via a ‘cookie’ which was installed on a large number of iPhones without the users’ knowledge or consent, breaching the Data Protection Act 1998 (DPA). Google faced regulatory sanction for this in the US in 2012, paying a $22.5m penalty.

The Claimant, Richard Lloyd, was the former director of the consumer rights association Which? Mr Lloyd sought to bring a representative action on behalf of a class of millions of end-users in the UK whose mobile browser data was collected by Google in breach of the DPA (the “Class”). The Class was envisaged to include several million iPhone users, totalling a potential compensation pot of £1-£3bn. In order to advance the proceedings, Mr. Lloyd needed the Court’s permission to serve his claim on Google in the USA. In the application for permission to serve out of the jurisdiction, the Court was required to determine, among other things, whether the Claimant could show a good arguable case that the members of the Class had suffered “damage”.

The Substantive Claim

The difficulty for Mr Lloyd, however, was that the members of the Class did not suffer “damage”. Although, he sought to argue that damage was suffered for: (1) infringement of data protection rights, (2) the commission of the wrong itself, and (3) loss of control over personal data, this was not sufficient. It was held that under the DPA actual damage must be sustained from a breach; mere contravention was not enough. Although damage need not be pecuniary – the Court gave an example of damage caused by distress suffered by receipt of unwanted advertising – this was not pleaded.

The Representative Action

The Court also considered whether the conditions for a representative action under CPR 19.6 were met, i.e. whether the representative claimant, Mr Lloyd, and the Class had “the same interest” in the claim.

In this regard, Warby J held that the essential conditions for a representative action under CPR 19.6 had not been satisfied, and that there was no reasonable prospect of the claim being permitted to proceed as a representative action, as:

1. The members of the Class which Mr Lloyd was seeking to represent did not all have the “same interest” in the claim; whereas certain iPhone users  would have a good case in respect of damages, clearly others would not (e.g. heavy internet users compared with an occasional internet user, the former having had much more data “tracked”).
2. Even if a Class could be defined, there would be insurmountable practical difficulties with ascertaining if a given iPhone user were a member of that Class. For instance, people may not remember iPhone behaviours or usage over a specific period and, in any case, such a procedure of ascertaining internet usage would be ripe for abuse by cynical members of the public.

So where does this decision leave collective claims for data breach? The theme running throughout Warby J’s judgment was that even if there was a technical breach of the data protection rules, it did not automatically follow that a person whose information has been acquired or used without consent invariably suffers compensatable harm. Proving actual damage is therefore key; mere infringement of a data protection right is not enough if there is no negative impact suffered by identifiable individuals.

Mr Lloyd has expressed an intention to appeal what he calls an “analogue decision in a digital age”, calling for new legislation to confer upon consumers “affordable collective redress”. The question indeed hangs in the air, in the context of rapid technological advancement increasingly being perceived to be outpacing legislative and procedural reform.