In a recent decision relating to the violation of consumer data privacy, the Court has set out helpful guidance regarding claims brought under the Data Protection Act 1998, as well as in respect of the conditions which must be satisfied for a representative action for breach of data privacy to be brought (Lloyd v. Google LLC [2018] EWHC (QB) 2599).
The claim arose from the alleged unlawful collection of personal data by Google between 2011 and 2012, and the secret tracking of the internet activity of iPhone users for the purpose of selling that accumulated data. Such data was collected via a ‘cookie’ which was installed on a large number of iPhones without the users’ knowledge or consent, breaching the Data Protection Act 1998 (DPA). Google faced regulatory sanction for this in the US in 2012, paying a $22.5m penalty.
The Claimant, Richard Lloyd, was the former director of the consumer rights association Which? Mr Lloyd sought to bring a representative action on behalf of a class of millions of end-users in the UK whose mobile browser data was collected by Google in breach of the DPA (the “Class”). The Class was envisaged to include several million iPhone users, totalling a potential compensation pot of £1-£3bn. In order to advance the proceedings, Mr. Lloyd needed the Court’s permission to serve his claim on Google in the USA. In the application for permission to serve out of the jurisdiction, the Court was required to determine, among other things, whether the Claimant could show a good arguable case that the members of the Class had suffered “damage”.
The difficulty for Mr Lloyd, however, was that the members of the Class did not suffer “damage”. Although, he sought to argue that damage was suffered for: (1) infringement of data protection rights, (2) the commission of the wrong itself, and (3) loss of control over personal data, this was not sufficient. It was held that under the DPA actual damage must be sustained from a breach; mere contravention was not enough. Although damage need not be pecuniary – the Court gave an example of damage caused by distress suffered by receipt of unwanted advertising – this was not pleaded.
The Court also considered whether the conditions for a representative action under CPR 19.6 were met, i.e. whether the representative claimant, Mr Lloyd, and the Class had “the same interest” in the claim.
In this regard, Warby J held that the essential conditions for a representative action under CPR 19.6 had not been satisfied, and that there was no reasonable prospect of the claim being permitted to proceed as a representative action, as:
So where does this decision leave collective claims for data breach? The theme running throughout Warby J’s judgment was that even if there was a technical breach of the data protection rules, it did not automatically follow that a person whose information has been acquired or used without consent invariably suffers compensatable harm. Proving actual damage is therefore key; mere infringement of a data protection right is not enough if there is no negative impact suffered by identifiable individuals.
Mr Lloyd has expressed an intention to appeal what he calls an “analogue decision in a digital age”, calling for new legislation to confer upon consumers “affordable collective redress”. The question indeed hangs in the air, in the context of rapid technological advancement increasingly being perceived to be outpacing legislative and procedural reform.