Groundbreaking UK claim against Google will proceed
December 2019 | SPOTLIGHT | DATA PRIVACY
Financier Worldwide Magazine
December 2019 Issue
The Court of Appeal of England and Wales has revived Lloyd v. Google LLC, a representative action against Google LLC – a decision that could have far-reaching, costly implications for the future of data privacy litigation in the jurisdiction. In October 2018, the High Court refused the claimant’s application for permission to serve proceedings out of the jurisdiction on Google in California. In its recent judgment, the Court of Appeal reversed this decision, giving the green light for the action to proceed.
What does the claimant allege?
According to the claim, Google covertly tracked, for commercial purposes, the browsing activity of more than four million iPhone users in England and Wales during a six-month period between 2011 and 2012. Specifically, Google is said to have intentionally bypassed the default privacy settings on the iPhone’s Safari browser and set ‘DoubleClick Ad’ cookies on certain users’ devices without their knowledge or consent.
Google allegedly used these cookies to collect significant ‘browser generated information’ (BGI), ranging from the date and time users visited websites and the time spent on the websites to the particular advertisements viewed, and even users’ geographic locations. From these browsing habits, Google was able to obtain or deduce information relating to users’ interests and habits, race or ethnicity, social class, political and religious views or affiliations, age, gender, health, sexuality and financial status. Google is then said to have aggregated the BGI to create groups of users that were sold to advertisers interested in targeting those groups.
This conduct, according to the claimant, violated multiple data protection principles in the UK Data Protection Act 1998 (DPA), which implemented the European Data Protection Directive 1998 – the predecessor of the European General Data Protection Regulation (GDPR). The claimant seeks damages of £3.2bn on behalf of himself and the proposed class. Google’s own estimate of the potential liability is between £1bn and £3bn.
Why did the High Court originally refuse the application?
Seeking to commence litigation, the claimant requested permission to serve proceedings on Google in California, outside of the English courts’ jurisdiction. Permission for extraterritorial service requires a claimant to demonstrate that each claim falls within at least one “jurisdictional gateway” set out in the Civil Procedure Rules, that the claim has a “reasonable prospect of success” and that England is the appropriate place to try the claim.
In the High Court’s view, the jurisdictional gateway requirement was not met, nor was there a reasonable prospect of success. The “tort gateway” applicable in this case requires that damage be sustained, or result from an act committed within the jurisdiction. So too is ‘damage’ required for there to be a reasonable basis for seeking compensation under the DPA, as required by the “reasonable prospect of success test”. This proved fatal to the claimant’s request, since, according to the High Court, the sale of users’ BGI, even without their knowledge and consent, does not constitute damage under English law.
Though acknowledging that a loss of control over personal data may rise to the ‘distressing’ threshold to constitute actionable damage, the High Court judge observed that distress was not alleged by the claimant. Instead, he sought damages based on the infringement of data protection rights, the commission of the wrong and the loss of control over personal data. Finding an absence of European authority demonstrating that these purported breaches, on their own, amount to damage, the High Court judge deemed the damage requirement unsatisfied.
Notwithstanding, the judge proceeded to consider the second hurdle of the “reasonable prospects of success” test: whether the claim might be allowed to proceed as representative action. This requires that each member of the class has the same interest in the claim, that the class is definable and that the court exercises its discretion in favour of allowing the action to proceed. Despite the claimant’s argument that “each member of the class has suffered the same damage as a result of Google’s infringement of the rights under the DPA”, the judge found that they did not have the same interest in the claim and that it was impossible to identify all of the class members.
The judge noted that, in any case, he would have exercised his discretion against allowing the claim to proceed. He found that the litigation would be costly and deplete valuable judicial resources, any recovery would be modest at best, and the majority of damages would go to lawyers and litigation funders. The judge was also persuaded by the fact that very few individuals of the millions in the purported class had complained or identified themselves as victims. With these considerations in mind, the judge remarked that “[i]t would not be unfair to describe this as officious litigation”.
What did the Court of Appeal decide?
The Court of Appeal unanimously reversed the decision of the High Court and granted the claimant permission to serve proceedings on Google out of the jurisdiction.
The Court of Appeal disagreed with the judge at first instance, concluding that Google’s alleged breaches could have caused ‘damage’ under the DPA, even absent allegations of pecuniary loss or distress. Control over data is itself an asset with economic value, which the court found was demonstrated by Google’s ability “to sell BGI collected from numerous individuals to advertisers who wished to target them with their advertising”. The Court of Appeal reached this conclusion on analysis of the DPA wording “[an] individual who suffers damage by reason of [a breach] is entitled to compensation” when read in the context of the Data Protection Directive, the European Convention for the Protection of Human Rights and Fundamental Freedoms, the Charter of Fundamental Rights of the European Union (EU), and the decision in Gulati v. MGN Limited.
Next, the Court of Appeal determined that the group of individuals which the claimant sought to represent did share the same interest: the loss of control of valuable BGI collected by Google without consent in the same circumstances during the same period. The claimant was not, the court noted, seeking to rely on any personal circumstances affecting specific individuals. As such, regardless of whether the volume of BGI collected from individuals differed or the collection distressed individuals to varying degrees, the recovery for each would be the same – essentially, “the lowest common denominator”. Further, any defence Google could raise would similarly apply to all group members. The Court of Appeal also disagreed as to the impossibility of identifying all the class members, observing that Google’s own data would permit identification.
Finally, determining that the High Court judge had erred in considering several factors irrelevant to his discretion, the Court of Appeal “exercise[d] its discretion afresh” and ruled that the claimant may proceed with service on Google. Though acknowledging “[t]he case may be costly and may use valuable court resources”, the court stressed that the litigation will “ensure that there is a civil compensatory remedy for what appear, at first sight, to be clear, repeated and widespread breaches of Google’s data processing obligations and violations of the Convention and the Charter”.
The Court of Appeal has refused Google permission to appeal, but Google is expected to appeal this refusal to the Supreme Court.
What should privacy practitioners and data controllers take away from the decision?
Though commonplace in the US, class action litigation has remained relatively rare in England and Wales. The absence of a US-style class action rule and factors such as ‘loser pays’ costs rules, bench trials in civil cases and the unavailability of punitive damages have typically inhibited class action litigation. The representative action mechanism used in the UK has not been applied to mass torts because the ‘same interest’ threshold test normally rules out such actions, which are typically characterised by multiple individual issues. So, what has changed?
The technology and legislative landscape of data privacy in the form of the DPA and the GDPR has changed significantly. Data breaches now carry very serious consequences. This, in turn, is changing the litigation landscape.
Lloyd is not the only example. Following the announcement by the UK Information Commissioner’s Office (ICO) that it intended to fine British Airways £183.39m for GDPR infringements following a 2018 data breach, group litigation proceedings for compensation have been commenced against the airline by individuals whose data was stolen. Plainly, the perils of non-compliance with data protection regulations like the DPA and the GDPR are no longer confined to regulatory fines and sanctions.
The finding will be of interest beyond England’s borders because in reaching its ‘damage’ conclusion, the Court of Appeal referred to the GDPR, specifically Article 82.1, affording the right to compensation to persons who have suffered either material or non-material damage as a result of a GDPR infringement, and Recital 85, in which ‘loss of control’ over personal data is provided as an example of the “physical, material or non-material damage” that a data breach may cause.
In light of the Court of Appeal’s ruling on damage and the finding that the representative action requirements were met in that the class members share the same interest, it would not be surprising to see Lloyd serve as the blueprint for lowest common denominator representative actions alleging encroachments on the fundamental right to data privacy and security. That is particularly so given the increasing availability in England of third-party litigation funding, which is generally based on contingency fees. It is worth stressing, however, that the claim in Lloyd was carefully framed to avoid implicating individual differences between class members. This would likely not be possible in the context of other mass torts.
For these reasons, this groundbreaking decision is certainly a matter of concern for companies, and the outcome of an appeal, if allowed, will be keenly awaited by all data privacy practitioners.
Kate Paine and Marisa Pearce are associates and Sarah L. Croft is the administrative managing partner at Shook, Hardy & Bacon LLP. Ms Paine can be contacted on +1 (813) 202 7151 or by email: kpaine@shb.com. Ms Pearce can be contacted on +44 (0)20 7332 4500 or by email: mipearce@shb.com. Ms Croft can be contacted on +44 (0)20 7332 4500 or by email: scroft@shb.com.
© Financier Worldwide
BY
Kate Paine, Marisa Pearce and Sarah L. Croft
Shook, Hardy & Bacon LLP