The Court of Appeal has held that an action for alleged data breaches using the CPR 19.6 representative action procedure can go ahead, overturning the High Court’s decision which had refused permission to serve the proceedings on the defendant in the US: Lloyd v Google LLC  EWCA Civ 1599.
The decision is significant in finding that damages can be awarded to compensate for an individual’s loss of control of personal data, without the need to establish financial loss or distress. That is contrary to the High Court’s decision, which had found that the damage had to be something separate to, and caused by, the infringement. Although the case is brought under the Data Protection Act 1998 (“DPA”), rather than the GDPR which has superseded it, it seems likely that a similar approach will apply to claims under the GDPR.
The decision is also of interest in establishing that claims for data breaches may be able to proceed on what is effectively an “opt-out” basis under the CPR 19.6 representative action procedure, instead of requiring claimants to use the group litigation order (or “GLO”) procedure. Unlike a GLO, which requires individual claimants to take steps to join the group action, there is no need under CPR 19.6 for the represented class to be joined as parties to the action or even to be identified on an individual basis. That means it is very much easier to get a financially viable claim off the ground.
It should not be assumed, however, that this decision will lead to a flood of mass damages claims being brought using the CPR 19.6 representative action procedure. The decision leaves intact the strict “same interest” requirement, which means that the procedure cannot be used where class members’ losses must be determined individually, or where there may be different defences to the claims. That requirement is very unlikely to be met for most causes of action, where there is likely to be some variation between individual claimants’ circumstances. Even in claims for data breaches, it is implicit in the decision that the CPR 19.6 procedure could not have been used if the claimants were seeking damages for financial loss or distress, as these will vary depending on personal circumstances.
Julian Copeman, Harry Edwards, Miriam Everett and Maura McIntosh consider the decision further below.
Richard Lloyd, a former executive director of the UK Consumers’ Association, has brought the present claim against the defendant Delaware-resident corporation on behalf of a class of more than four million UK-resident iPhone users. The claim alleges that the defendant secretly tracked some of their internet activity, for commercial purposes, in 2011/2012.
The claim seeks compensation under section 13(1) of the DPA, which provides as follows:
“An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.”
Under section 13(2), individuals can also bring claims for compensation for distress suffered as a result of such contravention, but the present claim does not seek compensation for distress under that provision. Nor is any financial loss alleged. Instead, the claim is for an equal, standard “tariff” award for each class member, to reflect the infringement of their rights and their loss of control over their personal data. In the alternative, there is a claim for user damages, based on the hypothetical fee class members could have charged for allowing the use of their data.
The claim is brought as a representative action under CPR 19.6, which allows a claim to be brought by (or against) one or more persons as representatives of any others who have the “same interest” in the claim.
The claimant applied for permission to serve the present proceedings on the defendant out of the jurisdiction, but the High Court refused permission on two bases:
- It found that a claim for compensation under the DPA requires proof of damage. In the present case, the claimant had failed to identify any harm caused as a result of the alleged breach, instead claiming compensation for the fact of the infringement, and associated loss of control over the personal data. The judge described the pleaded case as circular: it asserted that the commission of the tort had caused compensatable damage, consisting of the commission of the tort. The court also rejected the alternative claim for user damages, saying it was barred by authority, and in any event it was wholly artificial to envisage a bargaining process involving the claimants in this case, where the only realistic option open to them was to refuse consent.
- The court also found that the “same interest” requirement under CPR 19.6 was not met. A representative action could not be brought unless every member of the class had suffered the same damage, or their share of a readily ascertainable amount was clear. Nor could such an action be brought where different potential defences were available in respect of claims by different members of the class. Here, even if the judge was wrong about what amounted to damage for the purposes of section 13(1) of the DPA, the amount of compensation still depended on the facts, as neither the breach of duty nor the impact of it would be uniform across the entire class membership.
In any event, the judge said he would have exercised his discretion to refuse to allow the claim to proceed under CPR 19.6, taking into account the likely costs, the court time required, the fact that the compensation recoverable by each represented individual would be “modest at best”, and that the main beneficiaries of any award would be the funders and lawyers. It was also significant that, in the judge’s view, there was no real indication that those on whose behalf the claim was supposed to be brought actually cared very much about the relevant events.
The claimant appealed.
The Court of Appeal overturned the High Court’s decision and granted permission to serve the claim out of the jurisdiction. The Chancellor, Sir Geoffrey Vos, gave the leading judgment, with which Lord Justice David and The President of the Queen’s Bench Division, Dame Victoria Sharp, agreed.
Damages for infringement of data protection rights
The Chancellor noted that section 13 of the DPA was introduced to implement article 23 of the Data Protection Directive, and that the language of both must be construed as a matter of EU law. The right to the protection of personal data is also protected under article 8 of the Charter of Fundamental Rights of the European Union, and the right to an effective remedy for violation of EU rights is protected under article 47 of the Charter.
The Chancellor also noted that it was common ground in the present case that, if the court found that “loss of control” damages were available as alleged by the claimants, the court would be entitled to refuse to award damages for a trivial or de minimis infringement.
Against that background, the Court of Appeal found that damages are in principle capable of being awarded for loss of control of data under article 23 and section 13, even if there is no pecuniary loss and no distress. Even if data is not technically regarded as property in English law, its protection under EU law is clear. It is also clear that a person’s browser generated information, or “BGI”, has economic value and can be sold, and in fact the defendant had sold BGI collected from individuals to advertisers who wished to target them with advertising.
The Court of Appeal’s decision in Gulati v MGN Ltd  EWCA Civ 1291 was also relevant. In that case the court found that damages for the tort of misuse of private information were available to compensate for the loss of control of information, without proof of pecuniary loss or distress. Gulati was not strictly binding in the present case, as it was not a decision on the DPA, but it was relevant by analogy. The EU law principles of equivalence and effectiveness pointed to the same approach being adopted in the two torts, for misuse of private information and under section 13 of the DPA, as they both derive from a common European right to privacy.
The Chancellor said he also found it “helpful although not decisive” to consider how damage is dealt with under the GDPR, which replaced the Directive. In particular, article 82.1 of the GDPR provides a right to compensation for “material or non-material damage” resulting from infringement. It was also noteworthy that recital 85 to the GDPR lists “loss of control” over personal data as an example of the kind of damage that might be caused as a result of a data breach (though in the context of discussing the need to notify data breaches within 72 hours, not the provisions regarding compensation). That, the Chancellor said, accorded with his conclusion on the availability of damages for non-trivial data processing breaches in respect of loss of control.
It was not necessary to decide whether the claimants might also, or alternatively, be able to recover so-called user damages, but the Chancellor commented that he could “see no reason in principle why it is not, at least, fairly arguable that damages might in this case be assessed on the user basis”.
Same interest under CPR 19.6
The Court of Appeal held that the judge had applied too stringent a test of “same interest”, partly because of his determination of the meaning of damage under section 13.
The represented class were all victims of the same alleged wrong, and had all sustained the same loss, namely loss of control over their BGI. Significantly, they were not seeking to rely on any personal circumstances affecting individual claimants (such as distress or volume of data abstracted). The Chancellor noted that this concession would have the effect of reducing any damages that could be claimed to “what may be described as the lowest common denominator”. However, it meant it was impossible to imagine that a defence could apply to one represented claimant that did not apply to all others. The represented parties did, therefore, have the same interest in the relevant sense. As the Chancellor put it:
“If individual circumstances are disavowed, the representative claimant could be entitled to claim a uniform sum in respect of the loss of control of data sustained by each member of the represented class. The sum will be much less than it might be if individual circumstances were taken into account, but it will not be nothing…. It will take into account, at least, the facts of the tort proved against Google generically, and the effect, in terms of loss of control of personal data, that the breaches would have on any person affected….”
The Chancellor noted that he had considered whether there might be injustice in allowing the claimant to represent individuals who may have sustained significant pecuniary loss or distress as a result of the data breach alleged. But since the limitation period had now expired, and represented claimants could, at least in theory, seek to be joined as parties if they wished to claim additional losses, he could not see that there was any injustice in the claim proceeding as a representative one.
Exercise of discretion
The Court of Appeal accepted that the judge was entitled, in exercising his discretion under CPR 19.6, to take into account his view that the main beneficiaries of the claim would be the funders and the lawyers, that the litigation would generate significant costs and the amount recovered by each class member would be modest, and that none of the millions of affected individuals had come forward to complain.
However, he had also taken into account irrelevant factors, including that the members of the class had not authorised the claim. As a result, it was open to the court to exercise its discretion afresh, and it concluded that the representative action should be allowed to proceed, including because it was in practice the only way in which the claims could be pursued.