The Court of Appeal has held that an individual can claim for compensation under section 13 of the Data Protection Act 1998 where a breach of the DPA results in a “loss or diminution of a right to control” their personal data. A claim of compensation would not require the claimant to prove pecuniary loss or distress.
The case concerns a claim brought by Mr Lloyd against Google LLC on behalf of a class of more than 4 million iPhone users for damage suffered under section 13 of the Data Protection Act 1998 (“DPA”). It is alleged that between August 2011 and February 2012, Google had tracked the internet activity of these iPhone users and subsequently sold the data to advertisers, without user consent or knowledge.
The High Court and the Court of Appeal took opposing views on all principles considered, namely:
Proof of pecuniary loss or distress
Central to the judgments were:
On the first of the above points, it was clear to the court that a person’s browser generated information which was of value to Google because they were able to sell it to advertisers. Consent of the individuals to the use of such data therefore also has an economic value, and it followed, therefore, that the loss of that control must also have a value.
Whether or not this loss was something that could be compensated under the DPA, the Court of Appeal then looked to Gulati where it was held that damages for the common law tort of misuse of private information could be awarded in the absence of material loss or distress, for the “loss or diminution of a right to control formerly private information”.
Where the High Court had disapplied Gulati from the present case, the Court of Appeal took the opposing view. Firstly, it took the view that the domestic actions under the common law and breach of the DPA derive from the same European privacy and data protection regime such that it would be inappropriate not to align the approaches to damages. Secondly, given that a claimant could be compensated for a loss of control of telephone data, this should also apply to a loss of control of browser generated information. Following Gulati, compensation in the present case would not require a claimant to prove material loss or distress.
Tests for Group Litigation: same interests and identification
Although it was recognised that an individual may have personal attachments and attitudes towards data disclosure, the Court of Appeal did not consider this to mean that such individuals would not share the “same interest” for the purposes of group litigation under CPR 19.6.
The “same interest” test applied by the High Court judge was significantly diluted in the overruling judgment. In the Court of Appeal’s simple words: “The wrong is the same, and the loss is the same”.
By extension, the Court also found that the class description provided by Mr Lloyd was sufficient, not least because Google would also be able to identify who is (and who is not) in the class.
Consistent with its rhetoric in this case, the Court of Appeal exercised its discretion in allowing the claim to proceed. The court expressed a wider interest in ensuring that Google accounts for breaches of its data processing obligations and violations of the legal instruments that protect an individual’s right to privacy. It is implicit in the judgment that finding an appropriate remedy for this sort of damage should take priority over the potential costs and resources involved in bringing the claim.
The ruling demonstrates the tougher stance taken by the English courts against data handling activities contrary to the fundamental rights to privacy and breaches of data protection obligations.
What is also noteworthy is the Court of Appeal’s consideration of the provisions of the GDPR and the Data Protection Act 2018 in its ruling. The reference to current data protection laws for guidance on the interpretation of damages under the now-repealed DPA is a clear indication of the court’s future approach towards similar claims under the GDPR.
The sympathy afforded by the courts through a broader “same interest” test may have the effect of lowering the barrier with regards to group litigation. This would potentially increase an organisation’s exposure to representative action for breaches of data protection laws.
However, as alarming as the judgment may seem, some comfort can be found in the court’s acceptance that not all breaches would immediately result in compensation. There is a threshold of seriousness to be met and a balancing exercise that will be undertaken by the courts. For example, an accidental one-off data breach that is quickly remedied is very unlikely to result in a successful claim for damages.
Google is expected to appeal this case, and Waterfront Solicitors will be keeping track of updates (no consent required for this one) so watch this space.
Data breaches: Is personal data held in your systems secure?
European Commission launches process on personal data flows to UK
In these working from home days, where weekdays seem to blend into weekends which melt into weekdays again, most of us don’t have the luxury of offices at home. Space is at a premium. Desks or dining room tables are shared. Papers are strewn across the floor. We…
The Information Commissioner’s Office (ICO) has changed their guidance on subject access requests (SARs), as well as other data subject requests relating to their individual rights such as rectification, erasure and data portability. We have referred to them throughout as “data subject requests” or “DSRs”. So what’s changed?…