4 October 2019 Richard Cumbley  -  Georgina Kon  -  Julian Cunningham-Day DigiLinks

UK – Lloyd v Google: A one-off or the floodgates opening for privacy class actions?

The Court of Appeal has allowed a representative action against Google to proceed, thus potentially opening the way for opt-out class actions for privacy breaches. We consider the wider implications for privacy litigation.

Background

This case arose out of the “Safari Workaround” - essentially Google’s use of a technical workaround to bypass the cookie settings on the Safari browser and place tracking cookies without the individual’s knowledge or consent. This was a clear breach of privacy laws by Google which was fined by US regulators. 

Mr Lloyd launched a representative action against Google for this breach. The use of a representative action is important as it is a form of “opt-out” litigation - the claim is made on behalf of everyone who is a member of a particular class of claimant. It contrasts with a Group Litigation Order, such as that used in the Morrisons’ litigation (here), which is “opt-in” and requires individual claimants to decide to become party to the litigation.

This opt-out structure allowed Mr Lloyd to claim on behalf of more than 4 million affected individuals in England and Wales. This could lead to significant liability. Mr Lloyd suggested they should receive approximately £750 compensation each, which indicates a total liability for Google of up to £3 billion. 

Court of Appeal – Claim can proceed

The High Court dismissed the claim describing it as “officious litigation, embarked upon on behalf of individuals who have not authorised it, and have shown no interest in seeking any remedy for, or even complaining about, the alleged breaches”.

However, the Court of Appeal reversed this decision and allowed the representative claim to proceed. It has done so on the basis of three key findings:

  • Compensation for loss of control: The Court decided a claim for damage under data protection law includes a claim for “loss of control” of that data, even if there is no pecuniary loss and no distress. The data collected by Google clearly had an economic value (given Google’s ability to monetise that data) and so a loss of control over that data must equally have value. The Court left open the question of whether this type of breach might also provide a claim for “negotiation damages” following the principles in One Step v Morris-Garner [2018] UKSC 20. This conclusion draws heavily on the need to provide an effective remedy where fundamental rights are infringed. However, the court did say there was a threshold of seriousness and an accidental one-off breach might not give rise to such a “loss of control” claim.
  • Claimants have the same interest: This allowed the court to find that the claimants all have the “same interest” in the claim, which is essential for a representative action. That interest was for a claim for loss of control of their browsing information. There is no claim for damage or distress, which might vary greatly from claimant to claimant.
  • Case should proceed: Finally, the Court of Appeal decided it should exercise its discretion to allow the case to proceed. This is largely based on its conclusion there has been alleged “wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit”.
Quantum - Not worth the wick

While Mr Lloyd is claiming £750 per head, the Court’s findings might suggest a much lower figure. In particular, for the claimants to all have the “same interest” their claim must not only be limited to a claim for loss of control, but must also be based on the “lowest common denominator”.

In other words, it appears that the claim must be based on something like a single use of the Safari browser and a single instance of that user’s browsing data being unlawfully obtained by Google. While the Court states the damages “will not be nothing”, it remains to be seen if they will be next to nothing. There is a risk the litigation may turn out to “not merely not have been worth the candle, it will not have been worth the wick (Jameel v Dow Jones [2005] EWCA Civ 75).

A one-off or opening the floodgates?

The other important issue is whether this case is a one-off based on the exceptional circumstances of the Safari workaround or is the basis for representative actions to be brought in other cases.

Much of the judgment suggests that this may be peculiar to its facts. Vos LJ’s criticism of Google is trenchant referring to “clear, repeated and widespread breaches of Google's data processing obligations and violations of the Convention and the Charter” and the individuals’ personal data being “deliberately and unlawfully misused, for Google's commercial purposes, without their consent and in violation of their established right to privacy”.

Moreover, the Court clearly states that there is a threshold of seriousness. A claim for loss of control of personal data would not arise in relation to “an accidental one-off data breach that was quickly remedied”. Instead, in such a case, the individual would likely need to prove actual damage, non-material damage or distress.

Conclusions

Perhaps the most important takeaway from this judgment is how seriously the Court of Appeal takes the fundamental right to privacy and data protection.

Representative actions may well remain rare and limited to situations in which there is a deliberate and widespread misuse of data, but claims for breach of data protection in other contexts seem likely to find a sympathetic reception in the English courts.  For businesses who are subject to obligations to notify individuals about privacy failures – particularly long-term security breaches – there are likely to be representative actions brought against them, irrespective of their longer term merits, as a result of this decision.  US readers may well feel that is no more than a correction of UK practice, bringing the launch of privacy related class actions in the UK more into line with that of the US; but that won’t reduce the likely impact on UK plc.

Google have said they will appeal the decision. Even if that appeal is lost, there will need to be a substantive hearing to consider liability and, more importantly, quantum.

Lloyd v Google LLC [2019] EWCA Civ 1599 is available here.