This is a class action case led by Richard Lloyd against Google which has been appealed through the courts up to the Court of Appeal. The Claimant has made the claim on behalf of over 4 million Apple iPhone users who have had their data, which was under the control of Google, secretly tracked and sold for commercial purposes.
At all previous hearings the claim to serve Google outside the jurisdiction has been dismissed because (a) none of the represented class had suffered “damage” under section 13 of the Data Protection Act 1998 (the “DPA”), (b) the members of the class did not anyway have the “same interest” within CPR Part 19.6(1) so as to justify allowing the claim to proceed as a representative action, and (c) the judge of his own initiative exercised his discretion under CPR Part 19.6(2) against allowing the claim to proceed.
Specifically, the matter concerned the acquisition and use of browser generated information or “BGI”. This is information about an individual’s internet use which is automatically submitted to websites and servers by a browser, upon connecting to the internet. BGI will include the IP address of the computer or other device which is connecting to the internet, and the address or URL of the website which the browser is displaying to the user. As is well-known, “cookies” can be placed on a user’s device, enabling the placer of the cookie to identify and track internet activity undertaken by means of that device. Google used this information to sell on to advertisers so that companies could personalise advertising material to for each user based on their previous search results. Note, that all of this was being done behind the scenes without the authorisation of each individual user.
One of the big sticking points with this case has been the damage caused and then subsequent damages to be awarded if Google are found liable. At paragraph 40 of the Judgment it is explained that:
“the starting point is the distinction between EU law and domestic law. As the Court of Appeal said in Vidal-Hall at : “[i]t is a well-established principle of EU law that legal terms have an autonomous meaning which will not necessarily accord with their interpretation in domestic law”. In providing that “an individual who suffers damage by reason of any contravention” was entitled to compensation, section 13 was implementing the provision of article 23 to the effect that “any person who has suffered damage as a result of an unlawful processing operation is entitled to receive compensation”. Accordingly, the language of both is to be construed as a matter of EU law. The object of the Directive was to ensure that Member States should protect “the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data”, and to ensure an equivalent level of protection of the rights of individuals with regard to the processing of data. Accordingly, the objectives of article 8 of the Convention were given effect in the Directive. Article 8 of the Charter confirmed the protection of data rights covered by the Directive, by providing that everyone had “the right to the protection of personal data concerning him or her” and that “such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned”.
It was also considered that cases such as the Gulati case where loss of control over telephone data was held to be damage for which compensation could be awarded. It would be wrong in principle if the represented claimants’ loss of control over BGI data could not, likewise, for the purposes of the DPA, also be compensated. The judge concluded that “For the reasons, I have given, I would conclude that damages are in principle capable of being awarded for loss of control of data under article 23 and section 13, even if there is no pecuniary loss and no distress.” There is however no decision made on the type of damages to be awarded at this stage.
The identification of the class of persons was the other main issue. It was considered by the judge at paragraph 80 of the judgment that:
“The judge saw the problem as one of verification, and determined that the class was not identifiable because he held that the class definition had to be “workable” in addition to “conceptually sound”. In my judgment, the only applicable test is that “it must be possible to say of any particular person whether or not they qualify for membership of the represented class of persons by virtue of having” the same interest as Mr Lloyd “[a]t all stages of the proceedings, and not just at the date of judgment”. I cannot see why that test is not satisfied here.” It then went on to state: “Mr Lloyd contends that the judge took several matters into account that he ought not to have done, namely: (a) his view that the main beneficiaries of the claim would be the funders and the lawyers, (b) the fact that the litigation would generate significant costs and that the amount recovered by each class member would be modest, (c) that none of the millions of affected individuals had come forward to complain, (d) the inability to identify the members of the class, and (e) that the members of the class had not authorised the claim.”
It was concluded at paragraph 88-90 that a claimant can recover damages for loss of control, that the class issues were considered to have the same interest as Mr Lloyd and were identifiable and lastly that would allow the appeal and make an order granting permission to serve proceedings on Google outside the jurisdiction of the court.
This will now be watched closely to see if the precedent that has been set result in future cases having to change the way in which damages are calculated or how a class action is identified. Keep an eye on our analysis of some key points from this case such as Data Protection and right to privacy and damages where no damage is visible.
For the full judgment, see case citation Lloyd v. Google LLC  EWCA Civ 1599.