Class-action style compensation allowable in UK data protection cases if claims overcome specific hurdles
The number of significant data protection related cases which reach the law courts seems to be increasing (Google/DeepMind, Warren v DSG Retail Ltd, Rolfe & Ors v Veale Wasbrough Vizards LLP).
The UK Supreme Court’s judgement in Lloyd v Google LLC, given on 10 November, is a victory for Google in that Google does not have to pay compensation for its secret tracking of Apple users’ browsing patterns. It can also be seen as showing the pathway to claims for damages for harm and/or distress in future cases. So this judgement is much more nuanced than might first appear.
In the words of the Supreme Court’s official summary: “The claim is based on the factual allegation that, for several months in late 2011 and early 2012, Google secretly tracked the internet activity of some 4 million of Apple iPhone users in England and Wales and used the data collected without the users' knowledge or consent for commercial purposes (by enabling advertisers to target advertisements at users based on their browsing history).”
The court supported the use of a representative action, in principle, by way of a history lesson on the development of this instrument citing cases back to 1805. The use of such collective actions is specifically permitted in the Competition Act but was not in the Data Protection Act 1998. However, the courts retain flexibility to permit representative actions to achieve justice, their fundamental aim.
In this context, the Supreme Court noted with approval the acceptance of representative actions by the Supreme Courts of Australia, Canada, and New Zealand. The court noted “the development of digital technologies … have greatly increased the potential for mass harm for which legal redress may be sought.” In the UK, Richard Lloyd supported his case by basing it on rule 19.6 of the Civil Procedure Rules which allows a claim to be brought by (or against) one or more persons as representatives of others who have the "same interest" in the claim. The court stated that it “must in exercising its discretion seek to give effect to the overriding objective of dealing with cases justly and at proportionate cost.”
Why did Google win?
The Supreme Court agreed with Lloyd that it was possible to assert a claim for harm to individuals but to do so, the claim must be for damages in individual cases. In short, to succeed in winning compensation from Google, the claims must propose a monetary value to the damages in each individual case.
In 60 pages of the Supreme Court’s unanimous judgement, it is clear to me that the issues were examined wholly within the parameters of the text of the Data Protection Act 1998, the law applicable to the facts in 2011 and 2012. The current claim failed partly because Lloyd argued, supported by the Information Commissioner, that the 4 million users had “lost control” of their personal data, using a term not in the Data Protection Act 1998. The Information Commissioner’s support reflected an expansive interpretation of the Data Protection Act 2018 implementing the GDPR. But this “loss of control” argument was rejected by the court.
Who benefits from this judgement?
Data controllers will benefit from the likelihood that it will be difficult for claimants for damages to win investment in their cases from litigation funders, as in the Lloyd v Google LLC case, making many such cases unaffordable.
Data subjects will benefit from the clarity with which the Supreme Court has specified how claimants should approach such cases in the future.
One can expect fewer such claims for harm and damages, unless the law is amended to facilitate such claims in future data protection law related cases.
From one point of view, both Google and Lloyd (with financial backing from Therium Litigation Funding IC, a commercial litigation funder) can be regarded as performing a public service taking this case up to the Supreme Court. As a result, the law on compensation for damages in data protection law cases is settled, for now.
It remains to be seen whether John Edwards, the new Information Commissioner is able to persuade the government and Parliament, to amend the Data Protection Act 2018 or use another provision to enable it to be used like the Competition Act to more specifically enable representative actions to be heard by the courts.
Best regards,
Stewart Dresner, Publisher
UK Report 118
Lead stories:
Government consultation on post-Brexit data protection reforms
Marta Dunphy-Moriel of Dunphy-Moriel Legal Services Ltd reviews the planned changes which will steer the UK further away from the GDPR.
Trends in GDPR enforcement across Europe and the UK
Analysis by Richard Jeens, William Doyle, Ross O’Mahony and Alex Buchanan of Slaughter and May.