Class action for data breach is "officious litigation": court sets out limits for data protection claims

United KingdomScotland

In Lloyd v Google LLC [2018] EWHC 2599 (QB), the High Court has set out clear limits for the bringing of class actions in the context of data protection.

Background

The claimant, Richard Lloyd, sought to bring a class action against Google on behalf of iPhone users affected by Google's exploitation of the "Safari Workaround" – a method of using cookies to covertly track internet activity via Apple's Safari browser and also the subject of Vidal-Hall v Google Inc [2014] EWCA Civ 311. Taking advantage of the Safari Workaround, Google (without the user's knowledge or consent) placed a cookie on iPhones when their owners visited a site containing content related to the cookie. This then enabled Google to track the user's internet activity and use the information for targeted advertising.

The case was a clear attempt by Mr Lloyd, a prominent consumer rights campaigner, to expand on the scope of Vidal-Hall by seeking damages for a greatly enlarged class of individuals whose personal data had been exploited. The letter of claim had advanced an equal award of £750 to each claimant as compensation, and therefore group litigation was the only economical route for pursuing the claims. The claimant estimated the class as 4.4m people and Google's estimate of potential combined liability was £1–3bn.

Mr Lloyd brought the claim under the old data protection regime: s 13(1) of the Data Protection Act 1998 (the "DPA 1998") provides that an individual who suffers damage as a result of a breach of any requirements of the DPA 1998 is entitled to compensation.

Warby J's judgment (in what was an application by the claimant to serve proceedings on Google out of the jurisdiction) has important implications for both damages and representative actions in a data protection context.

Damage

A key difference between Lloyd and Vidal-Hall was in relation to the damages being sought. In Vidal-Hall, the claimants claimed, and were awarded, damages for the distress that Google's breach of their data protection rights had caused. However, in Lloyd, the court found that, even though there had been an actionable breach of the DPA 1998, the claimant could not demonstrate that any actual damages within the meaning of the legislation had been suffered.

The claimant claimed that damage had arisen as follows:

  1. For infringement of data protection rights;
  2. For the commission of the wrong itself; and
  3. As a result of the claimants' loss of control over their personal data.

However, Warby J found that the first two arguments simply constituted descriptions of the tort committed by Google, and therefore dismissed them. As for the claimants' alleged loss of control, the court distinguished between data protection claims and claims for misuse of private information. In relation to the latter, claimants in Gulati v MGN Ltd [2015] EWHC 1482 (Ch) had been awarded damages for loss of control of their private information, which was of real value to them. However, the data over which the claimants' alleged they had lost control in Lloyd was of a different nature, and Warby J confirmed that the court cannot and should not award "vindicatory damages" simply on the basis that a defendant has committed a breach. Accordingly, the damage required for an award of compensation under s 13(1) DPA 1998 had not been made out.

Class actions

The court further found that the claim was not suitable to be brought as a representative action. Under CPR 19.6(1), a representative claimant may bring a claim on behalf of a class of others where they all have the "same interest". However, this could not be said of the proposed class of claimants in Lloyd – that is, all iPhone users who had been affected by the Safari Workaround. In particular, Warby J found that the claimants would inevitably have suffered different levels of damage, including no damage at all.

The court also had concerns about the practicalities of determining whether a given iPhone user had the relevant cookie installed on their device at the time in which the Safari Workaround was in operation and therefore would form part of the class.

Even if he was found to be wrong in relation to damage suffered (see above), Warby's view was that Mr Lloyd should not be allowed to "consume substantial resources" by pursuing the claim. He was seeking to bring the claim "on behalf of others who have little to gain from it, and have not authorised the pursuit of the claim, nor indicated any concern about the matters to be litigated", and this constituted "officious litigation".

Implications

Mr Lloyd's attempt to hold Google to account for its exploitation of consumer's personal data ultimately failed. Given the court's condemnation of Mr Lloyd's attempt to bring litigation on behalf of individuals who have shown little interest in the matter (and may not even be identifiable), the case acts as a warning for those seeking to bring actions on behalf of large classes of individuals under the new data protection regime. Even if individuals can be shown to have suffered actual damage, unless it is the same across the class (which becomes more unlikely as the class gets larger), they will not meet the "same interest" threshold.

Although the case focused on the old data protection regime, the judgment is likely to apply to claims made under the replacement legislation: Article 82 of Regulation (EU) 2016/679 (the GDPR) and section 168 of the Data Protection Act 2018. Claimants seeking compensation under these provisions must ensure that they can show that they have suffered actual damage (whether that is material or non-material, as allowed by Vidal-Hall).