Out-Law / Your Daily Need-To-Know

Court lowers bar for mass data protection claims

Out-Law News | 02 Oct 2019 | 12:00 pm | 2 min. read

Individuals whose data protection rights have been breached may be entitled to damages without needing to show financial loss or distress, the Court of Appeal has found.

The Court of Appeal’s judgment handed down today relates to Google's placing of advertising tracking cookies on iPhones using Apple's 'Safari' browser in England and Wales between June 2011 and February 2012.

The cookies tracked users' internet use when they visited websites participating in Google’s advertising network. The technical background to the claim is not straightforward. In essence, however, Google introduced certain changes as a result of rolling out what were known as 'social ads' on its Google+ service, which is now discontinued. Making these changes enabled the setting of cookies in a third party as well as a first party context, even though Apple’s stated policy at the time was that this would not be possible with the Safari browser. On that basis it is alleged that cookies were set without the consent of users. 

The claim against Google has been brought by Richard Lloyd, former executive director of consumer watchdog Which? Lloyd seeks to bring the claim on behalf of several million individuals who he says were affected. 

In a ruling last year the High Court said that the claim could not proceed on the basis that Lloyd had failed to show that those affected by the alleged breach had suffered 'damage'.  Lloyd obtained permission to appeal to the Court of Appeal and, following a hearing earlier this year, his appeal has been successful. 

The basis of the court’s latest finding was that, as a result of the tracking of some of their internet browsing, the affected data subjects had suffered a “loss of control” over their data. The court found that this loss of control could give rise to a right to compensation in non-trivial circumstances. Importantly, the court found that in these circumstances Lloyd’s claim to compensation for all of the represented class could proceed without obtaining evidence from each member of the class. Rather, the court said Lloyd could advance a claim to damages on the basis that each class member should be entitled to a uniform sum.

In the judgement the court accepted that this sum may be much less than it would have been in some cases had individual circumstances been taken into account, describing it as a “lowest common denominator” amount. Nevertheless, the judgment moves the law towards strict liability for data protection breaches, subject to potential counter arguments, for example where the loss suffered is trivial.

In addition, the court found that Lloyd’s claim should be allowed to proceed using the rarely-used “representative action” procedure in the Civil Procedure Rules. The procedure has been rarely-used because it requires that all of the represented class have the “same interest” in the claim. A requirement to prove individual financial loss or distress would undoubtedly take the claim outside those requirements, but the court’s approach to damages enabled it to look at the availability of the representative action procedure afresh.

The court's findings potentially open the way for representative actions in the context of other data protection claims where numerous data subjects have been affected, regardless of whether those data subjects were distressed by what happened, and regardless of whether they actually want to make a claim. 

The High Court ruling last year and today’s ruling in the Court of Appeal are concerned with whether the action should proceed beyond the initial jurisdictional phase.

Google has indicated that it is seeking permission to appeal to the Supreme Court, given the general importance of the matters dealt with in the judgment.

Pinsent Masons, the law firm behind Out-Law, act for Google in the case.

Editor's note 22/10/19: the judgment's position on strict liability was clarified.