Lloyd v Google: the rise of UK privacy class actions?
In a novel decision, the Court of Appeal has granted permission for former Which? director, Richard Lloyd, to serve proceedings against Google LLC in the USA for alleged breaches under the Data Protection Act 1998 (“DPA 1998”). This decision is significant as it enables Lloyd to bring an unusual and innovative representative action for damages in a US-style “opt-out” class action. Does this mean we are now likely to see more class actions for alleged data breaches in the English courts? We explore the key elements of the case and what this means for the landscape of privacy claims going forward.
Background
Between August 2011 and February 2012, Google allegedly secretly tracked the internet activity of more than 4 million iPhone users in the UK, without their knowledge or consent. Google bypassed the default privacy settings on Apple’s Safari browser (which were automatically set to block third-party cookies) to enable its “DoubleClick Ad” cookie on a user’s device whenever the user visited a website containing DoubleClick Ad content. This was referred to in the case as the “Safari Workaround”. Importantly, this third-party cookie was set on users’ devices without their knowledge or consent.
By deploying this cookie, Google was able to gather information about users’ internet activity (known as “browser generated information”), in particular the types of websites they had visited and the types of adverts viewed on the sites. Lloyd argues that Google was also able to deduce certain information about the users, such as their interests and habits, age, health, gender, sexuality and financial position. This in turn allowed Google’s DoubleClick platform to aggregate users’ information to create target audience groups with similar interests such as “football lovers” or “current affairs enthusiasts” which would then be sold on to subscribing advertisers.
The legal claim
In 2017, Lloyd issued a claim on behalf of the represented class of iPhone users alleging a breach of the purposes and security principles under the old UK data protection legislation. He sought compensation, by way of damages, on behalf of the represented class for the infringement of their data protection rights and the loss of control over their data. Lloyd was refused permission to serve the proceedings on Google in the USA for the following reasons given by the High Court:
- Lloyd could not claim the same amount of damages for each affected iPhone user without proving financial loss or distress;
- The individuals in the represented class of affected iPhone users did not all have the same interest and were not identifiable; and
- The judge exercised his discretion to not allow Lloyd to act as a representative of the class of affected iPhone users.
Lloyd was granted permission to appeal against the High Court’s decision, and the Court of Appeal has now (in October 2019) reversed that decision. The Court of Appeal considered the High Court’s reasons and rejected them on the following basis:
- Damages for loss of control of data
Financial loss or distress is not a prerequisite for awarding damages in relation to the loss of control of personal data under the DPA 1998. The Court drew a parallel between the tort of misuse of private information and a non-trivial infringement of the DPA 1998, arguing that damages should be available for both claims as they are both derived from the same fundamental right to data protection in the Charter of Fundamental Rights of the European Union. In fact, the legislation has to be interpreted in this way in order for the affected individuals to be provided with an effective remedy in relation to the infringement of their privacy rights.
- The same interest & identifiability
A fundamental requirement for a class action of this nature is that the individuals represented in the action all have the “same interest”. The Court of Appeal held that the members in this represented class do in fact have the “same interest” as they have all had their browser generated information taken from them by Google, without their consent or knowledge during the same time period. The judgment includes consideration that the information in question held economic value, with Google selling the users’ browser generated information to advertisers. It therefore also follows that an individual’s loss of control over their browser generated information is “something of value”. On this basis, the Court concluded that this group of affected iPhone users have the “same interest” in this claim as they are all victims to the same alleged wrongdoing by Google and have all suffered the same loss of control over their browser generated information.
The applicable test for identifying members of the represented class is whether they have the “same interest” as Lloyd, at all stages of the proceedings. The Court considered that every affected individual will be able to determine whether they have satisfied the conditions that Lloyd has specified in his claim. In addition, Google will be able to identify the affected individuals from the data it holds.
- Judicial discretion
This class action is the only effective judicial way that this claim can be pursued to enable the affected individuals to obtain a civil compensatory remedy. The Court delivered a strong message stating that if the allegations against Google are proved, it will hold Google accountable for its “allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit”.
Next steps
Lloyd considered the outcome of the Court of Appeal’s decision as a success in holding large corporations accountable for their actions.
However, representatives of Google have already announced their intention to appeal to the Supreme Court claiming that “protecting the privacy and security of [its] users has always been [their] number one priority”. They argue that this incident took place a number of years ago and was adequately dealt with at the time, so there is no merit in Lloyd’s current claim.
Key takeaways
This decision is novel as we have not yet seen this US-style “opt out” class action in the UK courts. The fact that there does not need to be a specific class of individuals at the start of the proceedings, and that compensation can be awarded without having to prove financial loss or distress, reduces significant financial and administrative hurdles for bringing a class action. The court judgment itself recognised the novelty of the claim and the representative procedure, as well as the public’s interest in data breaches, the potential number of affected individuals and the potential cost of compensation. This will be positive news for groups of individuals seeking to pursue compensation for large-scale data breaches through the English courts and will be a warning to large corporations who have suffered or may suffer large-scale data breaches.
The case is also a timely reminder for organisations that topics such as cookie placement and targeted advertising continue to fall under the UK regulatory spotlight.
Firstly, Google’s DoubleClick Ad cookie is a third-party cookie (being set by a domain other than the one the individual is visiting). These types of cookies are used to collect information about an individual’s internet use and the sites they have visited in order to deliver tailored advertisements to that individual based on their assumed interests and browsing history. The Information Commissioner’s Office’s (the “ICO”) recent guidance on cookie rules and the recent CJEU Fashion ID decision emphasise that both the website provider and the third party (in this case, Google) have a responsibility for obtaining consent from users in relation to third-party cookies and ensuring individuals are clearly informed about such cookies.
Secondly, Google’s secret online tracking and selling of individuals’ personal data to advertisers constitutes “invisible processing”, being processing which was not brought to the attention of website users. The ICO considers such activities to be high-risk, necessitating a data protection impact assessment in accordance with the GDPR. The selling of individuals’ personal data to online advertisers, as occurs in a process called “real-time bidding”, has been heavily criticised by the ICO in its recent report due to the lack of transparency of the process and the creation and sharing of individuals’ profiles without the individual’s knowledge or consent.
We await the decision on whether Google’s permission to appeal to the Supreme Court is successful, but for now, it is clear that the misuse of personal data has potentially far wider consequences than regulatory fines and reputational damage.
Aneka Chapaneri is a data protection & privacy associate