Lloyd v Google: Damages in Data Breach cases take a new twist that is sure to excite Claimant lawyers whilst sending insurers into a ratings scramble!
The Court of Appeal put the cat amongst the pigeons this week with a decision that is sure to have set claimant lawyers buzzing with excitement.
The Court of Appeal put the cat amongst the pigeons this week with a decision that is sure to have set claimant lawyers buzzing with excitement, and insurers scrambling for their cyber ratings models.
It concerns a representative class action initiated by Richard Lloyd, a consumer protection champion, on behalf of four million Apple iPhone users whose internet activity was secretly tracked and sold to advertisers by Google between August 2011 and February 2012.
Mr. Lloyd’s original application to pursue Google was dismissed at the first instance, on the basis that none of the class he represented had suffered damage; members of the class could not be identified; but even if they could be identified they would not all have had the same interest needed to form a class under the UK’s Civil Procedure Rules.
The Court of Appeal was asked to revisit the reasoning for the original dismissal of Mr. Lloyd’s application and has reversed it. Here’s why:
On the question of damage…
Section 13 of the Data Protection Act 2018 (“DPA”) provides that “[an] individual who suffers damage by reason of [a breach] is entitled to compensation”.
At the first hearing of Mr. Lloyd’s application the court held that because he had not suffered pecuniary loss or distress he had not suffered damage capable of justifying any award of compensation.
The appeal judges emphasised, however, that privacy is a fundamental human right, highlighting in particular comments made by Lord Nicholls in the case of Campbell v MGN:
“Privacy lies at the heart of liberty in a modern state. A proper degree of liberty is essential for the well-being and development of an individual.”
Underlying rights of individuals on which the tort of Misuse of Private Information and infringements of the DPA are based are founded on the same principle: that privacy is to be protected.
The sanctity of the right to privacy and the consequences of any breach are spelled out within the General Data Protection Regulation (“GDPR”). Take, for example, Recital 85 which states that:
”A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights”.
Google was able to sell the information it had gathered to advertisers wishing to target the individuals. That demonstrated the information, and consent to its use, had an economic value. It also demonstrated that the individuals’ control over their data had a value, so that their loss of that control must have a value too. As a result, that loss of control represents damage of the kind expressly envisaged by Recital 85 ,for which compensation may be awarded, and Section 13 must be read in that broader context.
In reaching their decision on this important point the appeal judges also noted that Section 169(5) of the DPA, implementing the GDPR into UK law, additionally provides that “damage” includes financial loss and damage not involving financial loss, such as distress. The wording of that provision is clearly intended to render it a non-exclusive definition, such that financial loss and distress are not the only types of damage that are compensable.
In summary, therefore, where an alleged breach of data protection law occurs that is more than trivial, an individual’s loss of control of their data as a result of the breach is damage for which compensation may be claimed under Section 13 of the DPA without needing to prove either pecuniary loss or distress. It bears mentioning also the appeal judges agreed that an equivalent position must also exist for tortious claims brought for misuse of private information. If that were not the position it would offend the EU law principles of equivalence and effectiveness, in circumstances where both statutory and tortious causes of action derive from the common European right to privacy.
On the question of identification…
Identification of each individual as a member of the class is necessary in order for any recovery of damages to be made. However, the appeal judges felt that, in practical terms that ought not to pose any difficulty. Google’s own records of the data it had tracked and sold would of course be sufficient to prove who was, and who was not, in the class.
On the questions of same interest…
The appeal judges further agreed that the court had approached the issue far too stringently the first time around. Looking at the situation in a far more straight forward manner is important. Fundamentally, each member of the class had their information – something of value – taken by Google without their consent, in the same circumstances and over the same period of time. They were all victims of the same alleged wrong and all sustained the same loss, namely loss of control over their personal information. As such, that was sufficient to satisfy the same interest requirement.
As to any doubt about this outcome due to the fact that some claimants might have suffered greater loss than others depending on, say, the degree of stress they may have suffered or the volume of their data which was taken, the appeal judges went on to note that any individual represented claimant could ask to be joined as a party to claim additional losses if they wished to do so. In other words, a representative class action has the effect of reducing the damages which may be claimed for each member of the class to the lowest common denominator, but that does not mean each individual claimant lacks the same interest in the claim. Any individual claimant within the class wanting to claim a greater sum need only apply to be joined as a named party and to seek whatever additional compensation may be appropriate in the particular circumstances of that individual.
Unsurprisingly, Google is not going to take this decision on the chin. The financial consequences were it to do so could be enormous, even for a business whose pockets are amongst the deepest in tech. It has already publicly stated that it intends to appeal to the Supreme Court. As to what level of damages will ultimately be awarded for each affected individual, therefore, we will need to wait for that appeal to run its course and, depending on the outcome, for the substantive action to conclude after that. It is a space worth watching, though, because this is a case that really will change the data breach compensation landscape; and if you were to put money on it, you would probably be reasonably safe to expect that when it comes to the crunch it will be Google who will be digging down into those deep pockets in due course.
As for the wider consequences of the case, the clear indication is that any business allowing personal data of individuals to be used or compromised in a manner outside the scope of the consent for which it was obtained could see a significant increase in exposure and the incidence of claims for loss of control. The stakes have never been higher, emphasising once again that first class data governance and, in particular, cyber resilience – deficiencies in which so often result in data breaches and compromise events - are essential.