Recent Developments in Data Protection Principles – Lloyd v Google LLC (2018)
The legal position established in 2015 by Vidal-Hall et al v Google Inc has recently been revised, clarifying the scope under which data protection compensation for the misuse of private information under section 13(2) of the Data Protection Act 1998 (DPA) is available. On 8 October 2018, Mr Justice Warby, the head of the High Court’s relatively new Media and Communications List, handed down judgment in Lloyd v Google LLC,reserved from 23 May 2018, dismissing an application for permission to serve proceedings in the USA against Google for its alleged breach of the DPA.
In Vidal-Hall the Court of Appeal determined that the misuse of private information constitutes a tort for which, without establishing any pecuniary loss or other material damage, compensation is available under section 13(2) of the DPA. Google had tried to argue, among other things, that the court should not bother with the claims because the damages claimed by the claimants were too insignificant for the court to take the time to address. The Court disagreed, noting that “the damages may be small, but the issues of principle are large.” Unfortunately for the claimant bringing the recent application, Mr Lloyd, Warby J did not appear to consider that the principles applied to the same extent.
Mr Lloyd contended that he acted in a representative capacity on behalf of Apple iPhone users in the UK whose online behaviour had been tracked by Google without their knowledge or consent using the Safari Workaround, with the accumulated data having been sold to advertisers, contrary to Google’s privacy policy. Mr Lloyd sought damages under section 13 of the DPA, but did not allege that he or anyone in the class of people he claimed to represent had suffered financial loss or distress. Rather, he argued that damages should be available because their data protection rights had been infringed and a wrong commissioned.
The application for permission to serve out of the jurisdiction included requiring the claimant to establish that there was a good arguable case that each claim fell within one of the permissible jurisdictional gateways of PD 6B para.3.1 of the Civil Procedure Rules (CPR) and that the claim had a reasonable prospect of success. Mr Lloyd sought to rely on the gateway in para.3.1(9), namely that it was a claim in tort where damage was sustained in the jurisdiction or resulted from an act committed within the jurisdiction. The arguable case and prospects of success elements of the Judgment overlapped somewhat and, although he acknowledged that Google’s “alleged role in the collection, collation, and use of data obtained via the Safari Workaround was wrongful, and a breach of duty“, Warby J did not consider that Mr Lloyd had established that any damage had arisen from the breach within the meaning of section 13 of the DPA.
Furthermore, although it was accepted in principle that a claimant bringing a representative action did not require the authority of those whom he or she represents, it was not accepted that in this situation the relevant class of persons had the “same interest” in the claim that is required by Part 19.6 of the CPR. Therefore, while some people would naturally have suffered distress, that would not be the same for all. As Warby J put it: “Some people enjoy a surprise party.”
Accordingly, the application was dismissed. Mr Lloyd, commenting that “this is an analogue decision in a digital age”, has already indicated that he, in his representative capacity, will be seeking to appeal. Any further developments will be closely watched by legal practitioners as, although the claim was brought under the DPA, the right to compensation under the old regime remains relevant, and the principles established would be largely the same for those seeking to recover compensation under the equivalent provision of Article 82 of the GDPR. The case serves as a reminder that the law in this area is novel and developing, and that actions brought will require detailed and imaginative arguments of the CPR to ensure that digital decisions can be obtained using the existing analogue system (to paraphrase Mr Lloyd). While those developments are ongoing, it is worth remembering that a claim for an injunction to restrain or reverse data protection breaches remains a remedy regardless of whether or not a quantifiable loss has been suffered, or to prevent loss occurring while the relevant arguments are worked through.
Do you want more information?
Rachel is a Partner and a member of our Litigation & Dispute Resolution department