What is this about?
Litigation to obtain compensation caused by data protection infringements (including concerning cookies) continues to be on the rise. In an important ruling today about class-action style claims and data protection breach compensation claims, the UK’s Supreme Court ruled out the use of a certain type of class-action claim because compensation was being claimed for each individual member of the represented class without attempting to show that any wrongful use had been made of personal data relating to that individual or that the individual suffered any material damage or distress as a result of a breach of the requirements of the UK data protection legislation in question. This article looks at the highlights of this case.
What is the background to the case?
In this case Mr. Lloyd brought a legal action (backed by a litigation funder) claiming that Google had breached its duties as a data controller under the UK Data Protection Act 1998 (“the DPA 1998”) which was in force at the time (and was later replaced by the Data Protection Act 2018) to several million Apple iPhone users over a period of some months in 2011-2012 during which time Google was able to collect and use their browser generated information.
Mr. Lloyd sued both on his own behalf and also on behalf of a “class” of other residents in England and Wales whose data was collected in this way, i.e. he brought a claim as a “representative” of others who have the “same interest” in the claim. This particular type of “representative” procedure is well-established having existed for many years and differs notably from the other class-action style procedures that exist under competition law.
Mr. Lloyd argued that the “same interest” requirement was satisfied in this case and that the “representative” procedure under UK civil proceedings can be used to recover a uniform sum of damages for each person whose data protection rights have been infringed, without having to investigate their individual circumstances. The sum of £750 was being claimed per person which, multiplied by the number of people whom Mr. Lloyd claimed to represent, would be for an award of some £3 billion in damages.
Because Google is a Delaware corporation (i.e. outside the UK) Mr. Lloyd had to apply for permission to serve the claim out of the jurisdiction. Google opposed the application on the grounds that the facts did not disclose any basis for claiming compensation under the DPA 1998, and the court should not in any event permit the claim to continue as a “representative” action.
The High Court ruled in Google’s favour and therefore refused permission to serve the proceedings on Google. The Court of Appeal then reversed that decision following which Google took the case to the Supreme Court.
What did the court decide?
The judges unanimously ruled in Google’s favour stating as follows:
- In this case a “representative” claim could have been brought to establish whether Google was in breach of the DPA 1998 as a basis for pursuing individual claims for compensation. But, this was not the approach in this case because, according to the court “doubtless because the proceedings would not be economic if it is necessary to prove loss on an individual basis”. Instead, Mr. Lloyd had argued that a uniform sum of damages could be awarded to each member of the represented class without having to prove any facts particular to that individual. In particular, Mr. Lloyd had argued that compensation could be awarded under the DPA 1998 for so-called “loss of control” of personal data constituted by any non–trivial infringement by a data controller of any of the requirements of the DPA 1998;
- These arguments were rejected by the court for two reasons. First, the claim was based only on section 13 of the DPA 1998, under which “an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”. According to the court’s interpretation, here “damage” means material damage, such as financial loss or mental distress, as caused by unlawful processing of personal data in contravention of the DPA 1998 (i.e. simply infringing the DPA 1998 does not in itself constitute “damage”). Second, in order to recover compensation under section 13 of the DPA 1998, it is necessary to prove what unlawful processing (by Google) of personal data relating to a given individual actually occurred;
- The attempt in this case to recover damages without proving either what, if any, unlawful processing of personal data occurred in the case of any individual, or that the individual suffered material damage or mental distress as a result of such unlawful processing, was therefore unsustainable.
In allowing Google’s appeal the Supreme Court restored the original order made by the High Court refusing Mr. Lloyd’s application for permission to serve the proceedings on Google outside the jurisdiction of the courts of England and Wales.
What are the takeaways?
The main takeaways are as follows.
Although this case was decided under the DPA 1998, given the right to compensation wording under UK GDPR the same reasoning would likely be applied by a UK court should a claim be framed in the way undertaken as the “representative” style of legal action brought by Mr. Lloyd (Article 82(1): “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”).
Make sure that you take any claims for compensation/damages seriously. Sometimes this starts with a formal “letter before action”. In other cases which we’ve handled the case might start another way e.g. by an informal claim letter or a Subject Access Request under UK GDPR. Treat even nuisance-style claims (such as those asking for £750 for alleged cookies breaches) seriously.
The Lloyd-Google judgment does not end data protection litigation. Whilst, on the one hand this ruling may well be a set-back for those seeking to bring class-action data protection infringement compensation cases trying to rely on the way Mr. Lloyd framed his claim as a “representative” style of legal action, which is good news for those on the receiving end of this style of claims as it reduces their class-action litigation risk, this doesn’t mean that people won’t continue to bring claims on an individual basis – in fact the judgment seems to indicate that individual cases can have good prospects of success.
When dealing with claims our experience is that your first response is critical. A good robust defence (if you have one) set out clearly might see off the claim. Conversely, a weak response or offer to settle may mean more claims follow. We have seen the nature of litigation in this area change in the last couple of years.
So, because data protection litigation is very much here to stay, organizations should consider the preparations that they might wish to make in case they are faced with a claim for compensation for an alleged data protection infringement, including the following:
- Make staff aware (including through training) of the risk that compensation claims can be brought not only where there has been malicious external activity such as a hack but also where internally staff have been careless e.g. by losing computer hardware. Also ensure that the Board is aware of compensation claim risks;
- Set up and undertake regular compliance audits or reviews in order to identify, rectify and prevent issues that could involve a compensation claim;
- Check the liability provisions in vendor agreements and revise them where appropriate, and, check in a given situation if your organization might be a joint controller with another organization and if so clearly set out your responsibilities (in an agreement);
- Check your insurance – policies should be reviewed to check that they provide the necessary cover for the full range of potential civil claims under UK GDPR;
- Consider setting up an ex gratia compensation scheme, which can be deployed quickly; and,
- In an internal investigation of a data related incident always consider legal professional privilege.
Cordery’s GDPR Navigator subscription service is an expansive set of resources and a community of peers helping companies deal with GDPR and related issues. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
See our general briefing about data protection breaches and compensation litigation here: http://www.corderycompliance.com/data-protection-breaches-and-compensation-litigation-issues-for-consideration/
The Supreme Court’s judgment can be found here https://www.supremecourt.uk/cases/uksc-2019-0213.html.
We wrote about the important Vidal Hall v. Google case concerning damages for distress here https://www.corderycompliance.com/vidal-hall-data-protection-class-action-appeal-settled/. We’ve recently written about data litigation issues here https://www.corderycompliance.com/ukdp-damages-claim-threshold/, here https://www.corderycompliance.com/cctv-audio-breaches-dpa-rules/, here https://www.corderycompliance.com/doorstep-ico-fine-reduced/ and here https://www.corderycompliance.com/scope-restrictions-data-breach-comp-claims/.
We report about data protection issues here https://www.corderycompliance.com/category/data-protection-privacy/.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH||André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|
|Office: +44 (0)207 075 1784||Office: +44 (0)207 075 1785|