Privacy & Information Security Law Blog

On October 2, 2019, the UK Court of Appeal handed down its judgment on the appeal in Richard Lloyd v. Google LLC, in which Richard Lloyd, a consumer protection advocate, seeks to bring a representative action on behalf of four million Apple iPhone users against Google LLC in the United States. Previously, the High Court had refused to grant permission for the proceedings to be served outside the UK. The Court of Appeal reversed the High Court’s judgment, granting permission for service outside the UK and allowing the representative action to proceed. The judgment is significant as it paves the way for representative actions (equivalent to class actions) for data protection infringements in the UK.

The factual background concerns allegations that Google infringed on the UK Data Protection Act 1998 by bypassing default privacy settings on Safari, the default browser used on iPhones, allowing DoubleClick Ad cookies to be set, and enabling tracking of iPhone users’ online behavior between 2011 and 2012. Lloyd claims that the browser generated information (“BGI”) available to Google from the DoubleClick Ad cookie included details of (i) which websites were visited, (ii) when and for how long they were visited, (iii) which pages were visited, and (iv) which advertisements were viewed on those websites and for how long. In some cases, it was also possible for geolocation data to be collected. Lloyd also alleged that Google used BGI to segment users, and through its DoubleClick service, allow advertisers to serve targeted advertisements. Lloyd’s claim seeks damages for infringement of data protection rights and loss of control over those rights.

In the High Court, Google successfully argued that the representative action should not be allowed to proceed because (1) there had not been any proof of causation and consequential damage suffered by members of the class, as required by Section 13 of the Data Protection Act; (2) the members of the class did not have the “same interest,” as required by the Civil Procedure Rules Part 19.6(1); and (3) that not all members of the class would have objected to Google’s use of their personal data.

On appeal by Lloyd, the Court of Appeal held that the representative action should be allowed to proceed, on the basis that:

• Since damages are available without proof of loss or distress in relation to the tort of misuse of private information, damages should be available on a similar basis when there has been a non-trivial infringement of the Data Protection Act. The court held that as collected BGI has an economic value to Google, a person’s control over use of that BGI has a corresponding value, so that a loss of user control over BGI is sufficient “loss” in principle to bring a claim for damages. It was not a prerequisite that there be pecuniary loss or distress.
• Once the court had determined that the loss of user control over BGI was sufficient “loss” in principle, it followed that all of the claimants represented by Lloyd had the “same interest” in the claim, as they had all suffered the same loss of control over BGI.
• Although not all members of the class would have objected to the use of their BGI, each member had nevertheless “lost something valuable, namely the right to control their private BGI.”

Google sought to argue that the claims in question did not reach the threshold level of seriousness required. The Court disagreed, noting that although this threshold would exclude a one-off, quickly remedied data breach, the circumstances in this case appeared to involve an alleged deliberate and unlawful misuse of data for commercial purposes, without consent and in violation of an established right to privacy.

Although the Court did not make any determinations of fact, the judgment is notable for the observation that a loss of control of personal data can, in principle, constitute damage under the Data Protection Act without the need to demonstrate specific economic loss or distress. Thus, this judgment potentially paves the way for further representative actions on behalf of affected data subjects in the UK under Part 19.6 of the Civil Procedure Rules.