No compensation for Google data breaches
10 October 2018
Lloyd v Google LLC  EWHC 2599 (QB) 8 October 2018 – read judgment
This is a novel form of action, but everything was new once (Warby J para 100)
Already today we are becoming tiny chips inside a giant data-processing system that nobody really understands. (Yuval Noah Harari, 21 Lessons for the 21st Century, p. 36)
Do people want privacy? Because they seem to put everything on the internet. (Elon Musk, interview on Joe Rogan podcast #1169 at 1.49)
Background facts and law
The representative claimant sought permission to serve Google with proceedings in the US. The claim alleged breach of the duty imposed by s 4(4) of the Data Protection Act 1998 (“DPA”). The allegation was that over some months in 2011-2012 Google acted in breach of that duty by secretly tracking the internet activity of Apple iPhone users, collating and using the information it obtained by doing so, and then selling the accumulated data. The method by which Google was able to do this is generally referred to as “the Safari Workaround”. The mechanism by which the Safari Workaround operated was to place a “DoubleClick Cookie” on a user’s iPhone when connected to the internet using the Safari browser and, thereafter, to track usage and collect “Browser Generated Information” by means of the DoubleClick Cookie.
The claimant argued that he and each member of the class he represented was entitled to damages “for the infringement of their data protection rights, … the commission of the wrong and loss of control over personal data” . No material loss or damage was alleged. Nor was there any allegation of distress, anxiety, embarrassment, nor any other individualised allegation of harm.
Google maintained that this claim was a contrived and illegitimate attempt to shoe-horn a novel “opt-out class action” into the representative action procedure, in circumstances where Parliament has not considered it appropriate to make such a claim available, since the DPA specifies limited instances where compensation is available.
As the judge noted, the burden of establishing that the necessary criteria for service outside the jurisdiction are met lies on the claimant. The claimant must identify each candidate gateway, and satisfy the court that there is a good arguable case that the claim falls within that gateway. “Good arguable case” in this context meant that the claimant has the better argument on the issue. The real issue, so far as jurisdiction is concerned, is whether the claim falls within the “tort” gateway provided for by Part 6 Practice Direction B. But where a question of law arises in the context of a dispute about service out of the jurisdiction, which goes to the existence of the jurisdiction, then the court will normally decide the question of law, as opposed to seeing whether there is a good arguable case on that issue of law. Thus there was a substantial overlap between the service question and the good arguable case question.
Warby J concluded that the representative claimant had failed to establish that the claim was one that had a real prospect of success, and permission to serve these proceedings on Google outside the jurisdiction was refused.
Reasoning behind the decision
The claim disclosed no basis for seeking compensation under the DPA. That Act did not envisage compensation for breaches of its provisions absent material damage or proven emotional harm. In an earlier decision on damages under the DPA, the claimants sought compensation for distress they had suffered when they learned that information about their “personal characteristics, interests, wishes or ambitions” had been used as the basis for advertisements targeted at them. In Vidal-Hall v Google Inc (Information Commissioner intervening)  EWCA Civ 311 the Court of Appeal concluded that the EU Charter of Fundamental Rights required the remedy of compensation where distress had been suffered as a result of a breach of duty. It could not realistically be said that the same was true in the instant case where the breach of duty had caused neither material loss nor emotional harm, and had had no other consequences for the data subject.
It might be said, in an individual case, that the use of personal data to enable the repeated or bulk delivery to a person of unwanted communications infringes the person’s right to respect for their autonomy, in a way which counts as damage for the purpose of DPA s 13, even if the content of the messages is innocuous.
A person who objected to receiving such material might say that its delivery caused irritation and/or that in any event it represented a material interference with their freedom of choice over how to lead their life. That, however, is not the case advanced by this Representative Claimant.
The tort of misuse of private information was of no avail to the claimants here because the whole question of compensation was covered by the statute. Gulati  EWHC 1482 (Ch)  FSR 12- which allowed damages for phone hacking – was not a DPA case.
I do not read Gulati as authority for a rule or principle that substantial damages are invariably recoverable and must always be awarded for misuse of private information, just because the tort has been committed, and regardless of the nature of the wrong and its impact on the individual claimant.
In any event the tort of misuse of private information contains built-in safeguards against claims for damages in respect of trivial or insignificant interferences with a protected interest. There is a threshold requirement: in order to be actionable, an interference must attain a certain level of seriousness (McKennitt v Ash  QB 73 , Ambrosiadou v Coward  EMLR 21 –). And the process of deciding a misuse case will always involve a balancing exercise, including an assessment of the proportionality of the interference with free speech which success for the claimant would involve.
If the Representative Claimant was correct, a right to compensation would flow from any breach of any requirement of the DPA, or at least from any breach of s 4(4), however trivial. But the Data Protection Act does not purport to give the data subject any property in his personal data but merely regulates the way in which it can be processed. The Court could not make an award of “vindicatory” damages, merely to mark the commission of the wrong; this was wrong in principle: see R (Lumba) v Secretary of State for the Home Department  1 AC 245 [97-100].
As for the representative action question, Warby J concluded that this claim did not serve the purpose of the relevant civil procedure rules. Members of the Class did not have the “same interest” within the meaning of CPR 19.6(1) and it was impossible reliably to ascertain the members of the represented Class. Even if the members of the Class did have the “same interest” in the technical sense in which that term is used in CPR 19.6(1), it was a “striking feature” of the case that in the five or six years since the Safari Workaround was identified and publicised,
none of the million(s) of such individuals in this jurisdiction has demonstrated any interest in the common sense of the term, by coming forward to claim, or complain, or to identify himself or herself as a victim – other than Ms Vidal-Hall, and her co-claimants (if they fall within the Class), and Mr Lloyd.
This ruling is an important comment on the intersection of the law and one of the most important trends of modern times: the flow of data from the individual to big processors who will soon know us better that we know ourselves. Offensive though this process may seem, it will not be halted or even slowed down by creating an ad hoc right to compensation for individuals. As Yuval Noah Harari remarked,
Every day I absorb countless data bits through emails, phone calls and articles; process the data; and transmit back new bits through more emails, phone calls and articles. I don’t really know where I fit into the great scheme of things, and how my bits of data connect with the bits produced by billions of other humans and computers. I don’t have time to find out, because I am too busy answering emails. (FT, August 26 2016)