Browser Generated Information: “loss of control” entitles search engine users to compensation
4 October 2019
The Court of Appeal has ruled that a claimant can recover damages for loss of control of their data under section 13 of Data Protection Act 1998 without proving pecuniary loss or distress. The first instance judge, Warby J, had dismissed Mr Lloyd’s application for permission to serve Google outside the jurisdiction in the USA, so preventing the claim getting under way.
The following paragraphs are based on the Court of Appeal’s own summary of the judgment.
The central question was whether the claimant, Mr Richard Lloyd, who is a champion of consumer protection, should be permitted to bring a representative action against Google LLC, the defendant, a corporation based in Delaware in the USA. Mr Lloyd made the claim on behalf of a class of more than 4 million Apple iPhone users. He alleged that Google secretly tracked some of their internet activity, for commercial purposes, between 9th August 2011 and 15th February 2012.
Arguments before the Court
The appellant claimed that Google was able to identify visits to any website displaying an advertisement from its vast advertising network, and to collect considerable amounts of information. It could tell the date and time of any visit to a given website, how long the user spent there, which pages were visited for how long, and what advertisements were viewed for how long. In some cases, by means of the IP address of the browser, the user’s approximate geographical location could be identified. Over time, Google could and did collect information as to the order in which and the frequency with which websites were visited.
Mr Lloyd argued that this tracking and collating of Browser Generated Information (“BGI”) enabled Google to obtain or deduce information relating not only to users’ internet surfing habits and location, but also about such diverse factors as their interests and habits, race or ethnicity, social class, political or religious views or affiliations, age, health, gender, sexuality, and financial position. In addition, it was said that Google aggregated BGI from browsers displaying sufficiently similar patterns, creating groups with labels such as “football lovers”, or “current affairs enthusiasts”. Google’s DoubleClick service then offered these groups to subscribing advertisers, allowing them to choose the type of people to whom they wanted to direct their advertisements.
Issues before the Court
The appeal raised important issues that were not decided by the Court of Appeal in Vidal-Hall v. Google Inc  EWCA Civ 311 (see Dominic Ruck Keene’s post on that case here). Although Vidal-Hall was argued on the basis of analogous underlying facts, there was one crucial difference. In that case, the individual claimants claimed damages for distress as a result of Google’s breaches of the DPA. In this case, Mr Lloyd claimed a uniform amount by way of damages on behalf of each person without seeking to prove any distinctive facts affecting any of them, save that they did not consent to the abstraction of their data.
The court relied on the decision in the phone hacking case of Gulati v. MGN Limited  EWCA Civ 1291 (CA) to decide that, if damages are available without proof of pecuniary loss or distress for the tort of misuse of private information, they should also be available for a non-trivial infringement of the DPA, as both claims are derived from the same fundamental right to data protection contained in article 8 of the Charter of Fundamental Rights of the European Union 2012/C 326/02:
[e]veryone has the right to the protection of personal data concerning him or her.
The Court’s conclusions
- First, that a claimant could recover damages for loss of control of their data under section 13 of Data Protection Act 1998 (“DPA”), implementing article 23.1 of the Data Protection Directive (the “Directive”), without proving pecuniary loss or distress;
- Secondly, that the members of the class that Mr Lloyd sought to represent did have the same interest as one another under Part 19.6(1) of the Civil Procedure Rules and were identifiable; and
- Thirdly, that the judge below ought to have exercised his discretion to allow the action to proceed as a representative action.
The Court of Appeal rejected Google’s main argument that both article 23.1 of the Directive and section 13(1) of the DPA required proof of causation and consequential damage. The words in section 13 “[an] individual who suffers damage by reason of [a breach] is entitled to compensation” justified such an interpretation, when read in the context of the Directive and of Article 8 of the European Convention on Human Rights and Article 8 of the Charter, and having regard to the decision in Gulati. Only by construing the legislation in that way could individuals be provided with an effective remedy for the infringement of such rights.
The claim was an unusual use of the representative procedure, but the Court held that it was permissible on the authorities. The claimants that Mr Lloyd sought to represent all had their BGI – something of value – taken by Google without their consent in the same circumstances during the same period, and were not seeking to rely on any personal circumstances affecting any individual claimant (whether distress or volume of data abstracted). The represented class were all victims of the same alleged wrong, and had all sustained the same loss, namely loss of control over their BGI. Mr Lloyd’s concession that he would not rely on any facts affecting any individual represented claimant had the effect of reducing the damages that could be claimed to the lowest common denominator. But it did not mean that the represented claimants did not have the same interest in the claim. It was impossible to imagine that Google could raise any defence to one represented claimant that did not apply to all others.
The Court of Appeal reversed the judge’s decision and gave Mr Lloyd the right to proceed with his representative proceedings against Google in the Media and Communications Court in London.
This decision is something of a landmark in data protection. As counsel for Google pointed out, the authorities prevent a representative claim for damages save in exception circumstances which did not exist in this case. According to Anthony White QC,
Allowing such a claim would be an inadmissible use of the procedure; only Parliament could introduce a new regime to allow such a claim. The judge had been right to hold that the definition of the represented class had to be conceptually sound and workable. Actions could not be pursued on behalf of persons who were not identifiable before judgment and perhaps not even identifiable then.
Warby J had considered the CPR rules on serving a claim outside the defendant’s jurisdiction. He observed that the claimant must establish that the claim has a reasonable prospect of success (CPR Part 6.37(1)(b)), that there is a good arguable case that each claim advanced falls within one of the jurisdictional gateways in paragraph 3.1 of CPR PD 6B, and that England is clearly or distinctly the appropriate place to try the claim (CPR Part 6.37(3)).
There was a substantial overlap between the gateway question and the requirement that the claim should have reasonable prospects of success. The latter raised two questions: first, whether the claim disclosed any reasonable basis for seeking compensation under the DPA, and the second, whether there was a real prospect that the court would permit the claim to continue as a representative action under CPR Part 19.6. Warby J said he had not been shown any European authority that the pleaded types of loss in Mr Lloyd’s case counted as damage. Gulati , in his view, was an exceptional case, and he did not read the Court of Appeal decision as holding that “damages must be awarded for the infringement of the right, in and of itself”. R (Lumba) v. Secretary of State for the Home Department  1 AC 245 at 97-100 had held that it was wrong in principle to make an award of vindicatory damages, merely to mark the commission of the wrong.
There was a threshold to be crossed, and Mr Lloyd’s case did not reach this bar. As Warby J observed, some of the claimants would not have minded their data being used as it was, so that the question of whether an individual claimant had suffered damage as a result of the non-consensual use of personal data depended on the facts. It was, the judge said, for the regulator or the criminal law to censure such breaches, not for the court to fashion a penalty based on an artificial notion of damage.
So does this ruling by the Court of Appeal take us back to a pre-Kuddus world of exemplary, or punitive damages? The landscape has indeed changed since Kuddus was decided by the House of Lords, with the advent of the Charter of Fundamental Rights and Freedoms and its requirement under Article 47 that everyone whose EU rights are violated has “the right to an effective remedy before a tribunal.”
The key to the question of triviality of harm is whether control over data is an asset that has value. Of course it does, said the Court of Appeal:
Even if data is not technically regarded as property in English law, its protection under EU law is clear. It is also clear that a person’s BGI has economic value: for example, it can be sold. It is commonplace for EU citizens to obtain free wi-fi at an airport in exchange for providing their personal data. If they decline to do so, they have to pay for their wi-fi usage. The underlying reality of this case is that Google was able to sell BGI collected from numerous individuals to advertisers who wished to target them with their advertising. That confirms that such data, and consent to its use, has an economic value. [para 46]
Can this kind of loss of control over data can properly be considered damage in the legal sense in which the term “damage” is used in the Data Protection Directive and DPA? In the Court of Appeal’s view, damages in consequence of a breach of a person’s private rights are not the same as vindicatory damages to vindicate some constitutional right. The EU law principles of equivalence and effectiveness should not be forgotten. The principle of equivalence provides that the detailed rules safeguarding an individual’s rights under EU law must be no less favourable than those governing similar domestic actions. And, on the case pleaded,
every member of the represented class has had their data deliberately and unlawfully misused, for Google’s commercial purposes, without their consent and in violation of their established right to privacy. [para 55]
Furthermore, Article 82.1 of the GDPR provides that a person who has suffered “material or non-material damage as a result of an infringement of this Regulation” should have the right to receive compensation for the damage suffered. “Loss of control” over personal data is given in that Regulation as an example of the kind of “physical, material or non-material damage” that might be caused to natural persons as a result of a data breach.
In summary, Sir Geoffrey Vos C was of the view that both human rights law and EU law clearly required damages in this situation.
damages are in principle capable of being awarded for loss of control of data under article 23 and section 13, even if there is no pecuniary loss and no distress. The words in section 13 “[an] individual who suffers damage by reason of [a breach] is entitled to compensation” justify such an interpretation, when read in the context of the Directive and of article 8 of the Convention and article 8 of the Charter, and having regard to the decision in Gulati. Only by construing the legislation in this way can individuals be provided with an effective remedy for the infringement of such rights. [para 70]