Class actions and privacy
Earlier this year, the Supreme Court heard Google’s appeal against the Court of Appeal’s finding that it should answer a claim for breach of the UK Data Protection Act 1998 (DPA). With its decision set to have significant ramifications for the bringing of class actions in the UK, we take a look at how matters reached this stage and the issues that the Supreme Court will have to consider in reaching its judgment.
In 2017, a former executive director of "Which?" magazine sued Google for breach of the DPA. The director alleged that between August 2011 and February 2012, the software giant had used a so-called “Safari Workaround” to bypass default privacy settings on iPhones and track users’ internet activity or “browser generated information” (BGI) without their knowledge or consent and in direct contravention of the DPA.
The director claimed that Google’s actions allowed it to identify users who had visited websites displaying one of its advertisements and could even tell when such a visit was made, how often that user visited a particular website, and how long the user spent on each website. That information, it was alleged, allowed Google to deduce those users’ age, gender, interests, habits, political views, and even their financial position and thereafter categorise each user into groups such as “football lovers” or “current affairs enthusiasts”. The results of that classification were then sold to advertisers, to allow them to direct their adverts accordingly.
Service out of the jurisdiction
In May 2017, proceedings were issued against Google in the High Court. The claim was filed on behalf of the director and also on behalf of an entire class of iPhone users in England and Wales whose BGI had been gathered in that manner, estimated to be around four million people in total.
Given Google’s US domicile, permission was sought to serve the claim outside the jurisdiction. In doing so, it had to be established:
- That the claim has a reasonable prospect of success (CPR 6.37(1)(b))
- That there is a good arguable case that each claim advanced against the foreign defendant falls within at least one of the jurisdictional "gateways" in paragraph 3.1 of Practice Direction 6B
- That England is clearly or distinctly the appropriate place to try the claim (CPR 6.37(3)
At first instance, Warby J dismissed Mr Lloyd’s application. In reaching his decision, he concluded that the director and the other members of the class had not suffered “damage” within the meaning of section 13 of the DPA and as such, that the claim had failed to disclose a basis for seeking compensation. In doing so, he rejected the attempt to rely on the argument – advanced in phone-hacking case of Gulati v MGN  EWCA Civ 1291 – that the class were entitled to damages for the “loss of control” of their private information, caused by Google’s actions as data controller.
Warby J further ruled that the requirements of CPR 19.6, which claimants issuing on behalf of others must satisfy, had not been met because the users in question did not have the “same interest” and could not easily be identified as falling within the class. Exercising his discretion under 19.6(2), the judge directed that the director could not act as a representative of the class. This was appealed and the case came before the Court of Appeal.
Court of Appeal
Allowing the appeal in its entirety, the Court of Appeal concluded that:
- Damages were recoverable where a claimant had suffered a “loss of control” under DPA section 13, irrespective of whether that claimant had suffered pecuniary loss or distress
- The users that the Director purported to represent did have the “same interest” for the purposes of CPR 19.6 and were readily identifiable as members of that class (using data held by Google)
- That Warby J had erred in exercising his discretion to prevent the claim from continuing, noting that the members of a class do not have to authorise a representative claim
In reaching its decision, the court pointed to Google’s sale of the users’ BGI as being indicative of the fact that control over data, capable as it was of being sold, was an asset of value. It therefore followed that loss of that control must also have a value and it was on that basis that the court ruled each member of the class should have the right to receive compensation for the “damage” suffered.
Google appealed the decision, leading to last month’s denouement on the issue of whether the director should be granted to serve outside the jurisdiction...
The issues the Supreme Court has been tasked with deciding are:
- Whether a non-trivial infringement of the DPA, which does not cause pecuniary loss or distress can result in damages being awarded for “loss of control” of personal information
- Whether members of a class have to be identified to demonstrate that they have the “same interest” for the purposes of pursuing a representative class action
- Whether the court should exercise its discretion and prevent the director from acting as a representative of the four million-odd iPhone users he seeks to speak for
The potential impact of the Supreme Court’s decision cannot be overstated. The Courts of England and Wales have traditionally been reluctant to allow representative class actions brought on behalf of individuals who have the “same interest”, interpreting that requirement narrowly and thus rendering claims of that nature rare in the UK.
Should the Supreme Court agree with the Court of Appeal and decide that the four million iPhone users the Director seeks to represent do indeed have the same interest, it will likely open the floodgates for US-style “opt-out” class actions to become far more prevalent on this side of the pond.
At the Supreme Court hearing, counsel for Google, Antony White QC, argued that a decision with such significant and wide-ranging implications for class actions in the UK should only be taken by Parliament. He further argued that the identification of class members in representative actions posed a real practical problem, which would be exacerbated if such claims were allowed in the future.
Counsel for the Director, Hugh Tomlinson QC, instead sought to frame the case as a question of access to justice, arguing that the Court of Appeal’s decision was the only way in which Mr Lloyd and those in the class he represented would be able to obtain a remedy.
The Supreme Court Justices raised the question of class members being stopped from pursuing their own claims, in reply to which Mr Tomlinson referenced the availability of the opt-out system mentioned above and the fact that such issues would be far outweighed by the potential benefit to millions of future class members. Whether that “greater good” argument will carry sufficient muster is unclear but it is one of many considerations the Supreme Court will have to give credence to when reaching its decision.
The decision is also likely to impact upon litigation funding, with the majority of representative claims likely to require funding in place to get off the ground.
In February this year, the UK government concluded that an opt-out procedure for data protection cases was unnecessary in light of the current regime. Should the Supreme Court rule in Mr Lloyd’s favour, it would seemingly go against that policy pronouncement. Whether that will influence the Justices’ decision remains to be seen.