The High Court has, for the time being at least, dealt a blow to the prospect of large-scale US-style 'opt-out' class actions in data protection cases. However, the decision of Mr Justice Warby (which is likely to be appealed) may turn out to be confined to the facts of this particular case.
Lloyd v Google  EWHC 2599
A representative claim was issued by Richard Lloyd, a former director of Which?, on behalf of 4.4 million iPhone users in England and Wales. The claim centres on the so-called Safari Workaround, which affected iPhone users running Apple's Safari browser. During 2011 and 2012, Google was able to collect large amounts of personal data from Safari users without their consent, through the use of the Google Double-Click Ad Cookie. If the claim succeeds, Google's potential liability to UK claimants could be up to £3bn.
This was an application for permission to serve proceedings on Google outside the jurisdiction. The application was dismissed at first instance because, while the Court accepted that Google had breached data protection law, Warby J found that the claimant had failed to show that any individual had suffered any damage as a result of the breach. The judge was also critical of the attempt to bring an opt-out representative action on behalf of a group of people who had shown no interest in enforcing their rights individually.
To obtain permission to serve the claim on Google in the USA, the claimant needed to show that he had a "good arguable case", which included showing that the members of the class had suffered damage which merited compensation under English data protection law.
The claimant did not argue that the members of the class had suffered financial loss. Nor did he argue that they had suffered distress, despite the fact that another recent case also concerning the Safari Workaround established that under the old 1998 Data Protection Act damages are recoverable for distress suffered as a result of breach of data protection law. Rather, the claimant argued that damage arose as a result of the act of infringement of data protection rights and the commission of the wrong itself, and for loss of control over personal data.
The Court considered that the first two categories were merely descriptions of the breach and could not be characterised separately as damage. As for the loss of control argument, the claimant had sought to argue this based on a Court of Appeal decision in Gulati v MGN Limited  EWCA Civ 1291 on misuse of private information arising out of the phone hacking scandal. However, the judge considered that in that case the claimants had still suffered some form of loss. He also reaffirmed the principle that the court could not make an award of vindicatory damages simply to acknowledge that a wrong has been committed, and he refused to order damages as a means of censuring Google.
He also commented that the mere fact that a person's data has been used without consent does not invariably mean he or she has suffered harm worthy of compensation – not everything that happens to a person without their prior consent causes distress. As the judge put it, "some people enjoy a surprise party".
This case concerns the old data protection regime. Would the ruling have been different if it had been decided under the GDPR? The GDPR specifically allows for recovery of "non-material damage". The Data Protection Act 2018 clarifies that "non-material damage" includes distress. The right to be compensated for distress caused by data protection breaches is therefore enshrined in statute. And the GDPR's call for the concept of damage to be "broadly interpreted" may invite attempts to widen it still further.
The judge was dismissive of the attempt to bring the claim as a representative action under CPR 19.6 on behalf of millions of people.
He did not think the claim met the requirement that all the claimants should have the "same interest". The class may include claimants who had suffered many different levels and forms of damage, making overall damages impossible to assess. There may also be defences available in respect of some members which would not apply to others.
There were also overwhelming practical difficulties in ascertaining whether any given individual was a member of the class. Not all iPhone users had the Google Double-Click Ad Cookie placed on their phones during the relevant period, but there was no viable way of excluding users who were not affected. This created a risk that compensation would go to people who did not suffer damage.
Finally, the judge was critical of the attempt to bring a claim "on behalf of individuals who have not authorised it, and have shown no interest in seeking any remedy for, or even complaining about, the alleged breaches".
The judge was clearly sceptical about the entire basis of this claim. He emphasised that the purpose of damages under data protection law is to compensate for actual harm suffered by individuals, and not to censure big companies. The fact that the claim was brought as a representative action, with no individuals coming forward to identify the specific damage they suffered, arguably reinforced the impression that no real harm had been suffered.
Some of the judiciary would appear to be suspicious of US-style class actions. This will come as good news for the internet giants who control ever more of our personal data, but less so for the individuals whose data they control. The practical reality is that a class action is likely to be the only means for private citizens to protect their data privacy and defend themselves against big tech.
Sooner or later a data privacy case will arise with more claimant-friendly facts, such as a more easily defined class, greater commonality of interest, obvious and easily quantifiable damage – a data breach scenario might be an example – which may commend itself more readily to the Court as a potential class action.