Group litigation - into the breach
Lloyd v Google [02.10.19]
Claims by data subjects have been labelled “the new PPI”, particularly following the ratification of the right to non-material damages in the GDPR. Worryingly, the latest decision of Lloyd v Google appears to have made it even easier for claimants to bring such claims, particularly en masse.
We previously discussed the background to the claim in: High Court opts-out of US style group litigation for data breaches, but the decision of the lower court has now been reversed by the Court of Appeal, which potentially opens the litigation floodgates.
The basis of the claim is that Mr Richard Lloyd brought a claim against Google alleging that they had breached their duty as a data controller under the old Data Protection Act 1998 by tracking the internet activity of Apple iPhone users, without their knowledge and thereafter selling the accumulated data. He brought an action in a representative capacity on behalf of a class of affected iPhone users (estimated to be around 4.4 million), claiming non-material damage for distress and anxiety.
The High Court initially dismissed the claim by Mr Lloyd on the basis of the following two key issues:
- For a claim to be successful there needed to be evidence of damage suffered, rather than Mr Lloyd’s proposed unquantified compensatory tariff scheme; and
- The court did not consider that such a large class could be reliably determined and therefore did not meet the requirements of a representative action as all the members of the class did not have exactly the “same interest” in the claim.
Decision at appeal
Surprisingly, the Court of Appeal upheld Mr Lloyd’s appeal and reversed the High Court decision entirely. Firstly, the Court of Appeal said that there should be no requirement to prove pecuniary loss or distress for a claimant to recover compensation successfully under the Data Protection Act. The Court of Appeal determined that the loss of control over personal data itself is sufficient to constitute non-material damage.
Secondly, that for the purposes of CPR Part 19.6(1) Mr Lloyd had met the requirements of a representative action on the basis that those he sought to represent did have the “same interest” in the claim. Whilst the High Court had previously raised concerns regarding the identification of individuals within that class, the Court of Appeal held that “the data in possession of Google will be able to identify who is, and who is not, in the class”.
Whilst the previous decision was welcomed by a large number of data controllers in the UK, it is likely that the Court of Appeal’s decision will have the opposite effect. We have seen the recent fallout from the ICO on large scale data breaches for British Airways and Marriott hotels, with claimant firms attempting to press for class action law suits being filed in the US, this now has the potential to move across the Atlantic.
The previous decision, indicated that the courts would be less than favourable of US style representative actions where a large body of individuals would generally have no knowledge or interest in the claim. The previous requirement to demonstrate loss and encourage each potential claimant to opt-in, means that we will likely see UK group litigation actions take off again, especially as more and more data breaches come to fruition.
This decision will likely reverberate with more claimants pursuing claims as a consequence of a data breach, in addition to slightly elevated damages to those claimed previously. The cost of a data breach will potentially rise following this decision.
It should be noted to that this may not be the end of this as there is an intention by Google to appeal the decision to the Supreme Court.