Class action data breach litigation under CPR 19.6 is given the green light by the Court of Appeal in Lloyd v Google
Written By
Dispute Resolution Knowledge & Development Lawyer
UK
I am the knowledge and development lawyer in our London International Dispute Resolution team. I play a key role in keeping my colleagues updated so that they are at the forefront of legal developments, trends and case law in the litigation and international arbitration arenas for the benefit of our clients.
Related
Practices
Sectors
Trending Topics
Countries
Offices
The recent judgment by the English Court of Appeal in Lloyd v Google LLC [2019] EWCA Civ 1599, a large-scale data breach claim, provides helpful insight into the operation of CPR 19.6. CPR 19.6 allows individuals with the 'same interest' to be made a party to a claim in a representative capacity. Following the enactment of the Data Protection Act 2018 ('DPA'), these types of large-scale data breach claims are expected to increase dramatically but the operation of CPR 19.6, especially with regard to how the class with the 'same interest' is to be identified, and the pecuniary relief sought for each member of the class, has been a cause of concern. Lloyd v Google, although decided under the Data Protection Act 1988 rather than the DPA, is very helpful in determining whether the representative class in large-scale data breach actions has the 'same interest' and whether the class is readily identifiable in accordance with the criteria set out in CPR 19.6.
Background to the appeal
The claim, seeking damages for breach of statutory duty, is brought by Richard Lloyd, an ex-director of consumer rights group Which?, on behalf of over 4 million UK iPhone users (the 'Representative Class'). The so-called 'Safari Workaround' allowed Google to set a cookie on the users' devices circumventing Safari's default settings which blocked third-party cookies, enabling Google to gather data on the timing, and sometimes location, of the users' activity on certain websites. This browser generated information ('BGI') was used to create customer interest groups which advertisers would pay Google to target their advertisements against specific audiences.
The Court of Appeal considered three issues in allowing the appeal:
- Issue 1 - Could a claimant recover damages for the type of breach alleged?
- Issue 2 – Did members of the Representative Class have the same interest and were they identifiable under CPR 19.6?
- Issue 3 – Is it open to an Appellate Court to exercise its discretion afresh in these circumstances?
In allowing the appeal, the Court of Appeal ruled that a loss of control of personal data alone could constitute damage for the purpose of the claim, even in the absence of pecuniary loss. The court considered that BGI had its own inherent economic value as it was capable of being sold, and that each claimant had lost the right of control over their own private BGI. The Court of Appeal accepted that the case of Gulati [2] was applicable by analogy to the facts before it. Although Gulati was a case about Misuse of Private Information ('MPI'), rather than a decision on the DPA, the Court accepted that both MPI and s.13 of the DPA emanate from the same core rights to privacy under European law. Gulati was authority that damages for MPI are available without proof of pecuniary loss or distress, and therefore the Court said that "it would be wrong in principle if the Representative claimants' loss of control over BGI data could not, likewise, for the purposes of the DPA, also be compensated"[3] . The Court held that in the circumstances, this breach could constitute loss for the purpose of the DPA entitling the innocent party to compensation under s13 of the DPA.
Issue 2 - Did members of the Representative Class have the same interest under CPR 19.6?
Having established that the High Court was wrong to find that no damage arose from the breach, the Court of Appeal reconsidered the ability of the claimants to form a representative group under CPR 19.6. The Court of Appeal held that the judge at first instance had interpreted the phrase 'same interest' too narrowly, as a result of his (incorrect) interpretation of lack of 'damage' for the purpose of the claim. The court accepted that the damage to each claimant was the loss of control of their BGI, taken by Google without their consent. This was a common loss originating from the same alleged wrong, taking place in the same circumstances and within the same period of time for each claimant. Sir Geoffrey Vos stated in his judgment:
'… once the claim is understood in the way I have described, it is impossible to imagine that Google could raise any defence to one represented claimant that did not apply to all others. The wrong is the same, and the loss claimed is the same. The represented parties do, therefore, in the relevant sense have the same interest[4] .'
The court did acknowledge the possibility that individual claimants may, due to their own personal circumstances, have suffered particularly great loss or distress as a result of the breach. This would entitle the claimant to a greater sum than what would be available as a uniform award under a representative action. However, the court pointed out that the limitation period has now expired and 'represented claimants could, at least in theory, seek to be joined as parties if they wished to claim additional losses'. The court expressed that the purpose of the uniform sum was to account for the basic breach against every claimant for the loss of control of their personal data.
"It seems to me that allowing a representative action in a case of this kind is not so much an exception to the rule … but rather an application of the rule[6] ."
In addressing whether the representative class was 'identifiable', the Court of Appeal held that the only requirement was whether any given person qualified for membership of the representative class because they had the same interest as Lloyd at all stages of proceedings. This was satisfied on the facts as Google held data relating to which users' BGI had been gathered. While there may be incidents of misremembering or attempts to abuse the categorisation, these are practical difficulties and do not make the representative class any less identifiable. The Court of Appeal emphasised that, according to case law, the number of claimants cannot impact the ability to use the representative action procedure.
This decision gives clarity to the circumstances in which representative parties with the 'same interest' can bring an action under CPR 19.6, and its applicability to modern data breaches. It is particularly noteworthy that the Court of Appeal presented its decision as a natural application of existing legal principles. Up until this point it has been very difficult to show that claimants all have the 'same interest' under CPR 19.6. This decision will go some way to clarifying how claimants can create a class with the same interest to form a representative action, although at the time of writing, an application to appeal the judgment before the Supreme Court is pending, on which a decision is expected by February 2020.
Commentators speculated that the arrival of the GDPR would result in a tidal wave of data privacy class actions, but as we wrote last year this is still to materialise in huge numbers . However, data breach claims are on the rise. In October the English High Court held that approximately 500,000 customers could bring a Group Litigation Order claim against British Airways under CPR 19.10. The claimants allege that British Airways allowed their personal and payment details to be fraudulently gathered by hackers in breach of the GDPR . As the use of personal data by businesses comes under greater scrutiny, and following the introduction of the GDPR, it is likely that the frequency of such class action type claims will increase dramatically in future whether under CPR 19.6 or by way of a Group Litigation Order.
[1] S.13 of the DPA provides that an individual who suffers damage by a data controller by reason of any contravention of the requirements of the DPA is entitled to compensation for that damage from the data controller. The data controller here is Google.
[2] Gulati v. MGN Limited [2015] EWHC 1482 (Ch)
[3] Para 57 of the judgment
[4] Para 75 of the judgment
[5] The Duke of Bedford v. Ellis [1901] A.C. 1; Markt & Co v. Knight Steamship Company [1910] 2 K.B. 1021; Emerald Supplies Ltd. V. British Airways plc [2011] Ch 345 (among others)
[6] Para 78 of the judgment
