Data breaches and the damage test

The High Court has rejected a significant claim against Google by a representative of more than 4 million iPhone users for alleged misuse of data, on the basis that the claimant had failed to provide evidence of actual damage. In doing so, the court has restricted possible representative group claims for compensation arising from breaches of data protection law. 

The Safari workaround

The decision of Mr Justice Warby in Lloyd v Google LLC [2018] EWHC 2599 (QB) has brought an abrupt end to a claim arising from Google allegedly secretly tracking the internet activity of approximately 4.4 million iPhone users. The case related to the collection of data by Google through its use of third-party cookies, designed to track users’ web browsing habits. Third- party cookies can be placed on a user’s computer or mobile device if a website they visit includes content from a third-party domain, most usually advertisements.

Google’s third-party cookie, known as the “DoubleClick Ad cookie”, was placed on a device that accessed any website that included content from Google’s DoubleClick domain. It was designed to track a user’s particular preferences and feed them back to Google so that targeted advertisements could be sent to that user. Given the extensive nature of Google’s advertising network, this cookie collected significant amounts of user data, including websites they visited, how long they visited the site for, what advertisements they viewed and for how long, the user’s IP address and their approximate geographical location.

In light of the extent of the data gathered, it was argued that Google could deduce a user’s interests and habits, race or ethnicity, social class, political or religious views, age, health, gender, sexuality and financial position. It was also claimed that it enabled Google to place users into particular groups depending on their interests. All of this was said to be done, for the most part, without the user’s consent or knowledge.

Safari, which is the default browser on Apple devices including the iPhone, was set to block all third-party cookies automatically. However, Google developed a workaround enabling their DoubleClick Ad cookie to be placed on an iPhone without the knowledge and consent of the user. Google’s workaround was discovered back in 2012 and led to regulatory action against Google in the US and a significant fine. It also led to a successful US class action in 2013.

Representative claim

Lloyd, a previous director of Which? magazine, decided to sue Google in a representative capacity on behalf of a class of residents in England & Wales who were allegedly affected by the Safari workaround. The class was defined widely as anyone with an iPhone running Safari who had not changed the default user settings to allow third-party cookies. Lloyd sought compensation on behalf of the class according to a tariff. The claim was framed as a claim for compensation in terms of a breach of s 4(4) of the Data Protection Act 1998 (“DPA”), as the alleged breach predated the GDPR introduced in May 2018.

Lloyd argued that all the users in the class were entitled to compensation in terms of s 13(1) of the DPA. Compensation was claimed to be payable due to the infringement of the user’s rights under the DPA, the commission of the wrong by Google and the user’s loss of control over their personal data. However, no material loss or damage was alleged. There was also no allegation of distress, anxiety, embarrassment or other harm. Alternatively, Lloyd argued that each member of the class was entitled to damages equivalent to the value of Google’s use of the data.

A figure of £750 per person was stated in the letter of claim. That meant a potential liability ranging between £1 billion and £3 billion. If successful, the idea was that Lloyd would distribute funds to anyone who could evidence that they were a member of the class. Lloyd received £15.5 million from a third-party litigation funder. In return the funder would have received a proportion of the compensation awarded before funds were distributed to class members.

The decision: a reasonable prospect of success?

The application heard by Mr Justice Warby was an application for permission to serve out of the jurisdiction. This was because Google is based in Delaware. To be successful, Lloyd had to show that the claim had a reasonable prospect of success in the High Court.

The court looked at s 13 of the DPA, which provides for compensation where an individual suffers damage by reason of a contravention of the requirements of the DPA. It was accepted that there might have been a breach of the data protection principles. However, the question for the court was, did the actions of Google cause “damage”? Lloyd argued that a loss of control of data was sufficient in itself to amount to damage. There was no need for the user to know about the breach or actually to have suffered distress or anxiety as a result. This element of the claim was based on Gulati v MGN [2015] EWHC 1482 (Ch), which awarded damages as a result of MGN’s hacking of the claimants’ voicemails, on the basis that they had lost control of their private information.

Mr Justice Warby commented that Gulati was an exceptional case relating to the wrongful access to significant information which could have had a real and appreciable impact on the claimants concerned. While Gulati shows that damages can be awarded for loss of control of private information, nothing comparable was alleged in this case. Not everything that happens to a person without their prior consent causes significant, or any, distress. The judge gave the example of a surprise party. He also commented that not everyone objects to non-consensual disclosure of their private information: for example, where a relationship is formed by reason of a mutual friend disclosing your contact details without seeking advance consent. Further, in his view some people were quite happy to receive targeted advertisements. Lloyd’s claim did not seek to differentiate between those who had suffered damage and those who had not.

This is not the first case in the UK to consider the Safari workaround. Vidal-Hall v Google [2014] EWHC 13 (QB) was a claim for damages relating to Google obtaining and using private information about three individuals’ browsing habits.

The claimants successfully argued before the High Court and Court of Appeal that they could show distress and anxiety caused by Google’s actions. This case was ultimately settled before a further appeal to the Supreme Court. It could be contrasted with Lloyd’s case where there was no evidence of distress, or indeed any suggestion of distress.

Lloyd also argued for damages calculated by reference to the market value of the data, based on a notional licence fee. However, the court rejected this argument, observing that people consent to the use of their data by accepting cookie notices but that does not involve the payment of money. Instead, users receive the value of targeted advertisements more likely to be of interest to them.

For completeness, the court also decided that Lloyd had failed to show that the users in the class had the same interest in the claim, meaning that a representative group action was not appropriate. The information collected about each user would be different and individual attitudes to collection of the data would be different. The impact of the breach on individual class members, and therefore their interest in the proceedings, varied considerably.

Lloyd has indicated an intention to appeal the High Court’s decision.

Comment: need to show damage

Vidal-Hall is authority for the proposition that compensation under the DPA can be awarded for distress. This was applied in Scotland in the case of Woolley v Akram [2017] SC Edin 7.

In that case, the sheriff awarded compensation for the distress caused by the defender recording CCTV and audio footage of the pursuers, who were her neighbours, without consent. The CCTV cameras covered the pursuers’ property and meant that the defender could track who arrived or left the pursuers’ property. The court accepted that this was an extreme breach of the DPA and had a materially negative impact on the pursuers’ life, causing distress.

The comments from the court in Lloyd are equally applicable in Scotland. According to Vidal-Hall, damage does not need to be financial and can include distress. In Lloyd, there was no evidence of distress, and indeed providing such evidence would be practically impossible given the size and undefined nature of the class. Any future claim would need to be limited to identifiable individuals who could evidence distress, or any other material or non-material damage, as a result of the breach.

The case was decided under the DPA, which has now been largely superseded by the GDPR, but the provisions of the GDPR are unlikely to have changed the outcome. Article 82 of the GDPR, together with s 168 of the Data Protection Act 2018, provide that compensation requires the pursuer to have suffered material or non-material damage. Non-material damage specifically includes distress. However, in line with the decision in Lloyd, that damage will need to be evidenced.