In the recent case of Lloyd v Google LLC, a class action was initiated by Richard Lloyd, a former editor of “Which”, on behalf of four million Apple iPhone users whose internet browsing data was collected and sold by Google to advertisers without their consent between August 2011 and February 2012.
Mr Lloyd’s original application against Google was dismissed at first instance on the basis that:
- None of the class that he represented had actually suffered any damage in the form of financial loss or distress; and
- Members of the class in the action could not be identified and may not have all had the same interest as required by the Civil Procedure Rules.
The relevant law
Section 13 of the Data Protection Act 2018 (DPA) provides that:
“[an] individual who suffers damage by reason of [a breach] is entitled to compensation”.
Section 8 of the DPA requires public bodies to respect the private life of an individual and any information held about them. They must be able to justify storing and processing data.
Civil Procedure Rule Part 19.6 (1) states that members of a class action, such as the one brought by Richard Lloyd on behalf of 4 million iPhone users, must have the same interest.
Mr Lloyd appealed this decision to the Court of Appeal. The judgement was handed down on 2nd October 2019. The Court of Appeal gave a unanimous judgement in favour of Richard Lloyd and overturned the decision of Warby J in the High Court.
Up until the recent decision, Claimants under the DPA have had to prove either financial loss or distress. However, in this case the Court says:
“Accordingly in my judgement, a person’s control over data or over their Business Generated Information does have a value, so the loss of that control must also have a value”.
And they therefore held that damages should be available for circumstances like these where there has been a “loss of control of data” even where no financial loss or distress had been alleged.
This seemingly creates a somewhat smaller hurdle for Claimants to pass in relation to data breach claims.
As mentioned earlier, the claim initially failed due to the fact that Richard Lloyd could not identify or prove that each of the 4 million iPhone users had the same interest.
In this decision, the Court have permitted the claim to proceed as a representative action. The Court decided that the members of the class had the “same interest” despite their being differences between how much personal data of individuals within the class was affected.
What does it mean for data breach claims?
This case appears to create a dramatic shift in favour of Claimants and the Court of Appeal’s finding could have significant consequences for data protection and privacy cases going forward.
Due to the lowering of the “damages” threshold and an easier way to establish members of a class have “the same interest” is likely to make it easier for representatives to bring class actions for data breaches.
Whilst we await information as to what damages will be awarded to individual claimants in this judgment, it should ring alarm bells for anyone who deals with data.
Those defending data breach claims and/or may face prospect of such claims in the future will need to re-evaluate their position as a result of this judgement. Organisations will have to continue to comply with data protection and GDPR to the satisfaction of regulators in order to limit their litigation exposure in respect of such class actions.
It’s fair to say that the Courts do not take data breaches lightly.
How can Nelsons help?
For further information in relation to the subjects discussed in this article, please contact Sayra or another member of the team in Derby, Leicester or Nottingham on 0800 024 1976 or via our online form.