In the run up to ‘GDPR Day’ on 25th May 2018 there were warnings data protection was set to become the new PPI and fears spread of ‘ambulance chasing’ law firms jumping on the bandwagon. Indeed, DPN co-founder the late Rosemary Smith wrote about this back in December 2017 – GDPR and People Power.
Since then, we’ve probably all seen adverts of a ‘Have you been the victim of a Data Breach? – No Win No Fee’ nature springing up.
Furthermore, a recent ruling by the Court of Appeal is now being hotly debated as to whether it has opened the door or not to more class/group actions.
Part of the ruling focuses on what can be considered ‘damage’ and it has been ruled that a class action can proceed and compensation can be sought for ‘loss of control of personal data’ regardless of whether there is any pecuniary loss or distress, or not.
Brief Summary of the case of Lloyd vs Google
The case pertains to allegations that Google used tracking cookies which overrode iPhone users’ privacy settings in Apple’s Safari browser between 2011 and 2012 – specifically that Google’s ‘Doubleclick’ ad cookie was set without iPhone users’ knowledge or consent.
In 2017, Richard Lloyd, former director of the consumer rights group Which? filed a collective lawsuit seeking to represent millions of UK iPhone users whose browser settings he alleges were ignored by Google’s tracking technologies. Mr Lloyd alleges the so-called “Safari workaround” collected data on iPhone users even if they had chosen a “Do not track” privacy setting.
Last year the High Court threw out the lawsuit, in his decision Mr Justice Warby said it was difficult to calculate exactly how many people had been affected and he was not convinced the claimants could demonstrate they had suffered damage as a result of a data protection violation.
However, the Court of Appeal has this month overturned this decision, granting Mr Lloyd permission to serve the proceedings on Google. An important aspect of this ruling is that the Court of Appeal considers that;
- Individual personal data has economic value
- The loss of control of that data is violation of privacy which can in principle constitute damage under Section 13 of DPA 1998, without the need to demonstrate pecuniary loss or distress.
While this case relates to the old data protection regime, it’s likely GDPR and Data Protection Act 2018 would be interpreted in the same way, indeed Recital 85 of GDPR specifically points to ‘loss of control’ over personal data.
In response to the Court of Appeal Ruling James Oldnall, a partner at Mischon de Reya which is representing Mr Lloyd said;
‘This decision is significant not only for the millions of consumers affected by Google’s activity but also for the collective action landscape more broadly.
“The Court of Appeal has confirmed our view that representative actions are essential for holding corporate giants to account. In doing so it has established an avenue to redress for consumers.’
Google for its part has responding saying;
‘Protecting the privacy and security of our users has always been our number one priority. This case relates to events that took place nearly a decade ago and that we addressed at the time. We believe it has not merit and should be dismissed.’
The Ruling has led to a number of articles claiming this has opened the floodgates to data breach claims. It has, perhaps unsurprisingly been picked up by law firms representing class actions. Hayes Connor Solicitors which says it’s currently acting for thousands of claimants with data breach action against Ticketmaster, Equifax, Marriott International and others, published an article stating;
‘The Court decided that claimants would be entitled to compensation even if the only personal information breached was their email address. It also ruled that a claim would be valid without the requirement to prove a loss or damage as the loss of control of the personal information was sufficient grounds.’
‘The ground-breaking judgement also clarified that firms representing only a portion of the total number of individuals affected in major data breaches, such as the British Airways and Ticketmaster incidents, can claim compensation for the entire population affected and can thereafter distribute the funds.’
However, the law firm Linklaters questions whether the ruling will really open the floodgates saying, ‘Much of the judgement suggests that this may be peculiar to its facts’, and that this particular case rests on the criticism of Google that it deliberately and unlawfully misused personal data without consent and in violation of individuals’ rights. Linklaters points to the fact that the Court clearly states there’s a threshold of seriousness and a claim for loss of control of personal data would not arise in relation to ‘an accidental one-off data breach that was quickly remedied’.
What’s evident from this ruling is it clearly shows how seriously the Court of Appeal takes the fundamental right to privacy and data protection. However, future class actions may remain limited to cases where there’s a deliberate and widespread misuse of data. The context and nature of the breach of data protection law will be key.
Philippa Donn, October 2019
Other Related articles:
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.