A data protection Safari – Google eventually wins in iPhone class action

Background

The claim arose from what was referred to as the “Safari workaround”, in reference to the Safari internet browser on iPhones.  Between 9 August 2011 and 15 February 2012, the relevant versions of Safari had default settings that blocked third-party cookies.  Google had a DoubleClick Ad cookie, which would be placed on devices that visited a website with DoubleClick advertising content and allowed Google to identify visits by that device to any website with an advert from Google’s network and collect information.  Apple developed exceptions to the default settings to allow certain popular web functions.  While the exceptions were in place, Google could implement the Safari workaround and place the DoubleClick Ad cookie on an iPhone without the user’s knowledge or consent.  

Mr Lloyd brought a representative action on behalf of all affected iPhone users (which was estimated to include around 4 million people), on the basis that Google used the Safari workaround to collect personal data in breach of Google’s duty as a data controller to comply with the data protection principles under section 4(4) of the Data Protection Act 1998 (DPA 1998).

Issues of law

Representative actions

Representative actions are a mechanism under Civil Procedure Rule 19.6.  They allow a person to bring a claim on behalf of one or more people who have the “same interest” in the claim.  There is no requirement of consent, and the members of the represented class do not even need to know that the action exists.  Requiring the represented parties to have the same interest as the representative ensures that the representative will promote the interests of all persons in the class.  Once the same interest is established, the court still has a discretion as to whether to proceed with the claim by way of a representative action, and the court must refer to the overriding objective to ensure that cases are dealt with justly and at proportionate costs.

Under a representative action, all members of the class will be represented unless an “opt-out” procedure is established, in contrast to the “opt-in” nature of Group Litigation Orders, which allow claims with common issues to be managed together.  As the Supreme Court noted, the drawback of an opt-in regime is that the claimants have to take active steps to join the group and to become a claimant, including to obtain appropriate legal advice.  Where an individual claim is only worth a few hundred pounds, the initial costs may exceed the value.  Further, the need to obtain evidence of damage for each individual adds to the uneconomic nature of group actions with small individual losses.

Damages

Mr Lloyd relied on section 13(1) of the DPA 1998, which gives an individual who suffers damage “by reason of any contravention by a data controller of any of the requirements of this Act” a right to compensation for that damage.  

In a representative claim, damages can be assessed on a “top-down” approach for the damage suffered by all members of the class, without looking at each individual’s entitlement.  In this case, however, Mr Lloyd adopted the “bottom-up” approach of calculating damages on the basis of what each class member is entitled to recover.  It was recognised that a representative action could not claim compensation that would have to be individually assessed for each member.  To avoid a need for individual assessment, Mr Lloyd argued that compensation could be awarded for any (non-trivial) contravention of the requirements of the DPA 1998 without showing financial loss or mental distress and in a uniform sum that did not consider individual circumstances.  Mr Lloyd sought to formulate such compensation on the basis of: (a) damages for “loss of control” of personal data; or alternatively (b) user damages in a sum that the members could reasonably have charged for releasing Google from the duties that it breached.

Mr Lloyd needed permission to serve the claim form on Google outside the jurisdiction. Google contested this on the basis that the claim had no real prospect of success because: (a) loss-of-control damages are not available under the DPA 1998 without showing financial damage or distress; and (b) the claim was not suitable to proceed as a representative action.

Procedural history  

The High Court refused permission to serve the proceedings on Google.  It was held that the right to compensation under section 13(1) only arose where there had been a breach of the DPA 1998 and damage was suffered as a result of that breach.  This treated the breach and damage as distinct.  Accordingly, whether any individual had suffered damage would depend on the specific facts in each case.  The High Court was also concerned about practical difficulties in ascertaining whether any individual was a member of the class, and permission to proceed as a representative action was refused as a matter of discretion.  

The Court of Appeal reversed the High Court’s decision.  It held that control of data generated through internet browsers had a value, and loss of that control should also have a value.  The Court of Appeal drew an analogy to Gulati v MGN Ltd, [2] where loss of control of private information was found to give rise to damages, even if there was no financial loss or distress.  The Court of Appeal held that the represented class had been the victim of the same wrong, suffered the same loss (of control of data) and so had the same interest.  It further held that the members of the class could be sufficiently identified, and the claim was allowed to proceed as a matter of discretion.  

Google appealed against the reversal of the High Court’s decision.  

Decision

The Supreme Court accepted that claims could be made, at least in Mr Lloyd’s own right, for: (a) damages under section 13(1) of the DPA 1998, for distress suffered due to Google’s contravention of the DPA 1998; and/or (b) damages for misuse of private information, without the need to show any material damage or distress.  

No reason was given as to why a claim for misuse of private information had not been made.  The Supreme Court considered that the view may have been taken that establishing a reasonable expectation of privacy would require evidence for each member of the class, which is incompatible with a representative action.  Mr Lloyd was instead seeking to apply the principles of damage for misuse of private information to the assessment of compensation under section 13(1) of the DPA 1998 on the basis that “damage” could include “loss of control”.  Mr Lloyd argued that data protection and misuse of private information both seek to protect the right to privacy under article 8 of the ECHR, and the approach to damages should therefore be the same for both claims.  

Interpretation of section 13

The Supreme Court looked at the wording of section 13 and found that the breach of a data controller’s duty is not sufficient for the purposes of compensation.  The right to compensation arises where damage has occurred by reason of a breach of the DPA 1998 and is to compensate for that damage.  So the “damage” has to be distinct from the breach.  The clear interpretation of the DPA 1998 was that damage was intended to mean material damage.  The court in Vidal-Hall v Google [3] had been able to widen the scope of “damage” under section 13(1) to include distress, on the basis that the previous separation of distress into section 13(2) (which imposed restrictions on when compensation could be awarded for distress) was incompatible with EU law.  Yet the distinction between damage and breach was consistent with EU law, and there was no scope to interpret “damage” more widely.  

Misuse of private information

In the view of the Supreme Court, the fact that data protection seeks to protect the same value as the tort of misuse of private information does not mean that it should afford identical remedies.  There are significant differences between data protection and misuse of private information:

1. Regulating the processing of personal data is wider than the scope of Article 8 and the tort of misuse of private information, where information is only protected if there is a reasonable expectation of privacy.  Mr Lloyd was seeking damages under a principle that depends on a violation of privacy, without showing a violation of privacy for any individual.
2. Under data protection legislation, there can be compensation for a breach where the data controller fails to exercise reasonable care.  Privacy does not, however, require material damage or distress and involves strict liability, but only for deliberate acts.  

So the analogy to Gulati was rejected, and it was concluded that section 13 cannot reasonably be interpreted as giving a right to compensation for any (non-trivial) breach of the DPA 1998 by a data controller, without proving that material damage or distress has been caused to the relevant individual.  

User damages

User damages are usually awarded where someone has made wrongful use of someone else’s property and are assessed on the basis of what a reasonable person would have paid for the right of usage.  It was recognised that a person’s internet browsing history is a commercially valuable asset.  Yet the Supreme Court could not interpret section 13 as allowing user damages.  Based on the same analysis as for loss-of-control damages, the court held that section 13 only provides a right to compensation for material damage or distress.

Need for individualised assessment

The Supreme Court found that, even if there were no need to show material damage or distress, it would still be necessary to show the extent of the unlawful processing in each individual case.  To quantify damages, the court would have to look at a number of factors including the period of time over which the individual’s browsing was tracked, the amount of unlawfully processed data, whether such data included sensitive information, what use Google made of the information and whether Google obtained any commercial benefit.  Mr Lloyd sought a “lowest common denominator” and argued that there was an irreducible minimum harm suffered by every member of the class, and that a uniform sum could be awarded on that basis.  But without considering any individual circumstances, the court had insufficient facts to establish that any member of the class had a right to compensation.  To be entitled to compensation, unlawful processing of personal data had to be shown for each individual data subject.  

Mr Lloyd only intended to prove the facts needed to bring each individual within the definition of the class.  That only required that the individual had an appropriate model of iPhone with the relevant version of the Safari browser that was used during the relevant period to access a website with DoubleClick advertising content.  That could include someone who only accessed a relevant website once, even if their data were not illicitly tracked or collated, and they never received any targeted advertising due to the DoubleClick Ad cookie.  Mr Lloyd admitted that there was a threshold of seriousness before a right to compensation is established, and the Supreme Court could not see that the facts intended to be proven for each individual would pass this threshold.  

Similarly, if user damages had been available, it would need to be shown how much unlawful processing Google had carried out in relation to each member’s personal data to be able to estimate the commercial value.  Given that Mr Lloyd only intended to prove that the DoubleClick Ad cookie had been placed on each member’s device (even if only from one website visit) without showing that Google collected or used any personal data, the hypothetical fee would be for a licence to place a cookie on a phone, but would not release Google from its obligations not to collect or use any information.  Such a licence would have no value, and the fee that could reasonably be charged would be nil.

Overall, the Supreme Court unanimously found in favour of Google, allowed the appeal and restored the High Court’s decision to refuse permission to serve proceedings on Google outside the jurisdiction.

Comment

The Supreme Court’s decision that damages are not available under the DPA 1998 for loss of control of data will make any future class actions difficult to justify on a cost-effective basis – as will the requirement that damages must be assessed on an individualised basis.  The Supreme Court could not see any legitimate objection to a representative action seeking to establish whether Google had breached the DPA 1998 and seeking a declaration that any member of the class who suffered damage could claim compensation.  Yet this is unlikely to be economical given that, if successful, the costs of each individual in later bringing a claim for damages would probably exceed the respective damages.  

Further, litigation funders would be unlikely to fund the first-stage representative action unless there would be sufficient damages available to make a financial return under the individual claims.  The Supreme Court had accepted, as the courts below did, that the only economic way of pursuing the claims was as a representative action for damages.

It is worth reiterating that this claim was brought under the Data Protection Act 1998, and the Supreme Court was clear that it was not considering the Data Protection Act 2018 or the GDPR.  That might leave some scope for inventive representative actions in the future.  That said, as there are similarities in the wording under both sets of legislation, it seems likely that representative actions in data protection claims will still face difficulties in overcoming this ruling.

The decision also highlights the distinction between data protection and misuse of private information.  Despite Mr Lloyd’s common-source argument, the court clearly ruled out transferring principles from one regime to the other.  While loss-of-control damages are available in a case of misuse of private information, the need to establish a reasonable expectation of privacy in each individual case does not assist for representative actions.

Written for Entertainment Law Review.