Lloyd v Google LLC

The Court of Appeal held that damages under section 13 of the Data Protection Act 1998 can, in principle, include compensation for a non-trivial loss of control over personal data even in the absence of pecuniary loss or recognised distress, when the claim is construed in light of the Directive and article 8 rights. The court treated such loss of control as a form of compensatable damage under article 23 of the Directive and section 13 of the DPA, subject to the ordinary de minimis/seriousness threshold.

It also held that the proposed representative class satisfied CPR Part 19.6(1): the members had the same interest where the pleaded cause of action and the loss claimed were uniform (loss of control of browser-generated information), and the class was identifiable in principle. The court rejected the lower court's reasoning that uniform per-capita (tariff) damages were precluded as a matter of law.

The court further found that the first-instance judge had exercised his discretion under CPR Part 19.6(2) on an incorrect basis in several respects and that the Court of Appeal could and should exercise the discretion afresh. The appeal was allowed and permission granted to serve the proceedings outside the jurisdiction.

This appeal arose from Warby J's refusal of permission to serve a representative claim out of the jurisdiction. The claim, brought by Mr Richard Lloyd on behalf of a class of Apple iPhone users, alleged that Google had implemented the 'Safari Workaround' (August 2011–February 2012) enabling covert collection and commercial use of browser-generated information (BGI) without consent. The pleaded causes of action included breach of statutory duty under section 4(4) and damages under section 13 of the Data Protection Act 1998 for contraventions of the data protection principles (including the first, second and seventh principles).

• Nature of relief sought: Representative damages for each member of the class (a uniform per-capita award) under section 13 DPA and, in consequence, permission to serve proceedings on Google in the United States.
• Issues framed by the court: (i) whether a claimant can recover uniform per-capita damages for infringement of data protection rights under section 13 without proving pecuniary loss or distress; (ii) whether the proposed class members have the "same interest" under CPR Part 19.6(1) and are identifiable; and (iii) whether the first-instance judge's exercise of discretion under CPR Part 19.6(2) was vitiated.

The Court of Appeal reasoned that the wording of section 13 should be read in light of the Directive (article 23) and article 8 rights such that non-pecuniary loss in the form of loss of control over personal data can amount to compensatable damage, subject to a seriousness threshold. The court found Gulati (tort of misuse of private information) persuasive by analogy: both MPI and breach of the DPA originate from the same privacy right and should not be treated as diverging on the core question of what constitutes "damage". The court declined to decide at this stage whether damages should be assessed on a user/negotiating basis (One Step principles), but said such assessment was arguable and should be left for trial. On the representative-procedure issue the court concluded that when the claim is pleaded as a uniform loss of control, the class members have the same interest and the class is identifiable in principle (with verification possible by reference to Google’s data). Finally, the court held that the first-instance judge had taken some irrelevant factors into account in exercising his discretion and that the Court of Appeal should exercise the discretion in favour of allowing the representative action to proceed; it granted permission to serve outside the jurisdiction. The court noted the ordinary requirement that trivial or de minimis breaches would not attract compensation and left assessment methodology and quantum to trial.

The appeal is allowed. The Court of Appeal held that (a) damages under section 13 of the Data Protection Act 1998 can, in principle, include compensation for loss of control of personal data without proof of pecuniary loss or distress (subject to a seriousness threshold); (b) the proposed represented class satisfy CPR Part 19.6(1) as having the "same interest" and are identifiable in principle; and (c) the first-instance judge exercised his discretion under CPR Part 19.6(2) on an incorrect basis. The court accordingly exercised the discretion to allow the representative action to proceed and granted permission to serve the proceedings outside the jurisdiction.

This is an appeal from the High Court (Queen's Bench Division, Media and Communications List) where Warby J dismissed Mr Lloyd’s application for permission to serve Google outside the jurisdiction (order dated 8 October 2018). Permission to appeal was granted on 21 January 2019. The Court of Appeal allowed the appeal in this judgment ([2019] EWCA Civ 1599).