The Court of Appeal has unanimously allowed an appeal in a case which could pave the way for more mass data protection claims.

In the case of Lloyd v Google LLC (2019), Mr Lloyd sued Google for damages on behalf of more than 4 million Apple iPhone users for allegedly secretly tracking the users’ internet activity over a period of 6 months in 2011/12 without their knowledge or consent.

At first instance, the judge ruled that the claim could not proceed because none of the affected users had suffered damage due to Google breaching any of the requirements of the Data Protection Act 1998. The judge also dismissed the claim for procedural reasons, whereby he exercised his discretion in directing that Mr Lloyd could not be allowed to represent the users because their interests were not all the same, which is required if the claim could proceed as a representative action.

The appeal was allowed on the basis that

  1. Google sold users’ personal information collected from different users’ browsers to advertisers who wanted to target those users with their advertising. This information was clearly of value to the advertisers who purchased it from Google, and when considering the appeal, the court drew comparisons between this case and another case which related to the misuse of private information in the form of telephone data, in which compensation was awarded despite the claimant not proving that they had suffered “damage” in the form of distress or monetary loss. The court therefore concluded that it would be wrong, in principle, if the users in this case, who had suffered a loss of control of their browser generated information, were not allowed to be compensated. The court also noted the EU principle of a right to privacy and considered that privacy breaches leading to a loss of control over data should be allowed to be compensated without the need to prove distress or pecuniary loss. Furthermore, Article 82.1 of the GDPR states that a person should have the right to receive compensation for “material or non-material damage as a result of an infringement” of the GDPR, and loss of control of personal data is given as an example of “material or non-material damage” under the GDPR. On this basis, the court was satisfied that damages were capable of being awarded to users in this case.
  2. The judge at first instance had interpreted the meaning of “same interest” under the Civil Procedure Rules too narrowly in this case because the users were all victims of the same alleged wrong and had all sustained the same loss. The Court of Appeal stated that the users did all have the same interests, provided that this interest was (and had been throughout the proceedings) the same as Mr Lloyd’s. The first instance judge had considered that the class of claimants were not identifiable, however the Court of Appeal noted that the data that Google had in its possession could be used to identify whether a user was in that class and therefore had the same interest.
  3.  At first instance, the judge exercised his discretion when deciding that the users did not have the same interest, and it was now open to the Court of Appeal to also exercise its discretion in this regard. The Court of Appeal considered that in this case, at least at first sight, there was a “clear; repeated and widespread breach of Google’s data processing obligations”, and the Claimant was seeking to hold them to account for this. If the first instance judge’s decision were to be upheld, the more than 4 million affected users would have no remedy, as the claim would have been dismissed.

This case has brought to the forefront the increased risk that data breaches pose for companies which process people’s data, particularly as the Court of Appeal’s decision means that an individual’s personal data has economic value and therefore the claimant does not need to demonstrate that they have suffered any damage or distress in order to pursue a claim. They may well lead to a flood of claims against technology businesses and other data controllers for similar breaches.

This case is also of note as Mr Lloyd pursued it on behalf of the affected users on an “opt-out” basis, meaning that the claimants would have to decide not to proceed with the claim rather than having to actively pursue the claim themselves.

The Court of Appeal did, however, confirm that this ruling would not apply to minor breaches and not every breach will automatically entitle a person to bring a claim, such as in the case of an accidental one-off data breach which was quickly remedied.

Our dispute resolution team has experience in dealing with data protection claims. Part of our expertise is advising clients (both businesses and individuals) on whether a potential breach may be considered serious enough to bring a claim. Please do not hesitate to contact a member of the team today via email or phone on 0161 941 4000 if you need assistance with a data protection claim.