Inconsequential data protection breaches: High Court blocks big-money action against Google

Popular impressions of data protection range from the tedious (“the GDPR forces me to get consent for everything”) to the apocalyptic (“if you breach the GDPR, you will automatically get multi-million pound fine”, etc.). A common apocalyptic theme is that contraventions affecting large numbers of individuals may well trigger financially ruinous group litigation. They might. But this morning’s judgment of Warby J in Lloyd v Google [2018] EWHC 2599 (QB) is an important corrective to apocalyptic thinking.

The background to the case is the so-called “Safari Workaround” by which Google allegedly used its “DoubleClick cookie” technology on the iPhone Safari browser secretly to obtain browser generated information about users of iPhone users in 2011-12 – essentially, to track their internet activity without their knowledge. It is alleged that Google contravened the DPA 1998 in doing so, and that compensation flows from that contravention.

So far, the case sounds quite a lot like Vidal-Hall, doesn’t it? But there are some crucial distinctions that made Lloyd a novel and ambitious attempt at translating data protection shortcomings into compensation cheques.

First, whereas Vidal-Hall involved fact-specific individual claims, Mr Lloyd brought a representative action under CPR 19.6. He proposes to be the representative claimant of a “Class” of users with the “same interest” (the test under CPR 19.6). The Class is envisaged to contain several million individuals, with a total compensation bill of between £1 and £3bn in the offing. To help get the claimants there, Therium Litigation Funding has put up a £15.5m litigation war chest, while ATE insurance is in place for £12m. Nice.

Strikingly, the proposed venture would not involve actually identifying the other members of the Class up front. Litigate first (with opt-outs for affected Safari users who wanted nothing to do with it) and secure the compensation pot, then invite people to come forward to demonstrate that they are entitled to some slice of it.

Another striking feature of the Lloyd project is this: while the stakes are huge in financial terms (see above), the alleged DP contravention is not said to have been that big a deal for any individual in the Class. Mr Lloyd is not saying that he or anyone else in the class suffered any financial loss or other concrete harm as a result of Google’s actions. It is not even alleged that anyone suffered any distress or anxiety whatsoever. Compensation is sought more or less for the fact of the contravention alone. You breach, you pay.

Google was not too keen on facing litigation with features like that. Cue Warby J’s judgment on these vitally important issues about compensation for data protection contraventions. He had to decide whether to give Mr Lloyd permission to serve his claim on Google in the US. Permission can be granted where (i) the claim has a reasonable prospect of success, (ii) it falls within one of the jurisdictional “gateways” in paragraph 3.1 of Practice Direction 6B, and (iii) the England court is the appropriate forum.

The last of those was not really in dispute. But the “gateway” issue and the “reasonable prospect of success” issues bled into each other. DPA contraventions constitute torts and are thus halfway to getting through one of the gateways. But to get through (and to have reasonable prospects of succeeding), the claimant(s) must have suffered “damage”.

Also, in this context, a reasonable prospect of success for this particular claim doesn’t just mean asking “how likely is the claimant to win?”. It also involves asking “how likely is it that the court would permit this to proceed as a representative action under CPR 19.6?”.

Warby J tackled those two issues – the “data protection damage” issue and the “representative action” issue – in turn. They both went Google’s way.

The data protection damage issue

The question was this: did the claim as pleaded disclose a basis for seeking compensation under the DPA 1998?

As a matter of statutory construction, the answer is no: the statutory right to compensation under s. 13(1) DPA 1998 arises if (a) there is a contravention of a requirement of the DPA and (b) as a result, the claimant suffers damage. The contravention and the damage are conceptually separate. Contrary to the claimant’s pleaded case, the former does not necessarily produce the latter. “The pleaded case appears circular: it asserts that the commission of the tort has caused compensatable damage, consisting of the commission of the tort” (Warby J at [58]).

So, you can’t just rely on the fact of a contravention. The court cannot make an award of “vindicatory” damages, merely to mark the commission of the wrong. That would be contrary to authority and principle, and it would jar with reality. It is unrealistic simply to assert that any data protection contravention causes distress or some other kind of damage. You need something more.

Mere reference to a “loss of control/autonomy over personal data” (a touchstone for compensation discussions post-Gulati in particular) won’t suffice either. There will of course be cases where a loss of control/autonomy can have significant consequences for the individual (as in Gulati, given the phone-hacking context), but that will not inevitably be so. See Warby J at [70] for an exegesis of what Gulati established in this respect.

Data protection compensation claims – which hinge on “damage” – are not concerned with “censuring” the data controller.

Nor can compensation be sought in order to strip the controller of the money he has made from the contravention and hand that money over to the data subject. That “restitutionary” approach to compensation is contrary to authority, including Murray v Express Newspapers [2007] EWHC 1908 (Ch). Anyway, how would you work out how much should be given to each of the disparate Class of claimants, without risking (among other things) over-compensating some?

Warby’s overall view of Mr Lloyd’s approach to compensation for data protection breaches was very clear (see [74]): “I do not believe that the authorities show that a person whose information has been acquired or used without consent invariably suffers compensatable harm, either by virtue of the wrong itself, or the interference with autonomy that it involves. Not everything that happens to a person without their prior consent causes significant or any distress. Not all such events are even objectionable, or unwelcome. Some people enjoy a surprise party…”

So, even if there has clearly been a contravention of data protection duties, it is important to think through – and to plead – how damage is said to have flowed from that contravention on the particular facts of the case. Mr Lloyd’s project did not fit that bill, so Warby J stopped it getting off the ground – subject of course to any appeal.

The representative action issue

Google considered the Lloyd action to be a cynical venture that the court should not facilitate. It did not mince its words. Google maintained (see Warby J at [52]) that “this claim is a contrived and illegitimate attempt to shoe-horn a novel “opt-out class action” into the representative action procedure, in circumstances where Parliament has not considered it appropriate to make such a claim available; and that the claim is unnecessary in case management terms, unworkable in practice and disproportionately expensive”.

The broad question for Warby J was this: was there a real prospect that the court would allow the claim to progress as a representative claim under CPR 19.6? His answer was no, for three broad reasons.

First, the essential requirements for a representative action were absent. Mr Lloyd and the Class do not all have the “same interest” within the meaning of CPR 19.6(1). For example, some within the Class might have a good case on damage, but clearly not all would. Even if (contrary to Warby J’s analysis of the damage issue) everyone in the Class could meet the “damage” requirement, there would be no uniform profile. For example, the heavy internet user and the occasional user would have different interests.

Secondly, even if the Class is appropriately defined, there are insuperable practical difficulties in ascertaining whether any given individual within the possible cohort of 5m people is a true member of the Class. People may not remember exactly how they used Safari back then. There was no reliable way to bottom out the facts. Some might end up being compensated for nothing, through error or abuse.

Thirdly, the Court’s discretion would in any event be exercised against allowing this to go forward as a representative action. This was not simply because of the novelty of litigating as a representative of those who have not put their hands up or endorsed you: “This is a novel form of action, but everything was new once… That does not mean, however, that the Court must permit such an unauthorised action to continue, come what may” ([100]). In Warby’s assessment, the overriding objective delivered a red light to this project, given inter alia the resource implications and the (very low or non-existent) quantum likely to emerge.

A bottom-line theme in both issues was this: there was no good indication that anyone who suffered the alleged contravention actually cared much about it. In fact, Warby J’s judgment is replete with references to technical data protection contraventions that should not trigger any expectation of cash payments. There may be an appeal against today’s judgment, but for now we have good cause to think very carefully about the links between data protection and compensation.

Robin Hopkins @hopkinsrobin