Google got a good result from the CJEU last week on the right to be forgotten front: in Google LLC v CNIL (Case C‑507/17), the French DP regulator’s rather ambitious demand for global delisting on right to be forgotten grounds was overturned. In a nutshell:
Google has acknowledged that the EU’s RTBF rights are undermined if an internet user can simply switch to a non-EU version of Google and see the offending search results. So it implemented geo-blocking measures, whereby an EU user is automatically routed to an EU version of Google (one that doesn’t deliver the offending references), regardless of whether they type in a non-EU Google domain name.
Not good enough, said the CNIL, slapping Google with a €100k fine: Google must de-reference the offending links from search results delivered through any Google domain in the world. Perhaps understandably balking at this overreach, Google took the matter to the CJEU and won. Global delisting is not mandatory: an operator need only implement the de-referencing in all of the EU member state versions of its search engine, ‘using where necessary measures which prevent, or at the very least seriously discourage’ an internet user from gaining access to the offending links that would otherwise be displayed. So, where those prevention/serious discouragement measures are unavailable or ineffectual, there may perhaps be scope for demanding global delisting. But Google banked this as a good win.
As the old adage goes, a week is a long time in data protection.
Lloyd v Google: the background
Today’s Court of Appeal judgment Lloyd v Google [2019] EWCA Civ 1599 was a much less happy outcome for the internet behemoth.
The background to the case is explained in my post on Warby J’s first-instance judgment here. It concerns the so-called “Safari Workaround” by which Google allegedly used its “DoubleClick cookie” technology on the iPhone Safari browser secretly to obtain browser generated information about users of iPhone users in 2011-12 – essentially, to track their internet activity without their knowledge. To quote myself in my previous post, the Lloyd case has these differences from Vidal-Hall:
“First, whereas Vidal-Hall involved fact-specific individual claims, Mr Lloyd brought a representative action under CPR 19.6. He proposes to be the representative claimant of a “Class” of users with the “same interest” (the test under CPR 19.6). The Class is envisaged to contain several million individuals, with a total compensation bill of between £1 and £3bn in the offing. To help get the claimants there, Therium Litigation Funding has put up a £15.5m litigation war chest, while ATE insurance is in place for £12m. Nice.
Strikingly, the proposed venture would not involve actually identifying the other members of the Class up front. Litigate first (with opt-outs for affected Safari users who wanted nothing to do with it) and secure the compensation pot, then invite people to come forward to demonstrate that they are entitled to some slice of it.
Another striking feature of the Lloyd project is this: while the stakes are huge in financial terms (see above), the alleged DP contravention is not said to have been that big a deal for any individual in the Class. Mr Lloyd is not saying that he or anyone else in the class suffered any financial loss or other concrete harm as a result of Google’s actions. It is not even alleged that anyone suffered any distress or anxiety whatsoever. Compensation is sought more or less for the fact of the contravention alone. You breach, you pay.”
Or, as it was put in today’s judgment: “Mr Lloyd claims a uniform amount by way of damages on behalf of each person within the defined class without seeking to allege or prove any distinctive facts affecting any of them, save that they did not consent to the abstraction of their data.”
Warby J was having none of this: he refused to grant permission for the claim to be served on Google outside the jurisdiction (in the US) and for it to proceed as a representative action under CPR 19.6. Mr Lloyd appealed, and prevailed. Here are the headlines on the three grounds of appeal.
Issue 1: in order to be compensated under data protection law, do you need to prove pecuniary loss or distress?
Warby J’s answer was yes, you do. Sir Geoffrey Vos, Chancellor of the High Court, giving judgment for the Court of Appeal, took the opposite view.
It all depends on what you mean by ‘damage’ under the DPA 1998/the Directive – and, for that matter, Article 82 of the GDPR.
‘Damage’ here as an autonomous meaning, i.e. an EU law meaning rather than a purely domestic one.
As the Court of Appeal put it, “the key to these claims is the characterisation of the class members’ loss as the loss of control or loss of autonomy over their personal data” (para 45). This was essentially the touchstone used in Gulati, which concerned damages for misuse of private information nefariously obtained via phone-hacking. The Court of Appeal has held that the Gulati analysis applies equally to data protection: where a DP contravention causes the individual to lose or control or autonomy over their personal data, the individual is entitled to be compensated, regardless of any pecuniary loss or distress.
Today’s judgment is thus a striking development in data protection law. This is both for its practical consequences (claims for DP compensation now have a much firmer starting point) and for its philosophical treatment of personal data rights. To understand what I mean, see para 46:
“The first question that arises is whether control over data is an asset that has value… Even if data is not technically regarded as property in English law, its protection under EU law is clear. It is also clear that a person’s BGI [browser generated information] has economic value: for example, it can be sold. It is commonplace for EU citizens to obtain free wi-fi at an airport in exchange for providing their personal data. If they decline to do so, they have to pay for their wi-fi usage. The underlying reality of this case is that Google was able to sell BGI collected from numerous individuals to advertisers who wished to target them with their advertising. That confirms that such data, and consent to its use, has an economic value.”
So the conclusion is this: “a person’s control over data or over their BGI does have a value, so that the loss of that control must also have a value” (para 47).
It doesn’t follow that every DP breach automatically sounds in damages. The Court of Appeal confirmed the de minimis threshold. See para 55:
“That threshold would undoubtedly exclude, for example, a claim for damages for an accidental one-off data breach that was quickly remedied. But that is far from this case. On the case pleaded, every member of the represented class has had their data deliberately and unlawfully misused, for Google’s commercial purposes, without their consent and in violation of their established right to privacy.”
Also on the subject of how damages for DP infringements might be approached, the Court of Appeal considered on an obiter basis, without needing to decide the point, that “user damages” might in principle be recoverable in contexts like this. For more on that term, see One Step (Support) Ltd v Morris-Garner [2018] UKSC 20 – but the digested read is that where a defendant takes something for nothing, the owner is entitled to payment.
Further, while the point was not decisive (as the Lloyd claims predate the GDPR), the conclusion was reinforced by Recital 85 of the GDPR, where “loss of control” over personal data is given as an example of the kind of “physical, material or non-material damage” that might be caused to natural persons as a result of a data breach.
So, for both practical and philosophical reasons, today’s judgment is a Very Big Deal in data protection terms.
Issue 2: did the members of the class have the ‘same interest’ and were those members identifiable?
The representative action under CPR Part 19.6(1) could only proceed (and permission to serve proceedings on Google in the US could only be granted) where the individuals intended to make up the class of claimants had the ‘same interest’.
Warby J concluded that, in this case, they did not – the individuals were likely to have been affected by Google’s alleged contraventions in different ways. As Warby J had put it: some people like surprise parties.
The Court of Appeal held that he had gone wrong in law, in part because of the error on what was meant by ‘damage’ (you can’t really tell if people suffered the same ‘damage’ if you aren’t sure what ‘damage’ means) and that he had applied the ‘same interest’ test in an unduly stringent way. See para 75:
“Once it is understood that the claimants that Mr Lloyd seeks to represent will all have had their BGI – something of value – taken by Google without their consent in the same circumstances during the same period, and are not seeking to rely on any personal circumstances affecting any individual claimant (whether distress or volume of data abstracted), the matter looks more straightforward.”
So, if your class action is not based on the facts of how the individuals were affected, it is necessarily pared down to the lowest common denominator, but that can be enough common ground to pass the ‘same interest’ test. And “it is impossible to imagine that Google could raise any defence to one represented claimant that did not apply to all others. The wrong is the same, and the loss claimed is the same” (para 75 again).
Another basis on which Warby J had held that this could not be a representative action was that it was not possible to identify with any certainty who did and did not fall within the class. Again, the Court of Appeal took the opposite view (para 80):
“… the only applicable test is that “it must be possible to say of any particular person whether or not they qualify for membership of the represented class of persons by virtue of having” the same interest as Mr Lloyd “[a]t all stages of the proceedings, and not just at the date of judgment”.
Again, this is a Very Big Deal: whereas issue 1 opens up the prospect of damages based on the contravention alone (or more accurately, a loss of control over something of value), issue 2 paves the way for US-style class actions, by making it much easier to identify a big enough cohort with enough common skin in the game.
Issue 3: should the Court have exercised its discretion to allow this representative action to proceed?
You’ll have got the drift by now. Warby J: no! Court of Appeal: yes!
And that polarised judicial impression of Mr Lloyd’s venture is neatly summed up at para 86:
“As the judge himself said, this representative action is in practice the only way in which these claims can be pursued. I do not accept the judge’s characterisation of this claim as “officious litigation”. To the contrary, this case, quite properly if the allegations are proved, seeks to call Google to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit. It is not disproportionate to pursue such litigation in circumstances where, as was common ground, there will, if the judge were upheld, be no other remedy. The case may be costly and may use valuable court resources, but it will ensure that there is a civil compensatory remedy for what appear, at first sight, to be clear, repeated and widespread breaches of Google’s data processing obligations and violations of the Convention and the Charter.”
We’ll see what happens next, but for now, the outlook is clear: misuse of BGI (and other personal information of value) is officially a Very Big Deal.
Robin Hopkins @hopkinsrobin