A break from the usual corporate and commercial case review for the Full English team as we tuck into a data protection case which has the potential to send tremors through all organisations who handle personal data.
The question of whether individuals can claim damages for loss of control over their personal data will be heading for the Supreme Court later in the year, as the Court recently granted permission for an appeal in the Lloyd v Google case (“Lloyd”). The threat of massive fines, whilst troubling, has become very real since the GDPR was introduced almost two years ago, as British Airways and Marriott International have discovered to their potential detriment (the UK’s data protection authority, the Information Commissioner’s Office, has announced its intention to levy fines but is yet to claim payment as of July 2020).
The UK’s Information Commissioner’s Office (“ICO”) announced its intention to levy fines without actually following through as of July 2020. However, if the Supreme Court upholds the Court of Appeal’s decision in Lloyd, it may not be just regulators who have the power to financially punish organisations.
Before diving into the Lloyd case itself, the key takeaways are as follows:
As things stand, it is possible for individuals to claim damages for a mere “loss of control” over their personal data.
What this means in practice is unclear, and the question of what counts as “loss of control” remains unanswered – is it limited to circumstances like Lloyd where an organisation uses personal data for a purpose that the individual is unaware of, or can it be broader than that?
There is also the question of how you would possibly quantify these damages in monetary terms. Lloyd potentially opens the door to the risk of “annihilatory” class actions, i.e. damages being levied on top of already huge regulatory fines. By way of example, in this case Mr. Lloyd suggested damages of £750 per person affected. As the courts are yet to consider quantum in cases such as these, this amount may yet prove fanciful, but as a worst-case scenario and to highlight the potential impact of class actions, this would create a total liability for Google of nearly £3 billion.
This is a case to watch out for in the future, as it could have a profound impact on any organisation handling personal data, as well as paving the way for class actions where there has been a data breach (whether or not such a breach was avoidable and whether or not the individuals affected actually suffered any financial loss or mental distress).
In the meantime, organisations should take great care with how they collect, use, store and protect personal data, ensuring that appropriate data protection policies, privacy notices and cookie notices/consents are in place. A data protection audit to ascertain how, where and why your organisation handles personal data, whilst being a useful endeavour in any case, could highlight any compliance gaps in need of remedying to mitigate the risks exposed by Lloyd.
Mr. Lloyd brought an action before the UK’s High Court in October 2018, purportedly on behalf of 4.4 million Google users, claiming that they had lost control over their data when Google had harvested browser information using hidden cookies without their consent for the purposes of monetising it.
Under the pre-GDPR legislation (in the UK, the Data Protection Act 1998), in order to bring a claim for damages it was necessary for an individual to show that they had suffered financial loss arising from the misuse or loss of their personal data. The Courts then extended this scope by allowing individuals to bring claims for damages if they had suffered mental distress as a result of their data being mishandled or lost.
In order to bring a class action claim in the UK though, it must be shown that all class members have “the same interest”. For Mr. Lloyd, this posed a number of issues. None of the individuals he claimed to represent had suffered any financial loss from Google’s misuse of their personal data, and it would be almost impossible to prove that each of the 4.4 million individuals affected had suffered the same level of distress, if any at all.
To circumvent this problem, Mr. Lloyd, relying on two previous cases, brought an action claiming damages for “loss of control”, as demonstrably each individual had lost control of their data when it was used by Google without their knowledge or consent. The High Court dismissed the claim in the first instance, refusing to grant what it called “vindicatory damages” and questioning the legitimacy of “loss of control” damages, as well as who the true beneficiaries of such representative actions would be (i.e. claims lawyers).
The Court of Appeal Judgment
This reprieve for organisations proved short-lived. The Court of Appeal overturned the High Court’s decision and stated that “loss of control” damages are, in principle, recoverable. Its reasoning was that if Google was seeking to use the browser data for monetary gain, then it followed that the data in question holds value to the individual whose data it is. As the data has a value, it should be treated as property, and a loss of control over that property should give the individual a right to compensation.
The ramifications of this, as outlined above, are far-reaching and significant. It also serves as a timely reminder that organisations need to keep their data protection house in order, in particular by ensuring they are transparent in their privacy and cookie notices.
Whilst the Court of Appeal allowed the class action to proceed, the Supreme Court has now been asked to (hopefully) decide this issue. Recent developments in this space offer organisations a cause for cautious optimism where large scale “loss of control” class actions are concerned, as the Atkinson v Equifax claim (which was purported to be on behalf of 15 million individuals) was withdrawn by the claimant before proceedings could begin, in the face of a stern defence from Equifax. However, Lloyd remains on the docket and we will provide a further update once the Supreme Court’s judgment is handed down.
Vidal-Hall v Google LLC  EWCA Civ 311
Gulati v MGN Ltd  EWHC 1482 (Ch); and Wrotham Park Settled Estates v Hertsmere BC  3 WLUK 250