Decision “confirms a number of important legal principles under Data Protection law”
Consumer champion Richard Lloyd has been given the green light by the UK Court of Appeal to sue Google on behalf of four million iPhone users, for allegedly “secretly tracking their internet activity for commercial purposes”.
Justices at the court, the UK’s second-highest, unanimously overturned the October 2018 judgment of Justice Warby which had refused Lloyd — represented by law firm Mishcon de Reya – permission to proceed with the collective action.
The law firm described the decision as “ground breaking” for establishing a new procedural framework for mass data breach claims.
Sue Google? Go Ahead, Says Court of Appeal
Dame Victoria Sharp, Sir Geoffrey Vos, and Lord Justice Davis determined that a claimant can recover damages for loss of control of their data under section 13 of Data Protection Act 1998 (“DPA”), implementing article 23.1 of the Data Protection Directive, without proving “pecuniary loss or distress.”
Crucially, they’ve agreed Lloyd can claim a uniform amount by way of damages on behalf of each person without seeking to prove any distinctive facts affecting any of them, save that they did not consent to the abstraction of their data.
The first instance judge, Justice Warby, had dismissed Mr Lloyd’s application for permission to serve Google outside the jurisdiction in the USA, preventing the claim getting under way. The Court of Appeal has given Lloyd the right to proceed against Google in the Media and Communications Court in London.
The claim relates to what is known as the “Safari Workaround” – Google’s alleged unlawful and clandestine tracking of iPhone users in 2011 and 2012 without their consent through the use of third party cookies.
Mr Lloyd seeks damages against Google LLC on behalf of a class of over 4 million iPhone users alleging breaches of s.4(4) of the Data Protection Act 1998 (DPA) and claiming compensation under s.13 of the Act. The claim is being brought as a representative action under CPR r19.6: “Representative parties with same interest.”
Mishcon de Reya said today: “The Court of Appeal’s decision is ground breaking in that it confirms a number of important legal principles under Data Protection law and for representative actions under CPR r19.6 that could establish a new procedural framework for the conduct of mass data breach claims.”
As it notes, these include:
- “An individual’s personal data has an economic value and loss of control of that data is a violation of their right to privacy which can, in principle, constitute damage under s.13 of the DPA, without the need to demonstrate pecuniary loss or distress. The Court, can therefore, award a uniform per capita sum to members of the class in representative actions for the loss of control of their personal data.
- “That individuals who have lost control of their personal data have suffered the same loss and therefore share the “same interest” under CPR 19.6.
- “That representative actions are, in practice, the only way that claims such as this can be pursued.
Mishcon de Reya Partner James Oldnall, who leads the case, said: “This decision is significant not only for the millions of consumers affected by Google’s activity but also for the collective action landscape more broadly. The Court of Appeal has confirmed our view that representative actions are essential for holding corporate giants to account. In doing so it has established an avenue to redress for consumers.”
Google has been contacted for comment.