Judge dismisses “officious” collective action brought against Google for alleged breaches of data protection legislation

The judgment in Richard Lloyd v Google LLC handed down on Monday of this week (08 October 2018) makes grim reading for litigation funders and claimant firms seeking to embark on speculative data protection class actions on behalf of data subjects but gives some comfort to data controllers and processors who have been concerned about the proliferation of group claims or quasi-class actions of this nature following the case of Various Claimants v Wm Morrisons Supermarket PLC.

The Claim

The claim was brought by campaign group “Google You Owe Us” and related to Google’s historical practices of tracking and collating data on iPhone users’ internet activity on the Safari browser where their iPhone settings should have prevented such access. The group had sought permission to have the case heard as a representative action under CPR 19.6, through which a claimant (here Richard Lloyd, former executive director of Which?) represents a class of impacted individuals with the “same interest” without gaining individual consent.

As the claim related to alleged breaches committed from 2011 to 2012, it was brought under s.13 Data Protection Act 1998 (the DPA 1998). S.13 DPA 1998 provides data subjects with a means of obtaining compensation should they suffer damage as a result of a data controller’s breach of the DPA 1998.

The Judgment

In hearing an application from the group for permission to serve proceedings on Google out of the jurisdiction (as it is a Delaware corporation), the Court identified and considered two issues:

  1. Did the pleaded facts disclose any basis for the claim under the DPA?
  2. Would the Court permit the claim to continue as a representative action?

1) Did the pleaded facts disclose any basis for the claim under the DPA?

Justice Warby found that the claim did not disclose a basis for seeking a claim under s.13(1) DPA 1998. Unlike in Vidal Hall v Google Inc where damages were claimed on the basis of distress caused by the data controller’s acts, the group’s case here was that the class had suffered damage by virtue of the wrong itself (ie the act of collection and collation), with no distress or inconvenience specifically pleaded. The Court’s view was that the breach and damage flowing from it were two distinct things, and that the former didn’t automatically result in the latter. It therefore concluded that no compensatable harm had been established under s.13(1) DPA 1998. S.13 DPA makes clear that any claimant(s) seeking compensation under that section must not only establish that a data controller has committed a breach but also that the claimant(s) has suffered damage as a result of the breach.

The position would be the same if a claim was brought on the same basis under the current regime (ie under s.168 Data Protection Act 2018). Whilst the current regime extends the definition of compensatable damages to cover both “material” and “non-material” damage suffered, it still requires a claimant to prove the damage suffered and would not impose damages where they are claimed purely on the basis of the breach itself.

2) Would the Court permit the claim to continue as a representative action?

Warby J concluded that there was no real prospect that the continuation of representative proceedings would be allowed for the following reasons:

  • the representative claimant and class did not have the “same interests” as the class would necessarily include individuals who had not actually suffered any “damage” and the impact of the breach of duty would vary within the class depending on the level of internet use by each individual
  • there would be insurmountable practical difficulties in determining whether an individual is a member of the class. In particular it would be impossible to identify and exclude un- affected users and verification of impacted users would be almost impossible, and
  • The Court would inevitably exercise its discretion against the continued pursuit of this representative action.

Comment

The judgment contains a number of comments which suggest that the Court is alive to speculative data protection class actions being used opportunistically by litigation funders and claimant law firms. At paragraph 102 Warby J pointedly notes that the main beneficiaries of any award would be “the funders and the lawyers, by a considerable margin”. Furthermore, in summarising the action he concludes at paragraph 103 that: “It would not be unfair to describe this as officious litigation, embarked upon on behalf of individuals who have not authorised it, and have shown no interest in seeking any remedy for, or even complaining about, the alleged breaches.”

When viewed alongside the recent costs judgment in Various Claimants v Wm Morrisons Supermarket PLC which saw the claimants’ costs award significantly reduced due to its pursuit of tenuous data protection claims, the message from the Court seems to be clear: do not throw everything at a data protection claim just because it is the issue of the moment.

From a broader perspective it is also interesting to view this case alongside the various unsuccessful attempts to get opt out class actions for breach of competition law (as provided for in the Consumer Rights Act 2015). Similar issues as to the nature of the class have contributed to grounding those claims. At paragraph 52 Warby J set out Google’s view of the claim in Lloyd with which his own final judgment was not wholly inconsistent: “Google maintains that this claim is a contrived and illegitimate attempt to shoe-horn a novel "opt-out class action" into the representative action procedure, in circumstances where Parliament has not considered it appropriate to make such a claim available”.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.