Green light on data class actions? Supreme Court to decide Google’s fate
Herbert Smith Freehills disputes partner Julian Copeman and Consultant Kate Macmillan explain the landmark Supreme Court case that will decide whether Google can face a claim over alleged illegal tracking of millions of iPhone users.
Those interested in how to control the use of personal data in the digital age are awaiting with keen interest the Supreme Court’s decision on the appeal in Lloyd (Respondent) v Google LLC (Appellant).
[Background: Mr Lloyd alleges that between 2011 and 2012 Google cookies collected data on health, race, ethnicity, sexuality and finance through Apple’s Safari web browser, even when users had chosen a “do not track” privacy setting. The case aims to get compensation for 4.4 million affected users.]
The appeal is expected to determine whether England gives the green light to American-style data class actions on the representative action or “opt out” basis. The judges tasked with deciding this case, heard at the end of April – and the important public policy considerations it involves – are Lord Reed, Lady Arden, Lord Sales, Lord Leggatt and Lord Burrows.
“Damage” in relation to the use of information in the digital age
Under English law, breach of statutory duty is not actionable per se – one needs to demonstrate harm and consider whether there are harmful consequences for a particular individual, said Counsel for the Appellant in opening submissions.
So what is harm under English data protection law – the Data Protection Act 1998 – and its successor, the UK GDPR? It is clear that damages can be awarded for “non-material” harm and that this includes emotional distress.
Further, English law tells us that in order to claim damages under data protection law the only threshold you have to get over is the “de minimis” threshold – which is a legal term meaning “something too small to be meaningful or taken into consideration.”
So far, so good. But when you try to achieve precision regarding what non-material harm means in a case such as this one, it can feel like trying to nail a cloud to a wall.
Where are we in relation to damages for that most elusive of all non-material harms – “loss of control” of personal data? Is this something which should be compensated by a damages award? If not, how might it otherwise be compensated? And if we say it won’t be compensated at all, can we say it is a right at all?
“Loss of control”
The Appellant submitted that any personal data breach involves “loss of control” – but there might be loss of control below the de minimis threshold. Counsel for the Respondent accepted that the sum may be very small and that if the breach were trivial, in fact, it would not be compensatable, whilst also making the point that there are “numerous examples of the English courts awarding substantial damages for infringement of the right itself”.
In considering the issue of how much “loss of control” might be worth in damages, it is helpful to consider why “loss of control” of personal data matters. This is covered in case law relating to Article 8 of the European Convention on Human Rights (incorporated into English law with the Human Rights Act), which provides a right to respect for one’s private and family life, his home and his correspondence, subject to certain exceptions that are “in accordance with the law” and “necessary in a democratic society”.
Packed into this right are the concepts of “autonomy” and “dignity”. “Autonomy” confers on individuals “the ability to conduct one’s life in a manner of one’s own choosing”. “Dignity” has been described as an entitlement to at least a minimal degree of consideration by others. Autonomy and dignity allow people to escape the chilling effect of unwanted observation and develop autonomous thought and action.
Counsel for the Information Commissioner, intervening in the case, expressed the position in relation to “loss of control” eloquently. Whilst accepting that not all personal data breaches will result in loss of control and not all loss of control will warrant compensation, he made the point that the Commissioner emphasises that the right to control data has its own intrinsic value (emphasis added).
It is a valuable and fundamental right in itself, he said; it concerns individuals’ ability to decide what happens and to have autonomy over their information, which is different to economic value. An ability to exercise control is commonly what citizens want and expect from data protection. Loss of control causes harm to individuals and society at large.
Applying these concepts to a practical example, consider someone who is tracked using an online dictionary to check the spelling of a word, compared to someone else who is tracked researching cancer clinics, lawyers specialising in wills and estate planning, Dignitas and flights to Switzerland. One can see easily that although both have suffered “loss of control” in relation to their personal data, the latter’s loss of control is far more serious than the former’s.
In a representative action it is very likely that claimants would fall into both categories.
This leads on neatly to the second key issue in the case, which is that in order to bring a representative claim under Civil Procedure Rules 19.6 claimants must have the “same interest” in a claim. In the leading case of the Duke of Bedford v Ellis of 1901 it was recognised that three elements are required for “same interest” – namely a “common interest”, a “common grievance” and a “remedy beneficial to all.”
Counsel for the Appellant submitted that damages are inherently personal and have to be proved separately and it would be wrong to disavow individual circumstances.
Is it possible to come up with a sum per capita with reference to a “hypothetical negotiation” between data aggregator and user (so called “user damages”)? This sum would not be large but it would not be zero either.
If a specific sum per capita were awarded, might that result in prejudice to some? What about people who had suffered far more harm than others? Should the person researching flights to Switzerland cited above receive the same as the person using an online dictionary?
In relation to this Counsel for the Respondent pointed out that the court rules allow anyone who wants to be excluded from the representative action to opt out and bring their own individual claim (although they would have to know about the representative action to do that, of course).
In relation to unclaimed damages, Lady Arden noted that the claimants would have to be assured that the damages would be divided on a fair basis. She suggested that the damages could be paid into a trust fund and queried what the court might be able to order if the full monies were not paid out, perhaps with advice from the data protection regulator. Could the funds be returned to the Appellant, for example?
A difficult decision
Data class actions are one way to deliver accountability and achieve the public policy objective of creating the trust amongst users that will allow the digital economy to develop. If the Supreme Court does not allow representative class actions to go ahead, claimants will be denied access to justice, say the Respondents. They would not be able to bring their claims on an individual basis or using the group litigation order procedure as the numbers just don’t add up for claimant firms or litigation funders. In the “Wild West” of the digital world, where it is very easy to gather, bundle, use and exploit data, individuals would be left with only regulation, which many allege is not working effectively.
Counsel for the Respondents submitted that the common law has devised rules to provide compensation – and if they don’t produce justice, the court can adjust the rules. The Supreme Court’s task is not easy: the question of how you uphold individual rights (including to autonomy and dignity), whilst keeping things sensible and continuing to use big data for innovation which benefits society, is one of the greatest conundrums of the digital age.