On 11 March 2020, the Supreme Court granted Google permission to appeal against the Court of Appeal's decision allowing a representative claimant (Lloyd) permission to serve a representative claim out of the jurisdiction.
The action, brought on behalf of an estimated 4.4 million iPhone users, is in respect of Google's use of the ''Safari Workaround'' that permitted it to bypass Safari's blocking of third-party cookies. This allowed it to exploit and collect users' data without their knowledge or consent.
At the first instance, the judge refused the claimants permission to serve the claim on Google in the United States, outside of the jurisdiction of the English Courts, because he did not consider that the claimants had suffered ''damage'' for the purpose of s.13 of the Data Protection Act 1988 (DPA), which applied at the time. He also determined that the requirements of a representative claim were not satisfied and exercised his discretion and refused to allow Mr Lloyd to continue as a representative claimant for the class.
The Court of Appeal overturned that decision on three grounds that are the subject of the appeal to the Supreme Court.
Interpretation of "damage"
The question is what is meant by ''damage'' under section 13 of the DPA and in particular, whether a “uniform per capita” amount of compensation can be awarded for “loss of control” for a non-trivial breach of the DPA in circumstances where there is no distress or material damage.
The Court of Appeal held that damages should be available even without material damage or pecuniary loss. This was because a person’s control over data has value and accordingly the loss of that control also has a value.
However, the Court of Appeal also emphasised that a breach of the DPA does not necessarily or automatically entitle the affected data subjects to damages. It made it clear at paragraph 55 of the Judgment that there is a "threshold of seriousness" applicable to such claims which would "undoubtedly exclude, for example, a claim for damages for an accidental one-off data breach that was quickly rectified.''
Is it a requirement that the members of the class in order can be identified in order to demonstrate the ''same interest'' and bring a representative action pursuant to CPR 19.6(1)?
According to the Court of Appeal, because damages were claimed on a per capita basis, all claimants had suffered the same loss (i.e. loss of control over their data) and therefore shared the ''same interest''.
Was the first instance judge correct to exercise his discretion in ruling that the claim should not be permitted to proceed under CPR 19.6 as a representative action?
The Court of Appeal thought not. The court exercised its own discretion to allow the case to proceed. In doing so, the Court of Appeal determined that the class members were identifiable and did not need individually to authorise a representative claim. It was additionally noted that the claimants would otherwise be left without an effective remedy.
The decision that ''damages are in principle capable of being awarded for loss of control of data'', without the claimant having to prove pecuniary loss or any material damage. Although the Court of Appeal was keen to emphasise that the decision was confined to providing damages for the loss of control of the data, it nonetheless significantly widened the scope for claims to be brought in respect of a failure to protect data.
Grounds for appeal
The Court of Appeal itself refused permission to appeal. However, that permission has now been granted by the Supreme Court in respect of all three issues determined by the Court of Appeal.
The appeal is not expected to be heard by the Supreme Court until late 2020 or early 2021. Given the potential implications for collective actions and US-style class actions within the UK, it will be closely watched by those involved in privacy rights, data protection law and practice.