Compensation for breaches of data protection legislation resulting in a loss of control of personal data, sought through a representative action, can be awarded without proof of distress or any material damage
November 7, 2019
Richard Lloyd v Google LLC
EWCA Civ 1599
Court of Appeal (Civil Division)
D V Sharp, P; G Vos, C; Davis, LJ
October 2, 2019
Reported by Faith Wanjiku
Communications Law – data – data controller – data protection – infringement of data of an individual – where a claimant was expected to prove pecuniary loss to recover damages – whether a claimant could recover uniform per capita damages for infringement of their data protection rights under section 13 of the DPA, without proving pecuniary loss or distress – Data Protection Act, 1998, section 13
Civil Practice and Procedure – parties and group litigation – representative parties – class members with same interest – whether members of the class for the representative action sought by the claimant did not have the same interest and were not identifiable as required under CPR part 19.6(1) and so could not begin a claim – Civil Procedure Rules, part 19.6(1)
The claimant sought damages against Google LLC, a Delaware corporation (the defendant). The claimant made the claim on behalf of a class of more than 4 million Apple iPhone users. The case concerned the acquisition and use of browser generated information (BGI). That was information about an individual’s internet use which was automatically submitted to websites and servers by a browser, upon connecting to the internet. Through the use of ‘cookies’ the defendant was able to identify visits by the device to any website displaying an advertisement from its vast advertising network, and to collect considerable amounts of information. It could tell the date and time of any visit to a given website, how long the user spent there, which pages were visited for how long, and what ads were viewed for how long. In some cases, by means of the IP address of the browser, the user’s approximate geographical location could be identified.
Over time, the defendant could and did collect information as to the order in which and the frequency with which websites were visited. It was said by the claimant that that tracking and collating of BGI enabled the defendant to obtain or deduce information relating not only to users’ internet surfing habits and location, but also about such diverse factors as their interests and habits, race or ethnicity, social class, political or religious views or affiliations, age, health, gender, sexuality, and financial position. It was alleged that the defendant secretly tracked some of their internet activity, for commercial purposes, between August 9, 2011 and February 15, 2012.
The claimant sought on behalf of the represented class, damages under section 13 of the DPA for infringement of their data protection rights, commission of the wrong, and loss of control over their data protection rights. It was alleged that the defendant, as a data controller, failed to comply with the first, second and seventh data protection principles set out in Part I of Schedule 1 to the DPA.
i. Whether a claimant could recover uniform per capita damages for infringement of their data protection rights under section 13 of the DPA, without proving pecuniary loss or distress.
ii. Whether members of the class for the representative action sought by the claimant did not have the same interest and were not identifiable as required under Civil Procedure Rules (CPR) Part 19.6(1) and so could not begin a claim.
iii. Whether the trial court’s exercise of discretion not to permit the claim to continue due to class members not having authorised the representative claim could be vitiated.
Relevant Provisions of the Law
Data Protection Directive, 1995
“1. Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered”.
Data Protection Act, 1998
(4) Subject to section 27(1), it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller”.
Section 13 – Compensation for failure to comply with certain requirements
“(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—
(a) the individual also suffers damage by reason of the contravention, or
(b) the contravention relates to the processing of personal data for the special purposes”.
Civil Procedure Rules
Part 19.6 – Representative parties with same interest
“(1) Where more than one person has the same interest in a claim –
(a) the claim may be begun; or
(b) the court may order that the claim be continued, by or against one or more of the persons who have the same interest as representatives of any other persons who have that interest”.
- If the court decided that the infringement of the Directive and the DPA was trivial or de minimis it would be entitled to refuse to make an award of loss of control damages. A domestic approach to statutory construction would point towards the conclusion that section 13 of the DPA on compensation for suffering damage by reason of any contravention by a data controller and article 23 of the Directive on receiving compensation from the controller for the damage suffered required proof of both a contravention and consequent damage, whether pecuniary or non-pecuniary. It was not circular to plead that the alleged infringement of the class members’ data protection rights caused a loss of control over their personal data. The key to those claims was the characterisation of the class members’ loss as the loss of control or loss of autonomy over their personal data.
- The first question that arose was whether control over data was an asset that had value. As a matter of English law, an electronic database was not a form of property capable of possession and that, therefore, it could not be subject to a possessory lien. Even if data was not technically regarded as property in English law, its protection under European Union (EU) law was clear. It was also clear that a person’s BGI had economic value: for example, it could be sold. It was commonplace for EU citizens to obtain free wi-fi at an airport in exchange for providing their personal data. If they declined to do so, they had to pay for their wi-fi usage. The underlying reality of that case was that the defendant was able to sell BGI collected from numerous individuals to advertisers who wished to target them with their advertising. That confirmed that such data, and consent to its use, had an economic value.
- A person’s control over data or over their BGI did have a value, so that the loss of that control also had to have a value. In one sense, if that was right, it was sufficient to answer the question of whether, in theory, a person could recover compensation under section 13 of the DPA and article 23 of the Directive. But it was necessary first to consider whether that kind of loss of control over data could properly be considered damage in the legal sense in which the term damage was used in article 23 of the Directive and section 13 of the DPA.
- Damages in consequence of a breach of a person’s private rights were not the same as vindicatory damages to vindicate some constitutional right. In the present context, the damages were an award to compensate for the loss or diminution of a right to control formerly private information and for the distress that the respondents could justifiably have felt because their private information had been exploited, and were assessed by reference to that loss.
- The underlying rights on which misuse of private information and infringements of the DPA were based were themselves founded on the same principle: namely, that privacy be protected. The EU law principles of equivalence and effectiveness should also not be forgotten. The principle of equivalence particularly provided that the detailed procedural rules governing actions for safeguarding an individual’s rights under EU law had to be no less favourable than those governing similar domestic actions. Since the torts of misuse of private information (MPI) and breach of the DPA were undoubtedly similar domestic actions, it would be prima facie inappropriate for the court to apply differing approaches to the meaning of damage. The principle of effectiveness provided that a member state could not render it practically impossible or excessively difficult to exercise rights conferred by EU law. The protection of data was such a right, so that principle too was engaged.
- It was one thing to say that the award of compensatory damages, whether substantial or nominal, served a vindicatory purpose: in addition to compensating a claimant’s loss, it vindicated the right that had been infringed. It was another to award a claimant an additional award, not in order to punish the wrongdoer, but to reflect the special nature of the wrong. Whilst discretionary vindicatory damages might be awarded for breach of a constitutional right in order to reflect the sense of public outrage, it was a big leap to apply that reasoning to any private claim against the executive.
- Damages were in principle capable of being awarded for loss of control of data under article 23 of the Directive and section 13 of the DPA, even if there was no pecuniary loss and no distress. The words in section 13 “an individual who suffered damage by reason of a breach was entitled to compensation” justified such an interpretation. Only by construing the legislation in that way could individuals be provided with an effective remedy for the infringement of such rights.
- Other remedies, apart from damages, were theoretically available. Injunctive and declaratory relief could be sought, and rectification, blocking and erasure of data were available under article 12 of the Directive and section 14 of the DPA. The breaches alleged would go unremedied in the absence of damages being available. It was not necessary under that heading to decide whether uniform per capita damages were the appropriate remedy, since that was more relevant to the next question, namely whether the members of the class that the claimant purported to represent had the same interest.
- The fundamental requirement for a representative action was that those represented in the action had the same interest in it. At all stages of the proceedings, and not just at the date of judgment at the end, it had to be possible to say of any particular person whether or not they qualified for membership of the represented class of persons by virtue of having the same interest.
- Having the same interest in a representative action did not mean that the membership of the group had to remain constant and closed throughout. It could indeed fluctuate. It did not have to be possible to compile a complete list when the litigation began as to who was in the class or group represented. The problem in the case was not with changing membership. It was a prior question how to determine whether or not a person was a member of the represented class at all. Judgment in the action for a declaration would have to be obtained before it could be said of any person that they would qualify as someone entitled to damages against based adverts. A second difficulty was that the members of the represented class did not have the same interest in recovering damages for breach of competition law if a defence was available in answer to the claims of some of them, but not to the claims of others.
- The essential point was that the requirement of identity of interest of the members of the represented class for the proper constitution of the action meant that it had to be representative at every stage, not just at the end point of judgment. If represented persons were to be bound by a judgment, that judgment had to have been obtained in proceedings that were properly constituted as a representative action before the judgment was obtained. That the rule was to be treated not as a rigid matter of principle but as a flexible tool of convenience in the administration of justice could not mean that the same interest test could be abrogated.
- The only applicable test was that it had to be possible to say of any particular person whether or not they qualified for membership of the represented class of persons by virtue of having the same interest as the claimant at all stages of the proceedings, and not just at the date of judgment. Every affected person would, in theory, know whether they satisfied the conditions that the claimant had specified. Also, the data in possession of the defendant would be able to identify who was, and who was not, in the class. Both exercises could be undertaken at any time. It was true that some persons’ memories could be at fault, and that there could, in theory, be abuse, but those factors were practical ones, not ones that affected the formal ability to identify the class. It had repeatedly been said that the number of claimants could not itself affect the ability to use the representative procedure.
- The representative action was in practice the only way in which those claims could be pursued. The case, quite properly if the allegations were proved, sought to call the defendant to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit. It was not disproportionate to pursue such litigation in circumstances where, as was common ground, there would be no other remedy. The case could be costly and could use valuable court resources, but it would ensure that there was a civil compensatory remedy for what appeared, at first sight, to be clear, repeated and widespread breaches of the defendant’s data processing obligations and violations of the European Convention for the Protection of Human Rights and Fundamental Freedoms and the Charter of Fundamental Rights of the European Union.
- A claimant could recover damages for loss of control of their data under section 13 of the DPA, without proving pecuniary loss or distress. The members of the class that the claimant sought to represent did have the same interest, as required by part 19.6(1) of the Civil Procedure Rules on more than one person having the same interest in a claim and beginning it, and were identifiable.
Appeal allowed: the claimant could serve the proceedings on the defendant outside the jurisdiction of the court.
Relevance to the Kenyan Situation
The Constitution of Kenya, 2010 provides for the right to privacy in Article 31 that every person has the right to privacy, which includes the right not to have their person, home or property searched; their possessions seized; information relating to their family or private affairs unnecessarily required or revealed; or the privacy of their communications infringed.
The two petitions challenged the introduction of a Device Management System (DMS) device, which had the capacity to access customers’ information illegally, into the networks of the interested parties and respondents who provided various telecommunication services to their customers; those services included mobile telephone, data, internet and mobile money transfers. The device would lead to a violation of the right to privacy. The Court held that the plan seeking to integrate the DMS to the parties’ networks to inter alia create connectivity between the DMS and the parties’ system to access information on the IMEI, IMSI, MSISDN and CDRs of their subscribers on their network was a threat to the subscribers’ privacy, hence a breach of the subscribers’ constitutionally guaranteed rights to privacy, therefore unconstitutional, null and void.
In Nubian Rights Forum & 2 others v Attorney-General & 6 others; Child Welfare Society & 8 others (Interested Parties); Centre For Intellectual Property & Information Technology (Proposed Amicus Curiae) eKLR, the petitioners sought to challenge the National Integrated Information Management System (NIIMS) that was intended to be a single repository of personal information of all Kenyans as well as foreigners resident in Kenya, and the introduction of new definitions of biometric and global positioning systems coordinates, among others. They challenged it especially as regards the right to privacy, in light of the nature of personal information that would be collected in the NIIMS and the lack of any security in the manner of storage of and access to the collected data.
The Court held that as matters stood, there was no specific legislation that provided for the collection, storage, protection and use of data collected by or held by government or other entities. It went on to state that it was in the public interest to have an efficient and organised system of registration of persons, and the responsible use of resources in the process, in light of the socio-economic gains of the system that had been illustrated by the respondents.
The above Kenyan case law may not be as precise as the UK case, but what is common to them all is that protection of personal data is heavily guarded by the law and any contravention of data protection rights ought to be remedied. Therefore, with the enactment of the Data Protection Act, the issue of acquisition and use of browser generated information, and case law such as this, will be of jurisprudential value in the pursuit of compensation for infringement of data protection rights.