Privacy, Data Protection and Retention
Google Spain SL v. Agencia Española de Protección de Datos
Spain
Closed Contracts Expression
Global Freedom of Expression is an academic initiative and therefore, we encourage you to share and republish excerpts of our content so long as they are not used for commercial purposes and you respect the following policy:
Attribution, copyright, and license information for media used by Global Freedom of Expression is available on our Credits page.
In a unanimous judgment, the UK Supreme Court held that Google was not liable to pay damages for unlawfully collecting data from millions of Apple iPhone users in England and Wales. The court held that under the Data Protection Act 1998 (“DPA 1998”), damages cannot be granted without an individual assessment of the damages payable to the aggrieved. The claimant (Mr. Richard Lloyd) had brought a class action suit against Google for illegally tracking the data of millions of iPhone users in England for a brief period of time. While ruling out the argument for a uniform sum of damages for each iPhone user, the Court held that damages for ‘loss of control’ of personal data are unavailable for a breach under the DPA 1998. Additionally, it held that unlawful processing itself, without proving material damage or distress does not warrant a case for compensation under the DPA 1998.
Mr. Richard Lloyd claimed that between 9 August 2011 and 15 February 2012, Google had collected data from millions of Apple iPhone users for commercial purposes, without authorization or user consent. It was alleged that Google used a third-party cookie, known as “DoubleClick Ad cookie” which could bypass the regular block against cookies in Apple’s Safari internet browser. The Google cookie would then assimilate user information about “the date and time of any visit to a given website, how long the user spent there, which pages were visited for how long, and what advertisements were viewed for how long” [para. 11]. In this manner, it could also collect the user’s personal information including “race or ethnicity, social class, political or religious beliefs or affiliations, health, sexual interests, age, gender and financial situation” [para. 12]. Google would then segregate users based on their choices and create groups like “football lovers” or “current affairs enthusiasts” and thereafter offer them to subscribing advertisers for monetary gains [para. 14].
As a result, Mr. Lloyd claimed for a uniform sum to be awarded to every iPhone user in England and Wales at the time of the breach. He claimed an alleged breach of Google’s duties as a data controller under section 4(4) of the DPA 1998. The High Court found in favour of Google against actions being brought under the DPA 1998, which was subsequently reversed by the Court of Appeal.
As a result, Mr. Lloyd claimed a uniform sum to be awarded to every iPhone user in England at the time of the breach. He claimed an alleged breach of Google’s duties as a data controller under section 4(4) of the DPA 1998. The High Court found in favour of Google’s argument against actions being brought under the DPA 1998, which was subsequently reversed by the Court of Appeal.
Lord Leggatt wrote a unanimous judgment for the Court. The primary issue before the Court was whether a group action claim could be brought against Google for violation under the DPA 1998, and whether “loss of control” damages can be uniformly awarded to every user without the need of making individualised assessment.
Mr. Lloyd had to prove that despite the Parliament having not enacted a legislation for class action in the data protection field, the claim against Google was still maintainable. He sought to make good his case by placing reliance on Rule 19.6 of the Civil Procedure Rules (“CPR”), whereby a suit can be brought by a group having “the same interest” in the claim. He contended that the requirement for individual assessment under the rule is unnecessary as under the DPA 1998, compensation could be awarded for “loss of control” of personal data without the need of establishing any evidence for financial loss or mental distress [para. 5]. It was thus claimed that a uniform sum of £750 was recoverable, as damages per person, which would round-up to producing a total award of £3 billion. Google raised the issue of maintainability contending that since it is a corporate based out of Delaware, the permission of the Court was required to serve notice to Google outside its jurisdiction. On merits, it was argued that first, damages under the DPA 1998 could not be awarded without proving financial damage or distress, and second, the claim could not be brought as a representative action [para. 6].
In the first instance the Court clarified that despite the enactment of the Data Protection Act 2018, which repealed and replaced the DPA 1998, because the alleged breach took place when the DPA 1998 was in force, the claim would be governed by it. Section 4(4) of the DPA 1998 imposes a duty on the data controller to comply with the eight “data protection principles” set out in Schedule 1. The said schedule in turn provides that the data controller cannot process personal data without informing the data subject of the purpose for which the data is being processed. Schedule 2 provides the conditions that justify the processing of data. Section 13 provides for damages to be paid to the individual who suffers by reason of contravention by a data controller. Mr Lloyd had contended that Google was in breach of the first, second and seventh data protection principles as mentioned in Schedule 1. While commenting that the claimant might have a “real prospect of success” if he were to advance a case against Google only for his own right, the Court stated that the main issue is whether Mr. Lloyd can claim the same for everyone else, in a representative capacity [para. 23]. To arrive at a finding on that issue, the Court examined the scope of the class action as available under the CPR.
Under Rule 19.6 of the CPR, the Court noted that the only requirement that is to be satisfied is that the representative carries “the same interest” in the claim as others. Whereas, in the case of Duke of Bedford v Ellis [1901] AC 1, Lord Macnaghten had prescribed a tripartite test for a representative suit under Rule 19.6, the Court deemed the approach as “misguided” [para. 70]. It stated that a purposive interpretation of “same interest” is warranted, one which promotes no conflict of interest between the litigants without prejudicing one over the other. To establish this, the Court under Rule 1.2(a) needs to exercise discretion “to give effect to the overriding objective of dealing with cases justly and at proportionate cost” [para .75]. There is no requirement for consent, as the rule does not present a choice to opt-out, and therefore a member is not required to take a positive step or even be aware of the existence of the litigation [para. 77]. Further, there is no requirement of a clear definition of class in a given suit [para. 78], no requirement in the ordinary course for the representatives to distribute the cost of the litigation [para. 79], and no bar to a representative claim for a separate cause of action or separate relief for damage or monetary relief [para. 80].
Applying the legal principles in the present case, the Court stated that the claimant has adopted a “bottom up” approach, whereby he seeks damages uniformly on a per capita basis. The Court found difficulty with this argument as the extent to which the Safari workaround had affected individuals could not be made uniform. If Google was indeed found liable, then according to the ordinary compensation principles, the amounts of damages would vary in each case, which therefore would require individualised assessment of damages. While the claimant sought to argue that any contravention of DPA 1998 would not entail proving financial loss or distress, the claims made in the draft particulars would reveal that compensation would require that evidence to be adduced to establish facts of each individual claimant.
As for wordings of section 13 of DPA 1998, the Court held that to recover compensation, in addition to proving that there was a breach by the data controller, it is also required to be proved that the damage was the result of such dereliction. The term “damage” can be used to describe financial loss or physical or psychological injury [para. 92]. The Court read down the judgment delivered in Vidal-Hall v Google Inc [2016] QB 1003 to cement its reasoning that damage or distress is required to be proved for each individual for a claim under section 13 to sustain. The Court also distinguished the case of Gulati v MGN Ltd [2015] EWHC 1482 (Ch), a case where damages were awarded for misuse of private information. While the claimant had used Gulati to argue that the present case was fit for damages for “loss of control” over personal data by Google, the Court disagreed by stating that they would still be required to prove material damage or distress as a consequence of the breach [para. 115].
The claimant further advanced his claim on a “common source argument”, stating that as damages could be awarded under the tort of misuse of private information, the same should be extended under section 13 of DPA 1998, as both the legislations have a common source [para. 111]. The Court highlighted the difference in the two regimes. First, the wording of section 13 makes clear that a right to compensation can be availed only when damages have been suffered and not for mere contravention of the Act. This interpretation of the legislation is not incompatible with “damage” as defined under article 23 of the EU data protection directive and thus need not be amended. Second, the common source of the tort and the data protection legislation in Article 8 of the ECHR does not justify reading the principles governing damages from one regime to another. Third, there are material differences between the two regimes. While data protection legislation applies to all personal data, information is protected by the tort of misuse of private information only where there is a reasonable expectation of privacy.
The argument on “user damage”, a tortious remedy for wrongful entry into immovable or movable property without financial loss, did not find favour with the Court as the claim was advanced only under DPA 1998 which had to follow the mandate of section 13 requiring material damage or distress [para. 143]. The Court further held that even if it was held that material damage or distress was not required to be proved, “it would still be necessary for this purpose to establish the extent of the unlawful processing in his or her individual case” [para. 144].
Hence, the Court found that the attempt of the claimant to seek damages under section 13 of the DPA 1998, without displaying any wrongful use made by Google of the personal data, would fail without advancing any proof [para. 159]. Thus, the appeal was allowed and the order of the judge refusing to entertain the claimant’s application to serve Google outside the jurisdiction of England and Wales was restored.
Decision Direction indicates whether the decision expands or contracts expression based on an analysis of the case.
The Supreme Court held that in a data protection claim, damages cannot be claimed for mere “loss of control” of data or contravention of the UK data protection legislation. For a successful claim, damages or distress due to breach of data protection principles need to be proved. The decision highlights the need for claimants to provide an individualised assessment of damages when bringing a representative suit, since damages vary on an individual basis which comes as a relief to data controllers facing mass claims.
Global Perspective demonstrates how the court’s decision was influenced by standards from one or many regions.
Case significance refers to how influential the case is and how its significance changes over time.
Let us know if you notice errors or if the case analysis needs revision.