High court dismisses latest data protection action against Google
A data protection claim that was potentially worth over £1 billion has been dismissed by the High Court.
The claimant, Richard Lloyd, brought the case as a representative of a very large class of potential claimants, which could have been as many as 4.4 million Apple iPhone users. He argued that each claimant was entitled to damages for a breach by Google of its obligations under the Data Protection Act 1998 (DPA 1998). Before the case could proceed to trial, Mr Lloyd needed to seek permission of the court to serve the claim on Google in California. The judgment, delivered on 8 October, dismissed his application. You can read the full judgment here.
This case concerned a workaround developed by Google which allowed it to gather data about users of Apple's Safari web browser and target advertising to those users, despite Apple's privacy settings supposedly preventing such data gathering. It is the same workaround which formed the basis of the damages claim in the Vidal-Hall litigation, which was eventually settled out of court after a Court of Appeal hearing in 2015.
The judgment contains some important lessons for data protection claims. Unlike the Vidal-Hall case, this claim was not based on any specific damage caused to individual claimants. Instead, the claimant argued that Google's use of the workaround was in breach of the DPA 1998 and therefore each potential claimant has suffered damage and was entitled to compensation. The judge dismissed this argument, stating that a successful claim "… requires proof not only of a contravention but also of consequent damage …". Not all breaches of the DPA 1998 will result in damage, and so not all breaches can entitle individuals to compensation. As any damage suffered is likely to be fact-specific, it makes these wide 'class' claims potentially difficult to pursue.
Of course, the DPA 1998 has now been repealed and so alleged contraventions of this nature would be dealt with under the General Data Protection Regulation (GDPR) if they were to happen now. But it is likely that the courts will take a similar approach under the GDPR. Regulation 82 states that "Any personal who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation …". A claimant will still need to prove both the infringement and the damage to be successful.
The judgment also included an interesting snippet about the purpose of compensation under data protection law and the role of the Information Commissioner as the statutory regulator. The court heard arguments that Google's breach in this case was so serious that it deserved censure. The judge dismissed these arguments, stating: "Censure is the role of the regulator, or the criminal law. There have been regulatory responses to the breaches, which have resulted in consequences for Google. If those responses are perceived to be inadequate, I do not believe the remedy is to fashion a means of imposing a further penalty by bringing a class action for compensation …" . It is for the ICO, not the courts, to ensure that organisations are censured for serious infringements.