Friday, 4 October 2019

Lloyd v Google LLC

Author Gciriani
Licence CC BY-SA 4.0
Source Wikipedia Google

Jane Lambert

Court of Appeal (Dame Victoria Sharp P, Sir Geoffrey Vos C, Lord Justice Davis) Lloyd v Google LLC [2019] EWCA Civ 1599 (2 Oct 2019)

This was an appeal against Mr Justice Warby's refusal to allow the claimant, Richard Lloyd ("Mr Lloyd"), to serve proceedings on Google LLC ("Google") outside the jurisdiction claiming damages on behalf of 4 million i-phone users for  allegedly tracking secretly their internet activity for commercial purposes between 9 Aug 2011 and 15 Feb 2012.  The appeal was heard on 16 and 17 July 2019 by the President of the Queen's Bench Division, the Chancellor and Lord Justice Davis. Judgment was given on 2 Oct 2019. The lead judgment was delivered by the Chancellor, Sir Geoffrey Vos.

The Issues
The facts in this appeal were very similar to those in Google Inc v Vidal-Hal and others [2015] 3 WLR 409, [2015] CP Rep 28, [2015] FSR 25, [2015] 3 CMLR 2, [2015] WLR(D) 156, [2015] EMLR 15, [2015] EWCA Civ 311, [2016] QB 1003, [2016] 2 All ER 337 where the Court of Appeal dismissed Google's appeal against Mr Justice Tugendhat's decision to allow a similar claim to be served  outside the jurisdiction (see Vidal-Hall and others v Google Inc [2014] EWHC 13 (QB) (16 Jan 2014)  [2014] EMLR 14, [2014] 1 WLR 4155, [2014] WLR 4155, [2014] FSR 30, [2014] 1 CLC 201, [2014] WLR(D) 21, [2014] EWHC 13 (QB)). However, the Chancellor pointed out at paragraph [3] of his judgment that there was one crucial difference between the two cases.   In Vidal-Hall, the individual claimants claimed damages for distress as a result of Google's breaches of the Data Protection Act 1998 ("DPA").  In the present case, Mr Lloyd claimed a uniform amount by way of damages on behalf of each person within the defined class without seeking to allege or prove any distinctive facts affecting any of them, save that they did not consent to the abstraction of their data.

The Chancellor analysed Mr Justice Warby's decision between paragraphs [25] and [39] of his judgment.  According to the Chancellor, the grounds on which the application had been refused were  "that: (a) none of the represented class had suffered 'damage' under section 13 of the Data Protection Act 1998 (the 'DPA'), (b) the members of the class did not anyway have the 'same interest' within CPR Part 19.6 (1) so as to justify allowing the claim to proceed as a representative action, and (c) the judge of his own initiative exercised his discretion under CPR Part 19.6 (2) against allowing the claim to proceed."

His lordship summarized the main issues raised by the appeal as follows:
"(a) whether the judge was right to hold that a claimant cannot recover uniform per capita damages for infringement of their data protection rights under section 13 of the DPA, without proving pecuniary loss or distress, (b) whether the judge was right to hold that the members of the class did not have the same interest under CPR Part 19.6 (1) and were not identifiable, and (c) whether the judge's exercise of discretion can be vitiated."
The Facts
Sir Geoffrey adopted the following paragraphs from Mr Justice Warby's judgment:
"[7]. The case concerns the acquisition and use of browser generated information or "BGI". This is information about an individual's internet use which is automatically submitted to websites and servers by a browser, upon connecting to the internet. BGI will include the IP address of the computer or other device which is connecting to the internet, and the address or URL of the website which the browser is displaying to the user. As is well-known, "cookies" can be placed on a user's device, enabling the placer of the cookie to identify and track internet activity undertaken by means of that device.
[8]. Cookies can be placed by the website or domain which the user is visiting, or they may be placed by a domain other than that of the main website the user is visiting ("Third Party Cookies"). Third Party Cookies can be placed on a device if the main website visited by the user includes content from the third party domain. Third Party Cookies are often used to gather information about internet use, and in particular sites visited over time, to enable the delivery to the user of advertisements tailored to the interests apparently demonstrated by a user's browsing history ("Interest Based Adverts").
[9]. Google had a cookie known as the "DoubleClick Ad cookie" which could operate as a Third Party Cookie. It would be placed on a device if the user visited a website that included content from Google's Doubleclick domain. The purpose of the DoubleClick Ad cookie was to enable the delivery and display of Interest Based Adverts.
[10]. Safari is a browser developed by Apple. At the relevant time, unlike most other internet browsers, all relevant versions of Safari were set by default to block Third Party Cookies. However, a blanket application of these default settings would prevent the use of certain popular web functions, so Apple devised some exceptions to the default settings. These exceptions were in place until March 2012, when the system was changed. But in the meantime, the exceptions enabled Google to devise and implement the Safari Workaround. Stripped of technicalities, its effect was to enable Google to set the DoubleClick Ad cookie on a device, without the user's knowledge or consent, immediately, whenever the user visited a website that contained DoubleClick Ad content.
[11]. This enabled Google to identify visits by the device to any website displaying an advertisement from its vast advertising network, and to collect considerable amounts of information. It could tell the date and time of any visit to a given website, how long the user spent there, which pages were visited for how long, and what ads were viewed for how long. In some cases, by means of the IP address of the browser, the user's approximate geographical location could be identified. Over time, Google could and did collect information as to the order in which and the frequency with which websites were visited. It is said by the claimant that this tracking and collating of BGI enabled Google to obtain or deduce information relating not only to users' internet surfing habits and location, but also about such diverse factors as their interests and habits, race or ethnicity, social class, political or religious views or affiliations, age, health, gender, sexuality, and financial position.
[12]. Further, it is said that Google aggregated BGI from browsers displaying sufficiently similar patterns, creating groups with labels such as "football lovers", or "current affairs enthusiasts". Google's DoubleClick service then offered these groups to subscribing advertisers, allowing them to choose … the type of people that they wanted to direct their advertisements to".
Proceedings in the USA
The US Federal Trade Commission bought proceedings for misrepresenting to Safari users that it would not place tracking cookies on their browsers or send targeted advertising which Google settled by agreeing to pay a civil penalty of US$22.5 million.  It also settled an action by 37 states and the District of Columbia on behalf of their consumers by agreeing to pay US$17 million damages and giving certain undertakings.

Proceedings in the UK
 Mr Justice Warby had noted at paragraph [14] of his judgment that similar proceedings had not been brought in the UK by the Information Commissioner but he mentioned Vidal-Hall's claim that I discussed above. 

Applicable Law
Sir Geoffrey referred to paragraphs (2), (7), (8), (10), (11) and (55) of the recitals and arts 1, 22 and 23 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("the Directive").  He also referred to ss.1 (1) (a) and (b), 3, 4 (1) and (4), 13 (1) and (2) and 14 (4) of the Data Protection Act 1998. Finally, he referred to CPR 19.6 (1), (2), (3) and (4).

Was the judge right to hold that a claimant cannot recover uniform per capita damages for infringement of their data protection rights under section 13 without proving pecuniary loss or distress?
The Chancellor affirmed that s.13 of the Data Protection Act 1998 has to be construed in accordance with art 23 of the Directive which had been adopted to give effect to art 8 of the European Convention on Human Rights. He also noted that the parties had agreed that there was a de minimis threshold for an award of damages. After considering the Court of Appeal's decisions in Gulati and others v MGN Ltd [2015] WLR(D) 232, [2015] EWHC 1482 (Ch) which was a case on the misuse of personal information, Halliday v Creation Consumer Finance Ltd (CCF) [2013] EWCA Civ 333 (15 March 2013) which was on damages under s.13 of the Data Protection Act 1998 and other authorities, his lordship concluded at [70] "that damages are in principle capable of being awarded for loss of control of data under article 23 and section 13, even if there is no pecuniary loss and no distress."  He added that it was only by construing the legislation in this way that individuals can be provided with an effective remedy for the infringement of their rights under the Act.

Was the judge was right to hold that the members of the class did not have the same interest under CPR Part 19.6(1) and were not identifiable?
CPR 19.6 (1) provides:
"Where more than one person has the same interest in a claim –
(a) the claim may be begun; or
(b) the court may order that the claim be continued,
by or against one or more of the persons who have the same interest as representatives of any other persons who have that interest."
Mr Justice Warby had held that a representative claim was disqualified unless (a) "every member of the class [had] suffered the same damage (or their share of a readily ascertainable aggregate amount [was] clear)", and (b) different potential defences were not available in respect of claims by different members of the class.  In the present case, for example, some in the claimant class would have been heavy internet users with much BGI taken; it was not credible that all the specified categories of data were obtained by Google from each represented claimant. The same variations would apply if the user principle were applied. Neither the breach of duty nor the impact of it was uniform across the entire class membership.

Sir Geoffrey believed that Mr Justice Earby had applied too stringent a test of "same interest" partly because of his earlier finding on recoverable damages.  H observed at [75]:
"Once it is understood that the claimants that Mr Lloyd seeks to represent will all have had their BGI – something of value - taken by Google without their consent in the same circumstances during the same period, and are not seeking to rely on any personal circumstances affecting any individual claimant (whether distress or volume of data abstracted), the matter looks more straightforward. The represented class are all victims of the same alleged wrong, and have all sustained the same loss, namely loss of control over their BGI. Mr Tomlinson disavowed, as I have said, reliance on any facts affecting any individual represented claimant. That concession has the effect, of course, of reducing the damages that can be claimed to what may be described as the lowest common denominator. But it does not, I think, as the judge held, mean that the represented claimants do not have the same interest in the claim. Finally, in this connection, once the claim is understood in the way I have described, it is impossible to imagine that Google could raise any defence to one represented claimant that did not apply to all others. The wrong is the same, and the loss claimed is the same. The represented parties do, therefore, in the relevant sense have the same interest. Put in the more old-fashioned language of Lord Macnaghten in The Duke of Bedford at [8], the represented claimants have a 'common interest and a common grievance' and 'the relief sought [is] in its nature beneficial to all'".
Mr Justice Warby had also held that a class of claimants having the same interest could not be identified. The Chancellor disagreed.  He said at [81]:  Havi
"In my judgment, therefore, the judge ought to have held that the members of the represented class had the same interest under CPR Part 19.6(1) and that they were identifiable."
Can the judge's exercise of discretion be vitiated?
Having reached a different conclusion on the other two issues, the Chancellor considered that it was appropriate for the court to exercise its discretion afresh.  Having considered carefully all the factors raised by both sides he concluded that this was a claim which, as a matter of discretion, should be allowed to proceed.

The President of the Queen's Bench Divison and Lord Justice Davis agreed with the Chancellor's judgment.  The appeal was therefore allowed and permission was granted to the claimants to serve their claim on Google in the USA.

Anyone wishing to discuss this appeal pr data protection generally should call me on +44 (0)20 7404 5252 or send me a message through my contact form. 

No comments:

Post a comment