Data breach: the requirement of damage and suitability of representative actions

After a number of very high-profile data breaches, including at British Airways and Facebook, there has been a great deal of focus on potential class actions to recover damages for individuals affected. The potential number of victims in a data breach (BA estimates about 380,000 and Facebook 50 million) means that any successful class actions could result in very significant damages. The European Union’s General Data Protection Regulation (GDPR) expressly permits “representative actions”, where a single organisation can represent the interests of data subjects, and also allows the recovery of damages where no physical or financial loss has been suffered.

Richard Lloyd v Google LLC, a representative action brought by the former executive director of Which? against Google, is therefore of significant interest. As one of the first representative actions in connection with the use of data without consent, the stakes were high; an estimated 4.4 million to 5.4 million potential claimants meant that even a small damages award for each claimant could result in a significant award against Google.

On 8 October, the UK High Court gave judgment on whether the claim could proceed, finding that the underlying issues did not support a claim for damages under the Data Protection Act 1998 (DPA), and even if they did, it could not be dealt with as a representative action as the members of the group could not be reliably identified and would not necessarily have the same interest in the claim. Although the legal basis of the claim pre-dates the GDPR, the decision is of interest for those organisations that process large amounts of data and could face a representative action in the event of a breach.

 

Background

The claim concerned the ‘Safari workaround’; a method by which Google was able to track the internet activity of Apple iPhone users for a period of time between 2011 and 2012 without their knowledge or consent. The claimant alleged that, in time, the tracking and collating of data by Google enabled them to obtain information relating to an individual’s surfing habits and to build up a profile of data that could include, among other things, an individual’s interests, habits, race or ethnicity, social class, age, gender and health.

The claim for compensation under section 13 of the DPA focused on the lack of consent or knowledge and the fact the data collected was contrary to Google’s public statements, and of commercial benefit to Google. It anticipated a standard award for each and every iPhone user affected during the relevant period. The claim did not allege any financial loss or distress suffered by iPhone users.

 

The issues – damages

The key issue was whether there was any basis for damages under the DPA, and if so, whether the claim could continue as a representative action. Without a viable claim for damages, there could be no representative action.

The court found that the claim did not disclose a basis for claiming compensation under the DPA. Although it was concluded by the Court of Appeal in Judith Vidal-Hall & Others v Google Inc (2015), another case about the Safari workaround, that section 13 of the DPA allowed a remedy of compensation for distress even if no material loss was suffered, the court found that there could be no remedy where the breach caused neither material harm nor distress. The court was careful to distinguish Vidal-Hall, a case focusing on the distress caused to the claimants, which was not a case advanced by Mr Lloyd.

The court also considered whether there could be damages for infringements of rights and found that an individual whose information has been acquired or used without consent does not invariably suffer harm that should be compensated. Nor was the court prepared to accept that damages should be awarded because Google should face consequences for a breach of the nature and scale alleged. The court focused on the DPA’s use of the word compensation, as distinct from regulatory sanctions deterring breaches of the rules.

 

The issues – the representative action

The court also had to consider whether the claim was capable of being dealt with by representative proceedings. This is an issue of interest given the infancy of representative proceedings in the UK, and the GDPR’s express permitted use of representative actions. The court found that the requirement that all members of a representative action have the “same interest” was not met. While the consequences of the breach might mean that some individuals have suffered damage, there will be others that suffered none.

An action cannot be brought on behalf of someone that has no cause of action and no interest in a claim and those that did have a claim would have different interests from one another, dependant on individual facts. Different data had been obtained from different users and the nature and extent of any loss of control of data varied. Consequently, the effect of a breach of duty would not impact the entire class in the action uniformly.

The court identified perhaps the most significant, and fatal, issues that the claimant faced: the ability to identify those iPhone users affected by the Safari workaround, and the lack of any real interest from the potential claimants in pursuing a claim. These appear to have been significant factors that reflected badly on the claim in the eyes of the court. The judge described the claim as “officious litigation, embarked upon on behalf of individuals who have not authorised it, and have shown no interest in seeking any remedy for…the alleged breaches”.

Comment

The decision highlights that claims for damages following a data breach, or use of data without consent, are by no means a foregone conclusion. Each case will be dealt with on its merits and claimants – representative or otherwise – must prove all necessary ingredients of their claims.

If future representative claims are to succeed they will need to demonstrate:

• A valid claim for damages under GDPR and/or the Data Protection Act 2018, most likely based on financial or material damage and/or distress
• That the members of a representative class:
  • Can be identified
  • Have the same interest in the claim
  • Have shown some interest in pursuing the claim.

These may well be significant hurdles that prevent representative actions in the UK becoming anything like the class action industry in the US. Mr Lloyd has stated publicly that the decision will be appealed, so this may not be the end of the story.

 

Contributed by Tom White, partner, Clyde & Co