Some saw this case as a multi billion pound representative action, seeking justice in the face of unwarranted use of personal data. Others saw it as a doomed attempt to drive a consumer rights agenda by Mr Lloyd, who has had a long career in consumer protection, and was Executive Director of Which? between April 2011 and February 2016. The claim was supported by significant litigation funding.
The claim alleged breach of the duty imposed by s 4(4) of the Data Protection Act 1998 (“DPA”). The allegation was that over some months in 2011-2012 Google acted in breach of that duty by secretly tracking the internet activity of Apple iPhone users, collating and using the information it obtained by doing so, and then selling the accumulated data. The method by which Google was able to do this is generally referred to as “the Safari Workaround”. The effect of the Safari Workaround was to enable Google to set a DoubleClick Ad cookie on a device, without the user’s knowledge or consent, immediately, whenever the user visited a website that contained DoubleClick Ad content.
Google got into a fair bit of trouble following the discovery of the Safari Workaround. In August 2012 the company agreed to pay a US$22.5 million civil penalty to settle charges brought by the United States Federal Trade Commission that it misrepresented to users of the Safari browser that it would not place tracking cookies or serve targeted advertisements to those users. On 11 November 2013 it agreed to pay US$17 million to settle US state consumer-based actions brought against it by attorneys general representing 37 US states and the District of Columbia.
The Lloyd v Google case was at an early stage in procedure – service of the proceedings. But the question considered went to the heart of the dispute – did the claim disclose a basis for seeking compensation under the Data Protection Act?
The Safari Workaround
There were three cases in the UK relating to the Safari Workaround, reported as Vidal-Hall v Google Inc  EWHC 13 (QB),  1 WLR 4155. The nature and basis of the claims in Vidal-Hall were described as compensation for distress suffered by the individual claimants when they learned that information about their “personal characteristics, interests, wishes or ambitions” had been used as the basis for advertisements targeted at them, or when they learned that, as a result of such targeted advertisements, such matters had in fact, or might well have, come to the knowledge of third parties who they had permitted to use their devices, or to view their screens. As Tugendhat J said at : “What each of the claimants claims in the present case is that they have suffered acute distress and anxiety.” The details of the “personal characteristics, interests, wishes or ambitions” referred to were considered sensitive enough to be set out in Confidential Schedules to the claimants’ statements of case.
This is an important aspect of the judgement. In the Vidal-Hall case, the claimants appear to have been browsing the internet, obviously thinking that their browsing was private. We do not know what they were looking at, but the inference is that advertisements relating to what they were looking at appeared on their screens when other people were looking at the screen. The pleading seems to have set out a direct cause and effect.
In the Lloyd v Google case, what was sought was a single figure for damages across all of the millions of people who were potentially affected. It was argued that damages could be awarded for the “infringement of the right”, and assessed damages on the basis that compensation could be given for the “commission of the wrong itself”.
This argument was rejected. The judge said:
“It is clear law that the Court cannot make an award of “vindicatory” damages, merely to mark the commission of the wrong; this is wrong in principle: see R (Lumba) v Secretary of State for the Home Department  1 AC 245 [97-100].”
Working through the technical aspect of cookies and the potential for different claimants to take different approaches to their phone settings, he concluded that, in essence each claimant would be different. And because a claimant had to prove cause and effect in each case, that was fatal to the attempt to build a representative action.
The judge explained:
“The procedural rule is clear: a representative action may only be started, and the court may only order that a claim be continued as a representative action, if the representative party and those whom that party represents, have “the same interest in” the claim. This is a “threshold point which must be established” by reference to the facts ascertained or assumed at the relevant time: Millharbour Management Ltd v Weston Homes Ltd  3 All ER 1027 [22(1)] (Akenhead J). The requirement is “fundamental”: Emerald Supplies Ltd v British Airways plc.  Ch 345 . The rule is “non-bendable”: In re X (Court of Protection: Deprivation of Liberty)  1 WLR 227  (Black LJ).”
Relief of for data sector
So why is this a relief for the data sector?
Claimant lawyers are keenly aware that when something goes wrong with data, such as a data breach, it tends to be big. Many individuals may be affected. Many users may be concerned. Individuals know that their personal data should be safe and secure.
However if individual claimants have to prove that they were directly affected in a material way by a data breach then the possibility of a representative action becomes remote. This is particularly the case if the judicial attitude is one of insouciance when it comes to personal data. Mr Justice Warby said:
“I do not believe that the authorities show that a person whose information has been acquired or used without consent invariably suffers compensatable harm, either by virtue of the wrong itself, or the interference with autonomy that it involves. Not everything that happens to a person without their prior consent causes significant or any distress. Not all such events are even objectionable, or unwelcome. Some people enjoy a surprise party. Not everybody objects to every non-consensual disclosure or use of private information about them. Lasting relationships can be formed on the basis of contact first made via a phone number disclosed by a mutual friend, without asking first. Some are quite happy to have their personal information collected online, and to receive advertising or marketing or other information as a result. Others are indifferent.”
The difficulty for claimants is that they have to prove their damage in each case. There is no assumed damage. This means that each case can and will be fought on its merits. And that means that potential claimants will be deterred by the time, cost and uncertainty that comes with any traditional litigation.
For those in data sector this decision will come as a relief. The sector’s focus will and should be (for now) on the regulatory authorities. As the judge said:
“Censure is the role of the regulator, or the criminal law. There have been regulatory responses to the breaches, which have resulted in consequences for Google. If those responses are perceived to be inadequate, I do not believe the remedy is to fashion a means of imposing a further penalty by bringing a class action for compensation, based on an artificial notion of “damage”.
The case also raises again the difficult issue of the law’s attitude towards data. At the moment, the data is about us, and there are obligations in relation to how it is handled. Eben Wilson has considered why data should instead be considered a property right, allowing individuals to sell that data if they wish.
Court of Appeal decision in Google v Vidall Hall can be found here: https://www.judiciary.uk/wp-content/uploads/2015/03/google-v-vidal-hall-judgment.pdf