If you type “can I claim for a data breach” into Google, you will receive several pages of lawyers willing to help individuals sue organisations for misusing or losing your data.  Many of these lawyers are seeking to bring class actions, whereby they will act for tens, hundreds, or thousands of claimants who have been affected by such breaches, normally on a no-win-no-fee basis.  With PPI claims coming to an end in 2019, there has been a fear that many of these claim managers would turn their sights onto data protection, and this fear has been a significant driver for many organisations to get their GDPR (General Data Protection Regulation) compliance model up to scratch.

Ironically, the first significant judgement in this area is against Google (type “can I claim against Google for the Safari Workaround” into Google, and see what you get), and it has not gone to plan for the claimants.  The judgement also gives a strong message as to the future success (or failure) of such cases.  Whilst the claim predates the GDPR and the Data Protection Act 2018, the general attitude of the courts (and the underlying law) are likely to continue on the same path.  If this is the case then the former PPI claims managers are unlikely to find data protection litigation a fruitful racket.

The case itself relates to events that took place in 2012.  Google exploited a loophole in the Safari web-browser which enabled them to track iPhone users’ browsing without their knowledge. This was known as the "Safari Workaround", and it has since become a thorn in Google's side: Google has paid out nearly US$40 million in the US to regulators, and it has already led to litigation in the UK.

Google has now seen off a further claim that, if successful, could have led to a multi-billion pound compensation bill.

This claim was made under the Data Protection Act 1998 (which has now been replaced by the Data Protection Act 2018, which of course preserves the GDPR in UK law).  The judgement of Mr Justice Warby is a really interesting insight into the way in which class actions are set to become big business in the UK.

The claim against Google was brought by Richard Lloyd, a well-known advocate of consumer rights and former Executive Director of Which?. He was well supported: His advisory committee consists of Martin Lewis (of Money Saving Expert fame); the retired judge, Sir Christopher Clark; and Christine Furnish, a prominent former regulator with the FSA, Oftel and The Pensions Regulator.  His legal representatives are  a top firm of City lawyers (not an ambulance chaser in sight), and he has very deep legal pockets, courtesy of legal funders Therium Litigation, who have put up a £15.5 million war-chest. This is litigation as big business, with potential high returns.

Mr Lloyd's intention has been to garner a representative class action of all relevant Safari users (essentially everyone who had an iPhone 3G, using an Apple Safari Internet browser on that phone, who had not changed the default security settings, and who lives in the UK). This is estimated to be approximately 4.4 million people.  This class action is highly speculative, and there is no long queue of aggrieved vintage iphone users waiting for their money: the strategy was to secure a judgement in favour of the class, and then encourage its members to come forward, identify themselves, and receive their compensation.

Mr Lloyd's assertion is that Google’s breach of the Data Protection Act 1998 should see each of the 4.4 million "victims" compensated.  Whilst the level of compensation is to be assessed, the figure of £750 appears to be accepted as about right (this would give Google a compensation bill of somewhere in the region of £3.3 billion, if every user was paid).

One very early hurdle for Mr Lloyd to overcome (and he has fallen at this first hurdle) is the fact that Google is a Delaware registered corporation with its principal place of business outside of the United Kingdom. As such, the UK Court’s consent is required before Google can be served with the proceedings.  Without service, a claim cannot move forward. Whether or not service is permitted is a matter within the discretion of a judge.  The judge in this case was Mr Justice Warby, who has given an extremely robust judgement, refusing Mr Lloyd's application to serve Google outside of jurisdiction.  Unless there is a successful appeal, this judgement marks the end of Mr Lloyd’s claim.

It is clear from some of the Judge’s comments that he was not a fan of this application.  Commenting upon the minimal level of damage allegedly suffered by Mr Lloyd (of which more below) he states:

"the damage sustained and the compensation recoverable by each represented individual are modest at best. The main beneficiaries of any award at the end of this litigation will be the funders and the lawyers by a considerable margin.… It would not be unfair to describe this as officious litigation, embarked upon on behalf of individuals who have not authorised it, and have shown no interest in seeking any remedy for, or even complaining about, the alleged breaches".

So, what is it that has led to such strong words from a High Court judge, and what does this mean for the future of class actions under the data protection legislation?

First the Judge was clearly influenced by the fact that very few members of the "class" (i.e. the 4.4 million odd users of iPhone 3Gs) were perturbed by Google's misuse of their data.  He was struck by how few of that class had demonstrated any interest in the breach by coming forward to complain, let alone to make a claim, in the five or six years since the Safari Workaround was discovered.  This is perhaps not surprising, given that even Mr Lloyd accepted that neither he or his potential fellow claimants had suffered any real damage.

The Judge considered whether damage could be the loss of control of data suffered by the individuals; or that individuals would have received potentially unwanted advertising targeted by reference to their interests, but ultimately he failed to see how this could constitute damage worthy of being financially compensated. Nor was it the case that damages should be granted merely to punish Google for having misused the data – that was the job of regulators; if an individual is to receive compensation then they must have suffered some form of loss or damage as a result of the breach.

The Judge also raised concerns about how the class could be defined, and whether they shared the characteristics necessary to get a class action off the ground.  Ultimately, however, the judgement turns upon an explicit finding that the claim would not succeed because of a lack of damage to the individuals concerned, and a more implicit finding that this litigation seems intended to benefit the lawyers and their funders, rather than genuinely aggrieved individuals.

Does this mean that all class actions are dead?  Not at all.  There are likely to be some high profile class actions where the individual claimants can show actual loss, particularly as a result of organisations’ lax data security.  We also need to remember that the Data Protection Act 2018 specifically identifies distress as being damage capable of being compensated.  That, however, is a far cry from what Mr Lloyd sought to argue should be compensated in his claim against Google. 

For more information please contact Matthew Cole - mcole@prettys.co.uk - 01473 298221 or Emma Loveday-Hill - elovedayhill@prettys.co.uk - 01473 298266