Appeal Ref: A2/2018/2769 Case No: HQ17M01913
ON APPEAL FROM THE HIGH COURT OF JUSTICE
QUEENS’ BENCH DIVISION
MEDIA AND COMMUNICATIONS LIST
The Honourable Mr Justice Warby
Royal Courts of Justice Strand, London, WC2A 2LL
Before:
DAME VICTORIA SHARP, PRESIDENT OF THE QUEEN’S BENCH DIVISION SIR GEOFFREY VOS, CHANCELLOR OF THE HIGH COURT
and
LORD JUSTICE DAVIS
Between:
RICHARD LLOYD
Claimant/Appellant
and
GOOGLE LLC
Defendant/Respondent
- - - - - - - - - - - - - - - - - - - - -
Mr Hugh Tomlinson QC, Mr Oliver Campbell QC and Ms Victoria Wakefield QC (instructed by Mishcon de Reya LLP) for the Appellant
Mr Antony White QC and Mr Edward Craven (instructed by Pinsent Masons LLP) for the Respondent
Hearing dates: 16th and 17th July 2019
- - - - - - - - - - - - - - - - - - - - -
Approved Judgment
Sir Geoffrey Vos C:
Introduction
The claimant, Mr Richard Lloyd (“Mr Lloyd”), is a champion of consumer protection. This action seeks damages against Google LLC, the defendant, a Delaware corporation (“Google”). Mr Lloyd makes the claim on behalf of a class of more than 4 million Apple iPhone users. It is alleged that Google secretly tracked some of their internet activity, for commercial purposes, between 9th August 2011 and 15th February 2012.
Warby J dismissed Mr Lloyd’s application for permission to serve Google outside the jurisdiction on the basis that: (a) none of the represented class had suffered “damage” under section 13 of the Data Protection Act 1998 (the “DPA”), (b) the members of the class did not anyway have the “same interest” within CPR Part 19.6(1) so as to justify allowing the claim to proceed as a representative action, and (c) the judge of his own initiative exercised his discretion under CPR Part 19.6(2) against allowing the claim to proceed.
The appeal against the judge’s decision raises some important issues that were not decided by this court in Vidal-Hall v. Google Inc [2015] EWCA Civ 311 (“VidalHall”). Vidal-Hall was argued on the basis of analogous underlying facts, but with one crucial difference; in that case, the individual claimants claimed damages for distress as a result of Google’s breaches of the DPA. In this case, Mr Lloyd claims a uniform amount by way of damages on behalf of each person within the defined class without seeking to allege or prove any distinctive facts affecting any of them, save that they did not consent to the abstraction of their data.
Against that background, the main issues raised by the appeal are: (a) whether the judge was right to hold that a claimant cannot recover uniform per capita damages for infringement of their data protection rights under section 13 of the DPA, without proving pecuniary loss or distress, (b) whether the judge was right to hold that the members of the class did not have the same interest under CPR Part 19.6(1) and were not identifiable, and (c) whether the judge’s exercise of discretion can be vitiated.
Mr Lloyd made a preliminary challenge to the judge’s decision to deal with the points of law arising at this early stage. In my view, however, that challenge can be quickly resolved. The judge was right to deal with the points of law identified by reference primarily to the pleaded facts. No extensive factual evaluation was needed, and it was better to confront at once the clear legal issues that arose.
Mr Hugh Tomlinson QC, leading counsel for Mr Lloyd, relied primarily on the decisions of Mann J and the Court of Appeal in Gulati v. MGN Limited [2015] EWHC 1482 (Ch) (Mann J), [2015] EWCA Civ 1291 (CA) (“Gulati”) to argue that, if damages are available without proof of pecuniary loss or distress for the tort of misuse of private information (“MPI”), they should also be available for a non-trivial infringement of the DPA. Both claims are derived from the same fundamental right to data protection contained in article 8 of the Charter of Fundamental Rights of the European Union 2012/C 326/02 (the “Charter”): “[e]veryone has the right to the protection of personal data concerning him or her”. That right is reinforced by article 47 requiring that “[e]veryone whose rights and freedoms guaranteed by the law of the
Union are violated has the right to an effective remedy before a tribunal …”. Further, Mr Tomlinson contended that those in the represented class were entitled to “user damages” or what the Supreme Court has now called “negotiating damages” (see One Step (Support) Ltd v. Morris-Garner [2018] UKSC 20, [2018] 2 WLR 1353 (“One
Step”)).
Mr Tomlinson accepted that this action, if allowed to proceed, would be an unusual and innovative use of the representative procedure in CPR Part 19.6. But he submitted that the authorities did not always prevent representative actions for damages. Here, there was no relevant factual distinction between the pleaded claims of any of the represented class, nor could Google raise any individual defence. The judge, argued Mr Tomlinson, exercised his undoubted discretion under CPR Part 19.6(2) on the wrong basis.
Conversely, Mr Antony White QC, leading counsel for Google, submitted that both article 23.1 of the Data Protection Directive (the “Directive”),1 and section 13(1) of the DPA require proof of causation and consequential damage. The Directive requires Member States to provide that “any person who has suffered damage as a result of an unlawful processing operation” or any contravention of the DPA is entitled to receive compensation, and the DPA provides that “an individual who suffers damage by reason of any contravention” is entitled to compensation for that damage. Mr White contended that Gulati did not approve an award of damages for the abstract fact that a person has had their personal information misused. It held only that damages for MPI could be awarded in the absence of material loss or distress where the defendant’s breach of privacy had a significant adverse effect on the claimant’s right to choose when and to whom their information was disclosed. Mr White submitted that user damages should not be made available simply because that might be a just course to adopt.
Mr White submitted that the authorities clearly prevented a representative claim for damages save in exceptional circumstances that did not exist here. Allowing such a claim would be an inadmissible use of the procedure; only Parliament could introduce a new regime to allow such a claim. The judge had been right to hold that the definition of the represented class had to be conceptually sound and workable. Actions could not be pursued on behalf of persons who were not identifiable before judgment and perhaps not even identifiable then. The judge’s discretion had been exercised on an appropriate basis and could not be interfered with.
I will return to these arguments in more detail, but first, I should set out the essential elements of factual background, statutory provisions, and the judge’s reasoning.
Factual background
The judge explained the technical background to the claim in terms that I am happy to adopt as follows:-
1 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Directive was replaced by the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) after the events to which these claims relate.
“7. The case concerns the acquisition and use of browser generated information or “BGI”. This is information about an individual’s internet use which is automatically submitted to websites and servers by a browser, upon connecting to the internet. BGI will include the IP address of the computer or other device which is connecting to the internet, and the address or URL of the website which the browser is displaying to the user. As is well-known, “cookies” can be placed on a user’s device, enabling the placer of the cookie to identify and track internet activity undertaken by means of that device.
8. Cookies can be placed by the website or domain which the user is visiting, or they may be placed by a domain other than that of the main website the user is visiting (“Third Party Cookies”). Third Party Cookies can be placed on a device if the main website visited by the user includes content from the third party domain. Third Party Cookies are often used to gather information about internet use, and in particular sites visited over time, to enable the delivery to the user of advertisements tailored to the interests apparently demonstrated by a user’s browsing history (“Interest Based Adverts”).
9. Google had a cookie known as the “DoubleClick Ad cookie” which could operate as a Third Party Cookie. It would be placed on a device if the user visited a website that included content from Google’s Doubleclick domain. The purpose of the DoubleClick Ad cookie was to enable the delivery and display of Interest Based Adverts.
10. Safari is a browser developed by Apple. At the relevant time, unlike most other internet browsers, all relevant versions of Safari were set by default to block Third Party Cookies. However, a blanket application of these default settings would prevent the use of certain popular web functions, so Apple devised some exceptions to the default settings. These exceptions were in place until March 2012, when the system was changed. But in the meantime, the exceptions enabled Google to devise and implement the Safari Workaround. Stripped of technicalities, its effect was to enable Google to set the DoubleClick Ad cookie on a device, without the user’s knowledge or consent, immediately, whenever the user visited a website that contained DoubleClick Ad content.
11. This enabled Google to identify visits by the device to any website displaying an advertisement from its vast advertising network, and to collect considerable amounts of information. It could tell the date and time of any visit to a given website, how long the user spent there, which pages were visited for how long, and what ads were viewed for how long. In some cases, by means of the IP address of the browser, the user’s approximate geographical location could be identified. Over time, Google could and did collect information as to the order in which and the frequency with which websites were visited. It is said by the claimant that this tracking and collating of BGI enabled Google to obtain or deduce information relating not only to users’ internet surfing habits and location, but also about such diverse factors as their interests and habits, race or ethnicity, social class, political or religious views or affiliations, age, health, gender, sexuality, and financial position.
12. Further, it is said that Google aggregated BGI from browsers displaying sufficiently similar patterns, creating groups with labels such as “football lovers”, or “current affairs enthusiasts”. Google’s DoubleClick service then offered these groups to subscribing advertisers, allowing them to choose … the type of people that they wanted to direct their advertisements to”.
The judge also dealt with the history of litigation and regulatory action in relation to the Safari Workaround as follows:-
“13. … Regulatory action was then taken against Google in the USA. In August 2012 the company agreed to pay a US$22.5 million civil penalty to settle charges brought by the United
States Federal Trade Commission (“FTC”) that it misrepresented to users of the Safari browser that it would not place tracking cookies or serve targeted advertisements to those users. On 11 November 2013 it agreed to pay US$17 million to settle US state consumer-based actions brought against it by attorneys general representing 37 US states and the District of Columbia. In addition, [Google] was required to give a number of undertakings governing its future conduct in its dealings with users in the USA.
14. In this jurisdiction, these matters would fall under the regulatory jurisdiction of the Information Commissioner, but it appears that there has been no regulatory action taken here. The Safari Workaround has however been the subject of [highprofile] civil litigation against Google in this jurisdiction. In June 2013, Judith Vidal-Hall and two others issued claims against Google claiming damages on the basis that by obtaining and using information about their internet usage via the Safari Workaround the company had misused their private information and/or committed a breach of confidence and breach of the DPA and caused them distress and anxiety”.
On 31st May 2017, Mr Lloyd issued a claim form alleging breach of statutory duty under section 4(4) of the DPA. It sought, on behalf of the represented class, damages under section 13 of the DPA for infringement of their data protection rights, commission of the wrong, and loss of control over their data protection rights. It was alleged that Google, as a data controller, failed to comply with the
first, second and seventh data protection principles set out in Part I of Schedule 1 to the DPA. (Footnote: 1)
On 29th November 2017, Mr Lloyd applied for permission to serve the proceedings outside the jurisdiction on Google in the USA. The contested hearing of that application between 21st and 23rd May 2018 resulted in the judge’s order of 8th October 2018. Lewison LJ described the judgment as cogent and well-reasoned, but granted permission to appeal on 21st January 2019, on the grounds of the novelty of the claim and the procedure for dealing with it, together with the public interest in data breaches, the potential number of persons affected and the potential sums of money involved.
Relevant legislation
The Directive
The DPA was intended to implement the Directive, which was aimed at safeguarding privacy rights in the context of data-management. The recitals included the following:
“(2) Whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress, trade expansion and the wellbeing of individuals; ...
(7) Whereas the difference in levels of protection of the rights and freedoms of individuals, notably the right to privacy, with regard to the processing of personal data afforded in the Member States may prevent the transmission of such data from the territory of one Member State to that of another Member State;
(8) Whereas, in order to remove the obstacles to flows of personal data, the level of protection of the rights and freedoms of individuals with regard to the processing of such data must be equivalent in all Member States; …
(10) Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognized both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms [the “Convention”] and in the general principles of [EU] law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the [EU];
(11) Whereas the principles of the protection of the rights and freedoms of individuals, notably the right to privacy, which are contained in this Directive, give substance to and amplify those contained in the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data. …
(55) Whereas, if the controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller, …”.
Article 1 of the Directive provided as follows:
“Object of the Directive
In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data”.
Article 22 of the Directive (“article 22”) provided as follows:
“Without prejudice to any administrative remedy for which provision may be made, inter alia before the supervisory authority referred to in Article 28, prior to referral to the judicial authority, Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question”.
Article 23 of the Directive (“article 23”) provided as follows:
“1. Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered”.
The DPA
Section 1(1) of the DPA provided as follows:
“personal data” means data which relate to a living individual who can be identified— (a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller…”.
Section 3 of the DPA provided as follows: “In this Act “the special purposes” means any one or more of the following—
the purposes of journalism,
artistic purposes, and
literary purposes”.
Section 4 of the DPA provided as follows:
“(1) References in this Act to the data protection principles are to the principles set out in Part I of Schedule 1. …
(4) Subject to section 27(1), it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller”.
Section 13 of the DPA (“section 13”) provided as follows:
“(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—
(a) the individual also suffers damage by reason of the contravention, or
(b) the contravention relates to the processing of personal data for the special purposes”. (Footnote: 2)
Section 14(4) of the DPA provided as follows:
“If a court is satisfied on the application of a data subject—
(a) that he has suffered damage by reason of any contravention by a data controller of any of the requirements of this Act in respect of any personal data, in circumstances entitling him to compensation under section 13, and
(b) that there is a substantial risk of further contravention in respect of those data in such circumstances,
the court may order the rectification, blocking, erasure or destruction of any of those data”.
The CPR
CPR Part 19.6 provides as follows:-
“(1) Where more than one person has the same interest in a claim –
(a) the claim may be begun; or
(b) the court may order that the claim be continued,
by or against one or more of the persons who have the same interest as representatives of any other persons who have that interest.
(2) The court may direct that a person may not act as a
representative.
(3) Any party may apply to the court for an order under paragraph (2).
(4) Unless the court otherwise directs any judgment or order given in a claim in which a party is acting as a representative under this rule –
(a) is binding on all persons represented in the claim; but
(b) may only be enforced by or against a person who is not a party to the claim with the permission of the court”.
The judge’s reasoning
The judge provided an uncontroversial summary of the principles governing service of tort claims outside the jurisdiction. (Footnote: 3) He said that the claimant must establish that the claim has a reasonable prospect of success (CPR Part 6.37(1)(b)), there is a good arguable case that each claim advanced falls within one of the jurisdictional gateways in paragraph 3.1 of CPR PD 6B, and England is clearly or distinctly the appropriate place to try the claim (CPR Part 6.37(3)). The only gateway that required consideration was paragraph 3.1(9) of PD 6B, which related to “[a] claim
… in tort where – (a) damage was sustained within the jurisdiction; or (b) the damage was sustained from an act committed within the jurisdiction”.
The judge held first that England was clearly the appropriate place for the claim to be tried, since the representative class was restricted to those in England and Wales. He then said that the real question was whether the impact of the Safari Workaround on the represented class “caused or counts as “damage” for the purposes of paragraph 3.1(9)”.
Since Vidal-Hall had only decided that the claimants’ distress amounting to nonmaterial damage fell within the scope of section 13(1) when interpreted in the light of the Charter, there remained the open question of whether the represented class in this case could show a good arguable case that the conduct complained of did cause or involve anything that was properly characterised as “damage”, for which compensation was recoverable under the DPA. The question of user damages had also not been decided. He concluded that these were questions of law that he should decide. He said that “it was of the essence of the claim that the Court would never need to reach any factual conclusions about the position of any individual claimant”. It followed that there was substantial overlap between the gateway question and the requirement that the claim should have reasonable prospects of success. The latter raised two questions: first, whether the claim disclosed any reasonable basis for seeking compensation under the DPA, and the second, whether there was a real prospect that the court would permit the claim to continue as a representative action under CPR Part 19.6.
The judge decided first that the claim disclosed no reasonable basis for seeking compensation under the DPA. He held that the issue was one of statutory construction, and the wording of both section 13(1) and article 23 required a causal link between the infringement and the damage claimed. That made sense, because it presupposed that some contraventions of the DPA would not result in damage. Other available remedies included rectification, blocking, and erasure of inaccurate data. (Footnote: 4) It could not realistically be said that the conclusion in Vidal-Hall applied where “the breach of duty has caused neither material loss nor emotional harm, and has had no other consequences for the data subject”. It had not been suggested by Mr Lloyd that the Charter required a departure from the proper interpretation of section 13 and article 23.
The judge said that the pleaded case was circular, because it asserted that the commission of the tort had caused compensatable damage, consisting of the commission of the tort. The allegation of loss of control over personal data could be significant and harmful, for example where there was distress as in Vidal-Hall. Even if the persistent delivery of unwanted commercial communications could infringe a person’s right to respect for their autonomy in a way which counted as damage for the purpose of section 13, where it represented a material interference with their freedom of choice over how to lead their life, that was not the case advanced here.
The judge said that he had not been shown any European authority that the pleaded types of loss counted as damage within article 23. Leitner v. TUI Deutschland
GmbH & Co KG (Case-168/00) [2002] All ER (EC) 561 (“Leitner”) tended to suggest that “damage” could sometimes include “non-material damage” but only where “genuine quantifiable damage had occurred”.
The judge then began his consideration of Mr Lloyd’s arguments on Gulati and negotiating damages by saying that his (Mr Lloyd’s) overall approach might be thought to be flawed because the term “damage” in section 13 had to be interpreted in conformity with the causative language there and in article 23.
The judge noted that Gulati was a claim for MPI, and, whilst it was true that “the two torts [had] a common source, in the form of Article 8 of the Convention”, that did not “compel a conclusion that they [were] coterminous”. In any event, Gulati was an exceptional case, and he did not read the Court of Appeal decision as holding that “damages must be awarded for the infringement of the right, in and of itself”. Gulati had decided that damages could be awarded for MPI even in the absence of material loss or distress. There, the defendants’ conduct had, in fact, “adversely affected the claimants’ ability to exercise control over information about themselves, and thus the value of their right to exercise such control, … deserving of substantial (as opposed to nominal) compensation”. R (Lumba) v. Secretary of State for the Home Department [2012] 1 AC 245 at [97-100] (“Lumba”) had held that it was wrong in principle to make an award of vindicatory damages, merely to mark the commission of the wrong. The Court of Appeal in Shaw v. Kovac [2017] EWCA Civ 1028, [2017] 1 WLR 4773 (“Shaw v Kovac”) had refused to award a conventional sum for loss of autonomy, where a surgical operation was conducted without informed consent, holding (per Davis LJ) that “most torts can be said to involve a ‘loss of autonomy’”.
The judge’s conclusions on these points were reinforced by Google’s argument that, on authority, both an award of damages for MPI and under section 13 required a threshold of seriousness or lack of triviality to be crossed. Some claimants would not have minded their data being used as it was, so that the question of whether an individual claimant had suffered damage as a result of the non-consensual use of personal data depended on the facts. It was, the judge said, for the regulator or the criminal law to censure such breaches, not for the court to fashion a penalty based on an artificial notion of damage.
The judge held that the claim to user damages was barred by authority, relying on Patten J’s decision in Murray v. Express Newspapers [2007] EWHC 1908 (Ch), [2007] EMLR 22 (“Murray”). It was wholly artificial to envisage a bargaining process involving the class of claimants in this case, where the only realistic option open to them was to refuse consent. In any event, the personal characteristics and attitudes of the claimants in the class inevitably differ.
On the second question, namely whether there was a real prospect that the court would permit the claim to continue as a representative action under CPR Part 19.6, the judge held that it did not arise if he was right about the absence of damage under the DPA. He nonetheless decided the question in case, as has happened, there was an appeal, and because the two issues overlapped.
The judge held that the fundamental “non-bendable” threshold point was that the class must all have the same interest in the claim, on the basis of facts ascertained or assumed at the relevant time. (Footnote: 5) The representative claim was disqualified here because it was not available unless (a) “every member of the class [had] suffered the same damage (or their share of a readily ascertainable aggregate amount [was] clear)”, and (b) different potential defences were not available in respect of claims by different members of the class. The result would be the same even if he were wrong about what amounted to damage for the purposes of section 13, because the amount of compensation for any individual still depended on the facts, as Mann J had determined in Gulati at [230] when he took £10,000 p.a. as just a starting point for serious levels of hacking. In the present case, for example, some in the claimant class would have been heavy internet users with much BGI taken; it was not credible that all the specified categories of data were obtained by Google from each represented claimant. The same variations would apply if the user principle were applied. Neither the breach of duty nor the impact of it was uniform across the entire class membership. The tariff strategy adopted by Mr Lloyd reflected neither the law nor the factual reality.
As regards the definition of the class, Mummery LJ had said in Emerald Supplies Ltd. v. British Airways plc [2011] Ch 345 (“Emerald Supplies”) at [62] that “[a]t all stages of the proceedings ... it must be possible to say of any particular person whether or not they qualify for membership of the represented class of persons”. Google had been right to say that it was not possible here to identify and exclude unaffected users. Although the definition of the class had been altered to reflect those who could never have been affected, that definition still relied on selfidentification. But the problem was one of verification, and in the absence of a viable method of identifying and excluding individuals, there was an obvious risk that compensation would go to persons who did not suffer damage on any view. In principle, the definition of the class had to be both conceptually sound and workable. It was an inadequate “Micawberite” response to say that there was a huge amount of data in Google’s possession that could be analysed and which would allow determination of whether someone was within the class “in many, perhaps all cases”. There were two risks. A person might come forward honestly to claim compensation which was not in fact due, and there might be abuse.
The judge accepted Google’s case that the court would inevitably exercise its discretion against the continued pursuit of the claim as a representative action. He decided, on his own initiative, to exercise the discretion conferred by CPR Part 19.6(2) as to whether or not to allow the claimant to act as a representative.
In exercising that discretion, the judge accepted that a person might sue in a representative capacity without the authority of those they represent, provided the conditions in CPR 19.6 were met. But the discretion had to be exercised with the overriding objective in mind. (Footnote: 6) He took into account the likely costs, the court time required, and that the compensation that each represented individual was likely to recover would be “modest at best”. He said that the main beneficiaries of any award at the end of this litigation would be “the funders and the lawyers, by a considerable margin”. It was, he said, a striking feature of the case that in the years since the Safari Workaround was publicised, none of the millions of affected people in England and Wales had come forward to “claim, or complain, or to identify [themselves] as a victim” other than Mr Lloyd and the claimants in Vidal-Hall. This action would, the judge thought, not provide a convenient case management tool. It would not be unfair to describe this as officious litigation. Whilst he was not striking out the claim on proportionality grounds, (Footnote: 7) Mr Lloyd should not, he held, even if he were wrong on the first points, “be permitted to consume substantial resources in the pursuit of litigation on behalf of others who have little to gain from it, and have not authorised the pursuit of the claim, nor indicated any concern about the matters to be litigated”. The difficulties of ascertaining whether any given individual is within the class was an additional factor.
Issue 1: Was the judge right to hold that a claimant cannot recover uniform per capita damages for infringement of their data protection rights under section 13 without proving pecuniary loss or distress?
EU or domestic law?
The starting point is the distinction between EU law and domestic law. As the Court of Appeal said in Vidal-Hall at [72]: “[i]t is a well-established principle of EU law that legal terms have an autonomous meaning which will not necessarily accord with their interpretation in domestic law”. (Footnote: 8) In providing that “[a]n individual who suffers damage by reason of any contravention” was entitled to compensation, section 13 was implementing the provision of article 23 to the effect that “any person who has suffered damage as a result of an unlawful processing operation … is entitled to receive compensation”. Accordingly, the language of both is to be construed as a matter of EU law. The reasoning of the ECJ, now the Court of Justice of the European Union (“CJEU”), in Leitner in relation to Directive 90/314/EEC on package travel was based on the express aim of harmonising the law on package holiday compensation across the EU. (Footnote: 9) In the same way, the object of the Directive was to ensure that Member States should protect “the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data”, (Footnote: 10) and to ensure an equivalent level of protection of the rights of individuals with regard to the processing of data. (Footnote: 11) Accordingly, the objectives of article 8 of the Convention were given effect in the Directive.
In 2012, the Charter was introduced and was “addressed to … Member States only when they [were] implementing [EU] law”. (Footnote: 12) Article 8 of the Charter confirmed the protection of data rights covered by the Directive, by providing that everyone had “the
right to the protection of personal data concerning him or her” and that “[s]uch data must be processed fairly for specified purposes and on the basis of the consent of the person concerned”. The DPA was enacted to implement EU law, so the provisions of the Charter became applicable to data rights under the DPA after it was introduced.
For these reasons, it seems to me that this court was right in Vidal-Hall to give an autonomous meaning to article 23 and section 13, and to construe both on the basis that they were giving effect to one aspect of article 8 of the Convention and, in effect also, to article 8 of the Charter. In this connection, it may be noted that article 47 of the Charter provided that everyone whose EU rights are violated has the right to an effective remedy before a tribunal.
The de minimis threshold for a finding of infringement
It was common ground, in this context, that if the court decided that the infringement of the Directive and the DPA was trivial or de minimis it would be entitled to refuse to make an award of what Mr Tomlinson referred to as “loss of control damages”.
What kind of damage can be compensated under article 23 and section 13?
This question needs to be answered against the background that one is answering an EU law question, and that trivial loss will not attract compensation.
I agree with the judge that a domestic approach to statutory construction would point towards the conclusion that section 13 and article 23 required proof of both a contravention and consequent damage, whether pecuniary or non-pecuniary. I do not, however, agree that it is circular to plead that the alleged infringement of the class members’ data protection rights caused a loss of control over their personal data. Indeed, in my view, the key to these claims is the characterisation of the class members’ loss as the loss of control or loss of autonomy over their personal data.
The first question that arises is whether control over data is an asset that has value. That question again should, in this context, be answered as a matter of EU law. In Your Response Limited v. Datateam Business Media Limited [2014] EWCA Civ 281, this court held that, as a matter of English law, an electronic database was not a form of property capable of possession and that, therefore, it could not be subject to a possessory lien. That question may in due course need to be revisited, but it does not, in my judgment affect the answer to the relevant question for current purposes. Even if data is not technically regarded as property in English law, its protection under EU law is clear. It is also clear that a person’s BGI has economic value: for example, it can be sold. It is commonplace for EU citizens to obtain free wi-fi at an airport in exchange for providing their personal data. If they decline to do so, they have to pay for their wi-fi usage. The underlying reality of this case is that Google was able to sell BGI collected from numerous individuals to advertisers who wished to target them with their advertising. That confirms that such data, and consent to its use, has an economic value.
Accordingly, in my judgment, a person’s control over data or over their BGI does have a value, so that the loss of that control must also have a value. In one sense, if that is right, it is sufficient to answer the question of whether, in theory, a person can recover compensation under section 13 and article 23. But it is necessary first to consider whether this kind of loss of control over data can properly be considered damage in the legal sense in which the term “damage” is used in article 23 and section 13.
Gulati
Mr Tomlinson relied strongly on an analogy with the decisions in Gulati. Mr White relied equally strongly on 5 reasons why the judge was right to reject the submission that Gulati led to the conclusion that compensation should be available under section 13 for loss of control of personal data.
It is, therefore, necessary to consider Gulati in some detail. Gulati was a case about MPI, and not the DPA. It is relevant, however, because both Mann J and this court recognised the importance of article 8 of the Convention on which domestic privacy rights were based. Mann J relied on passages from the House of Lords in Campbell v. MGN Ltd [2004] 2 AC 457 (“Campbell v MGN”) at [18], [50-51] and [134], and from the European Court of Human Rights in Armonienè v. Lithuania [2009] EMLR 7 at [38] and in Halford v. United Kingdom (1997) 24 EHRR 523 at [74]-[76]
(“Halford”). Arden LJ (with whom Rafferty and Kitchin LJJ agreed) said in Gulati at [46] that “[p]rivacy is a fundamental right. The reasons for having the right are no doubt manifold. Lord Nicholls put it very succinctly in [Campbell v. MGN] at [12]: “Privacy lies at the heart of liberty in a modern state. A proper degree of liberty is essential for the well-being and development of an individual””.
Mann J, having reviewed the relevant authorities, concluded at [132] that: “[w]hat [was] still open [was] to allow for compensation to be given for the act of misuse itself, where appropriate”. He commented that “the defendant will have helped itself, over an extended period of time, to large amounts of personal and private information and treated it as its own to deal with as it thought fit. There is an infringement of a right which is sustained and serious. While it is not measurable in money terms, that is not necessarily a bar to compensation (distress is not measurable in that way either). Damages awarded to reflect the infringement are not vindicatory in the sense used in Lumba. They are truly compensatory”.
Arden LJ reached the same conclusion at [45]-[48] as follows:- “45. … The essential principle is that, by misusing their private information, MGN deprived the respondents of their right to control the use of private information … The respondents are entitled to be compensated for that loss of control of information as well as for any distress … The scale of the disclosure is a matter which goes to the assessment of the remedy, not to its availability.
…
I agree with Mr Sherborne’s submission on Vidal-Hall. There was no claim in that case beyond damages for distress. I also accept his submission about vindicatory damages. Damages in consequence of a breach of a person’s private rights are not the same as vindicatory damages to vindicate some constitutional right. In the present context, the damages are an award to compensate for the loss or diminution of a right to control formerly private information and for the distress that the respondents could justifiably have felt because their private information had been exploited, and are assessed by reference to that loss”.
Gulati is, therefore, particularly relevant because the underlying rights on which MPI and infringements of the DPA are based are themselves founded on the same principle: namely, that privacy be protected. In considering Gulati in this context, the EU law principles of equivalence and effectiveness should also not be forgotten. The principle of equivalence particularly provides that the detailed procedural rules governing actions for safeguarding an individual’s rights under EU law must be no less favourable than those governing similar domestic actions. Since the torts of MPI and breach of the DPA are undoubtedly similar domestic actions, it would be prima facie inappropriate for the court to apply differing approaches to the meaning of damage. Moreover, the principle of effectiveness provides that a Member State must not render it practically impossible or excessively difficult to exercise rights conferred by EU law. The protection of data is such a right, so this principle too is engaged. (Footnote: 13)
As I have said, Mr White made 5 points in support of the judge’s conclusion on Gulati. First, he said that the judge was right to hold that, whilst the two torts had a common source in the form of article 8 of the Convention, that did not compel the conclusion that they were coterminous. They are indeed not coterminous, but it would, for the reasons I have already given, be odd if they approached the legal nature of damage differently. The actions in tort for MPI and breach of the DPA both protect the individual’s fundamental right to privacy; although they have different derivations, they are, in effect, two parts of the same European privacy protection regime. Mr White’s second point also argued that the judge had been right when he said that it did not help Mr Lloyd to rely on Gulati, as it was domestic authority on a
different tort, which afforded a compensatory remedy for things that would not count as damage under the Directive. (Footnote: 14) This reasoning seems to me to take the first argument no further, whilst assuming what it sets out to prove, namely the scope of the meaning of damage under the Directive.
Mr White’s third point supports the judge’s central reasoning on Gulati, namely that it had not approved the award of damages for the “abstract fact that a person has had their personal information misused”. Instead, Gulati had held that damages for MPI could be awarded in the absence of material loss or distress where the breach of privacy had a significant or material adverse effect on the claimant’s valuable right to choose how, when and to whom their significant personal information was disclosed. Gulati was decided on exceptional facts, which were not comparable to those before this court. (Footnote: 15) This is, in my judgment, a misinterpretation of the court’s decision. Lord
Pannick QC argued for the defendant in Gulati that Mann J had been wrong to hold
that damages could be awarded for mere intrusion into a person’s privacy independently of any distress caused. (Footnote: 16) But that argument was rejected. As Arden LJ said at [48] (cited above): “[i]n the present context, the damages are an award to compensate for the loss or diminution of a right to control formerly private information”. The court in Gulati did not suggest that its decision on the nature of the damage that could be compensated arose from the exceptional nature of the facts. (Footnote: 17)
Fourthly, Mr White suggested that the approach to damages for MPI could not be transposed to the DPA, because there were built-in safeguards for claims for damages in respect of minor misuses of private information, namely the threshold requirement of seriousness and the balancing exercise, whereas Mr Lloyd’s case would give everyone a right to compensation no matter how trivial or inconsequential the breach. As I have said, I understood it to be common ground that the threshold of seriousness applied to section 13 as much as to MPI. That threshold would undoubtedly exclude, for example, a claim for damages for an accidental one-off data breach that was quickly remedied. But that is far from this case. On the case pleaded, every member of the represented class has had their data deliberately and unlawfully misused, for Google’s commercial purposes, without their consent and in violation of their established right to privacy.
Finally, in this connection, Mr White supported the judge’s observation that not everyone objected to Google’s use of their data. It was, therefore, artificial and wrong automatically to characterise the use of personal data as damage without any reference to the circumstances and attitude of the individual concerned and the impact (if any) of the use of their data. In my judgment, this approach misunderstands the nature of the damage alleged. Mr Lloyd alleges that each member of the class has sustained a loss of control as a result of the breach alleged. Each claimant has lost something valuable, namely the right to control their private BGI.
To summarise this aspect of the case, in my judgment the decision in Gulati is (a) relevant, albeit strictly not binding on us as it was not a decision on the DPA, and (b) applicable by analogy, for three main reasons. First, both MPI and section 13 derive from the same core rights to privacy. Secondly, since loss of control over telephone data was held to be damage for which compensation could be awarded in Gulati, it would be wrong in principle if the represented claimants’ loss of control over BGI data could not, likewise, for the purposes of the DPA, also be compensated. Thirdly, the EU law principles of equivalence and effectiveness point to the same approach being adopted to the legal definition of damage in the two torts which both derive from a common European right to privacy.
Other authorities
Thus far, I have tried to deal with the meaning of article 23 and section 13 from first principles in the light of Gulati. As it seems to me, however, there is also some support for the approach I have adopted in a range of authorities cited by the parties.
In Halliday v. Creation Consumer Finance Limited [2013] EWCA Civ 333, the Court of Appeal awarded the claimant £750 for the wrongful processing of his data. Arden LJ said at [35] that it was a “general principle that, where an important European instrument such as data protection had not been complied with, there ought to be an award”, even though there was “no contemporary evidence of any manifestation of injury to feelings and distress apart from what one would normally expect from frustration at these prolonged and protracted events”. It is true, as the judge said, that in that case, the defendant had conceded that an award of nominal damages was “damage” for the purposes of article 23 and section 13, so that the issue of principle did not need to be decided, and the court was making an award for putative distress. (Footnote: 18) That said, Arden LJ’s obiter statement of principle is consistent with her later judgment in Gulati.
The parties in this case and the Gulati decisions also referred to two first instance cases in AAA v. Associated Newspapers Ltd [2012] EWHC 2103 (QB), [2013] EMLR 2 (Nicola Davies J) (“AAA”) and Weller v. Associated Newspapers Ltd [2014] EMLR 24 (Dingemans J) (“Weller”). In both cases, substantial awards of damages were given to children for misuse of photographs taken without their consent. The children were too young to have suffered any distress or other immediate adverse effect. A DPA claim was made in Weller, but not in AAA. Moreover, even though the meaning of damage under the DPA was not fully argued, (Footnote: 19) Dingemans J said at [192] in Weller that “damages for [MPI] should compensate the Claimants for the misuse of their private information”. Again, the cases give some support to the approach that I have indicated, although the underlying issues of principle that arise in this case were, of course, not considered.
Finally, in Halford, the European Court of Human Rights awarded a senior police officer £10,000 in respect of the intrusion into her privacy caused by the interception of her phone calls, where the court declined to accept that stress had been caused by the interception. (Footnote: 20) Again, the case seems to support the proposition that privacy breaches leading to loss of control over data ought to be compensated without proof of distress or pecuniary loss.
Lumba, Shaw v. Kovac and vindicatory damages
In Lumba, the majority in the UK Supreme Court held that the Secretary of State was liable for the tort of false imprisonment, but declined to award more than nominal damages. Lord Dyson said at [100] that it was “one thing to say that the award of compensatory damages, whether substantial or nominal, serves a vindicatory purpose:
in addition to compensating a claimant’s loss, it vindicates the right that has been infringed”, but that it was “another to award a claimant an additional award, not in order to punish the wrongdoer, but to reflect the special nature of the wrong”. Whilst discretionary vindicatory damages might be awarded for breach of a constitutional right in order to reflect the sense of public outrage, it was a big leap to apply that reasoning to any private claim against the executive.
In my judgment, Lumba is not relevant to what we have to decide. First, this is not a private claim against the executive. Secondly, what is in issue here is not a claim to vindicatory damages, but a claim to compensatory damages, as Arden LJ made clear in Gulati at [48]. For the same reason, I do not think that the Court of Appeal’s decision in Shaw v. Kovac (Footnote: 21) has any relevance to this case. Not only did Davis LJ specifically exclude an analogy with privacy cases at [53], but the issues concerning conventional awards and vindicatory damages for physical injuries and loss of life are far removed from those in this case.
Other factors
There was much debate before us about the meaning of non-pecuniary or non-material damage, and whether or not those terms might include loss of control damages of the kind sought by Mr Lloyd. I accept that one cannot interpret a Directive by reference to the Regulation that replaced it. But I have, nonetheless found it helpful although not decisive to consider how the GDPR deals with damage. Article 82.1 of the GDPR provides that a person who has suffered “material or non-material damage as a result of an infringement of this Regulation” should have the right to receive compensation for the damage suffered. More significantly, perhaps, recital 85 to the GDPR notes the following:-
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned”.
Whilst recital 85 is actually concerned with the need to notify such data breaches within 72 hours, it is noteworthy that “loss of control” over personal data is given as an example of the kind of “physical, material or non-material damage” that might be caused to natural persons as a result of a data breach. This, as it seems to me, accords with the conclusion that I have already reached as to the EU law position on the availability of damages for non-trivial data processing breaches in respect of loss of control. It is also worth mentioning that section 169(5) of the Data Protection Act 2018, implementing the GDPR, provides that “damage” includes financial loss and damage not involving financial loss, such as distress. That too is a non-exclusive definition.
Assessment of damage and “user damages”
It will already be apparent that, in my view, the loss of control damages claimed by the represented claimants are properly to be regarded as compensatory in nature. In these circumstances, it is not strictly necessary to consider the argument that they were also, or alternatively, recoverable as “user damages” within the principles most recently explained in One Step. (Footnote: 22) Moreover, user damages are a domestic concept, which might be regarded as a method of assessment of loss and, therefore, properly within the scope of domestic law, even where they are being used to compensate for breach of an EU law right.
I do not think that we should decide at this stage whether the represented claimants might be able to recover damages calculated on One Step principles. First, it is not necessary to do so. Secondly, it may involve a more detailed consideration of the nature of the right that has been infringed. Thirdly, it is an area of developing law that is best left to be decided once the facts of the infringement have been found.
That said, I can see no reason in principle why it is not, at least, fairly arguable that damages might in this case be assessed on the user basis. Having referred to many cases, (Footnote: 23) Lord Reed held in One Step at [30] that in those cases “the courts have treated user damages as providing compensation for loss, albeit not loss of a conventional kind”. (Footnote: 24) He explained that, where unlawful use is made of property, and the right to control such use is a valuable asset, the owner suffers a loss of a different kind, which calls for a different method of assessing damages. Lord Reed then said that in that situation “the person who makes wrongful use of the property prevents the owner from exercising his right to obtain the economic value of the use in question, and should therefore compensate him for the consequent loss”. That may or not be applicable in a case where the asset is a non-rivalrous one (which BGI may be, because it can theoretically be sold to or used by multiple individuals simultaneously without necessarily reducing its value). (Footnote: 25) Lord Reed concluded that paragraph with a summary that resonates in this situation, saying: “[p]ut shortly, [the defendant] takes something for nothing, for which the owner was entitled to require payment”.
In these circumstances, it seems to me that we should not at this stage of the litigation engage, as the judge did, with the possible artificiality of the exercise of assessing a fee for the notional release of the right. (Footnote: 26) It is sufficient to say that I do not think the judge was justified in relying on Patten J’s judgment in Murray, when that judge’s decision on the data protection aspect of the case was reversed by the Court of Appeal, and his conclusion on the meaning of “damage” in section 13 was expressly doubted. (Footnote: 27) There is a clear justification for the possible application of user damages to this situation in [95(1)-(5)] of Lord Reed’s judgment, [120] of Lord Sumption’s judgment, and [135] of Lord Carnwath’s judgment in One Step.
Conclusion on whether the represented claimants can claim to have sustained
“damage” under article 23 and section 13
For the reasons, I have given, I would conclude that damages are in principle capable of being awarded for loss of control of data under article 23 and section 13, even if there is no pecuniary loss and no distress. The words in section 13 “[an] individual who suffers damage by reason of [a breach] is entitled to compensation” justify such an interpretation, when read in the context of the Directive and of article 8 of the Convention and article 8 of the Charter, and having regard to the decision in Gulati. Only by construing the legislation in this way can individuals be provided with an effective remedy for the infringement of such rights.
It is true, as the judge said, that other remedies, apart from damages are theoretically available. Injunctive and declaratory relief can be sought, and rectification, blocking and erasure of data are available under article 12 of the Directive and section 14 of the DPA. It is noteworthy, however, that in this case, the breaches alleged would go unremedied in the absence of damages being available.
It is not necessary under this heading to decide whether uniform per capita damages are the appropriate remedy, since that is more relevant to the next question, namely whether the members of the class that Mr Lloyd purports to represent have the same interest.
Issue 2: Was the judge was right to hold that the members of the class did not have the same interest under CPR Part 19.6(1) and were not identifiable?
The same interest
The persons represented in a claim brought under CPR Part 19.6 must have the “same interest” in the claim. Those words have been repeatedly considered in cases since The Duke of Bedford v. Ellis [1901] A.C. 1 (“The Duke of Bedford”) and Markt & Co v. Knight Steamship Company [1910] 2 K.B. 1021 (“Markt”). (Footnote: 28) Many of the cases concerned contractual rights, which raise rather different issues from those in this case. Moreover, the cases have not all spoken with one voice. I confess to not having derived much assistance from looking at the historical twists and turns. We must be bound by the rule and the latest authoritative and relevant interpretation of it. The latest authoritative statement was in Emerald Supplies where it was held that a representative claim could not be brought where it was alleged that the defendant had engaged in a concerted practice to fix prices for airfreight for the importation of cut
flowers into the UK in contravention of article 81(1) of the EU treaty (now article 101(1)). Mummery LJ (with whom Toulson and Rimer LJJ agreed) said the following at [62]-[65]:
“62. … The fundamental requirement for a representative action is that those represented in the action have “the same interest” in it. At all stages of the proceedings, and not just at the date of judgment at the end, it must be possible to say of any particular person whether or not they qualify for membership of the represented class of persons by virtue of having “the same interest” as Emerald.
63. This does not mean that the membership of the group must remain constant and closed throughout. It may indeed fluctuate. It does not have to be possible to compile a complete list when the litigation begins as to who is in the class or group represented. The problem in this case is not with changing membership. It is a prior question how to determine whether or not a person is a member of the represented class at all. Judgment in the action for a declaration would have to be obtained before it could be said of any person that they would qualify as someone entitled to damages against BA. …
64. A second difficulty is that the members of the represented class do not have the same interest in recovering damages for breach of competition law if a defence is available in answer to the claims of some of them, but not to the claims of others …
65. In brief, the essential point is that the requirement of identity of interest of the members of the represented class for the proper constitution of the action means that it must be representative at every stage, not just at the end point of judgment. If represented persons are to be bound by a judgment that judgment must have been obtained in proceedings that were properly constituted as a representative action before the judgment was obtained. …”
The fact that, as Megarry J said in John v. Rees (1970) Ch 345 at 370, the rule is to be “treated as being not a rigid matter of principle but a flexible tool of convenience in the administration of justice” cannot mean that the “same interest” test can be abrogated.
In my judgment, however, the judge applied too stringent a test of “same interest”, partly I think because of his determination as to the meaning of “damage”. Once it is understood that the claimants that Mr Lloyd seeks to represent will all have had their BGI – something of value - taken by Google without their consent in the same circumstances during the same period, and are not seeking to rely on any personal circumstances affecting any individual claimant (whether distress or volume of data abstracted), the matter looks more straightforward. The represented class are all victims of the same alleged wrong, and have all sustained the same loss, namely loss of control over their BGI. Mr Tomlinson disavowed, as I have said, reliance on any
facts affecting any individual represented claimant. That concession has the effect, of course, of reducing the damages that can be claimed to what may be described as the lowest common denominator. But it does not, I think, as the judge held, mean that the represented claimants do not have the same interest in the claim. Finally, in this connection, once the claim is understood in the way I have described, it is impossible to imagine that Google could raise any defence to one represented claimant that did not apply to all others. The wrong is the same, and the loss claimed is the same. The represented parties do, therefore, in the relevant sense have the same interest. Put in the more old-fashioned language of Lord Macnaghten in The Duke of Bedford at [8], the represented claimants have a “common interest and a common grievance” and “the relief sought [is] in its nature beneficial to all”.
I have considered whether there might be injustice in allowing Mr Lloyd to represent individuals who may have sustained significant pecuniary loss or distress as a result of the data breach alleged. But since the limitation period has now expired, and represented claimants could, at least in theory, seek to be joined as parties if they wished to claim additional losses, I cannot see that there is any injustice in the pleaded claim proceeding as a representative one.
The judge explained (Footnote: 29) why he thought that the breaches and the losses would vary across the represented class. He was concentrating on the amount of data removed without consent and the differing impact on individual represented claimants. He thought that no tariff approach could work because, even in Gulati, there had not been a fixed sum awarded for loss of control to each claimant (even though £10,000 was the starting point). In my view, however, this approach did not pay adequate regard to the way that Mr Lloyd put his case. If individual circumstances are disavowed, the representative claimant could, be entitled to claim a uniform sum in respect of the loss of control of data sustained by each member of the represented class. The sum will be much less than it might be if individual circumstances were taken into account, but it will not be nothing for the reasons I have given in answering the first issue. It will take into account, at least, the facts of the tort proved against Google generically, and the effect, in terms of loss of control of personal data, that the breaches would have on any person affected by Google’s unlawful actions.
It seems to me that allowing a representative action in a case of this kind is not so much an exception to the rule as was suggested in argument as being illustrated by cases such as EMI Records Ltd. v. Riley [1981] 1 W.L.R. 923 and Independiente Ltd v. Music Trading On-Line (HK) Ltd. [2003] EWHC 470 (Ch), but rather an application of the rule. The represented class does indeed have the same interest, provided of course it satisfies the rule as to identification that is clearly expressed in the passage I have cited from Emerald.
Identification of the class
The judge explained at [94]-[98] why he was not convinced that Mr Lloyd’s class definition was, after amendment to take account of the evidential points made by Google, unassailably appropriate. He rejected two methods by which the class would be made certain before the trial: (a) by disclosure from Google, and (b) by selfcertification of class members. He rejected the former as “Micawberite”, and the latter as open both to honest error and abuse.
The judge saw the problem as one of verification, and determined that the class was not identifiable because he held that the class definition had to be “workable” in addition to “conceptually sound”. In my judgment, the only applicable test is that “it must be possible to say of any particular person whether or not they qualify for membership of the represented class of persons by virtue of having” the same interest as Mr Lloyd “[a]t all stages of the proceedings, and not just at the date of judgment”. I cannot see why that test is not satisfied here. Every affected person will, in theory, know whether he satisfies the conditions that Mr Lloyd has specified. Also, the data in possession of Google will be able to identify who is, and who is not, in the class. Both exercises can be undertaken at any time. It is true that some persons’ memories may be at fault, and that there could, in theory, be abuse, but those factors are practical ones, not ones that affect the formal ability to identify the class. It has repeatedly been said that the number of claimants cannot itself affect the ability to use the representative procedure. (Footnote: 30)
In my judgment, therefore, the judge ought to have held that the members of the represented class had the same interest under CPR Part 19.6(1) and that they were identifiable.
Issue 3: Can the judge’s exercise of discretion be vitiated?
The judge said that he would have exercised his discretion against allowing the claim to continue whatever he had decided on the first two issues. That may well be the case, but I think it would be hard for the detached observer to accept that he was not, in any way, influenced in the exercise of his discretion by what he had decided on the first two issues.
Mr Lloyd contends that the judge took several matters into account that he ought not to have done, namely: (a) his view that the main beneficiaries of the claim would be the funders and the lawyers, (b) the fact that the litigation would generate significant costs and that the amount recovered by each class member would be modest, (c) that none of the millions of affected individuals had come forward to complain, (d) the inability to identify the members of the class, and (e) that the members of the class had not authorised the claim.
Whilst I accept that the judge might have been better to invite argument on the first two matters I have mentioned, I think he was justified in taking them into account. Likewise, the judge may have been justified in taking into account the factual position as to the absence of complainers. The same cannot, however, be said of the latter two matters, both of which were irrelevant to his discretion. The class was, as I have already said, identifiable. It is well established that the members of a represented class do not have to have authorised the claim. (Footnote: 31)
In these circumstances, it is open to this court to exercise its discretion afresh.
As the judge himself said, this representative action is in practice the only way in which these claims can be pursued. I do not accept the judge’s characterisation of this claim as “officious litigation”. To the contrary, this case, quite properly if the allegations are proved, seeks to call Google to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit. It is not disproportionate to pursue such litigation in circumstances where, as was common ground, there will, if the judge were upheld, be no other remedy. The case may be costly and may use valuable court resources, but it will ensure that there is a civil compensatory remedy for what appear, at first sight, to be clear, repeated and widespread breaches of Google’s data processing obligations and violations of the Convention and the Charter.
I have considered carefully all the factors raised by both sides and have concluded that this is a claim which, as a matter of discretion, should be allowed to proceed.
Conclusions
For the reasons I have tried to give as shortly as possible, I take the view that the judge ought to have held: (a) that a claimant can recover damages for loss of control of their data under section 13 of DPA, without proving pecuniary loss or distress, and (b) that the members of the class that Mr Lloyd seeks to represent did have the same interest under CPR Part 19.6(1) and were identifiable.
The judge exercised his discretion as to whether the action should proceed as a representative action on the wrong basis and this court can exercise it afresh. If the other members of the court agree, I would exercise our discretion so as to allow the action to proceed.
I would, therefore, allow the appeal, and make an order granting Mr Lloyd permission to serve the proceedings on Google outside the jurisdiction of the court.
Lord Justice Davis:
I agree.
Dame Victoria Sharp P:
I also agree.