Richard Lloyd v Google LLC
|England & Wales
|Sir Geoffrey Vos C,Lord Justice Davis,Dame Victoria Sharp P
|02 October 2019
| EWCA Civ 1599
|Court of Appeal (Civil Division)
|Appeal Ref: A2/2018/2769
 EWCA Civ 1599
IN THE COURT OF APPEAL (CIVIL DIVISION)
ON APPEAL FROM THE HIGH COURT OF JUSTICE
QUEENS' BENCH DIVISION
MEDIA AND COMMUNICATIONS LIST
The Honourable Mr Justice Warby
Royal Courts of Justice
Strand, London, WC2A 2LL
Dame Victoria Sharp, PRESIDENT OF THE QUEEN'S BENCH DIVISION
Sir Geoffrey Vos, CHANCELLOR OF THE HIGH COURT
Lord Justice Davis
Appeal Ref: A2/2018/2769
Case No: HQ17M01913
Mr Hugh Tomlinson QC, Mr Oliver Campbell QC and Ms Victoria Wakefield QC (instructed by Mishcon de Reya LLP) for the Appellant
Mr Antony White QC and Mr Edward Craven (instructed by Pinsent Masons LLP) for the Respondent
Hearing dates: 16 th and 17 th July 2019
The claimant, Mr Richard Lloyd (“Mr Lloyd”), is a champion of consumer protection. This action seeks damages against Google LLC, the defendant, a Delaware corporation (“Google”). Mr Lloyd makes the claim on behalf of a class of more than 4 million Apple iPhone users. It is alleged that Google secretly tracked some of their internet activity, for commercial purposes, between 9 th August 2011 and 15 th February 2012.
Warby J dismissed Mr Lloyd's application for permission to serve Google outside the jurisdiction on the basis that: (a) none of the represented class had suffered “damage” under section 13 of the Data Protection Act 1998 (the “ DPA”), (b) the members of the class did not anyway have the “same interest” within CPR Part 19.6(1) so as to justify allowing the claim to proceed as a representative action, and (c) the judge of his own initiative exercised his discretion under CPR Part 19.6(2) against allowing the claim to proceed.
The appeal against the judge's decision raises some important issues that were not decided by this court in (“ ”). DPA. was argued on the basis of analogous underlying facts, but with one crucial difference; in that case, the individual claimants claimed damages for distress as a result of Google's breaches of the In this case, Mr Lloyd claims a uniform amount by way of damages on behalf of each person within the defined class without seeking to allege or prove any distinctive facts affecting any of them, save that they did not consent to the abstraction of their data.
Against that background, the main issues raised by the appeal are: (a) whether the judge was right to hold that a claimant cannot recover uniform per capita damages for infringement of their data protection rights under section 13 of the DPA, without proving pecuniary loss or distress, (b) whether the judge was right to hold that the members of the class did not have the same interest under CPR Part 19.6(1) and were not identifiable, and (c) whether the judge's exercise of discretion can be vitiated.
Mr Lloyd made a preliminary challenge to the judge's decision to deal with the points of law arising at this early stage. In my view, however, that challenge can be quickly resolved. The judge was right to deal with the points of law identified by reference primarily to the pleaded facts. No extensive factual evaluation was needed, and it was better to confront at once the clear legal issues that arose.
Mr Hugh Tomlinson QC, leading counsel for Mr Lloyd, relied primarily on the decisions of Mann J and the Court of Appeal in DPA. (Mann J), (“ ”) to argue that, if damages are available without proof of pecuniary loss or distress for the tort of misuse of private information (“MPI”), they should also be available for a non-trivial infringement of the Both claims are derived from the same fundamental right to data protection contained in article 8 of the Charter of Fundamental Rights of the European Union 2012/C 326/02 (the “Charter”): “[e]veryone has the right to the protection of personal data concerning him or her”. That right is reinforced by article 47 requiring that “[e]veryone whose rights and freedoms guaranteed by the law of the Union are violated has the right to an effective remedy before a tribunal …”. Further, Mr Tomlinson contended that those in the represented class were entitled to “user damages” or what the Supreme Court has now called “negotiating damages” (see , (“ ”)).
Mr Tomlinson accepted that this action, if allowed to proceed, would be an unusual and innovative use of the representative procedure in CPR Part 19.6. But he submitted that the authorities did not always prevent representative actions for damages. Here, there was no relevant factual distinction between the pleaded claims of any of the represented class, nor could Google raise any individual defence. The judge, argued Mr Tomlinson, exercised his undoubted discretion under CPR Part 19.6(2) on the wrong basis.
Conversely, Mr Antony White QC, leading counsel for Google, submitted that both article 23.1 of the Data Protection Directive (the “Directive”), 1 and section 13(1) of the DPA require proof of causation and consequential damage. The Directive requires Member States to provide that “any person who has suffered damage as a result of an unlawful processing operation” or any contravention of the DPA is entitled to receive compensation, and the DPA provides that “an individual who suffers damage by reason of any contravention” is entitled to compensation for that damage. Mr White contended that did not approve an award of damages for the abstract fact that a person has had their personal information misused. It held only that damages for MPI could be awarded in the absence of material loss or distress where the defendant's breach of privacy had a significant adverse effect on the claimant's right to choose when and to whom their information was disclosed. Mr White submitted that user damages should not be made available simply because that might be a just course to adopt.
Mr White submitted that the authorities clearly prevented a representative claim for damages save in exceptional circumstances that did not exist here. Allowing such a claim would be an inadmissible use of the procedure; only Parliament could introduce a new regime to allow such a claim. The judge had been right to hold that the definition of the represented class had to be conceptually sound and workable. Actions could not be pursued on behalf of persons who were not identifiable before judgment and perhaps not even identifiable then. The judge's discretion had been exercised on an appropriate basis and could not be interfered with.
I will return to these arguments in more detail, but first, I should set out the essential elements of factual background, statutory provisions, and the judge's reasoning.
The judge explained the technical background to the claim in terms that I am happy to adopt as follows:-
“7. The case concerns the acquisition and use of browser generated information or “BGI”. This is information about an individual's internet use which is automatically submitted to websites and servers by a browser, upon connecting to the internet. BGI will include the IP address of the computer or other device which is connecting to the internet, and the address or URL of the website which the browser is displaying to the user. As is well-known, “cookies” can be placed on a user's device, enabling the placer of the cookie to identify and track internet activity undertaken by means of that device.
8. Cookies can be placed by the website or domain which the user is visiting, or they may be placed by a domain other than that of the main website the user is visiting (“Third Party Cookies”). Third Party Cookies can be placed on a device if the main website visited by the user includes content from the third party domain. Third Party Cookies are often used to gather information about internet use, and in particular sites visited over time, to enable the delivery to the user of advertisements tailored to the interests apparently demonstrated by a user's browsing history (“Interest Based Adverts”).
9. Google had a cookie known as the “DoubleClick Ad cookie” which could operate as a Third Party Cookie. It would be placed on a device if the user visited a website that included content from Google's Doubleclick domain. The purpose of the DoubleClick Ad cookie was to enable the delivery and display of Interest Based Adverts.
10. Safari is a browser developed by Apple. At the relevant time, unlike most other internet browsers, all relevant versions of Safari were set by default to block Third Party Cookies. However, a blanket application of these default settings would prevent the use of certain popular web functions, so Apple devised some exceptions to the default settings. These exceptions were in place until March 2012, when the system was changed. But in the meantime, the exceptions enabled Google to devise and implement the Safari Workaround. Stripped of technicalities, its effect was to enable Google to set the DoubleClick Ad cookie on a device, without the user's knowledge or consent, immediately, whenever the user visited a website that contained DoubleClick Ad content.
11. This enabled Google to identify visits by the device to any website displaying an advertisement from its vast advertising network, and to collect considerable amounts of information. It could tell the date and time of any visit to a given website, how long the user spent there, which pages were visited for how long, and what ads were viewed for how long. In some cases, by means of the IP address of the browser, the user's approximate geographical location could be identified. Over time, Google could and did collect information as to the...
To continue readingRequest your trial
Lloyd v Google LLC
...UKSC 50 before Lord Reed, President Lady Arden Lord Sales Lord Leggatt Lord Burrows Supreme Court Michaelmas Term On appeal from:  EWCA Civ 1599 Appellant Antony White Edward Craven (Instructed by Pinsent Masons LLP (London)) Respondent Hugh Tomlinson QC Oliver Campbell QC Victoria Wa......
Harrison Jalla and Others v Royal Dutch Shell Plc
...If that is not what he was saying, I would respectfully disagree with his approach because, as was clearly stated in Lloyd v Google  2 WLR 484 at : “The fact that … the rule is to be “treated as being not a rigid matter of principle but a flexible tool of convenience in the admin......
SMO (a child represented by Anne Longfield as litigation friend) acting as a representative claimant pursuant to CPR 19.6 v TikTok Inc.
...about the matters to be litigated”: –. 12 The Court of Appeal handed down judgment, reversing Warby J, on 2 October 2019  QB 747. It took a very different view of the merits of the representative claim. The Court of Appeal regarded the fact that the members of the represent......
Yvonne Ameyaw v Christina McGoldrick
...beyond material loss, and covers non-material harm (such as distress) and loss of control over personal data: see Lloyd v Google LLC  EWCA Civ 1599;  QB 747 , [45–47]. The Particulars of Claim do not clearly identify the damage said to follow from this alleged wrongdoing, b......
Cybersecurity Comparative Guide
...theory) allow data subjects to make a claim in the tort of negligence or in the tort of misuse of private information (Lloyd v Google  EWCA Civ 1599). A fundamental requirement for a class action is that the individuals represented in the action all have the 'same interest'. Particula......
Data Privacy Comparative Guide
...of rogue employees is covered (typically, cover will be on the conditions that the preceding points are satisfied) Lloyd v Google LLC  EWCA Civ 1599: This data protection class action against Google sets a precedent for representative opt-out style class actions for data protection br......
English Court Of Appeal Upholds Data Protection Rights And Expands Scope For Representative Actions
...GDPR will continue to apply when the U.K. leaves the EU. Footnotes 1 The English equivalent of a class action. 2 Lloyd v Google LLC  EWCA Civ 1599. 3 The data protection regime in place prior to the The content of this article is intended to provide a general guide to the subject matt......
Data Protection Hot Topics - Thinkhouse (Video)
...understanding that there is a de-minimis threshold for compensation comes from the Court of Appeal decision in Lloyd v Google in  [EWCA Civ 1599] despite that decision otherwise being helpful for claimants. The decision refers to the threshold for seriousness applying to claims under ......
Confidential Information and Data Protection
...v Michael Reed  SGHC 125 at . It should also be noted here that the English Court of Appeal decision in Lloyd v Google LLC  EWCA Civ 1599, which was relied upon by Reed on this point, has now been overturned by the UK Supreme Court: see Lloyd v Google LLC  UKSC 50. 91 ......