Richard Lloyd v Google LLC

JurisdictionEngland & Wales
CourtCourt of Appeal
JudgeSir Geoffrey Vos C,Lord Justice Davis,Dame Victoria Sharp P
Judgment Date02 Oct 2019
Neutral Citation[2019] EWCA Civ 1599
Docket NumberAppeal Ref: A2/2018/2769

[2019] EWCA Civ 1599

IN THE COURT OF APPEAL (CIVIL DIVISION)

ON APPEAL FROM THE HIGH COURT OF JUSTICE

QUEENS' BENCH DIVISION

MEDIA AND COMMUNICATIONS LIST

The Honourable Mr Justice Warby

Royal Courts of Justice

Strand, London, WC2A 2LL

Before:

Dame Victoria Sharp, PRESIDENT OF THE QUEEN'S BENCH DIVISION

Sir Geoffrey Vos, CHANCELLOR OF THE HIGH COURT

and

Lord Justice Davis

Appeal Ref: A2/2018/2769

Case No: HQ17M01913

Between:
Richard Lloyd
Claimant/Appellant
and
Google LLC
Defendant/Respondent

Mr Hugh Tomlinson QC, Mr Oliver Campbell QC and Ms Victoria Wakefield QC (instructed by Mishcon de Reya LLP) for the Appellant

Mr Antony White QC and Mr Edward Craven (instructed by Pinsent Masons LLP) for the Respondent

Hearing dates: 16 th and 17 th July 2019

Approved Judgment

Sir Geoffrey Vos C

Introduction

1

The claimant, Mr Richard Lloyd (“Mr Lloyd”), is a champion of consumer protection. This action seeks damages against Google LLC, the defendant, a Delaware corporation (“Google”). Mr Lloyd makes the claim on behalf of a class of more than 4 million Apple iPhone users. It is alleged that Google secretly tracked some of their internet activity, for commercial purposes, between 9 th August 2011 and 15 th February 2012.

2

Warby J dismissed Mr Lloyd's application for permission to serve Google outside the jurisdiction on the basis that: (a) none of the represented class had suffered “damage” under section 13 of the Data Protection Act 1998 (the “ DPA”), (b) the members of the class did not anyway have the “same interest” within CPR Part 19.6(1) so as to justify allowing the claim to proceed as a representative action, and (c) the judge of his own initiative exercised his discretion under CPR Part 19.6(2) against allowing the claim to proceed.

3

The appeal against the judge's decision raises some important issues that were not decided by this court in Vidal-Hall v. Google Inc [2015] EWCA Civ 311 (“ Vidal-Hall”). Vidal-Hall was argued on the basis of analogous underlying facts, but with one crucial difference; in that case, the individual claimants claimed damages for distress as a result of Google's breaches of the DPA. In this case, Mr Lloyd claims a uniform amount by way of damages on behalf of each person within the defined class without seeking to allege or prove any distinctive facts affecting any of them, save that they did not consent to the abstraction of their data.

4

Against that background, the main issues raised by the appeal are: (a) whether the judge was right to hold that a claimant cannot recover uniform per capita damages for infringement of their data protection rights under section 13 of the DPA, without proving pecuniary loss or distress, (b) whether the judge was right to hold that the members of the class did not have the same interest under CPR Part 19.6(1) and were not identifiable, and (c) whether the judge's exercise of discretion can be vitiated.

5

Mr Lloyd made a preliminary challenge to the judge's decision to deal with the points of law arising at this early stage. In my view, however, that challenge can be quickly resolved. The judge was right to deal with the points of law identified by reference primarily to the pleaded facts. No extensive factual evaluation was needed, and it was better to confront at once the clear legal issues that arose.

6

Mr Hugh Tomlinson QC, leading counsel for Mr Lloyd, relied primarily on the decisions of Mann J and the Court of Appeal in Gulati v. MGN Limited [2015] EWHC 1482 (Ch) (Mann J), [2015] EWCA Civ 1291 (CA) (“ Gulati”) to argue that, if damages are available without proof of pecuniary loss or distress for the tort of misuse of private information (“MPI”), they should also be available for a non-trivial infringement of the DPA. Both claims are derived from the same fundamental right to data protection contained in article 8 of the Charter of Fundamental Rights of the European Union 2012/C 326/02 (the “Charter”): “[e]veryone has the right to the protection of personal data concerning him or her”. That right is reinforced by article 47 requiring that “[e]veryone whose rights and freedoms guaranteed by the law of the Union are violated has the right to an effective remedy before a tribunal …”. Further, Mr Tomlinson contended that those in the represented class were entitled to “user damages” or what the Supreme Court has now called “negotiating damages” (see One Step (Support) Ltd v. Morris-Garner [2018] UKSC 20, [2018] 2 WLR 1353 (“ One Step”)).

7

Mr Tomlinson accepted that this action, if allowed to proceed, would be an unusual and innovative use of the representative procedure in CPR Part 19.6. But he submitted that the authorities did not always prevent representative actions for damages. Here, there was no relevant factual distinction between the pleaded claims of any of the represented class, nor could Google raise any individual defence. The judge, argued Mr Tomlinson, exercised his undoubted discretion under CPR Part 19.6(2) on the wrong basis.

8

Conversely, Mr Antony White QC, leading counsel for Google, submitted that both article 23.1 of the Data Protection Directive (the “Directive”), 1 and section 13(1) of the DPA require proof of causation and consequential damage. The Directive requires Member States to provide that “any person who has suffered damage as a result of an unlawful processing operation” or any contravention of the DPA is entitled to receive compensation, and the DPA provides that “an individual who suffers damage by reason of any contravention” is entitled to compensation for that damage. Mr White contended that Gulati did not approve an award of damages for the abstract fact that a person has had their personal information misused. It held only that damages for MPI could be awarded in the absence of material loss or distress where the defendant's breach of privacy had a significant adverse effect on the claimant's right to choose when and to whom their information was disclosed. Mr White submitted that user damages should not be made available simply because that might be a just course to adopt.

9

Mr White submitted that the authorities clearly prevented a representative claim for damages save in exceptional circumstances that did not exist here. Allowing such a claim would be an inadmissible use of the procedure; only Parliament could introduce a new regime to allow such a claim. The judge had been right to hold that the definition of the represented class had to be conceptually sound and workable. Actions could not be pursued on behalf of persons who were not identifiable before judgment and perhaps not even identifiable then. The judge's discretion had been exercised on an appropriate basis and could not be interfered with.

10

I will return to these arguments in more detail, but first, I should set out the essential elements of factual background, statutory provisions, and the judge's reasoning.

Factual background

11

The judge explained the technical background to the claim in terms that I am happy to adopt as follows:-

“7. The case concerns the acquisition and use of browser generated information or “BGI”. This is information about an individual's internet use which is automatically submitted to websites and servers by a browser, upon connecting to the internet. BGI will include the IP address of the computer or other device which is connecting to the internet, and the address or URL of the website which the browser is displaying to the user. As is well-known, “cookies” can be placed on a user's device, enabling the placer of the cookie to identify and track internet activity undertaken by means of that device.

8. Cookies can be placed by the website or domain which the user is visiting, or they may be placed by a domain other than that of the main website the user is visiting (“Third Party Cookies”). Third Party Cookies can be placed on a device if the main website visited by the user includes content from the third party domain. Third Party Cookies are often used to gather information about internet use, and in particular sites visited over time, to enable the delivery to the user of advertisements tailored to the interests apparently demonstrated by a user's browsing history (“Interest Based Adverts”).

9. Google had a cookie known as the “DoubleClick Ad cookie” which could operate as a Third Party Cookie. It would be placed on a device if the user visited a website that included content from Google's Doubleclick domain. The purpose of the DoubleClick Ad cookie was to enable the delivery and display of Interest Based Adverts.

10. Safari is a browser developed by Apple. At the relevant time, unlike most other internet browsers, all relevant versions of Safari were set by default to block Third Party Cookies. However, a blanket application of these default settings would prevent the use of certain popular web functions, so Apple devised some exceptions to the default settings. These exceptions were in place until March 2012, when the system was changed. But in the meantime, the exceptions enabled Google to devise and implement the Safari Workaround. Stripped of technicalities, its effect was to enable Google to set the DoubleClick Ad cookie on a device, without the user's knowledge or consent, immediately, whenever the user visited a website that contained DoubleClick Ad content.

11. This enabled Google to identify visits by the device to any website displaying an advertisement from its vast advertising network, and to collect considerable amounts of information. It could tell the date and time of any visit to a given website, how long the user spent there, which pages were visited for how long, and what ads were viewed for how long. In some cases, by means of the IP address of the browser, the user's approximate geographical location could be identified. Over time, Google could and did collect information as to the...

To continue reading

Request your trial
7 cases
  • Lloyd v Google LLC
    • United Kingdom
    • Supreme Court
    • 10 November 2021
    ...this case described as “an unusual and innovative use of the representative procedure” in rule 19.6 of the Civil Procedure Rules: see [2019] EWCA Civ 1599; [2020] QB 747, para 7. This is a procedure of very long standing in England and Wales whereby a claim can be brought by (or against) ......
  • Yvonne Ameyaw v Christina McGoldrick
    • United Kingdom
    • Queen's Bench Division
    • 12 November 2020
    ...beyond material loss, and covers non-material harm (such as distress) and loss of control over personal data: see Lloyd v Google LLC [2019] EWCA Civ 1599; [2020] QB 747 [3], [45–47]. The Particulars of Claim do not clearly identify the damage said to follow from this alleged wrongdoing, b......
  • Petr Aven v Orbis Business Intelligence Ltd
    • United Kingdom
    • Queen's Bench Division
    • 8 July 2020
    ...interferes with the data subject's control over his data, even if this does not cause material damage or distress: Lloyd v Google LLC [2019] EWCA Civ 1599 [2020] 2 WLR 484. These, although not natural interpretations of the terms of s 13, have been held to be necessary by reason of the pa......
  • Harrison Jalla and Others v Royal Dutch Shell Plc
    • United Kingdom
    • Queen's Bench Division (Technology and Construction Court)
    • 14 August 2020
    ...If that is not what he was saying, I would respectfully disagree with his approach because, as was clearly stated in Lloyd v Google [2020] 2 WLR 484 at [74]: “The fact that … the rule is to be “treated as being not a rigid matter of principle but a flexible tool of convenience in the admin......
  • Request a trial to view additional results
9 firm's commentaries
  • Cybersecurity Comparative Guide
    • United Kingdom
    • Mondaq UK
    • 28 July 2020
    ...theory) allow data subjects to make a claim in the tort of negligence or in the tort of misuse of private information (Lloyd v Google [2019] EWCA Civ 1599). A fundamental requirement for a class action is that the individuals represented in the action all have the 'same interest'. Particula......
  • Data Privacy Comparative Guide
    • United Kingdom
    • Mondaq UK
    • 12 November 2020
    ...of rogue employees is covered (typically, cover will be on the conditions that the preceding points are satisfied) Lloyd v Google LLC [2019] EWCA Civ 1599: This data protection class action against Google sets a precedent for representative opt-out style class actions for data protection br......
  • English Court of Appeal Upholds Data Protection Rights and Expands Scope for Representative Actions
    • United Kingdom
    • JD Supra United Kingdom
    • 22 October 2019
    ...will continue to apply when the U.K. leaves the EU. Footnotes [1] The English equivalent of a class action. [2] Lloyd v Google LLC [2019] EWCA Civ 1599. [3] The data protection regime in place prior to the [View source.] James MatthewsSusanna Charlwood...
  • Claimants Come Up Trumps In Defamatory Personal Data Breach
    • United Kingdom
    • Mondaq UK
    • 13 October 2020
    ...were recoverable, pointing to the Court of Appeal's decisions in Vidal-Hall v Google Inc [2015] EWCA Civ 311 and Lloyd v Google LLC [2019] EWCA Civ 1599 (see here for our update on that case). The former provides that 'damage' is not confined to material loss so compensation for distress is......
  • Request a trial to view additional results

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT