Data Protection – October 2019

Binary Code Print publication


Developments in group data breach claims; update on EU-US Privacy Shield; latest from the ICO; cybersecurity update; and more.

Court of Appeal gives go-ahead to representative action against Google…

The Court of Appeal has reversed an earlier High Court decision and given the go-ahead to a representative action brought against Google by Richard Lloyd (the former executive director of consumer organisation Which?) on his own behalf and on behalf of an estimated class of 4.4 million people [1]. A representative action is one of the currently available methods for bringing collective proceedings in England and Wales.

The decision is significant because it clears the way for an “opt-out” group data breach claim. It does not have to be possible to compile a complete list when the litigation begins as to who is in the class or group represented, the members of the class do not have to have authorised the claim, and compensation can in principle be awarded without having to prove financial loss or distress. Even where the amount of compensation awarded is low, the potential financial exposure could be considerable. While the case concerns the old data protection regime, the same interpretation is likely to apply in relation to the General Data Protection Regulation (GDPR) and new Data Protection Act 2018.

By way of background, the claim alleges that Google acted in breach of the duty imposed by section 4(4) of the Data Protection Act 1998 (the Act) by placing cookies to secretly track the internet activity of Apple iPhone users, collating and using the information obtained, and selling the accumulated data. The claim is for compensation under section 13(1) of the Act, which provides that an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of the Act is entitled to compensation from the data controller for that damage.

No financial loss or distress is alleged. Mr Lloyd is claiming a uniform amount by way of damages on behalf of each person within the defined class without seeking to allege or prove any distinctive facts affecting any of them, save that they did not consent to the abstraction of their data.

Mr Lloyd applied to the High Court for permission to serve the proceedings on Google in the United States. The application was dismissed on the basis that none of the represented class had suffered “damage” and the members of the class did not have the “same interest” within the relevant procedural rule so as to justify allowing the claim to proceed as a representative action. In any event, the judge exercised his discretion against allowing the claim to proceed, describing it as “officious litigation”.

The Court of Appeal disagreed and reversed the decision, finding that a claimant can recover damages for loss of control of their data under section 13 of the Act, without proving financial loss or distress, and the members of the class that Mr Lloyd seeks to represent do have the same interest and are identifiable. Here are some of the key points from the judgment:

  • The key to the claims was the characterisation of the class members’ loss as the loss of control or loss of autonomy over their personal data. The underlying reality was that Google was able to sell browser generated information collected from numerous individuals to advertisers who wished to target them with their advertising – that confirmed that such data, and consent to its use, has an economic value. A person’s control over data or over their browser generated information has a value, so the loss of that control must also have a value.
  • It would be inappropriate for the court to apply differing approaches to the meaning of damage in respect of an action for misuse of private information and an action for breach of the Act. Both actions protect the individual’s fundamental right to privacy and are two parts of the same European privacy protection regime. The Court was referring here to the phone hacking misuse of private information case Gulati v MGN Limited [2] in which loss of control over telephone data was held to be damage for which compensation could be awarded.
  • The High Court judge applied too stringent a test of “same interest”. The claimants that Mr Lloyd seeks to represent will all have had their browser generated information – something of value – taken by Google without their consent in the same circumstances during the same period, and are not seeking to rely on any personal circumstances affecting any individual claimant (whether distress or volume of data extracted). The represented class are all victims of the same alleged wrong, and have all sustained the same loss, namely loss of control over their browser generated information.
  • Not seeking to rely on any facts affecting any individual represented claimant had the effect of reducing the damages that can be claimed to what could be described as “the lowest common denominator”, but this did not mean that the represented claimants did not have the same interest. It was impossible to imagine that Google could raise any defence to one represented claimant that did not apply to all others. The wrong is the same, and the loss claimed is the same. Represented claimants could, in theory, seek to be joined as parties if they wished to claim additional losses.
  • The data in possession of Google would be able to identify who was, and who was not, in the class.
  • In relation to the exercise of the judge’s discretion against allowing the claim to continue, it was irrelevant that the members of the class had not authorised the claim. It was well established that the members of a represented class do not have to have authorised the claim.
  • In practice, this representative action was the only way in which the claims could be pursued.
  • The Court of Appeal did not accept the High Court judge’s characterisation of the claim as “officious litigation”: “To the contrary, this case, quite properly if the allegations are proved, seeks to call Google to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit…The case may be costly and may use valuable court resources, but it will ensure that there is a civil compensatory remedy for what appear, at first sight, to be clear, repeated and widespread breaches of Google’s data processing obligations and violations of the Convention [the European Convention on Human Rights] and the Charter [the Charter of Fundamental Rights of the European Union]”.

It remains to be seen, however, whether this decision will open the floodgates when it comes to other group data breach claims in the future. Importantly, the Court referred to a threshold of seriousness which it said would undoubtedly exclude a claim for damages for an accidental one-off data breach that was quickly remedied. It was common ground that if the Court decided that the infringement was trivial it would be entitled to refuse to make an award for loss of control damages. But the Court said that that was far from the case here – on the pleaded case, every member of the represented class had had their data deliberately and unlawfully misused, for Google’s commercial purposes, without their consent and in violation of their established right to privacy. This was clearly a key consideration for the Court when it exercised its discretion as to whether to proceed.

Additionally, claimants looking to use this representative action procedure will still need to meet the “same interest” requirement, which will present an issue where individual claimants’ circumstances vary (for example, when damages are sought for financial loss or distress) or there are different defences to the claims.

We understand that Google intends to appeal to the Supreme Court and will continue to monitor and report on developments.

…as High Court gives go-ahead to group litigation against British Airways

In a separate but related development, the High Court has granted a group litigation order which effectively gives the go-ahead to around half a million British Airways customers to bring compensation claims over a data breach that occurred in September 2018. In July 2019, the Information Commissioner’s Office (ICO) issued a notice of its intention to fine British Airways £183.39 million for infringements of the GDPR. The fine, and this group litigation, concern a cyber incident in which the personal data of approximately half a million customers was compromised by poor security arrangements.

A group litigation order differs from the representative action route used in Lloyd v Google because it is “opt-in”. Individual claimants have to decide whether to become a party to the litigation and, if they do, they must make their own claim. The group litigation order is a way for the court to manage individual claims which give rise to common or related issues of fact or law.

These latest developments serve as a stark warning to organisations of the importance of ensuring that the necessary arrangements are in place to comply with data protection and privacy legislation.

US continues to ensure adequate level of protection for personal data transferred under the Privacy Shield

On 23 October 2019, the European Commission confirmed in its report on the third annual review of the functioning of the EU-US Privacy Shield that the US continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to participating companies in the US. The Commission concluded that a number of concrete steps need to be taken to better ensure the effective functioning of the Privacy Shield in practice. This includes the development of common guidance on the definition and treatment of human resources data. The Commission will also closely monitor further developments concerning specific elements of the framework, including in relation to the issue of surveillance. The report notes the pending litigation relating to the Privacy Shield which is before the Court of Justice of the European Union (CJEU), and that the Commission may have to reassess the situation once the CJEU rules on those cases. See the press release.

Latest from the ICO

  • On 31 October 2019, the Information Commissioner issued an Opinion on the use of live facial recognition technology by law enforcement in public places. The key recommendation arising from the ICO’s investigation is to call for government to introduce a statutory and binding code of practice on the deployment of this technology.
  • The ICO is consulting until 9 December 2019 on an accountability toolkit, to help organisations to assess whether they have appropriate and effective internal data protection governance arrangements in place and to help them demonstrate their compliance to the ICO, the public, or a business customer. See the blog post for details.
  • As part of its ongoing call for input on developing a framework for auditing artificial intelligence (AI), the ICO published a blog post on enabling access, erasure, and rectification rights in AI systems, and a separate blog post on some of the key considerations for organisations undertaking data protection impact assessments (DPIAs) for AI systems. A later blog post was published setting out final considerations and next steps, reflecting on the following key governance and accountability themes that cut across all the AI risk areas explored so far: AI governance and risk management capabilities; setting a meaningful risk appetite; and DPIAs as a roadmap to a compliant and ethical approach to AI.
  • A business suspected of making nuisance pensions calls was raided as part of an ICO investigation. Stricter rules introduced earlier this year made cold calls about pensions illegal in certain circumstances.
  • The First Tier Tribunal (Information Rights) dismissed an appeal by a data controller against a £400 penalty notice from the Information Commissioner for non-payment of the required £40 data protection fee [3]. The controller appealed on the basis that non-payment was an innocent mistake – it had cancelled a previous direct debit by mistake before payment was made. While she accepted that the failure to pay was due to an oversight, the Information Commissioner said that the controller should have had the relevant administrative systems in place. The Tribunal concluded that a reasonable data controller would have systems in place to comply and the controller in this case had pointed to no particular difficulty or misfortune which explained its departure from the expected standards of a reasonable data controller. The Tribunal noted that nine months had passed between the controller receiving a first reminder that the fee was due and the penalty notice being issued, during which time it failed to realise that the direct debit had not been paid.

More news from Europe

  • A recent CJEU decision has confirmed that: pre-ticked boxes do not constitute valid consent to the placement of cookies on website users’ devices; the service provider must provide the website user with information regarding the duration of the operation of cookies and whether or not third parties may have access to those cookies; and it does not matter for the application of the ePrivacy Directive whether the data accessed through the cookies is personal or non-personal [4]. We reported in the June/July 2019 edition of the Regulatory round-up that the ICO recently published its long-awaited updated guidance on the use of cookies and similar technologies. This decision serves as a timely reminder to organisations that have not yet done so to review and update cookie policies and consent mechanisms to ensure compliance.
  • Trade association DigitalEurope is urging Member States to ask the European Commission to reconsider its proposal for an ePrivacy Regulation (which is intended to replace the current ePrivacy Directive). Among other things, it says that too many important questions remain unaddressed, amendments continue to create more confusion than clarity, and Europe’s digital transformation will be severely hampered without a major overhaul of the text.
  • The European Data Protection Board adopted a final version of its guidelines on the lawful basis for processing for online services based on contracts under Article 6(1)(b) of GDPR, i.e. where processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Cybersecurity update

  • On 16 October 2019, the government published guidance on what UK digital service providers operating in the EU should do after Brexit in order to comply with regulations covering the security of network and information systems. Separate guidance was later published for non-UK digital service providers operating in the UK.
  • Just after the previous edition of the Regulatory round-up went to press, the National Cyber Security Centre published a revised version of the Cyber Assessment Framework to make it suitable for a wider range of potential users, beyond its application to UK providers of essential services. See this blog post with a link through to the guidance.


[1] Lloyd v Google LLC [2019] EWCA Civ 1599
[2] [2015] EWHC 1482 (Ch) and [2015] EWCA Civ 1291
[3] Roy & Partners v The Information Commissioner (Dismissed) [2019] UKFTT 2019_0096 (GRC)
[4] Bundesverband der Verbraucherzentralen und Verbraucherverbände Verbraucherzentrale Bundesverband eV v Planet49 GmbH Case C-673/17