Interpretation of UK Data Protection Act needs to be grounded in the European Charter and applicable principles
The United Kingdom Court of Appeal has given the green light in a class action against Google related to the collection of “browser generated information”, or “BGI”. The Court Richard Lloyd v Google LLCreversed the decision of the judge below, who held that the putative representative plaintiff could not serve Google LLC outside of the UK in the proceeding and that Google could not be liable for damages without proving further pecuniary loss.
The plaintiff allege that Google created a “workaround” for functionality built into the Safari browser to block third party cookies, such as Google’s advertising cookie. This has already been the subject of various lawsuits and investigations in the United States.
The Court of Appeal disagreed with Google argument that the representative plaintiff would need to prove causation and consequential damages according to section 13(1) of the Data Protection Act (“DPA”).
13(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
While this is a provision in UK Law, the Court of Appeal conducted its analysis on the basis that it is a matter of EU law. If a purely domestic statutory construction was applied, section 13 would require proof of both a contravention of the law and actual consequent damage, whether pecuniary or non-pecuniary. What changed the analysis was the introduction in 2012 of the Charter of Fundamental Rights of the European Union, “addressed to… Member States only when they [were] implementing [EU] law” (para 41). Article 8 of the Charter, titled “Protection of personal data” confirmed the protection of data rights under EU law:
- Everyone has the right to the protection of personal data concerning him or her.
- Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
- Compliance with these rules shall be subject to control by an independent authority.
The Court of Appeal concluded that because the Data Protection Act was enacted to give effect to EU law, the provisions of the Charter undergird the rights under the DPA: From Paragraph 41:
The DPA was enacted to implement EU law, so the provisions of the Charter became applicable to data rights under the DPA after it was introduced.
Interpretation of the DPA must take into account the Charter and similarly consider those terms as giving effect to the provisions set out in the Charter. As a result, what is harm compensable by damages is determined by EU law and not domestic UK law. And under EU law, the court considered (a) whether control over data is an asset that has value, and (b) whether there are compensatory “damages” within the legal definition of the word.
With respect to the first question, the Court concluded that the data at issue was an asset that has value. Though UK law has hesitated to see data as property, EU law clearly affords it protection. That it could be monetized for advertising purposes reinforced the value it has. As a result, the Court concluded that an aggrieved person can recover damages under section 13 of the DPA and Article 23 of the EU Data Protection Directive.
For the second question, the Court relied on the case of Gulati v. MGN Limited [2015] EWHC 1482 (Ch) (Mann J), [2015] EWCA Civ 1291 (CA) (“Gulati”) which had held that damages are available without proof of pecuniary loss or distress for the tort of misuse of private information (“MPI”). Though MPI is a different legal basis for a claim, the Court of Appeal determined that Gulati was relevant and applicable by analogy because the misuse of private information tort and the DPA claim both derive from the same core rights to privacy. Further, the loss of control over telephone data in Gulati by the defendant newspaper company hacking phones was held to be damage that was compensable, and therefore Google’s acquisition of browser generated information must also be compensable.
The Court of Appeal also determined that the judge below erred in determining that the members of the class did not have the same interest under the relevant Civil Procedure Rules related to class and representative proceedings, and were not identifiable.
The plaintiff was seeking to represent claimants whose BGI was taken by Google without their consent, in the same circumstances, and during the same period. This was not dependent on personal circumstances that would vary among individual claimants. The effect of this results in reducing the damages that could be claimed to the lowest common denominator.
The Court of Appeal granted the appellant’s appeal and the case can proceed.