The DPA 1998 has since been replaced by the UK General Data Protection Regulation supplemented by the Data Protection Act 2018, but was in force at the time of the alleged breaches by Google. The decision comes in the wake of a number of preliminary references to the Court of Justice of the European Union (the “CJEU”) by Austrian and German Courts under Article 267 TFEU on the interpretation of Article 82 of the GDPR, and sets the tone for a new line of jurisprudence in increasingly prevalent data protection claims.

Background

Richard Lloyd, prior executive of Consumers International and Which? filed a representative action against Google in 2017 on behalf of over 4 million Apple iPhone users (the “Claimants”) alleging that Google had breached its duties as a data controller under the DPA 1998 in a period between 2011 and 2012. Lloyd, who runs the ‘Google You Owe Us’ campaign, on behalf of the Claimants, accused Google of bypassing the privacy settings on Apple’s iPhone Safari browser to track iPhone users’ internet activity including time spent on relevant websites and advertisements viewed with an aim to targeting advertising, without the users’ consent. Google disabled the ‘Safari Workaround’ after The Wall Street Journal broke the story in early 2012 and was fined $25m by the Federal Trade Commission in the US later that year.
In the wake of this fine, the Court of Appeal of England and Wales in Vidal-Hall v Google Inc. [2014] EWHC 13 (QB), paved the way for Lloyd when they ruled that three users could sue Google in the UK for damages for breaches of their individual privacy rights by the ‘Safari Workaround’.
In the present case, Lloyd sought permission from the UK courts to serve the claims on Google LLC in the US. In this claim, Lloyd sought confirmation that:

1. the DPA 1998 allowed for compensation to be paid to claimants for loss of control of their personal data without the need for identification of specific financial loss or evidence of material damage and distress; and
2. a representative action under Rule 19.6 of the Civil Procedure Rules (the “CPR”) could proceed on behalf of 4.6 million identifiable members with the “same interest”.

Google LLC opposed the application on the grounds that:

1. damages cannot be awarded under the DPA 1998 without proof that a breach caused an individual to suffer financial damage or distress; and
2. the claim was not suitable to proceed as a representative action.

The claim was initially refused by the UK High Court in October 2018 on the basis that “vindicatory” damages could not be awarded where it could not be shown that material damage or distress had been caused.
The High Court decision was overturned by the Court of Appeal of England and Wales (the “COA”) in October 2019 which held that control over personal data had value to an individual, and in that instance damages could be awarded absent proof of distress or economic loss. The COA also held that the representative class had the “same interest” in that they had all suffered the same alleged loss of control over their personal data.

The Supreme Court Judgment

Non-Material Damage
The Supreme Court considered a number of elements that have far reaching consequences in respect of data protection claims for non-material damage in the UK and other common law jurisdictions, including Ireland, with similar data protection legislation in place.
The Supreme Court unanimously held that for claimants to be awarded compensation under section 13 of the DPA 1998, which requires claimants to suffer “damage by reason of any contravention”, the damage must be caused by, and be distinct from, such contravention.
This moves UK jurisprudence away from the reasoning in cases such as Johnson v Medical Defence Union [2007] EWCA Civ 262 where “damage” for the purposes of the DPA 1998 did not go beyond monetary loss or material damage towards the Vidal-Hall line of reasoning where the COA held that there was a fundamental right to the protection of personal data under Article 8 of the Charter of Fundamental Rights rejecting pecuniary loss as the sole basis for claiming under the provisions of the DPA 1998.
However, the above jurisprudence is peripheral to the Lloyd judgment and instead Lloyd segways from judgments such as Gulati v Mirror Group Newspapers [2015] EWCA Civ where misuse of private information was found to be per se compensable, to distinguishing the tort of misuse of private information from claims for damages under the DPA 1998. Antony White, QC for Google, told the Supreme Court in submissions that “it is an important point of reference in this case that under the general law, a claim in tort of breach of statutory duty is not actionable per se; it requires proof of harm.”
In respect of the DPA 1998, the Supreme Court held that, on the proper interpretation of section 13, the term “damage” refers to material damage or mental distress distinct from, and caused by, unlawful processing of personal data in contravention of the Act, and does not refer to the act of unlawful processing itself.
Further, the Supreme Court held that it is necessary to prove what specifically amounted to unlawful processing by Google of personal data relating to a given individual in order to recover compensation in such claims. The Supreme Court emphasised that the right to such compensation is a qualified right and is subject to the defence of reasonable care taken by a defendant, as opposed to the strict liability operation of misuse of private information.
As it was not held that the alleged damage was compensable without evidence, the Supreme Court did not elaborate on the issue of quantum, however the Court did find that ‘user damages’ (which are a category of damages available for the wrongful use of another’s property rights) are not available for such a breach as damages under the DPA arise from an infringement of the claimant’s right to have personal data processed in accordance with the DPA 1998, and not the infringement itself. Therefore the principles applying to an award of ‘user damages’ do not apply to a claim for damages under the DPA.
Collective Actions
The Supreme Court held that representative actions are a “flexible tool of convenience in the administration of justice” and that the “same interest” requirement for members of a certain class must be interpreted purposely and pragmatically, in keeping with the overriding objective of the CPR of dealing with cases justly, so that Google would be able to identify “who is, and who is not, in the class”.
The Court was at pains to note that there is no bar to a representative claim where each represented person has in law a separate cause of action nor where the relief claimed consists of or includes damages, but in instances where the assessment of individual harm would vary across the large number of claimants, such actions are not the appropriate vehicle in that regard.
The Court acknowledged representative actions could be taken in two stages, the first being a claim by a representative to assess liability of a defendant for the alleged breach and the second an assessment of compensation in separate individual claims. However, the Claimant did not propose such a two–stage procedure in Lloyd, likely because the proceedings would not be economic if it was necessary to prove loss on an individual basis.
Relevance to the GDPR
In obiter comments, the Supreme Court in Lloyd stated that “EU law therefore does not provide a basis for giving a wider meaning to the term “damage” in section 13 of the DPA 1998 than was given to that term by the Court of Appeal in Vidal-Hall”.
As to whether this is the case in respect of “damage” as defined in Article 82 of the GDPR, which states that “any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered” is yet to be decided by a court.
There have been two recent referrals to the CJEU on various aspects of Article 82, by the German and Austrian Courts.
The Austrian Supreme Court requested a preliminary ruling by the CJEU under Article 267 TFEU on the interpretation and application of the claim for damages under Article 82 GDPR. In particular, clarification was sought on:

1. whether a claim for damages, in addition to the violation of a GDPR provision, requires the Claimant to have suffered specific damages or whether said violation is sufficient to qualify for the award;
2. whether additional requirements of EU law, beyond the principles of effectiveness and equivalence, must be considered by national courts in their assessment of damages; and
3. whether the threshold for non-pecuniary/non-material damages requires that the infringement has consequences of a certain degree or weight that extends beyond anger or annoyance caused by said infringement.

In Germany, the Magistrate Court dismissed a Plaintiff’s claim for a breach of the GDPR following receipt of an unsolicited advertisement via email. The Magistrate Court held the Plaintiff was not entitled to compensation under Article 82 because he failed to show that he suffered any relevant damages from the unsolicited email that met the de minimis threshold of impairment. Ultimately, the Plaintiff filed a constitutional complaint arguing that the decision violated his right to a trial before a legal judge under the German Constitution, and that the Magistrate Court had wrongly applied its own interpretation of the law, rather than referring to the CJEU the question of whether it is necessary to meet a de minimis threshold of impairment to be entitled to compensation for non-material damage under Article 82.
The Federal Constitutional Court ruled that the Magistrate Court was obliged to turn to the CJEU in circumstances where the proceeding clearly raised the question of EU law i.e. under what circumstances Article 82 entitles a claimant alleging non-material damage to monetary compensation particularly in light of Recital 146 sentence 3 of the GDPR’s broad interpretation of the concept of damages.
The Future of Data Protection Claims in Ireland
Although there is provision in Order 15 Rule 9 of the Rules of the Superior Courts 1986 for representative actions to be taken in Ireland, the current trend in the absence of any statutory provision for actions involving groups of claimants is to progress class actions through test cases.
In addition, section 117 of the Data Protection Act 2018, which implements parts of the GDPR in Ireland expressly provides that “damage” includes “material and non-material damage.” The Supreme Court noted obiter in Murphy v Callinan [2018] IESC 59, which concerned pre-GDPR Data Protection Act 1988 (as amended) but was decided close to the introduction of the new Act, that “the Data Protection Act 2018 implementing GDPR permits an individual to seek compensation from the court for breaches of data subject rights even in the absence of any material damage or financial loss.” In Murphy, the defendant insurance company cancelled a motor insurance policy upon receiving information about the plaintiff’s convictions for road traffic offences from a member of An Garda Síochána. The plaintiff claimed that the defendant had not rectified errors in his data and sought damages under section 7 of the Data Protection Act 1988 (as amended), the predecessor to section 117 of the 2018 Act. The Supreme Court ruled that the plaintiff was not entitled to damages as he had not provided any evidence of loss.
As of yet, the Irish courts have not issued any decision on a data protection action under section 117 of the Data Protection Act 2018. In light of this most recent judgment in the UK, it remains to be seen whether the courts in Ireland will follow suit, particularly once the ECJ opines on the scope of Article 82 for ‘bare breach’ claims.
The authors wish to thank Leah O’Mahony and Isabel Cooke for their contribution to this briefing.