In these cases it may seem less attractive for each individual to raise their own action for compensation when the costs involved with doing so are balanced against the amount of compensation they might be entitled to. The recent English decision of Richard Lloyd v Google LLC [2018] EWCA 2599 (QB) is an example of a situation where an attempt was made to obtain compensation on behalf of a large number of individuals in one action.
The action related to alleged data breaches in the period between 2011 and 2012 by Google as a result of it using its "Safari Workaround" technology. The technology allowed Google to track some of the online behaviour of individuals who used iPhones in the UK and Google then sold the data it collected by using the technology to advertisers. It was not at all clear at the time that Google was collecting data in this way. Individuals had not been asked to consent to this and what Google was doing was, in fact, contrary to its own privacy policy.
This decision arose because, as Google is based outside of the UK, it was necessary for the claimant to apply to the High Court for permission to serve papers on Google outwith the UK. A couple of interesting points considered in the court's decision were (i) whether the claim could continue as a representative action and (ii) whether the claimant had set out a sufficient basis for claiming compensation as a result of the data protection breach.
Raising the claim as a representative action
The claim was raised by one claimant who was seeking to sue both in his own name and in a representative capacity on behalf of a class of other residents in England and Wales who were said to have been affected by the use by Google of the Safari Workaround technology. The members of the class were not defined and estimates of their number ranged between 4.4 and 5.4 million. Mr Justice Warby considered that the essential requirements for a representative action were absent, there were practical difficulties in ascertaining whether any individual was a member of a class and the court's discretion would be exercised against the action continuing as a representative action.
It is not possible for a representative action of this type to be raised in Scotland. The Civil Litigation (Expenses and Group Proceedings)(Scotland) Act 2018 has allowed for introduction of both "opt-in" and "opt-out" group proceedings so it is possible that actions along these lines might be available in the future in Scotland. However we need to wait for creation of new court rules to get the details of how these types of proceedings will operate in practice.
Basis for claiming compensation
The claim for compensation in this case was based on section 13(1) of the Data Protection Act 1998. This allowed for compensation as follows: "An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller of that damage".
Mr Justice Warby did not consider that the facts which had been pled in the action disclosed a basis for claiming compensation under that provision. The statute allowed a right to compensation for damage suffered and the infringement and damage are presented as two separate events, connected by a causal link. An interpretation of these provision which requires proof not only of a contravention but also of consequent damage made sense and presupposing that some contraventions of the DPA will not result compensation was a realistic approach.
He discussed the earlier case of Vidal-Hall v Google Inc [2014] EWCH 13 (QB) and [2015] EWCA Civ 311 (which had arisen out of the same circumstances as the current case but was brought by three named claimants who sought compensation for themselves only). In Vidal-Hall the Court of Appeal concluded the remedy of compensation is required where distress has been suffered as a result of a breach of duty. The claimants in Vidal-Hall were seeking for compensation for distress and anxiety suffered when they learned that information about their personal characteristics, interests, wishes or ambitions had been used as the basis for advertisements being targeted at them.
In this case, in contrast, it was said that damage was suffered by reason of the breach of the statutory duty imposed by s4(4) of the Data Protection Act 1998, by tracking, collation, aggregation, and sale of personal data without consent but there was no description of what the damage suffered actually was. The lack of any detail about the impact of the breach was another reason why the action could not proceed.
It is, of course, important to remember that the Data Protection Act 1998 has been repealed and a claim for compensation for breach of data protection requirements will now be based on the provision in Article 82 of the General Data Protection Regulation (GDPR). This provides that "Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered".
The requirement for an individual seeking to compensation to be able to point to both the infringement which occurred and the damage suffered as a result of it is therefore still in place. However Article 82 it is wider than section 13 of the Data Protection Act 1998 as Article 82 allows for compensation to be recovered from both data processors and data controllers.