Last week, the Court of Appeal allowed a campaigner to sue Google for the misuse of nearly 4 million iPhone users’ data. This ruling is sign of the times, says Tom Jones, as representative actions in relations to data breaches are growing, and becoming increasingly cross-jurisdictional.
We’d like to put aside Brexit, the Rugby World Cup (Cymru am byth!), climate change, cat memes, and “gosh, they’ve got Christmas stuff in the shops now. It’s not even Halloween!” commentary for a moment and focus on another one of the key debates taking place in society today – personal data.
Last week, the Court of Appeal allowed an appeal against a ruling that barred a consumer protection campaigner from suing Google for the misuse of circa 4 million iPhone users’ data between August 2011 and February 2012. The ruling now allows campaigner Richard Lloyd to commence proceedings against the US-based tech giant, one of the “Big Four” technology companies, to hold it accountable for this alleged misuse of data. Some commentators put the value of this compensation claim at £3.3 billion.
The ruling is interesting, because it reflects two trends characteristic of our ever-connected and ever-globalised world: representative actions in relations to data breaches are growing, and becoming increasingly cross-jurisdictional.
A new scale of representative actions
Representative actions in relation to data breaches are not only growing in number, they’re also growing in scale. Data breaches for commercial gain seldom happen in isolation, meaning millions of victims may find themselves represented by one claimant.
That’s why, before ruling, the Court first had to consider whether damages could effectively be claimed on behalf of nearly 4 million iPhone users, and whether Google’s misuse of data could result in the award of damages at all.
The loss or distress caused by the data breach is likely to vary considerably across the group – some people may still have no idea that their data was misused by Google. But the Court noted Article 82.1 of the GRPR, which provides that a person who has suffered “material or non-material damage as a result of an infringement of this Regulation” should have the right to receive compensation for the damage suffered. On this basis, the Court ruled that the victims all suffered from the same alleged wrong and loss and shared the same interest, noting:
“…it is impossible to imagine that Google could raise any defence to one represented claimant that did not apply to all others. The wrong is the same, and the loss claimed is the same. The represented parties do, therefore, in the relevant sense have the same interest.”
“…Every person will, in theory, know whether he satisfies the conditions that Mr. Lloyd has specified. Also, the data in possession of Google will be able to identify who is, and who is not, in the class.”
So, the Court made clear that the number of claimants cannot itself affect the ability to use the representative procedure. However, with such a high number of victims, the actual loss and damages are much more difficult to determine.
Whilst in English law, data is not currently regarded as property, its protection under EU law is clear. The Court also noted that a person’s data has value, as it can be sold. As Google was able to sell data collected from numerous individuals to advertisers who wished to target those people with their advertising, then it was confirmed that such data, and consent to its use, has an economic value.
Therefore, the Court found that the loss of control over one’s data, even if there is no pecuniary loss and no distress, could result in an award of compensation.
Blurry jurisdictional boundaries
Arguably, there are few people on the planet who haven’t heard of or used Google – the company’s sphere of influence reach is truly global. It has even become a verb – how many times have you heard “Google it?” in conversation?
By allowing victims of a data breach to file claims against a company based outside of the jurisdiction of the England and Wales legal system, the ruling sets another precedent. It is deconstructing one of the traditional bureaucratic barriers that large tech firms can hide behind – jurisdictional boundaries.
The case has been appealed to the Supreme Court. We wait with bated breath to see if it will be upheld, especially with regards to the new GDPR legislation. But the wider societal question remains about how we, and our friends and neighbours around the world, want to trust these large tech companies with the care of our data.
Meanwhile, we’re likely to see more and more international proceedings against large tech companies on behalf of millions of users.
If you have any queries about misuse of data, please contact Nicola Mead-Batten (firstname.lastname@example.org).