Future magic circle trainee Will Holmes looks at yesterday’s data protection ruling
For those with a record of questionable data practices, yesterday’s judgment handed down by the UK Supreme Court will have come as a massive relief. And if you’re TikTok, who discovered in April that it was to face a possible collective action led by the former children’s commissioner for England Anne Longfield, you might have even burst out into song and dance.
The ruling concerned allegations that Google had breached its duties as a data controller under the Data Protection Act (DPA)1998. In late 2011 and early 2012 Google allegedly tracked millions of iPhone users’ online activity without their knowledge or consent using the now infamous “Safari workaround”. With the backing of a large litigation funder, Robert Lloyd sought to lead a representative claim on behalf of the millions of affected iPhone users.
There are two distinct elements of this ruling that are particularly significant. First, can a representative claim be brough under Rule 19.6 of the Civil Procedure Rules?
The UKSC found that it could see “no legitimate objection to a representative claim” [84]. In the context of data breach claims, which by its nature affects large numbers of people, this makes sense.
The court diagnosed the problem like this:
“As the present case illustrates, the development of digital technologies has added to the potential for mass harm for which legal redress may be sought. In such cases it is necessary to reconcile, on the one hand, the inconvenience or complete impracticality of litigating multiple individual claims with, on the other hand, the inconvenience or complete impracticality of making every prospective claimant (or defendant) a party to a single claim.”
So, surely a representative claim is a good solution? Well, the UKSC found that a representative claim was not adequate due to its inability to follow the compensatory logic of damages. Lloyd’s claim was for damages to be awarded in a uniform manner (each claimant gets the same). Under common law, damages are intended to put an individual in the same position they were in before the loss occurred. This is difficult to do for mass claims because people can be affected in different ways (with more frequent users being vulnerable to more breaches and the data being used in different ways by Google in this case). Therefore, the fact that representative claims do not allow for an individualised assessment of the claimants and that “the effect of the Safari workaround was obviously not uniform across the represented class” made them unsuitable for Lloyd’s claim.
The second key question was: can compensation be claimed under section 13 DPA 1998 for a possible breach by Google of its duties as a data controller? Lloyd was claiming that ‘loss of control’ over personal data amounted to a breach. Section 13 recognises two breaches: material damage and distress (as was established in Vidal-Hall v Google [2015]). The UKSC’s interpretation found that ‘loss of control’ is “not an expression used in the DPA 1998” nor are any of the requirements of the act “predicated on “control” over personal data by the data subject”.
So if your gut reaction to my initial summary of Google’s non-consensual data tracking activities was ‘so what’, then you were on the right lines. Furthermore, the court found that the threshold for seriousness which “must be crossed” for compensation to be awarded fell short of the mark.
This all bodes well for data controllers such as TikTok facing claims centred around ‘loss of control’. But they are not out of the woods yet.
The UKSC did left open the possibility of a bifurcated approach whereby common issues of law or fact are decided through a representative claim but damages are determined later via a process of individualised assessment. In addition, the ruling suggests that a more fruitful path for claimants may be going down the misuse of private information path which “naturally lend[s] itself to an award of user damages” (a remedy available where harm cannot be quantified in the normal way). One final distinction is that this was decided under the DPA 1998, whereas TikTok’s case would be considered against the Data Protection Act 2018.
Despite this, the ruling means that any representative claims will fail by virtue of the differences in possible damages between claimants. It leaves it up to users to challenge large and powerful data controllers on their own. Today’s ruling passes the baton to parliament. Whether this imbalance will be addressed, as it has been in competition law by the Consumer Rights Act, remains up to government who in early 2021 rejected such proposals.
Will Holmes is a future trainee solicitor at a magic circle law firm.