Notizie, Sentenze, Articoli - Avvocato Cassazionista Trapani

Sentenza

Lloyd (Respondent) v Google LLC (Appellant) Case ID: UKSC 2019/0213
Lloyd (Respondent) v Google LLC (Appellant) Case ID: UKSC 2019/0213
Lloyd (Respondent) v Google LLC (Appellant)
Case ID: UKSC 2019/0213
Case summary
Issue

Whether the respondent should have been refused permission to serve his representative claim against the appellant out of the jurisdiction (i) because members of the class had not suffered 'damage' within the meaning of section 13 of the Data Protection Act 1998 ('DPA'); and/or (ii) the respondent was not entitled to bring a representative claim because other members of the class did not have the 'same interest' in the claim and were not identifiable; and/or (iii) because the court should exercise its discretion to direct that the respondent should not act as a representative.
Facts

The respondent has issued a claim alleging that the appellant ('Google') has breached its duties as a data controller under the DPA to over 4m Apple iPhone users during a period of some months in 2011- 2012, when Google was able to collect and use their browser generated information. The respondent sued on his own behalf and on behalf of a class of other residents in England and Wales whose data was collected in this way. He applied for permission to serve the claim out of the jurisdiction. Google opposed the application on the grounds that (i) the pleaded facts did not disclose any basis for claiming compensation under the DPA and (ii) the court should not in any event permit the claim to continue as a representative action.
Judgment appealed

[2019] EWCA Civ 1599
Parties
Appellant(s)

Google LLC
Respondent(s)

Richard Lloyd
Appeal
Justices

Lord Reed, Lady Arden, Lord Sales, Lord Leggatt, Lord Burrows
Hearing start date

28 Apr 2021
Hearing finish date

29 Apr 2021


Page 49
inferred that the same entitlement should arise where a reasonable expectation of
privacy is not a necessary element of the claim.
131. This point goes to the heart of the approach adopted by the claimant in the
present case. Stripped to its essentials, what the claimant is seeking to do is to claim
for each member of the represented class a form of damages the rationale for which
depends on there being a violation of privacy, while avoiding the need to show a
violation of privacy in the case of any individual member of the class. This is a flawed
endeavour.
132. Another significant difference between the privacy tort and the data protection
legislation is that a claimant is entitled to compensation for a contravention of the
legislation only where the data controller has failed to exercise reasonable care. Some
contraventions are inherently fault based. For example, the seventh data protection
principle with which a data controller has a duty to comply pursuant to section 4(4) of
the DPA 1998 (and article 17 of the Data Protection Directive) states:
"Appropriate technical and organisational measures shall be
taken against unauthorised or unlawful processing of
personal data and against accidental loss or destruction of, or
damage to, personal data."
A complaint that a data controller has failed to take such "appropriate technical and
organisational measures" is similar to an allegation of negligence in that it is
predicated on failure to meet an objective standard of care rather than on any
intentional conduct. Even where a contravention of the legislation does not itself
require fault, pursuant to section 13(3), quoted at para 90 above, there is no
entitlement to compensation if the data controller proves that it took "such care as in
all the circumstances was reasonably required to comply with the requirement
concerned".
133. The privacy tort, like other torts for which damages may be awarded without
proof of material damage or distress, is a tort involving strict liability for deliberate
acts, not a tort based on a want of care. No inference can be drawn from the fact that
compensation can be awarded for commission of the wrong itself where private
information is misused that the same should be true where the wrong may consist only
in a failure to take appropriate protective measures and where the right to
compensation is expressly excluded if the defendant took reasonable care.
Page 50
134. Indeed, this feature of the data protection legislation seems to me to be a yet
further reason to conclude that the "damage" for which an individual is entitled to
compensation for a breach of any of its requirements does not include the commission
of the wrong itself. It would be anomalous if failure to take reasonable care to protect
personal data gave rise to a right to compensation without proof that the claimant
suffered any material damage or distress when failure to take care to prevent personal
injury or damage to tangible moveable property does not.
135. Accordingly, I do not accept that the decision in Gulati is applicable by analogy
to the DPA 1998. To the contrary, there are significant differences between the privacy
tort and the data protection legislation which make such an analogy positively
inappropriate.
(e) Equivalence and effectiveness
136. I add for completeness that the EU law principles of equivalence and
effectiveness, on which the Court of Appeal placed some reliance, do not assist the
claimant's case. The principle of equivalence requires that procedural rules governing
claims for breaches of EU law rights must not be less favourable than procedural rules
governing equivalent domestic actions. As explained by Lord Briggs, giving the
judgment of this court, in Totel Ltd v Revenue and Customs Comrs [2018] UKSC 44;
[2018] 1 WLR 4053, para 7, the principle is "essentially comparative". Thus:
"The identification of one or more similar procedures for the
enforcement of claims arising in domestic law is an essential
prerequisite for its operation. If there is no true comparator,
then the principle of equivalence can have no operation at
all. The identification of one or more true comparators is
therefore the essential first step in any examination of an
assertion that the principle of equivalence has been
infringed." [citation omitted]
For the reasons given, even if the measure of damages is regarded as a procedural
rule, a claim for damages for misuse of private information at common law is not a
true comparator of a claim under section 13 of the DPA 1998. The principle of
equivalence can therefore have no operation.
137. The principle of effectiveness invalidates a national procedure if it renders the
enforcement of a right conferred by EU law either virtually impossible or excessively
Page 51
difficult: see again Totel Ltd at para 7. However, the absence of a right to
compensation for a breach of data protection rights which causes no material damage
or distress, even if regarded as a procedural limitation, does not render the
enforcement of such rights virtually impossible or excessively difficult. The right to an
effective remedy does not require awards of compensation for every (non-trivial)
breach of statutory requirements even if no material damage or distress has been
suffered.
(f) Conclusion on the effect of section 13
138. For all these reasons, I conclude that section 13 of the DPA 1998 cannot
reasonably be interpreted as conferring on a data subject a right to compensation for
any (non-trivial) contravention by a data controller of any of the requirements of the
Act without the need to prove that the contravention has caused material damage or
distress to the individual concerned.
(9) The claim for user damages
139. "User damages" is the name commonly given to a type of damages readily
awarded in tort where use has wrongfully been made of someone else's land or
tangible moveable property although there has been no financial loss or physical
damage to the property. The damages are assessed by estimating what a reasonable
person would have paid for the right of user. Damages are also available on a similar
basis for patent infringement and other breaches of intellectual property rights.
Following the seminal decision of this court in OneStep (Support) Ltd v Morris-Garner
[2018] UKSC 20; [2019] AC 649, it is now clear that user damages are compensatory in
nature, their purpose being to compensate the claimant for interference with a right to
control the use of property where the right is a commercially valuable asset. As Lord
Reed explained in Morris-Garner, at para 95(1):
"The rationale of such awards is that the person who makes
wrongful use of property, where its use is commercially
valuable, prevents the owner from exercising a valuable right
to control its use, and should therefore compensate him for
the loss of the value of the exercise of that right. He takes
something for nothing, for which the owner was entitled to
require payment."
Page 52
140. Lord Reed, at paras 27 and 29, cited authorities which make it clear that the
entitlement to user damages does not depend on whether the owner would in fact
have exercised the right to control the use of the property, had it not been interfered
with. The "loss" for which the claimant is entitled to compensation is not loss of this
"conventional kind" (para 30); rather, it lies in the wrongful use of the claimant's
property itself, for which the economic value of the use provides an appropriate
measure. This value can be assessed by postulating a hypothetical negotiation and
estimating what fee would reasonably have been agreed for releasing the defendant
from the duty which it breached. It is this method of assessment on which the claimant
relies in the alternative formulation of the present claim.
141. A claim in tort for misuse of private information based on the factual allegations
made in this case, such as was made in Vidal-Hall, would naturally lend itself to an
award of user damages. The decision in Gulati shows that damages may be awarded
for the misuse of private information itself on the basis that, apart from any material
damage or distress that it may cause, it prevents the claimant from exercising his or
her right to control the use of the information. Nor can it be doubted that information
about a person's internet browsing history is a commercially valuable asset. What was
described by the Chancellor in the Court of Appeal [2020] QB 747, para 46, as "the
underlying reality of this case" is that Google was allegedly able to make a lot of money
by tracking the browsing history of iPhone users without their consent and selling the
information collected to advertisers.
142. The view has sometimes been expressed that asserting privacy in information is
inconsistent, or at least in tension, with treating such information as a commercial
asset: see eg Douglas v Hello! Ltd (No 3) [2005] EWCA Civ 595; [2006] QB 125, para
246; and on appeal sub nom OBG Ltd v Allan [2007] UKHL 21; [2008] AC 1, para 275
(Lord Walker of Gestinghorpe). But once the basis of the right to privacy is understood
to be the protection of a person's freedom to choose and right to control whether and
when others have access to his or her private affairs, I think that any tension largely
disappears. It is common experience that some people are happy to exploit for
commercial gain facets of their private lives which others would feel mortified at
having exposed to public view. Save in the most extreme cases, this should be seen as
a matter of personal choice on which it is not for the courts to pass judgments.
Moreover, where the defendant's very purpose in wrongfully obtaining and using
private information is to exploit its commercial value, the law should not be prissy
about awarding compensation based on the commercial value of the exercise of the
right. As was confirmed in Morris-Garner, the fact that the claimant would not have
chosen to exercise the right himself is no answer to a claim for user damages. It is
enough that, as Lord Reed put it at paras 30 and 95(1) of his majority judgment, the
defendant has taken something for nothing, for which the owner of the right was
entitled to require payment.
Page 53
143. The point does not arise in the present case, however, because the claimant is
not claiming damages for misuse of private information. As discussed, the only claim
advanced is under the DPA 1998. Here it follows from the conclusion reached above
about the meaning of section 13 that user damages are not available. This is because,
for the reasons given, compensation can only be awarded under section 13 of the DPA
1998 for material damage or distress caused by an infringement of a claimant's right to
have his or her personal data processed in accordance with the requirements of the
Act, and not for the infringement itself. Although his reasoning was in part based on an
understanding of user damages overtaken by this court's decision in Morris-Garner, it
follows that Patten J was right to hold in Murray v Express Newspapers Plc [2007]
EWHC 1908 (Ch); [2007] EMLR 22, at para 92, that the principles on which user
damages are awarded do not apply to a claim for compensation under the DPA 1998.
F. THE NEED FOR INDIVIDUALISED EVIDENCE OF MISUSE
144. There is a further reason why the claimant's attempt to recover damages under
section 13 of the DPA 1998 by means of a representative claim cannot succeed. Even if
(contrary to my conclusion) it were unnecessary in order to recover compensation
under this provision to show that an individual has suffered material damage or
distress as a result of unlawful processing of his or her personal data, it would still be
necessary for this purpose to establish the extent of the unlawful processing in his or
her individual case. In deciding what amount of damages, if any, should be awarded,
relevant factors would include: over what period of time did Google track the
individual's internet browsing history? What quantity of data was unlawfully
processed? Was any of the information unlawfully processed of a sensitive or private
nature? What use did Google make of the information and what commercial benefit, if
any, did Google obtain from such use?
(1) The claim for the "lowest common denominator"
145. The claimant does not dispute that the amount of any compensation awarded
must in principle depend on such matters. But he contends that it is possible to
identify an "irreducible minimum harm" suffered by every member of the class whom
he represents for which a "uniform sum" of damages can be awarded. This sum is
claimed on the basis that it represents what the Chancellor in the Court of Appeal
described as the "lowest common denominator" of all the individual claims: see [2020]
QB 747, para 75.
146. Google objects that Mr Lloyd, as the self-appointed representative of the class,
has no authority from any individual class member to waive or abandon what may be
Page 54
the major part of their damages claim by disavowing reliance on any circumstances
affecting that individual. Mr Lloyd's answer, which the Court of Appeal accepted, is a
pragmatic one. He points out that the limitation period for bringing any proceedings
has now expired. For any represented individual there is therefore no longer any
realistic possibility of recovering any compensation at all other than through the
present action. Furthermore, to make this action viable, it is necessary to confine the
amount of damages claimed for each class member to a uniform sum; and a uniform
sum of damages, even if considerably smaller than an individualised award would be, is
better than nothing.
147. I do not think it necessary to enter into the merits of this issue. I am prepared to
assume, without deciding, that as a matter of discretion the court could - if satisfied
that the persons represented would not be prejudiced and with suitable arrangements
in place enabling them to opt out of the proceedings if they chose - allow a
representative claim to be pursued for only a part of the compensation that could
potentially be claimed by any given individual. The fundamental problem is that, if no
individual circumstances are taken into account, the facts alleged are insufficient to
establish that any individual member of the represented class is entitled to damages.
That is so even if it is unnecessary to prove that the alleged breaches caused any
material damage or distress to the individual.
(2) The facts common to each individual case
148. The facts alleged against Google generically cannot establish that any given
individual is entitled to compensation. To establish any such individual entitlement it
must be shown, at least, that there was unlawful processing by Google of personal
data of which that particular individual was the subject. In considering whether the
facts alleged, if proved, are capable of establishing an entitlement to damages, it is
therefore necessary to identify what unlawful processing by Google of personal data is
alleged to have occurred in Mr Lloyd's own case and also in the case of each other
member of the represented class. What facts is the claimant proposing to prove to
show that Google acted unlawfully in each individual case?
149. The answer, on analysis, is: only those facts which are necessary to show that
the individual falls within the definition of the "claimant class". The premise of the
claim is that Mr Lloyd and each person whom he represents is entitled to damages
simply on proof that they are members of the class and without the need to prove any
further facts to show that Google wrongfully collected and used their personal data.
Any such further facts would inevitably vary from one individual member of the class
to another and would require individual proof.
Page 55
150. To fall within the definition of the class, it must be shown, in substance, that the
individual concerned had an iPhone of the appropriate model running a relevant
version of the Apple Safari internet browser which, at any date during the relevant
period whilst present in England and Wales, he or she used to access a website that
was participating in Google's DoubleClick advertising service. There are exclusions
from the class definition for anyone who changed the default settings in the Safari
browser, opted out of tracking and collation via Google's "Ads Preference Manager" or
obtained a DoubleClick Ad cookie via a "first party request" rather than as a "third
party cookie". The aim of the definition is to identify all those people who had a
DoubleClick Ad cookie placed on their device unlawfully, through the Safari
workaround, but not to include within the class anyone who did not receive a
DoubleClick Ad cookie during the relevant period or who received the cookie by lawful
means.
151. It is sufficient to bring an individual within the class definition that he or she
used the Safari browser to access a website participating in Google's DoubleClick
advertising service on a single occasion. The theory is that on that occasion the
DoubleClick Ad cookie will have been placed on the user's device unlawfully as a third
party cookie. To qualify for membership of the class, it is not necessary to show that
the individual ever visited a website participating in Google's DoubleClick advertising
service again during the relevant period. Nor is it alleged that any individual or
individuals did visit such a website on more than one occasion. The "lowest common
denominator" on which the claim is based is therefore someone whose internet usage
- apart from one visit to a single website - was not illicitly tracked and collated and who
received no targeted advertisements as a result of receiving a DoubleClick Ad cookie.
This is because the claimant has deliberately chosen, in order to advance a claim in a
representative capacity for damages assessed from the bottom up, not to rely on any
facts about the internet activity of any individual iPhone user beyond those which
bring them within the class of represented persons.
152. For reasons given earlier, I am leaving aside the difficulties of proving
membership of the class, significant as they would appear to be, and am assuming that
such difficulties are not an impediment to the claim. But the question that must be
asked is whether membership of the represented class is sufficient by itself to entitle
an individual to compensation, without proof of any further facts particular to that
individual.
153. On the claimant's own case there is a threshold of seriousness which must be
crossed before a breach of the DPA 1998 will give rise to an entitlement to
compensation under section 13. I cannot see that the facts which the claimant aims to
prove in each individual case are sufficient to surmount this threshold. If (contrary to
Page 56
the conclusion I have reached) those facts disclose "damage" within the meaning of
section 13 at all, I think it impossible to characterise such damage as more than trivial.
What gives the appearance of substance to the claim is the allegation that Google
secretly tracked the internet activity of millions of Apple iPhone users for several
months and used the data obtained for commercial purposes. But on analysis the
claimant is seeking to recover damages without attempting to prove that this
allegation is true in the case of any individual for whom damages are claimed. Without
proof of some unlawful processing of an individual's personal data beyond the bare
minimum required to bring them within the definition of the represented class, a claim
on behalf of that individual has no prospect of meeting the threshold for an award of
damages.
(3) User damages on a lowest common denominator basis
154. The claimant's case is not improved by formulating the claim as one for user
damages quantified by estimating what fee each member of the represented class
could reasonably have charged - or which would reasonably have been agreed in a
hypothetical negotiation - for releasing Google from the duties which it breached. I
have already indicated why, in my opinion, user damages cannot be recovered for
breaches of the DPA 1998. But even if (contrary to that conclusion) user damages
could in principle be recovered, the inability or unwillingness to prove what, if any,
wrongful use was made by Google of the personal data of any individual again means
that any damages awarded would be nil.
155. The claimant asserts, and I am content to assume, that if, instead of bypassing
privacy settings through the Safari workaround, Google had offered to pay a fee to
each affected Apple iPhone user for the right to place its DoubleClick Ad cookie on
their device, the fee would have been a standard one, agreed in advance, rather than a
fee which varied according to the quantity or commercial value to Google of the
information which was subsequently collected as a result of the user's acceptance of
the cookie. However, imagining the negotiation of a fee in advance in this way is not
the correct premise for the valuation.
156. As explained in Morris-Garner, the object of an award of user damages is to
compensate the claimant for use wrongfully made by the defendant of a valuable asset
protected by the right infringed. The starting point for the valuation exercise is thus to
identify what the extent of such wrongful use actually was: only then can an estimate
be made of what sum of money could reasonably have been charged for that use or,
put another way, for releasing the wrongdoer from the duties which it breached in the
wrongful use that it made of the asset. Imagining a hypothetical negotiation, as Lord
Reed explained at para 91 of Morris-Garner, is merely "a tool" for arriving at this
Page 57
estimated sum. As in any case where compensation is awarded, the aim is to place the
claimant as nearly as possible in the same position as if the wrongdoing had not
occurred. Accordingly, as Patten LJ put it in Eaton Mansions (Westminster) Ltd v Stinger
Compania de Inversion SA [2013] EWCA Civ 1308; [2014] 1 P & CR 5, para 21:
"The valuation construct is that the parties must be treated
as having negotiated for a licence which covered the acts of
trespass that actually occurred. The defendant is not required
to pay damages for anything else."
See also Enfield London Borough Council v Outdoor Plus Ltd [2012] EWCA Civ 608, para
47; and Marathon Asset Management LLP v Seddon [2017] EWHC 300 (Comm); [2017]
ICR 791, paras 254-262.
157. Applying that approach, the starting point would therefore need to be to
establish what unlawful processing by Google of the claimant's personal data actually
occurred. Only when the wrongful use actually made by Google of such data is known
is it possible to estimate its commercial value. As discussed, in order to avoid individual
assessment, the only wrongful act which the claimant proposes to prove in the case of
each represented person is that the DoubleClick Ad cookie was unlawfully placed on
their device: no evidence is - or could without individual assessment - be adduced to
show that, by means of this third party cookie, Google collected or used any personal
data relating to that individual. The relevant valuation construct is therefore to ask
what fee would hypothetically have been negotiated for a licence to place the
DoubleClick Ad cookie on an individual user's phone as a third party cookie, but
without releasing Google from its obligations not to collect or use any information
about that person's internet browsing history. It is plain that such a licence would be
valueless and that the fee which could reasonably be charged or negotiated for it
would accordingly be nil.
G. CONCLUSION
158. The judge took the view that, even if the legal foundation for the claim made in
this action were sound, he should exercise the discretion conferred by CPR rule 19.6(2)
by refusing to allow the claim to be continued as a representative action. He
characterised the claim as "officious litigation, embarked upon on behalf of individuals
who have not authorised it" and in which the main beneficiaries of any award of
damages would be the funders and the lawyers. He thought that the representative
claimant "should not be permitted to consume substantial resources in the pursuit of
litigation on behalf of others who have little to gain from it, and have not authorised
Page 58
the pursuit of the claim, nor indicated any concern about the matters to be litigated":
[2019] 1 WLR 1265, paras 102-104. The Court of Appeal formed a very different view
of the merits of the representative claim. They regarded the fact that the members of
the represented class had not authorised the claim as an irrelevant factor, which the
judge had wrongly taken into account, and considered that it was open to them to
exercise the discretion afresh. They saw this litigation as the only way of obtaining a
civil compensatory remedy for what, if proved, was a "wholesale and deliberate
misuse of personal data without consent, undertaken with a view to commercial
profit": see [2020] QB 747, para 86. In these circumstances the Court of Appeal took
the view that, as a matter of discretion, the claim should be allowed to proceed.
159. It is unnecessary to decide whether the Court of Appeal was entitled to
interfere with the judge's discretionary ruling or whether it would be desirable for a
commercially funded class action to be available on the facts alleged in this case. This is
because, regardless of what view of it is taken, the claim has no real prospect of
success. That in turn is because, in the way the claim has been framed in order to try to
bring it as a representative action, the claimant seeks damages under section 13 of the
DPA 1998 for each individual member of the represented class without attempting to
show that any wrongful use was made by Google of personal data relating to that
individual or that the individual suffered any material damage or distress as a result of
a breach of the requirements of the Act by Google. For the reasons explained in this
judgment, without proof of these matters, a claim for damages cannot succeed.
160. I would therefore allow the appeal and restore the order made by the judge
refusing the claimant's application for permission to serve the proceedings on Google
outside the jurisdiction of the courts of England and Wales.
Avv. Antonino Sugamele

Richiedi una Consulenza