Search

Data, damages and collective proceedings

In recent months, two significant cases data protection cases have been in the headlines: Rolfe & Ors v Veale Wasbrough Vizards LLP and Lloyd v Google.

In Rolfe & Ors, the underlying breach was an email sent to an unrelated party, but which was deleted soon after receipt, with no material consequences. In Lloyd v Google, it was the installation of cookies that gathered browsing data on the devices of millions of iPhone users, without their knowledge or consent.

These cases are likely to have a significant impact on data claims moving forward, and will be of interest to organisations which routinely process personal data, particularly where it’s at a large scale or the data is sensitive.

The particular points to note are:

  • the approach to group litigation in Lloyd v Google;
  • the need to prove damages as set out in both cases; and
  • the calculation of damages set out in Rolfe & Ors.

Class action Litigation

‘Class actions’, or claims with a large number of claimants, are in England and Wales generally dealt with under one of three ways:

  • A ‘Group Litigation Order’;
  • Collective proceedings (for specific breaches of the Competition Act 1998);
  • ‘Same interest’ representative proceedings.

Lloyd v Google was an unusual attempt at a representative proceeding. Whereas the other forms of class actions require active involvement from claimants, the claimant in Lloyd argued that all users affected by Google’s actions shared an irreducible minimum level of harm – the loss of control of their data as experienced by a hypothetical least affected member, and this minimum represented a ‘same interest’ for each affected user. As a representative proceeding, the claim could then be brought on behalf of but without the explicit consent of all affected users – effectively creating an ‘opt out claim’ rather than requiring claimants to be actively involved.

Ultimately, the Supreme Court rejected this formulation on the basis that users could have been affected in vastly different ways. However, identifying the losses of each user (see below) in such a claim would be prohibitively expensive considering individual losses are likely to be low and therefore unattractive to potential claimants; in effect the Court’s ruling means such large scale data breach cases will be hard to fund on a commercial basis as it will be hard to apply economy of scale to calculation of damages.

However, the judgment did note that a representative proceeding could be used where users were affected similarly – a salutary warning for organisations where all users in a breach face the same effects..

Proving damages

In Rolfe & Ors, damages were claimed under the Data Protection Act 2018 and the GDPR. However, the claimants had suffered no material damage – the email was deleted promptly, the recipient did not know the claimants, and the email contained very little personal information. The judge held that the nature of the breach would not cause any distress for someone of ‘ordinary fortitude’, and that there were therefore no real damages to claim.

In Lloyd v Google, compensation was claimed under the Data Protection Act 1998, as the breach occurred around 2012. However, the irreducible minimum claimed would in effect have meant that any one claim would have fallen below a threshold of significance, and so wouldn’t represent a sufficiently strong claim to be heard in court. While it was open to claimants to claim higher amounts, in order to do so they would need to be able to demonstrate the extent of the data that was unlawfully processed in each individual case, that the damage caused was more than trivial.

Both cases confirm the principle that claimants will need to have experienced more than a minimal loss of control over data.

Calculating damages

Both judgments also explored how the losses could be calculated.

In Lloyd v Google, the Supreme Court indicated loss should have been calculated based on compensating each claimant for wrongful use of their personal data, i.e. not the loss arising from the processing itself, but from the unauthorised nature of the processing. In light of the way Lloyd v Google was argued, this would have been the amount charged by each user for Google to simply store the relevant cookie on their device (as that was the minimum irreducible harm claimed). This understandably was considered valueless.

In Rolfe & Ors, the value of the breach was also (effectively) nil. However, the judgment also shows some of the factors that could have affected this. More significant damages could have resulted from:

  • The recipient knowing the data subjects;
  • The email containing information which would affect a data subject’s safety (e.g. details of location – school drop-off or trip locations);
  • The email including sensitive financial information (e.g. account details); and
  • A longer breach (if deletion hadn’t been confirmed the following day).

If you would like to discuss any of the matters raised in this article, or want to discuss a data breach, contact Chris Francis, solicitor in Ashfords’ Commercial Litigation team, at c.francis@ashfords.co.uk.

Send us a message