On October 2, 2019, the UK Court of Appeal unanimously overturned a block on a “class-action” lawsuit (technically a “collective action”) brought by a veteran on behalf of millions iPhone users against Google for the latter’s use of “Safari Workaround” . Now the case can be heard.
The lawsuit alleges that Google secretly tracked some of the users’ internet activity, for commercial purposes, between August 9, 2011 and February 15, 2012. Last year, the British High Court of Justice had blocked the class action by refusing permission to serve proceedings on Google. See here for more.
The Court of Appeal had decide whether the High Court of Justice was “right to hold that a claimant cannot recover uniform per capita damages for infringement of their data protection rights under section 13 [of the Data Protection Act 1998, DPA] [1] without proving pecuniary loss or distress”.
The Court rejects Google’s argument that an injury in fact is required for the lawsuit to proceed. The Court refers to Vidal-Hall v. Google Inc [2015] EWCA Civ 311, to make the point that terms coming from EU “an autonomous meaning which will not necessarily accord with their interpretation in domestic law” Decision at 40. Interpreting Article 13 DPA, the Court needs to refer to Article 23 of Directive 46/1995 (“Directive”) of which Section 13 DPA is the implementation. Also, both Section 13 DPA and Article 23 Directive must be “on the basis that they were giving effect to one aspect of article 8 of the Convention [ European Convention for the Protection of Human Rights and Fundamental Freedoms [2] and… to article 8 of the Charter [of the Charter of Fundamental Rights of the European Union 2012/C 326/02)” [3]
Article 13 Directive reads: “Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered”
This was a case under Directive 46/1995 and not under the GDPR, however, the Court pointed out that it found it helpful to consider how the GDPR deals with damage. Decision at 64. Article 82.1 of the GDPR talks of “material or non-material damage” and recital 85 talks of “loss of control” over data. While recital 85 actually concerns data breach notification, it is for the Court significant that “loss of control” over personal data is given as an example of the kind of “physical, material or non-material damage” caused by a data breach. Decision at 65.
The Court concludes the following:
For the reasons, I have given, I would conclude that damages are in principle capable of being awarded for loss of control of data under article 23 and section 13, even if there is no pecuniary loss and no distress. The words in section 13 “[an] individual who suffers damage by reason of [a breach] is entitled to compensation” justify such an interpretation, when read in the context of the Directive and of article 8 of the Convention and article 8 of the Charter, and having regard to the decision in Gulati. Only by construing the legislation in this way can individuals be provided with an effective remedy for the infringement of such rights. Decision at 70.
UK Parliament. Author: FGC
The Court also decided other two issues (Issue 2: Was the judge was right to hold that the members of the class did not have the same interest under CPR Part 19.6(1) and were not identifiable? and Issue 3: Can the judge’s exercise of discretion be vitiated?) but these are nor relevant to our analysis.
Read the full decision at https://www.judiciary.uk/wp-content/uploads/2019/10/Google.finaldraftjudgment.approved-2-10-19.pdf
For more information, Francesca Giannoni-Crystal
Google.finaldraftjudgment.approved-2-10-19
______________
Notes
[1]
Section 13 of the DPA (“section 13”) provides: “(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage. (2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if— (a) the individual also suffers damage by reason of the contravention, or (b) the contravention relates to the processing of personal data for the special purposes.
[2] Article 8 European convention for the protection of human rights and fundamental freedoms:
Right to respect for private and family life 1. Everyone has the right to respect for his private and family life, his home and his correspondence
[3] Article 8 of the Charter of Fundamental Rights of the European Union 2012/C 326/02 provides:“[e]veryone has the right to the protection of personal data concerning him or her