Google's Unpalatable Cookies

In Lloyd v Google [2019] EWCA Civ 1599 (Lloyd), the Court of Appeal held that a claimant can recover damages for infringement of data protection rights under section 13 of the Data Protection Act, without proving pecuniary loss or distress.

The case concerned Google’s use of cookies on Safari internet browsers. In a nutshell, Google’s ‘DoubleClick Ad’ cookie enabled Google to gather information about users of the Safari browser, without their knowledge or consent. This information concerned the date and time of a user’s visit to a website, how long the user spent there, the frequency with which pages were visited, what ads were viewed for how long, and the user’s approximate geographical location.

The court held, in essence, that tracking a person’s data without their permission justifies, without more, an award of damages. The judgment is a welcome one. It is correct as a matter of law, recognises the value of control over one’s information and justifies an award of damages for infringements of that right, rather than declaratory relief.

The implications of Gulati, Lumba and Vidal-Hall

The decision in Lloyd is correct as a matter of law. First, Vos LJ corrected the approach of Warby J in the High Court concerning the implications of Gulati v MGN Limited [2015] EWCA Civ 1291 (CA) (Gulati). The ratio of Gulati is clear: ‘The loss of the right to control is damage in itself’ (Gulati [48]). There is no requirement that the infringement have a significant or material adverse effect on the claimant.

Warby J suggested that ‘some claimants would not have minded their data being used’. However, this misses the point. The loss the claimants suffered was the opportunity to exercise their consent to the use of their data. In Vos LJ’s words, ‘the key to these claims is the characterisation of the class members’ loss as the loss of control or loss of autonomy over their personal data’ [45].

The function of torts actionable per se is to compensate for wrongful interference with some underlying protected interest. This interference constitutes ‘damage’ in itself. No further consequential material loss is required. Compensation performs a ‘vindicatory’ function, reinforcing values that deserve to be observed and promoted for their own sake. As Professor Varuhas has pointed out in his recent book ‘Damages and Human Rights’, this can be contrasted with ‘vindication’ in the more trivial sense in which ‘any affirmation by the law of the existence of a right or obligation constitutes vindication’ (at p 17). 

Thus, the award of damages in Lloyd was not an award of vindicatory damages for breach of a constitutional right, the kind which the Supreme Court rejected in R (Lumba) v Secretary of State for the Home Department [2012] 1 AC 245. The award in Lloyd was compensatory, not vindicatory. Damages compensated for the loss of the right to control information about oneself.

However, Vos LJ held that there is a threshold requirement in respect of claims for damages for loss of control over one’s information. That threshold excludes ‘a claim for damages for an accidental one-off data breach that was quickly remedied’ [55]. Any such threshold should be limited to the most trivial infringements and vexatious claims. To suggest otherwise risks confusing the questions of liability and quantum.

Finally, Vos LJ stated that while the action for misuse of private information is distinct from the action for breach of the Data Protection Act, courts are justified in adopting a consistent approach to both actions. ‘Both actions protect the individual’s fundamental right to privacy; although they have different derivations, they are, in effect, two parts of the same European privacy protection regime’. This is welcome. As the Court of Appeal recognised in Vidal-Hall v Google Inc [2015] EWCA Civ 311, it would be “irrational” to treat EU data protection law as more restrictive than the ECHR:

The object of the Directive is to ensure that data-processing systems protect and respect the fundamental rights and freedoms of individuals, ‘notably the right to privacy, which is recognized both in article 8 of the [Convention] and in the general principles of Community law’.

The value of control

In R v Broadcasting Standards Commission, Ex p British Broadcasting Corporation [2001] QB 885, Lord Mustill stated ‘an infringement of privacy is an affront to the personality, which is damaged both by the violation and by the demonstration that the personal space is not inviolate’.

The right to privacy ought to protect a right to control the information one shares with the wider world. In the words of Professor Charles Fried: ‘Privacy is not simply an absence of information about us in the minds of others; rather it is the control we have over information about ourselves’.  In other words, control over information about ourselves is constitutive of our personality.

For example, the ability to control with whom we share information about ourselves enables us to form relationships. We choose to disclose more personal information to our partner than to our employer. That choice makes these relationships what they are. If we revealed intimate information about our sex lives to our employer, we would change the relationship into a more personal one. Our employer might insist on the relationship remaining a purely professional one. Thus, privacy conventions establish a ‘boundary between what we reveal and what we do not’. That boundary, and some control over it, is ‘among the most important attributes of our humanity’ (Thomas Nagel, ‘Concealment and Exposure’ (1998) 27(1) Philosophy & Public Affairs 3).

A property right in one’s data?

The decision in Lloyd is commendable for a further reason. By drawing attention to the economic value of control over one’s data, Vos LJ resisted any objection that compensation would be unnecessary for the vindication of the right to control one’s information:

‘EU citizens can obtain free wi-fi at an airport in exchange for providing their personal data. If they decline to do so, they have to pay for their wifi usage. The underlying reality of this case is that Google was able to sell BGI collected from numerous individuals to advertisers who wished to target them with their advertising. That confirms that such data, and consent to its use, has an economic value.’

Moreover, by highlighting the economic value in control of one’s data, Vos LJ provided a useful mechanism for determining quantum. He therefore avoided any objection that there would be no principled method of calculating damages. Such an argument was endorsed by the Court of Appeal in Shaw v Kovac [2017] EWCA Civ 1028, [71].

It could be argued that relying on the economic value in control of one’s data to justify an award of damages risks confusing, on the one hand, the notion that the infringement of the right to control one’s data is damage in itself, and, on the other hand, the consequential loss suffered on foot of the infringement of that right.

However, highlighting the economic value in control of one’s data does not undermine the notion that the award of compensation is warranted for the breach of the right to control, which is damage in itself. Calculating quantum is simply made clearer by paying attention to the economic value of that control. Even if the data obtained had no economic value, an award of damages could still be justified. That follows from the fact that infringement of the right to control is damage in itself.

Moreover, having regard to the economic value of the data is distinct from compensating for economic loss incurred on foot of an infringement of a right. If economic loss is suffered by a claimant as a result of an infringement of the right to control their information, that would warrant a further head of compensation, independent to compensation for the breach of the right to control the data.

Vos LJ recognised, by way of obiter dicta, that ‘negotiating damages’ could, in principle, be awarded to the claimants in this case. Where unlawful use is made of property, and the right to control such use is a valuable asset, ‘the person who makes wrongful use of the property prevents the owner from exercising his right to obtain the economic value of the use in question, and should therefore compensate him for the consequent loss’ (One Step (Support) Ltd v Morris-Garner [2018] UKSC 20, per Lord Reed (One Step)).

In the context of personal data, however, an award of One Step damages is distinct from compensation for material losses consequential to the infringement of the claimant’s right. Rather, One Step damages would compensate the claimant for the defendant’s gainful use of the claimant’s property (or data) without the claimant’s consent. The claimant need not have suffered any material loss. He is entitled to compensation simply because, in Lord Reed’s words in One Step, the defendant ‘takes something for nothing, for which the owner was entitled to require payment’. When calculating the amount of payment which the claimant could have required for the data – and therefore the amount of compensation warranted for the breach of the right to control the data – it is appropriate and convenient to have regard to the economic value of the data, as Vos LJ did.

Finally, in English law, data is not a form of property. However, Vos LJ suggested that 'that question may in due course need to be revisited' [46]. In a post on the Oxford Property Law Blog Professor McFarlane has recently remarked that data could be held on trust for one person for the benefit of another, in a manner akin to property. However, he resists the idea of a property right in one’s data, in the sense of ‘something held by B, so that if X interferes with that thing, X will be strictly liable to B’. Vos LJ’s judgment implicitly opens up precisely that notion.

Alastair Richardson is a recent graduate of the BCL at the University of Oxford and a Research Assistant at the Law Commission of England and Wales. The views expressed here are his own, not those of his employer.