Oxford University Press's
Academic Insights for the Thinking World

Having data privacy rights is of no use if you cannot claim them - by Julia Hörnle

Having data privacy rights is of no use if you cannot claim them

The focus of legal discussions on data protection and privacy is normally placed on the extent of the rights conferred by the law on individuals. But as litigation lawyers are painfully aware, to have a claim valid in law is not the same as succeeding in court, as being “right” is expensive business and litigation financing is a key part of being successful.

The civil justice system in England and Wales, which governs claims for redress between private individuals (and business), is on its knees and has been so for many years. After successive cuts to the civil justice budget, court closure, and the removal of financial help to litigants (in the form of legal aid in civil cases), for most but the richest claimants, litigation in the civil courts is too costly and, hence, illusory. It is therefore about time that the UK government should consider enacting legislation to provide a clear and comprehensive framework for collective redress. Collective redress allows the pooling of resources between civil claimants, enabling them to share the costs, and enables the development of sophisticated litigation funding strategies, which address the access to justice issue.

Nowhere is this more obvious than in the technology sector. While the internet, user-generated content, user- profiling and tracking, search engines, and ambient computing are all greasing the exploitation of big data (including personal data) for wealth creation, the flip side of all this data science innovation are endless possibilities for privacy infringements, which threaten human autonomy. Users in the European Union (EU) have obtained a gamut of “data subject” rights in 2018, under the EU’s flagship data protection law, with the sexy name “General Data Protection Regulation” or GDPR. But the GDPR has shied away from an effective collective redress regime. More to that later. Arguably this is because of the bad reputation of United States-style class action regimes.

At the end of 2021, the Supreme Court of the United Kingdom (UK) had to decide whether to allow a representative action brought by Richard Lloyd, a consumer rights champion, on behalf of the more than 4 million users who had been spied upon by Google’s ad cookies. In a long-awaited ruling, the highest court in the UK held that the action could not proceed, even though the Court found that the claimant Richard Lloyd would probably have been successful if he had brought the action on his own behalf. The reason for this is that a person trying to bring a representative action faces a conundrum. It is for this reason that representative actions are infrequently used, even though they are long-established under the English common law.

The background to this case, is the so-called Safari workaround, which allowed Google in 2011-2012 to place cookies on Apple devices, even though they had been designed to prevent the placement of such cookies. This placement was without the knowledge or consent of users, most likely in breach of EU data protection legislation.

Given the overwhelming and dominant power of a few dozens of Big Tech companies and the exponential growth of the exploitation of our private information as big data, it seems right to ask whether a collective redress system is not needed in Europe (meaning both the EU and the UK) to rebalance the struggle between minimizing the collateral damage to our privacy with technological innovation. This is important both from the perspective of individual consumers and citizens as well as the importance of civil liberties for society as a whole.

Therefore what is the conundrum with the existing tool of representative actions in the toolbox of common law civil justice? It is this: the claimant essentially must show that all the claimants represented “have the same interest,” but a claim for compensation, for breach of data protection law, must be individually assessed. In other words, how much money each claimant gets in compensation depends on many factors, such as their internet use, the nature of the information collected (for example, has a user visited pornographic or gambling websites or accessed medical information?), and the amount of distress caused. This individualised assessment means that the claimants represented in the action do not have “the same interest.” This ruling, which means a clear victory for Google (at least for now), also means that a claim for damages in these cases cannot be brought through a representative action.

This is all the more frustrating as in a previous case on phone hacking by newspapers (Gulati v MGN [2017] QB 149), which went as far as the English Court of Appeal, the judges confirmed that if the claimant frames his claim under the tort of misuse of private information, the claimant need not prove what damage he or she has suffered—the privacy infringement itself amounts to loss of control over private information and this loss is the relevant damage—hence no need to assess the loss individually. 

But of course, before claimants can succeed in establishing that their privacy has been infringed in a way which entitles them to compensation, they must show that they had “reasonable expectations of privacy.” This very much depends on the circumstances; for example, there are fewer expectations of privacy if you are photographed in a public place compared to a private place and more expectations of privacy if you are doing something intimate (such as a sexual act) compared to doing something mundane (such as walking down a street). Therefore this test also requires an individualised assessment of circumstances, which in many situations might bar a representative action.

One ray of hope might be that the Supreme Court ruling of Google v Lloyd relied on the interpretation of the “old” data protection legislation (the UK Data Protection Act 1998, the national law stemming from the EU 1995 Data Protection Directive), which was superseded by the EU GDPR in 2018. Even though the UK has left the EU (at least to date), it has retained the GDPR in its national law and passed the Data Protection Act 2018 to implement EU standards in the UK. This now makes it clear that compensation is available for non-material damage (such as injury to feelings and distress). But whether this phrase, “non-material damage,” also includes loss of control over private information as a damage for which compensation may be obtained is not so clear. However, the inclusion of different types of non-material damage in the statutory scheme may mean that a future claimant may be successful in a representative action based on the Data Protection Act 2018. Instead of relying on an individualised assessment of distress, a future court may recognize a different type of damage which equally applies to all claimants in a representative action.

In the David versus Goliath fight between individual claimants and Big Tech, it is important that David is given a chance. Big Tech companies operate across international borders and have endless resources—this makes it almost impossible for claimants to succeed in mass privacy infringement cases. This imbalance should be urgently addressed through collective action schemes for data protection and privacy disputes that allow claimants to share the costs of litigation. The government will have to review the effectiveness of collective redress in data protection cases in 2023—arguably, it is time to act!

Featured image by FLY:D.

Recent Comments

There are currently no comments.