Having data privacy rights is no good if you can’t claim them

The focus of legal discussions on data protection and privacy is normally placed on the extent of the rights conferred by law on individuals. But as litigators painfully know, having a valid claim in law is not the same as succeeding in court, because being “right” is a costly affair and litigation funding is a key component of success.

The civil justice system in England and Wales, which governs claims between individuals (and businesses), is on its knees and has been for many years. After successive cuts in the civil justice budget, the closure of the courts and the abolition of financial assistance to litigants (in the form of legal aid in civil cases), litigation in civil courts is too costly and, therefore, illusory for most claimants except the wealthiest. It is therefore high time that the UK Government consider enacting legislation providing a clear and comprehensive framework for class actions. Class actions allow civil plaintiffs to pool resources and share costs, and allow for the development of sophisticated litigation funding strategies, which address the issue of access to justice.

Nowhere is this more evident than in the technology sector. While the Internet, user-generated content, user profiling and tracking, search engines and ambient computing all fuel the exploitation of big data (including personal data) for wealth creation, the flip side of all this data science innovation is the endless possibilities for privacy breaches that threaten human autonomy. Users in the European Union (EU) gained a range of “data subject” rights in 2018, under the flagship EU data protection law, with the sexy name of “General Data Protection Regulation” or GDPR. But the GDPR has steered away from an effective class action regime. More on that later. This is no doubt due to the poor reputation of American-style class action regimes.

At the end of 2021, the Supreme Court of the United Kingdom (UK) was to decide whether or not to allow a representative action brought by Richard Lloyd, a consumer rights defender, on behalf of the more than 4 million users who had been spied on by Google advertising cookies. In a long-awaited ruling, the UK’s highest court said the action could not go ahead, even though the court ruled that plaintiff Richard Lloyd would likely have won had he brought the action in his own name. The reason for this is that a person trying to bring a representative action faces a conundrum. It is for this reason that representative actions are rarely used, even though they are long established under English common law.

The context of this case is the so-called Safari workaround, which allowed Google in 2011-2012 to place cookies on Apple devices, even though they were designed to prevent such cookies from being placed. This placement was made without the knowledge or consent of users, most likely in violation of EU data protection law.

Given the overwhelming and dominating power of a few dozen Big Tech companies and the exponential growth in the exploitation of our private information as big data, it seems fair to ask whether a class action system is not necessary in Europe (i.e. both EU and UK) to rebalance the struggle between minimizing collateral damage to our privacy and technological innovation. This is important both from the point of view of consumers and citizens and of the importance of civil liberties for society as a whole.

So what is the conundrum with the existing tool of representative actions in the common law civil justice toolkit? It is this: the plaintiff must essentially demonstrate that all plaintiffs represented “have the same interest”, but a claim for compensation, for breach of data protection law, must be assessed individually. In other words, the amount of compensation each claimant receives depends on many factors, such as their Internet usage, the nature of the information collected (for example, has a user visited pornographic websites or gambling or accessed medical information?) and the amount of distress caused. This individualized assessment means that the plaintiffs represented in the action do not have “the same interest”. This decision, which means a clear victory for Google (at least for now), also means that a claim for damages in these cases cannot be brought through a representative action.

This is all the more frustrating as in a previous case of telephone hacking by newspapers (Gulati vs. MGN [2017] QB 149), which went all the way to the English Court of Appeal, the judges confirmed that if the plaintiff bases his claim on the tort of misuse of private information, the plaintiff need not prove the damage he has suffered – the breach of privacy itself amounts to a loss of control over private information and this loss is the relevant damage – so there is no need to assess the loss individually.

But of course, before plaintiffs can successfully establish that their privacy has been breached in a way that entitles them to compensation, they must demonstrate that they had “reasonable expectations of privacy”. Much depends on the circumstances; for example, there is less expectation of privacy if you are photographed in a public place compared to a private place, and more expectation of privacy if you are doing something intimate (like a sexual act) than doing something mundane (like walking down a street). Therefore, this test also requires an individualized assessment of the circumstances, which in many situations could preclude representative action.

A glimmer of hope could be that the Supreme Court’s decision in Google v Lloyd was based on the interpretation of the “old” data protection legislation (the UK Data Protection Act 1998, the national law resulting from the EU Data Protection Directive 1995), which was superseded by the EU GDPR in 2018. Even though the UK has left the EU (at least to date), it has kept the GDPR in its national law and passed the Data Protection Act of 2018 to implement EU standards in the UK. It is now clear that compensation is available for intangible damage (such as emotional harm and distress). But it is not so clear that this expression “immaterial damage” also includes the loss of control over private information as a damage for which compensation can be obtained. However, the inclusion of different types of non-material damages in the statutory scheme may mean that a prospective claimant may succeed in a representative action based on the Data Protection Act 2018. Instead of relying on an individualized assessment of distress, a future court may recognize another type of damage that applies equally to all plaintiffs in a representative action.

In the David vs. Goliath fight between individual claimants and Big Tech, it’s important that David has a chance. Big tech companies operate across international borders and have endless resources, making it nearly impossible for plaintiffs to succeed in massive privacy breach cases. This imbalance should be urgently corrected through class action programs for data protection and privacy litigation that allow claimants to share the costs of litigation. The government will have to review the effectiveness of class actions in data protection cases in 2023. It is undoubtedly time to act!
