A barrister for the Information Commissioner’s Office hinted the regulator would stop enforcing the law on data breaches if the Supreme Court sides with Google in a case about class-action lawsuits.
The startling threat was made on behalf of the ICO by barrister Gerry Facenna QC, who was intervening on the authority’s behalf in the Lloyd v Google data protection case.
“If a large number of data subjects have had their data lost, then they have per se suffered damage: harm of the type that I described, namely loss of control of their data,” Facenna told judges in the UK’s highest court. “That is the commissioner’s view of these provisions, that’s the basis on which she takes regulatory action at the moment. If the word ‘damage’ in this regime does not include mere loss of control, it would have to be taken into account in the exercise of those regulatory barriers.”
Facenna was speaking about the difference between a “loss of control” of data by a data controller and “damage” suffered by data subjects as a result of that loss. A loss of control (as alleged here, using personal data given for one purpose for something else altogether) is against the law.
Google previously argued in the case that in law there should be a difference between loss of control and damage, saying that even though it caused the loss of control of millions of Safari users’ data it shouldn’t be held liable because there is no coherent proof anyone suffered damage (in the legal sense) as a result.
Facenna’s written submissions to the Supreme Court about this made the ICO’s position plain, saying:
The barrister also insisted that the ICO was not siding with Richard Lloyd, whose Google You Owe Us campaign aims to extract up to £3bn from Google for its early-2010s Safari Workaround naughtiness, up to half of which will go to a venture capital fund backing the campaign.
You can’t consent to something that’s unlawful
Before Facenna’s arguments came Hugh Tomlinson QC, who was putting Lloyd’s case against Google to the Supreme Court’s judges. Tomlinson had argued the exact same thing as Facenna; drawing a legal distinction between loss of control and damage caused by a data breach would, he said, create a great big hole in data protection law for companies who set out to deliberately misuse it.
While accepting that British users of Apple’s Safari browser in the early 2010s were “very unlikely” to have “suffered material damage” from Google slurping their browser-generated information to beam targeted ads at them, Tomlinson added: “It’s obvious the members of the class have the same interest in the claim. Their interest is in establishing Google breached their data protection rights by operation of the Safari Workaround.”
Profiteering and vindication
Lord Burrows, one of the judges, pondered why “culpability for the breach is relevant” for a loss-of-control case. How could suing Google for loss of control be “effective” when the alleged naughtiness was “profiteering” by a business rather than an overtly criminal act?
“My lord,” answered Tomlinson, picking his words carefully, “we say, from the point of view of the claimants, that losing control of your data or private information where someone has given it away, is a different and more serious wrong than one where it has been done accidentally.”
Vivaldi update unleashes the ‘Cookie Crumbler’ to simply block any services asking for consent (sites may break)
Unsatisfied, Lord Burrows got to the heart of his question: “But it sounds to me – I’m putting it to you now, that what you’re focusing on is not loss of control, you’re focusing on the nature of the breach and that is what you’re seeking the award for. This isn’t compensation at all, that you are in effect asking about something like vindicatory damages.”
It was explained earlier that vindicatory damages wouldn’t be available for Lloyd’s claim against Google. Dropped in front of a treacherous hill, Tomlinson shifted down a gear, looking the least confident that he had at any point in this case since 2018.
“I am certainly, as your lordship knows for reasons which concern the constitution of a representative action – I cannot focus on the individual circumstances of the claimants because that would make it impossible to have a collective action. So I am focusing on the nature of the breach,” said the QC.
And we get back to the money
As for the funding of Lloyd’s case, Tomlinson was blunt: without Therium Capital Partners LLC backing it and paying Lloyd his £50,000 salary, suing Google “wouldn’t have been practical in this case.” He also revealed that Lloyd’s lawyers would be “seeking an order that [if it lost the main case] Google paid damages to the representative on behalf of the members of the class.”
This means Lloyd and his backers would have control of whatever compensation Google was ordered to pay out.
Lord Leggatt, another judge, asked about this. “Suppose damages are awarded on the basis the claimants are entitled to £500 or whatever it is. What is the legal basis for the first part of that sum to be paid out to the litigation funders without their consent? [The members of the class] never signed up to the litigation funding?”
“Because,” replied Tomlinson, “that is the cost of obtaining the damages. It’s the cost of getting in the fund.”
Lord Leggatt replied: “They didn’t choose that the funders should get the first 40 per cent or whatever it is.” Google has previously pointed out in court that Therium Litigation Funding IC is in fact entitled to 50 per cent of the winnings.
Tomlinson dismissed this by saying members of the representative class could take whatever pittance Lloyd offered them or go away and start their own lawsuit, saying: “Your lordship is right, of course, they didn’t authorise it but the position is, without the funders, there’d be no fund at all, and as I say [members of the class] have the option to come to court and say ‘we don’t want anything to do with this action.’ Or ‘we want to proceed on our own.’ Or ‘we’re not interested in it in any way.'”
Realising this approach would mean that damages awarded to millions of people would end up concentrated in the pockets of a tiny handful, Lord Leggatt persisted: “I’m not sure how you say damages awarded to them can be allocated without their permission to litigation funders… what’s the legal principle there, more precisely? Inherent jurisdiction, restitutionary principle? What is it?”
“Mr Lloyd is the trustee of the funds,” explained Tomlinson. “He would hold it on trust for a member of the class. The trustee is entitled to remuneration for getting in the trust’s property. It is on that analogy, we say, one of the costs of getting in the trust property is the cost of funding the litigation.”
The case has now concluded and judgment will be handed down in the not-so-near future. It will set a binding precedent on how class-action lawsuits go ahead in future, so the principles here will set the tone of mass data protection lawsuits for the 2020s.
Once the Supreme Court rules on the legal question being decided here (whether Lloyd should have been refused permission to serve his not-quite-a-class-action case on Google), a lower court will have a full hearing of the Data Protection Act rights and wrongs – and, in turn, that court’s future decision will probably end up being appealed every which way. The odds of any ordinary person receiving a payout from Google are remote in the meantime, but El Reg will be chronicling it all nonetheless. ®