The Court of Appeal have allowed a class of four million UK iPhone users to serve their representative action suit on Google.

In doing so, the Court has harmonised damages across data protection and misuse of private information claims, making it easier for claimants– especially represented claimants– to bring claims.


In June 2018, IP Harbour reported on a representative action launched against Google. Richard Lloyd leads the action, on behalf of campaign group, Google You Owe Us, and a class of over four-million iPhone users. Their claim arises out of Google’s Safari Workaround, the subject of the landmark case of Vidal-Hall v Google Inc.

In Vidal-Hall, Google were found to have placed code onto iPhones which bypassed Safari’s block on third party cookies. (Read more about third party cookies here.) This allowed them to use cookies to track users’ internet activity without their knowledge or consent. The cookies relayed users’ browsing activity to Google who used to divide them into advertisement categories. At the time, 96% of Google’s revenue was generated by advertisement, totalling $36.5bn.

In June 2018, Lloyd applied to the High Court to serve the claim out of jurisdiction on Google, who are based in Delaware, United States. In October 2018 Mr Justice Warby refused permission, on the following grounds:

  1. none of the represented class had suffered “damage” under section 13 of the Data Protection Act 1998 (the “DPA”);
  2. the members of the class did not anyway have the “same interest” within CPR Part 19.6(1) so as to justify allowing the claim to proceed as a representative action; and
  3. his own initiative and discretion under CPR Part 19.6(2) against allowing the claim to proceed.

In Lloyd v Google LLC [2019] EWCA Civ 1599, the Court of Appeal considered Warby J’s reasons and disagreed with all three. Their ruling on the first reason is particularly interesting.


Vidal-Hall determined that distress could be deemed damage under section 13(1) DPA. However, Lloyd was not pleading distress, but that the commissioning of the tort of misuse of private information caused a loss of control over personal data and infringed their rights.

An award of damages requires a threshold of seriousness or lack of triviality to be crossed [see para. 43]. But there was a question as to whether the court can award damages where no consequence is pleaded save for the mere commissioning of the tort or act of infringement itself. Warby J characterised such damages as vindicatory damages, a remedy found in public law cases concerning constitutional rights, see R (Lumba) v. Secretary of State for the Home Department [2012] 1 AC 245 at [97-100].

The Supreme Court in Lumba [101] said that to allow an award of vindicatory damages would result in undesirable uncertainty. Following this, Warby J found that the damage was not damage under the DPA and Lloyd could not pass the gateway to service out of jurisdiction.

The Court of Appeal disagreed. Beginning from a different premise, they held that control over personal information is valuable because personal information is valuable [47]. They cited examples of people paying to retain control and privacy over their information when opting to pay to use free Wi-Fi. They also pointed to the fact that Google makes billions from the collection and use of this information.

They then distinguished Lumba. In doing so, they held that Lloyd was not claiming vindicatory damages, but compensatory damages [63]. This allowed them to reconsider section 13 DPA, which they did by relying on Gulati v MGN [2015] EWCA Civ 1291. In Gulati, the court held that a loss of control over telephone data was damage for which the court could compensate. The Court of Appeal held that it would be “wrong in principle” if Lloyd and the represented claimants’ loss of control could not also be compensated [57].

Gulati was a DPA claim and the court recognised at [28] that Warby J had rightly construed section 13 DPA as not providing a basis for compensation for loss of control. However, they established such a basis on the grounds that both MPI and section 13 “derive from the same core rights to privacy” as well as “from a common European right to privacy” [57]. With this, the Court of Appeal has moved towards greater alignment of remedies across DPA and MPI claims.


The effect of this judgment is that compensation is now available to those claiming loss of control of personal data and there is no longer a requirement to prove any other kind of damage or distress.

This will no doubt make it easier to bring and win data protection claims, whether on DPA or MPI grounds. And those likely to benefit most are represented groups.

Previously, in the absence of provable damage, such groups relied on distress. This was tricky because they would all have to have suffered the same level of distress in order to have the same interest in the litigation. The likelihood of this being the case, and of satisfying the court that this is the case, was extraordinarily low. But with loss of control damages now available, each member need only show the same type of damage suffered– a much easier task.