When the Supreme Court handed down its judgment on 1 April 2020 in Morrisons v Various Claimants ([2020] UKSC 12), employers and insurers might well have thought that they no longer needed to worry about data protection mass claims. The unanimous judgment, given by Lord Reed, runs to 19 pages of well-argued dismantling of the Claimants' case and overturns the Court of Appeal's earlier judgment ([2018] EWCA Civ 2339); to many it seemed to mark an end to the possibility of 'class action' 'data breach' lawsuits.
The argument that will be put here is this: where the controller has benefited from its infringement of data protection law, it should be held liable for that infringement. That argument distinguishes the claim in Lloyd v Google from that in Morrisons and from a number of other cases in which damages claims have been made.
The facts of Morrisons are that a disgruntled employee used his lawful access to the supermarket chain's payroll data to publish that data unlawfully. Whilst some 100,000 employees' data was thus exposed, fewer than 10,000 signed up to the claim, the main plank of which was that, as employer, Morrisons was vicariously liable for the acts (rightful or wrongful) of the rogue employee, and thus liable to the claimant class. Ultimately, according to the Supreme Court, the case turned on that question of vicarious liability: was Morrisons to be punished for the unauthorised acts of its employee by being ordered to pay damages to the affected (innocent) employees? In that context, the Supreme Court held resoundingly that it was not.
The same week that the Supreme Court found in Morrisons' favour, the claimants in Atkinson v Equifax Limited (a representative action brought by Mr Atkinson) withdrew their claim, bringing an end to that particular complaint. The complaint was that, contrary to the Data Protection Act 1998 (DPA98), Equifax had failed to take appropriate technical and organisational measures against the unauthorised and unlawful processing of the claimant's (and the represented class's) personal data; as a result, the claimant argued, when Equifax notified the Information Commissioner of a data security breach resulting in unauthorised access to some one and a half million data subjects' personal data, those data subjects had suffered compensatable loss.
And now we read of the claims against Marriott, which are being brought as if they were Lloyd v Google cases (see below). We would argue that the Marriott claims are more likely of the Morrisons type.
The third recent case that appears to fit in the same group is Lloyd v Google ([2019] EWCA Civ 1599). For full disclosure, the firm acts in this case for the claimant, Richard Lloyd. Here, using the representative action route under the Civil Procedure Rules (CPR 19.6), the claimant seeks compensation for infringement of his (and the class's) DPA98 rights (which the Court of Appeal categorised as 'loss of control of personal data' rights), in respect of Google's unlawful processing of users' browsing data, without the users' knowledge or consent, for profit-making purposes. The estimated class size is over four million people.
For the purposes of the cases discussed in this article, the relevant sections of the DPA98 and Articles of GDPR (Regulation (EU) 2016/679) may be treated as identical, although, in fact, the language of GDPR is arguably more welcoming of claims for damages.
We would argue that there are a number of types of case which, viewed from a great height, look as if they fall into the same bucket, namely data subjects seeking damages for infringement of GDPR, but which, on closer inspection, have very different storylines and deserve to be treated very differently. The argument propounded here is that the Lloyd v Google situation is distinguishable from the others.
The different types of case may be summarised as follows:
The Class 1 Case – the 'lack of care loss': where the controller took (or did not take) appropriate steps to protect the personal data, but nonetheless the data was in some way compromised. In Morrisons, the appeal centred on the question of vicarious liability rather than on whether Morrisons had taken the appropriate steps required under Principle 7, Schedule 1 of DPA98 (or Article 5(1)(f) of GDPR) to look after the personal data in question. What mattered on appeal was whether Morrisons, as employer and controller, was liable for the acts of an employee who acted outside his remit.
The question of whether the DPA98 Principle 7 obligation (that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data") was met was answered in the affirmative in the High Court judgment. This article does not seek to focus on whether that was the right conclusion for the Court, but I do note that the issue of vicarious liability was, in my view, a red herring. The key question that should still have been addressed was probably whether Principle 7 was met or not, and that question might have been further answered by reference to the steps taken to prevent an employee from going rogue. In the absence of an appeal of that first instance decision, vicarious liability became the central theme of the arguments and of the Supreme Court judgment, but it should not have. Had the Supreme Court ultimately been able to consider the case from the perspective of Principle 7, it might have come to the same conclusion, namely that Morrisons was not liable because it had taken appropriate steps; but, by not being taken to that issue, the case missed providing much-needed assistance to controllers as to where the boundaries of their obligation lie.
The Class 1(b) Case (a close cousin of the standard Class 1 case) – the 'data hack': where the controller took (or, again, did not take) appropriate steps to protect the personal data, but nonetheless the data was in some way compromised because a third party took it. This is the more traditional hack or data security case, and Equifax serves as an example. The usual claim rules apply: did the infringement of DPA98/GDPR occur, did the claimant suffer the loss addressed in DPA98/GDPR, and was that loss caused by the infringement? Based on the pleaded case and defence, the representative claimant in Equifax decided to withdraw much of the claim.
Class 2 – the 'data loss': this is perhaps just a version of Class 1. Readers will recall the various cases of NHS Trusts being fined (made subject to a monetary penalty notice) under DPA98 when doctors or managers left a laptop on a train, and the ICO would pounce on that very fact as proof of infringement of Principle 7. In those cases there was no actual taking or publication of data, but a straightforward contravention of the Principle.
Class 3 – the 'data abuse': this is fundamentally different, and is why this piece argues that Morrisons is not the end of the story of claims being brought, and succeeding.
In Google, the controller, it is argued (adopting the arguments put in the precursor case of Vidal-Hall), was in contravention of its obligations under DPA98, and sought to monetise the personal data it wrongfully processed. Whether 'loss of control' or some other theory is the right language does not matter. What matters is that, contrary to the law, the controller took data obtained from Lloyd (and some 4.4 million others) for one purpose and used it for another, for financial gain to itself as controller. There was no third party involved, no hacker or data thief, no data loss. Class 3 is entirely different from Class 1 (either example) and Class 2. In Class 3, unless the claimant data subject is compensated, the wrongdoer controller will have been able to avoid its obligations at no cost to itself and without paying compensation to the 'wrongdone' data subject. Unless compensation is paid, in Google the wrongdoer makes the gain at no cost to it.
The Court in Morrisons was asked to make a very different, and difficult, determination – should the employer-controller, Morrisons, be penalised when its own (rogue) employee was the cause of the infringement? Or should its employee-data-subject claimants be compensated by Morrisons when, in contravention of data subject rights, the controller lost control of their data? In the event, because the Supreme Court was only tasked with deciding whether the employer was (or, as it found, was not) liable for the wrongful acts of the rogue employee, the key question, of whether as controller it had met its obligations under Article 5(1)(f) GDPR, was not addressed by the Supreme Court.
What is fundamentally different between Morrisons and Equifax (on the one hand) and Google (on the other) is that in Morrisons the controller was also a victim of the wrongdoing (assuming, for present purposes, that it had met the standard required of it to take adequate measures to protect the data entrusted to it), and in Equifax the controller was the victim of a third-party hack (in respect of which it might, or might not, have been in some way culpable), whereas in Google the controller made financial gain from its own infringement of DPA98. That is a key difference, and one which the Court needs to address. If the Supreme Court were to find for Google, it would mean that a controller's own misuse of financially valuable personal data, in contravention of data protection legislation and for financial gain, does not result in compensation to the data subject (or, in Google itself, any cost beyond legal fees to the miscreant controller).
Ultimately, if the claimant does not succeed in Google, controllers are being given the go-ahead to ignore data protection law, a law predicated on data subjects having a fundamental right to protection in relation to the processing of their personal data, with no comeback against the controller when it ignores its data protection obligations.