GDPRhub: ICO (UK) - Cabinet Office (https://gdprhub.eu/index.php?title=ICO_(UK)_-_Cabinet_Office&diff=21702), revision of 2021-12-06T21:29:54Z<p>Mariam-hwth: Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO (UK) |DPA_With_Country=ICO (UK) |Case_Number_N..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|DPA-BG-Color=background-color:#023868;<br />
|DPAlogo=LogoUK.png<br />
|DPA_Abbrevation=ICO (UK)<br />
|DPA_With_Country=ICO (UK)<br />
<br />
|Case_Number_Name=Cabinet Office<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Information Commissioner's Office<br />
|Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/mpns/4019105/cabinet-office-mpn-202112.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=15.11.2021<br />
|Date_Published=02.12.2021<br />
|Year=2021<br />
|Fine=500000<br />
|Currency=GBP<br />
<br />
|GDPR_Article_1=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1f<br />
|GDPR_Article_2=Article 32(1) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#1<br />
|GDPR_Article_3=Article 33(1) GDPR<br />
|GDPR_Article_Link_3=Article 33 GDPR#1<br />
<br />
<br />
|National_Law_Name_1=Paragraph 15(1), Part 2, Schedule 2 Data Protection Act 2018<br />
|National_Law_Link_1=https://www.legislation.gov.uk/ukpga/2018/12/schedule/2/paragraph/15/enacted<br />
<br />
|Party_Name_1=Cabinet Office<br />
|Party_Link_1=https://www.gov.uk/government/organisations/cabinet-office<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Information Commissioner's Office (UK DPA) imposed a fine of approximately €585,739 on the Cabinet Office for a data breach in violation of Articles 5(1)(f) and 32(1) GDPR. The New Year 2020 Honours List was published including the postal addresses of the recipients of the Honours.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 27 December 2019, the UK Cabinet Office (department of the Government of the United Kingdom) published the content page of the New Year 2020 Honours List on its website. The content page contained a link to a CSV file version of the Honours list that was not adequately edited to remove personal data. The CSV file contained the postal addresses of Honours recipients in a column that had been “hidden” rather than completely “deleted” from the CSV file. Despite the various steps taken before publishing the CSV file, no one within the Cabinet Office teams working on the Honours List noticed that the column was only “hidden”. The column was still there and became visible again once the CSV file was made available online on gov.uk.<br />
<br />
The Cabinet Office was alerted to the data breach by a member of the Government Communications Team. The Cabinet Office then republished the content page without the link to the CSV file. However, anyone who already had the exact URL of the CSV file could still access it despite this change. This is because documents cannot be removed from the gov.uk website once they have been published.<br />
<br />
The issue was escalated and eventually the CSV file was permanently deleted around 2 hours and 30 minutes after it was first made available. It was found that the CSV file was accessed 3872 times from 2798 IP addresses.<br />
<br />
The Cabinet Office alerted affected data subjects within 48 hours of the data breach and submitted a Personal Data Breach Report to the ICO within 72 hours of becoming aware of the breach.<br />
<br />
The Cabinet Office confirmed there was no written process in place to approve documents containing personal data prior to being published to ensure the content was suitably redacted. Additionally, the Cabinet Office’s page for best practice on data handling had not been updated for six months despite the introduction of new software used to produce the Honours List (which contained a column for addresses). Various other security concerns were identified in an independent review commissioned by the Cabinet Office (data being accessible to team members who do not need access; lack of testing of software to ensure it is robust enough; lack of monitoring of training for staff).<br />
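<br />
A hidden column that is still written to the CSV is the kind of defect an automated pre-publication gate catches. The following is an added example, not code from the Cabinet Office, the ICO or GDPRhub: it rebuilds the file from an allowlist of approved columns and scans every cell for postcode-like values. The column names, the sample rows and the simplified postcode pattern are assumptions.<br />

```python
import csv
import io
import re

# Assumption: columns signed off for publication (illustrative names only).
APPROVED_COLUMNS = ("Order", "Level", "Award", "Name", "Citation", "County")

# Simplified UK postcode shape: outward code, optional space, inward code.
UK_POSTCODE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b", re.IGNORECASE)

# Constructed sample export: the last column is the one that was "hidden" in
# the spreadsheet view but is still present in the file. All values are fictitious.
SAMPLE = (
    "Order,Level,Award,Name,Citation,County,Correspondence Address\n"
    'Order of the British Empire,Member,MBE,A. Example,'
    'For services to testing,Exampleshire,"1 Sample Road, Testville, ZZ99 9ZZ"\n'
    'Order of the British Empire,Officer,OBE,B. Placeholder,'
    '"For services to testing (2 Test Lane, ZZ98 8ZY)",Exampleshire,'
    '"2 Test Lane, Testville, ZZ98 8ZY"\n'
)


def check_release(csv_text, approved=APPROVED_COLUMNS):
    """Return a list of findings; an empty list means no blocker was found."""
    findings = []
    rows = list(csv.reader(io.StringIO(csv_text, newline="")))
    if not rows:
        return ["file is empty"]
    header = [h.strip() for h in rows[0]]

    # 1. Header allowlist: any column that was not signed off blocks publication,
    #    whether or not a spreadsheet view would display it.
    for name in header:
        if name not in approved:
            findings.append(f"unapproved column: {name!r}")

    # 2. Content scan: address-like values block publication even when they sit
    #    in an approved column or in fields beyond the header width.
    for row_no, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            findings.append(f"row {row_no}: {len(row)} fields, header has {len(header)}")
        for idx, cell in enumerate(row):
            if UK_POSTCODE.search(cell):
                col = header[idx] if idx < len(header) else f"<extra field {idx + 1}>"
                findings.append(f"row {row_no}: postcode-like value in {col!r}")
    return findings


def export_approved(csv_text, approved=APPROVED_COLUMNS):
    """Build the publishable file by copying approved columns into a new file.

    Nothing is hidden or deleted in place: a column that is not on the
    allowlist is never written to the output.
    """
    reader = csv.DictReader(io.StringIO(csv_text, newline=""))
    out = io.StringIO(newline="")
    writer = csv.DictWriter(out, fieldnames=list(approved), lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow({k: (row.get(k) or "").strip() for k in approved})
    return out.getvalue()


if __name__ == "__main__":
    print("raw export:")
    for finding in check_release(SAMPLE):
        print("  BLOCK:", finding)
    cleaned = export_approved(SAMPLE)
    print("after allowlist export:")
    for finding in check_release(cleaned) or ["no findings"]:
        print("  ", finding)
```

The second check still reports the postcode left in a citation, which is why the content scan runs on the final file as well as on the raw export.<br />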
<br />
=== Holding ===<br />
The United Kingdom Data Protection Authority (Information Commissioner’s Office; ICO) held that the Cabinet Office had contravened Article 5(1)(f) of the General Data Protection Regulation (GDPR) when erroneously publishing the CSV file containing the data subjects’ postal addresses. <br />
<br />
The ICO also considered that the Cabinet Office had infringed [[Article 32 GDPR#1|Article 32(1) GDPR]] as it did not have appropriate technical and organisational measures in place to ensure an appropriate level of security.<br />
<br />
The ICO investigated the exemption in Paragraph 15(1) of Part 2 of Schedule 2 of the Data Protection Act 2018, which excludes the application of various rights and obligations to personal data processed for the purposes of conferring an honour or dignity (given by the Government under the name “the Crown”). Article 5 is listed as a provision with which the data controller would not have to comply if the exemption applied. However, the ICO deemed that the exemption did not apply, as the contravention of Article 5(1)(f) through the erroneous publication of addresses was the result of a data security incident (rather than a matter of rights and obligations).<br />
<br />
The ICO considered that a monetary penalty was appropriate given:<br />
- the number of individuals affected;<br />
- the damage or harm (e.g. distress and/or embarrassment); and<br />
- the failure to apply reasonable technical and organisational measures to mitigate any breach.<br />
It also considered the nature, gravity and duration of the infringement. Despite the short time frame of availability (2.5 hours), there was a substantial number of views (3872) and the Honours List is a high-profile event that attracts interest. The ICO also considered that the addresses of high-profile people were disclosed as a result. The ICO highlighted that the breach caused distress to some of the affected individuals (3 complaints were received from affected data subjects).<br />
<br />
The ICO considered the fact that the infringement was negligent. Staff members had been given verbal reminders to remove personal data from files, but there was no written process on how to remove said personal data. There was also no specific approval process in place to ensure personal data was adequately removed from documents intended for publication. <br />
<br />
The ICO identified steps taken by the controller to mitigate damage suffered by data subjects. These included:<br />
- removing the CSV file completely after 2.5 hours;<br />
- 2.5 hours was a short time frame for accessibility; and<br />
- most access occurred prior to the CSV file being completely deleted (when just the link was removed). This indicated that the first steps taken by the Cabinet Office were generally successful, even if the CSV file was still technically accessible in other ways.<br />
The Cabinet Office also took steps to inform data subjects within 48 hours of the breach and ensured that the Police took steps to assess the risk of the affected data subjects. The ICO found that the Cabinet Office took steps to prevent further dissemination of the data, for example by ensuring screenshots of the List posted on Twitter were removed. <br />
<br />
The ICO also highlighted the steps taken by the Cabinet Office to reduce the likelihood of similar events occurring in the future, for example reviewing technical processes, issuing guidance on removing personal data, providing training sessions to staff members, and engaging in an independent review of data handling policies, processes, practice and culture.<br />
<br />
Additionally, the ICO found that the data breach stemmed from a build error in the new software used to produce the Honours List, which caused the generated list to include postal address data in error. Accordingly, the Cabinet Office was responsible for the breach as the Digital and Technology team built the system. Lack of training and guidance available for staff members, including those in the Digital team, was also an important factor.<br />
<br />
The ICO therefore imposed a fine of approximately €585,739 on the Cabinet Office as an effective, proportionate and dissuasive penalty.<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
ICO.<br />
Information Commissioner's Office<br />
DATA PROTECTION ACT 2018<br />
<br />
<br />
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER<br />
<br />
<br />
MONETARY PENALTY NOTICE<br />
<br />
<br />
<br />
To: Cabinet Office<br />
<br />
<br />
Of: 70 Whitehall, London, SW1A 2AS<br />
<br />
<br />
1. The Information Commissioner ("the Commissioner") has decided to<br />
<br />
issue the Cabinet Office with a penalty notice pursuant to section 155<br />
of the Data Protection Act 2018 ("DPA"). This penalty notice imposes<br />
<br />
an administrative fine on the Cabinet Office, in accordance with the<br />
<br />
Commissioner's powers under Article 83 of the GDPR. The amount of<br />
the penalty is £500,000 (five hundred thousand pounds).<br />
<br />
<br />
<br />
2. The penalty is being issued because of contraventions by the Cabinet<br />
Office of Articles 5(1)(f) and 32(1) of the GDPR in that, on 27-28<br />
<br />
December 2019, the Cabinet Office in error published on GOV.UK a CSV<br />
<br />
file which included full correspondence (postal) addresses of-data<br />
subjects (all of whom were 2020 New Year Honours recipients),<br />
<br />
resulting in a disclosure of personal data. This was a breach of Article<br />
5(1)(f) of the GDPR as the Cabinet Office did not process personal data<br />
<br />
in a manner that ensured appropriate security of the personal data.<br />
<br />
Further, at the time of and in the run up to the aforementioned breach,<br />
the Cabinet Office did not have in place appropriate technical and<br />
<br />
organisational measures to ensure a level of security appropriate to the<br />
<br />
risk associated with the processing of data for the purpose of the 2020<br />
New Year Honours List in breach of Article 32(1) of the GDPR.<br />
<br />
<br />
<br />
3. This penalty notice explains the Commissioner's reasons for imposing<br />
<br />
such a penalty, and for the amount of the penalty. Prior to issuing this<br />
penalty notice, the Commissioner carefully considered the Cabinet<br />
<br />
Office's Response to Notice of Intent dated 16 September 2021.<br />
<br />
<br />
Legal Framework<br />
<br />
<br />
4. The Cabinet Office is a data controller for the purposes of the GDPR and<br />
<br />
DPA 2018 because it determines the purposes and means of the<br />
processing of the personal data associated with this incident (Article<br />
<br />
4(7) of the GDPR).<br />
<br />
<br />
5. "Personal data" is defined by Article 4(1) of the GDPR to mean:<br />
<br />
<br />
<br />
"any information relating to an identified or identifiable natural<br />
person ('data subject'); an identifiable natural person is one who<br />
<br />
can be identified, directly or indirectly, in particular by reference<br />
<br />
to an identifier such as a name, an identification number, location<br />
data, an online identifier or to one or more factors specific to the<br />
<br />
physical, physiological, genetic, mental, economic, cultural or<br />
<br />
social identity of that natural person"<br />
<br />
<br />
6. "Processing" is defined by Article 4(2) of the GDPR to mean:<br />
<br />
<br />
"any operation or set of operations which is performed on personal<br />
<br />
data or on sets of personal data, whether or not by automated<br />
<br />
means, such as collection, recording, organisation, structuring,<br />
storage, adaptation or alteration, retrieval, consultation, use,<br />
<br />
disclosure by transmission, dissemination or otherwise making<br />
<br />
available, alignment or combination, restriction, erasure or<br />
destruction"<br />
<br />
<br />
<br />
<br />
7. Data controllers are subject to various obligations in relation to the<br />
processing of personal data as set out in the GDPR and DPA 2018. They<br />
<br />
are obliged by Article 5(2) of the GDPR to adhere to the data processing<br />
<br />
principle set out in Article 5(1).<br />
<br />
<br />
8. Article 5(1)(f) of the GDPR provides that personal data shall be:<br />
<br />
<br />
"processed in a manner that ensures appropriate security of the<br />
<br />
personal data, including protection against unauthorised or<br />
<br />
unlawful processing and against accidental loss, destruction or<br />
damage, using appropriate technical or organisational measures<br />
<br />
('integrity and confidentiality')".<br />
<br />
<br />
9. Article 32 of the GDPR provides:<br />
<br />
"(1) Taking into account the state of the art, the costs of<br />
<br />
implementation and the nature, scope, context and purposes of<br />
<br />
processing as well as the risk of varying likelihood and severity for<br />
the rights and freedoms of natural persons, the controller and the<br />
<br />
processor shall implement appropriate technical and<br />
<br />
organisational measures to ensure a level of security appropriate<br />
to the risk, including inter alia as appropriate:<br />
<br />
(a) the pseudonymisation and encryption of personal data;<br />
<br />
(b) the ability to ensure the ongoing confidentiality, integrity,<br />
availability and resilience of processing systems and services;<br />
<br />
(c) the ability to restore the availability and access to personal<br />
<br />
data in a timely manner in the event of a physical or technical<br />
incident;<br />
<br />
<br />
<br />
<br />
<br />
<br />
(d) a process for regularly testing, assessing and evaluating the<br />
<br />
effectiveness of technical and organisational measures for<br />
ensuring the security of the processing.<br />
<br />
<br />
<br />
(2) In assessing the appropriate level of security account shall be<br />
taken in particular of the risks that are presented by processing,<br />
<br />
in particular from accidental or unlawful destruction, loss,<br />
<br />
alteration, unauthorised disclosure of, or access to personal data<br />
transmitted, stored or otherwise processed."<br />
<br />
<br />
<br />
10. The Commissioner is the supervisory authority for the United Kingdom<br />
as provided for by Article 51 of the GDPR.<br />
<br />
<br />
<br />
11. By Article 57(1) of the GDPR, it is the Commissioner's task to monitor<br />
and enforce the application of the GDPR.<br />
<br />
<br />
<br />
12. By Article 58(1)(d) of the GDPR, the Commissioner has the power<br />
to notify controllers of alleged infringements of the GDPR. By Article<br />
<br />
58(2)(i), the Commissioner has the power to impose an administrative<br />
<br />
fine in accordance with Article 83 in addition to or instead of the other<br />
corrective measures referred to in Article 58(2), depending on the<br />
<br />
circumstance of each individual case.<br />
<br />
13. By Article 83(1), the Commissioner is required to ensure that<br />
<br />
administrative fines issued in accordance with Article 83 are effective,<br />
proportionate and dissuasive in each individual case.<br />
<br />
<br />
<br />
14. Article 83(2) goes on to set out a number of factors to which the<br />
Commissioner should have regard when deciding whether to impose an<br />
<br />
administrative fine and deciding on the amount of the administrative<br />
<br />
fine in each individual case.<br />
<br />
<br />
<br />
<br />
15. The DPA 2018 contains enforcement provisions in part 6 which are<br />
<br />
exercisable by the Commissioner. Section 155 DPA 2018 provides in<br />
relevant part:<br />
<br />
<br />
<br />
"(1) If the Commissioner is satisfied that a person-<br />
<br />
(a) has failed or is failing as described in section 149(2), (3), (4)<br />
<br />
or (5),...<br />
the Commissioner may, by written notice, require the person to<br />
<br />
pay to the Commissioner an amount in sterling specified in the<br />
notice.<br />
<br />
(2) Subject to subsection (4), when deciding whether to give a<br />
<br />
penalty notice to a person and determining the amount of the<br />
penalty, the Commissioner must have regard to the following, so<br />
<br />
far as relevant-<br />
<br />
<br />
(a) to the extent that the notice concerns a matter to which<br />
<br />
the UK GDPR applies, the matters listed in Article 83(1) and<br />
(2) of the UK GDPR<br />
<br />
<br />
"<br />
<br />
<br />
<br />
16. Section 149(2) DPA 2018 provides in relevant part:<br />
<br />
"The first type of failure is where a controller or processor has<br />
<br />
failed, or is failing, to comply with any of the following:<br />
(a) a provision of Chapter II of the UK GDPR or Chapter 2 of<br />
<br />
Part 3 or Chapter 2 of Part 4 of this Act (principles of<br />
processing)<br />
<br />
"<br />
<br />
<br />
<br />
Background Facts<br />
<br />
<br />
Overview<br />
<br />
<br />
17. On Friday 27 December 2019 at 22:30 the Cabinet Office published the<br />
<br />
content page for the New Year 2020 Honours List on GOV.UK. This was<br />
<br />
completed via a scheduled automatic publication set up by the Cabinet<br />
Office Publishing Team.<br />
<br />
<br />
<br />
18. The content page as published contained a link to a comma-separated<br />
values ("CSV") file version of the Honours list, which in error included<br />
<br />
the correspondence (postal) addresses of Honours recipients. This<br />
resulted in an unauthorised disclosure affecting - data subjects<br />
<br />
<br />
<br />
<br />
<br />
<br />
19. The Cabinet Office Press Office was alerted to the data breach by a<br />
<br />
member of the Government Communications Team who had "identified<br />
the data breach by chance". After becoming aware of the breach, at<br />
<br />
22:59 on 27 December 2019 the Cabinet Office Publishing Team<br />
<br />
republished the content page removing the link to the CSV file.<br />
However, as files uploaded onto GOV.UK are automatically cached on a<br />
<br />
content delivery network, the file continued to be accessible online to<br />
people who had the exact webpage URL.<br />
<br />
<br />
<br />
20. The Cabinet Office contacted the Government Digital Service (GDS) at<br />
23:34 for GDS to assist with removing the CSV file, as although the<br />
<br />
Cabinet Office can edit pages and remove links, they cannot remove<br />
<br />
documents from the GOV.UK website once they have been published.<br />
<br />
<br />
-the issue was escalated within GDS and support was obtained<br />
<br />
<br />
from a developer. This resulted in the CSV file being permanently<br />
deleted at 00:51 on 28 December 2019.<br />
<br />
<br />
21. Therefore, in total, the CSV file containing the postal address data was<br />
<br />
accessible from 22:30 on 27 December 2019 to 00:51 on 28 December<br />
<br />
2019 - a period of two hours and 21 minutes. During that time the CSV<br />
file was accessed 3,872 times from 2,798 IP addresses.<br />
<br />
<br />
<br />
22. Although the file was accessible via the cache until 00:51, the Cabinet<br />
Office Publishing Team republished the content page at 22:59 which<br />
<br />
removed the link to the file. The Cabinet Office's logs show most of the<br />
access to the file (72%) occurred in the initial period before the link<br />
<br />
was removed and access declined over time.<br />
<br />
<br />
23. Affected data subjects were contacted within 48 hours of the data<br />
<br />
breach via email or telephone (if data subjects did not have an email<br />
address, the email had bounced back, or if there was an out-of-office<br />
<br />
message) where possible on 28 and 29 December 2019. Approximately<br />
<br />
11 data subjects were not contactable via either telephone or email and<br />
needed a hard copy letter to be posted to them. Following this, a hard<br />
<br />
copy letter was posted to all affected data subjects on 30 December<br />
2019.<br />
<br />
<br />
<br />
24. The Cabinet Office submitted a Personal Data Breach Report to the ICO<br />
within 72 hours of becoming aware of the data breach in accordance<br />
<br />
with Article 33(1) of the GDPR.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Circumstances surrounding the data breach<br />
<br />
<br />
25. The Honours and Appointments Secretariat ("HAS") in the Cabinet<br />
<br />
Office coordinates the Honours system and processes all public<br />
<br />
nominations.<br />
<br />
<br />
26. A new IT system was introduced within HAS in 2019.<br />
<br />
was built between January and June 2019 and was in use<br />
from July 2019. The 2020 Honours round was the first to use the new<br />
<br />
system.<br />
<br />
<br />
27. The report which generated the CSV file was incorrectly<br />
<br />
formulated to include postal address data which it should not have done<br />
<br />
and was not an element requested in the original build requirements.<br />
The Cabinet Office's Digital and Technology Team was responsible for<br />
<br />
building the system.<br />
<br />
<br />
28. Although testing took place on the report by the Cabinet<br />
<br />
Office's Digital and Technology Team and the HAS Operations Team,<br />
<br />
the postal address column went unnoticed during the testing process<br />
which the Cabinet Office has said they believe was due to the large<br />
<br />
number of fields in the spreadsheet and the focus on ensuring the list<br />
<br />
of successful Honours recipients was accurate.<br />
<br />
<br />
29. A 'desk note' of instructions had been produced to articulate the<br />
process for running the reports which produce the final<br />
<br />
Honours lists. These instructions were available to employees via<br />
<br />
Google Drive. However, these instructions reflected the<br />
report as it should have been set up and did not include a check to<br />
<br />
ensure personal data that should not have been included therein was<br />
<br />
removed.<br />
<br />
<br />
<br />
30. On 19 December 2019, the error with the report incorrectly<br />
including postal address data was identified by the HAS Operations<br />
<br />
Team. However, due to short timescales between finalising<br />
<br />
amendments to the list and the deadline for giving the lists to the Press<br />
Office for publication "the decision was taken to amend the output as<br />
<br />
opposed to the report build itself".<br />
<br />
<br />
31. On 23 December 2019 following certain changes to the Honours list, a<br />
<br />
second report was run to generate the CSV file for publication. This was<br />
<br />
completed by an employee not usually responsible for the process. This<br />
employee "was aware that postal address information should not be in<br />
<br />
the report and altered it to hide the information". Due to this, the CSV<br />
<br />
file incorrectly included postal address data which had been hidden but<br />
was still contained in the document as it had not been deleted. The<br />
<br />
Cabinet Office has subsequently stated "we acknowledge that the<br />
<br />
information should have been deleted". This version of the CSV file was<br />
sent to the Press Office on the same date.<br />
<br />
<br />
<br />
32. On 24 December 2019 a opened and reviewed the<br />
documents sent to the Press Office on 23 December 2019 and identified<br />
<br />
formatting errors which needed correcting. The<br />
emailed the HAS Operations team on 24 December 2019 to highlight<br />
<br />
the formatting errors. The Cabinet Office said inclusion of the postal<br />
<br />
address data was not identified by the as it was not<br />
visible. In relation to this event, the Cabinet Office said, "In retrospect,<br />
<br />
this incident should have then automatically triggered a formal review<br />
<br />
point to check that the final version was correctly amended."<br />
<br />
<br />
<br />
<br />
<br />
<br />
33. On 24 December 2019 a third and final report was run<br />
<br />
to make the corrections requested by the . This report<br />
again generated a CSV file incorrectly including postal address data.<br />
<br />
<br />
<br />
34. As the postal address data was hidden, the employee sending the<br />
document to the Press Office on 24 December 2019 thought the postal<br />
<br />
address data had been removed when "in reality it was still there and<br />
<br />
became visible when the document was uploaded to gov.uk". When<br />
asked if it was the same employee who hid the data as who sent the<br />
<br />
document to the Press Office, the Cabinet Office confirmed two people<br />
<br />
were involved in the process.<br />
<br />
<br />
35. The Cabinet Office's internal investigation report said the email sent to<br />
<br />
the Press Office on 24 December 2019 "was copied to the -<br />
- and a small number of HAS members, but did not include the<br />
<br />
relevant Director or senior press office staff". The Cabinet Office<br />
<br />
confirmed that the copied into the email was the same<br />
person who identified the formatting errors with the version produced<br />
<br />
on 23 December 2019. However, the was on annual<br />
<br />
leave on 24 December 2019 when the final version was sent to the<br />
Press Office.<br />
<br />
<br />
36. The Press Office received the final version of the CSV file on 24<br />
<br />
December 2019, which incorrectly included the postal address data. It<br />
is understood the covering email "indicated that the previous issue had<br />
<br />
been resolved". The final CSV file was not opened by the Press Office<br />
<br />
before they completed a web publication form and sent this and the<br />
documents they had received to the Digital Team for publication on the<br />
<br />
same date, as they relied upon reassurance from the HAS in the<br />
<br />
covering email that the document was the final version. The Cabinet<br />
<br />
<br />
<br />
Office stated that "the press office and digital teams were not<br />
responsible for reviewing the data for sensitivities of this type".<br />
<br />
<br />
37. On 27 December 2019 the Press Office checked with the HAS that there<br />
<br />
had been no further changes and were told by the that<br />
this was correct. Therefore they "assumed that the document was still<br />
<br />
the final version to publish".<br />
<br />
<br />
38. On 27 December 2019, the work to prepare the publication was<br />
completed by the Digital Team. At this point the Digital Team checked<br />
<br />
with the Press Office that there had been no changes to the documents.<br />
<br />
Checks for formatting, accessibility standards and correct functionality<br />
were completed by the Digital Team as per the standard process.<br />
<br />
However, these did not include any assessment of the substance, "as<br />
<br />
the team is not best placed to make any judgements" on the content<br />
and "it is clear that the documents need to be final signed-off versions".<br />
<br />
The documents were subsequently included in the content page for<br />
<br />
automatic publication.<br />
<br />
<br />
39. The Cabinet Office has stated that "it has always been standard practice<br />
for the [HAS] Team to undertake a final review of the list documents<br />
<br />
before publication to ensure, for example, that there is no sensitive<br />
<br />
data present and that the information is presented in the correct<br />
format. This review is not intended to require or result in extensive<br />
<br />
amendments, as that would indicate that the underlying data had been<br />
<br />
incorrectly entered in the database or that the report had been set up<br />
wrongly". However, the Cabinet Office confirmed there was no specific<br />
<br />
or written process in place in the HAS to sign-off or approve documents<br />
<br />
containing personal data prior to being sent for release to ensure the<br />
content was suitable for publication.<br />
<br />
<br />
<br />
<br />
40. The Cabinet Office's internal investigation report included three<br />
<br />
recommendations for improvement following the incident,<br />
demonstrating certain measures were not present at the time the data<br />
<br />
breach occurred:<br />
<br />
<br />
a. Recommendation 1: That the Honours IT system is updated and<br />
<br />
re-tested to ensure that a publication-ready document is<br />
<br />
produced when the report is run, which does not include<br />
address or other sensitive data. The Desk Instructions should<br />
<br />
be amended to ensure the report is always checked so that it<br />
<br />
only ever includes data that can be published.<br />
<br />
<br />
b. Recommendation 2: Ensure clear line of accountability for sign<br />
<br />
off for documents that will be published and that there are clear<br />
instructions in the email, which give sufficient detail so others<br />
<br />
can check.<br />
<br />
<br />
c. Recommendation 3: Press Office and Digital Communications<br />
<br />
ensure that the process for removing documents published in<br />
<br />
error is clearly understood, including for out of hours.<br />
<br />
<br />
41. An independent review led by Adrian Joseph and commissioned by the<br />
<br />
Cabinet Office reviewed wider data handling processes/practices within<br />
the Cabinet Office. That review includes the following observations:<br />
<br />
"Breaches, such as the one that impacted New Year's Honours<br />
<br />
recipients in December 2019, are too easily assigned to human<br />
<br />
error where a greater consistency of process, controls and culture<br />
across Cabinet Office could have reduced the risk systemically.<br />
<br />
There is a significant risk that further and more impactful breaches<br />
<br />
<br />
<br />
<br />
will occur as the amount of personal data being handled by the<br />
<br />
Department increases.<br />
<br />
<br />
The Cabinet Office identified two main factors that had contributed<br />
<br />
to the breach: the introduction of a new IT software package,<br />
which had included an additional field with individuals' addresses;<br />
<br />
and a lack of clarity about sign-off processes for the final versions<br />
<br />
of the documents that went online, and in the context of the new<br />
<br />
IT system."<br />
<br />
<br />
42. The review also highlighted the following concerns relevant to the<br />
<br />
incident:<br />
<br />
<br />
a. Whilst different documents exist on the Cabinet Office's intranet<br />
<br />
page regarding best practice on data handling, these<br />
documents are not regularly updated or promoted throughout<br />
<br />
the Department; "The GDPR Hub, for example, has not been<br />
<br />
updated since May 2019".<br />
b. There appear to be issues with access restrictions which are<br />
<br />
"often imposed too late and there are examples of personal<br />
<br />
data being accessible to whole teams".<br />
<br />
c. Cabinet Office structures regularly change with new business<br />
units often being stood up to deliver on urgent political<br />
<br />
priorities. "The pace required to deliver on these priorities was<br />
<br />
cited by some business units and stakeholders as potentially<br />
compromising the disciplines of good personal data handling".<br />
<br />
d. Some teams have built additional checks into their processes,<br />
<br />
including validating data being transferred between<br />
Government Departments, "however, in some instances it<br />
<br />
would be possible to eliminate human error altogether by fixing<br />
<br />
failings in IT systems. For example, in one software system it<br />
<br />
is possible to accidentally send personal information about one<br />
individual to another, unconnected, individual whose details are<br />
<br />
also held in the same system".<br />
<br />
e. "Interviewees raised a number of concerns around the<br />
procurement of new software to run their data handling<br />
<br />
processes. Some said that financial considerations meant that<br />
<br />
off-the-shelf solutions were chosen to run processes that, given<br />
their complexity, warranted bespoke solutions".<br />
<br />
f. "Another concern raised by a number of teams was that<br />
<br />
software had not undergone sufficiently robust or extensive<br />
testing in advance of being rolled out. The reasons cited<br />
<br />
included lack of both staff and money, lack of expertise within<br />
the commissioning teams, and projects being rolled out too<br />
<br />
quickly in order to meet Ministerial commitments. In all<br />
<br />
instances considered by the Review these risks had been signed<br />
off by senior managers or Ministers".<br />
<br />
g. "...training is not monitored across the organisation. One team<br />
<br />
interviewed for the Review had set up their own training log,<br />
but most did not actively monitor which members of their teams<br />
<br />
had completed the training".<br />
<br />
Apology<br />
<br />
43. On 7 January 2020, the Minister for the Cabinet Office made a<br />
<br />
statement to Parliament by which the Cabinet Office gave a public<br />
<br />
apology in relation to the incident.<br />
<br />
<br />
Notice of Intent<br />
<br />
<br />
<br />
<br />
44. On 4 August 2021, in accordance with section 155(5) and paragraphs<br />
<br />
2 and 3 of Schedule 16 DPA 2018, the Commissioner issued the Cabinet<br />
<br />
Office with a Notice of Intent to impose a penalty under section 155<br />
<br />
DPA 2018. The Notice of Intent described the circumstances and the<br />
nature of the personal data in question, explained the Commissioner's<br />
<br />
reasons for the proposed penalty of £600,000, including what she<br />
<br />
regarded as the aggravating and mitigating factors, and invited written<br />
representations from the Cabinet Office.<br />
<br />
<br />
<br />
45. On 16 September 2021, the Cabinet Office provided written<br />
representations in response to the Notice of Intent. The key representations<br />
<br />
made by the Cabinet Office were:<br />
<br />
<br />
a. the level of the fine is disproportionate to the scale of the breach<br />
(particularly taking into account that of the addresses revealed<br />
<br />
the majority were already readily accessible in the public<br />
<br />
domain);<br />
<br />
<br />
b. the proposed penalty does not take into account the extensive<br />
<br />
immediate and long-term action taken by the Cabinet Office to<br />
mitigate the consequences of the breach and was not<br />
<br />
determined in accordance with the statutory guidance reflected<br />
<br />
in the Commissioner's Regulatory Action Policy;<br />
<br />
c. the proposed penalty does not adequately reflect the statement<br />
<br />
made to Parliament by the Minister for the Cabinet Office on 7<br />
<br />
January 2020 and the apology contained within that statement<br />
and this statement does not appear to have been taken into<br />
<br />
account adequately when the Notice of Intent was formulated;<br />
<br />
and<br />
<br />
<br />
d. The breaches do not warrant an administrative penalty and that<br />
<br />
another sanction such as that set out in Article 58(2)(b) GDPR<br />
would be more appropriate.<br />
<br />
<br />
46. The Cabinet Office's representations have been considered in full. Having<br />
<br />
taken these representations and all other factors into account, the<br />
<br />
Commissioner has decided to issue a monetary penalty in the sum of<br />
£500,000.<br />
<br />
<br />
Breaches of GDPR<br />
<br />
<br />
<br />
Contravention of Article 5(1)(f) of the GDPR<br />
<br />
<br />
47. Article 5(1)(f) of the GDPR has been contravened as the Cabinet Office,<br />
<br />
the controller, published the CSV file on GOV.UK which included full<br />
correspondence (postal) addresses of data subjects in error,<br />
<br />
resulting in a disclosure of personal data.<br />
<br />
<br />
48. By Article 5(2) it is the controller who is responsible for and must be<br />
<br />
able to demonstrate compliance with Article 5(1).<br />
<br />
<br />
<br />
Contravention of Article 32 of the GDPR<br />
<br />
<br />
49. Article 32(1) of the GDPR has been contravened as the Cabinet Office,<br />
<br />
the controller, did not have in place appropriate technical and<br />
organisational measures to ensure a level of security appropriate to the<br />
<br />
risk associated with the processing of data for the purpose of the 2020<br />
<br />
New Year Honours List.<br />
<br />
<br />
Exemptions<br />
<br />
<br />
<br />
50. Paragraph 15 (1) of Part 2 of Schedule 2 to the DPA 2018 provides:<br />
<br />
<br />
<br />
"The listed GDPR provisions do not apply to personal data<br />
processed for the purposes of the conferring by the Crown of any<br />
<br />
honour or dignity."<br />
<br />
<br />
51. Paragraph 6 of Part 2 of Schedule 2 to the DPA 2018 provides (emphasis<br />
added):<br />
<br />
<br />
<br />
"In this Part of this Schedule, "the listed GDPR provisions" means<br />
the following provisions of the GDPR (the rights and obligations in<br />
<br />
which may be restricted by virtue of Article 23(1) of the GDPR)-<br />
<br />
<br />
(a) Article 13(1) to (3) (personal data collected from data subject:<br />
information to be provided);<br />
<br />
(b) Article 14(1) to (4) (personal data collected other than from<br />
<br />
data subject: information to be provided);<br />
(c) Article 15(1) to (3) (confirmation of processing, access to data<br />
<br />
and safeguards for third country transfers);<br />
(d) Article 16 (right to rectification);<br />
<br />
(e) Article 17(1) and (2) (right to erasure);<br />
<br />
(f) Article 18(1) (restriction of processing);<br />
(g) Article 19 (notification obligation regarding rectification or<br />
<br />
erasure of personal data or restriction of processing);<br />
<br />
(h) Article 20(1) and (2) (right to data portability);<br />
(i) Article 21(1) (objections to processing);<br />
<br />
(j) Article 5 (general principles) so far as its provisions<br />
<br />
correspond to the rights and obligations provided for in the<br />
provisions mentioned in sub-paragraphs (a) to (i)."<br />
<br />
<br />
52. The contravention of Article 5(1)(f) of the GDPR in the present case<br />
<br />
arises from a data security incident not from the rights and obligations<br />
<br />
at paragraph 6(a)-(i) of Part 2 of Schedule 2 to the DPA 2018 - the<br />
exemption therefore does not apply.<br />
<br />
<br />
<br />
The Regulatory Action Policy<br />
<br />
<br />
<br />
53. When deciding to impose a monetary penalty and when setting the<br />
<br />
amount of that penalty, the Commissioner had regard to and acted in<br />
<br />
accordance with the Regulatory Action Policy.<br />
<br />
<br />
54. In deciding to impose a monetary penalty, the Commissioner had<br />
<br />
regard to all of the factors set out on page 24 of the Regulatory Action<br />
Policy and assessed this case objectively on its own merits. In all the<br />
<br />
circumstances, a monetary penalty was considered appropriate given:<br />
<br />
<br />
a. the number of individuals affected;<br />
b. there was a degree of damage or harm (which may include<br />
<br />
distress and/or embarrassment); and<br />
<br />
c. there was a failure to apply reasonable measures to mitigate<br />
any breach (or the possibility of it).<br />
<br />
<br />
55. In setting the amount of the penalty, the Commissioner applied the five<br />
<br />
step approach set out in the Regulatory Action Policy:<br />
<br />
a. At step 1, the Commissioner determined that there were no<br />
<br />
discernible financial gains identified or losses avoided in relation<br />
<br />
to the incident.<br />
b. At step 2, the Commissioner had regard to the scale and<br />
<br />
severity of the breach by taking into account the considerations<br />
<br />
identified in s155(2)-(4) DPA 2018.<br />
c. At step 3, the Commissioner determined that there were no<br />
<br />
additional aggravating factors.<br />
<br />
<br />
<br />
<br />
d. At step 4, the Commissioner determined that in view of the<br />
factors set out below, an amount should be added to the<br />
<br />
penalty otherwise payable in order to act as a deterrent.<br />
<br />
e. At step 5, the Commissioner determined that there were no<br />
other factors (including ability to pay) on which to reduce the<br />
<br />
amount of the monetary penalty.<br />
<br />
<br />
Article 83(2) GDPR<br />
<br />
<br />
<br />
56. The Commissioner has considered the factors set out in Article 83(2)<br />
GDPR in deciding whether to impose a penalty and when deciding on<br />
<br />
the amount of the penalty as follows:<br />
<br />
<br />
Nature, gravity and duration of the infringement<br />
<br />
<br />
57. The data breach was a security incident whereby the confidentiality of<br />
<br />
personal data (postal addresses) was compromised by inclusion in the<br />
<br />
CSV file that was published in the public domain. The data breach was<br />
caused by or contributed to by the absence of appropriate technical and<br />
<br />
organisational measures to ensure a level of security appropriate to the<br />
<br />
risk associated with the processing of the data in breach of Article<br />
32(1).<br />
<br />
<br />
58. The CSV file which contained the postal address data was live and<br />
<br />
publicly accessible in the public domain via GOV.UK for two hours and<br />
<br />
21 minutes - a relatively short duration. However, during the period<br />
in which the CSV file was accessible, where it could be either viewed in<br />
<br />
a web browser or downloaded, it was accessed 3,872 times from 2,798<br />
<br />
unique IP addresses. Further, the Cabinet Office was well aware that<br />
the New Year's Honours list is a high-profile event which attracts<br />
<br />
considerable interest such that publication of this data set would place<br />
<br />
<br />
the associated data in the public domain in a high demand arena, with<br />
accesses likely to take place quickly and on a relatively large scale.<br />
<br />
<br />
59. Although the data disclosed was basic personal identifiers and, in error,<br />
<br />
location data (i.e. postal addresses) as opposed to more sensitive data<br />
such as special category data or criminal conviction data, the personal<br />
<br />
data disclosed related to - data subjects across the United<br />
<br />
Kingdom who are from a broad range of professions and include various<br />
high profile people. The personal data was published in the public<br />
<br />
domain and therefore accessible to anyone, as opposed to for example,<br />
being disclosed to other individuals who also had a high profile and<br />
<br />
therefore who would likely hold a shared interest in keeping the data<br />
<br />
secure.<br />
<br />
<br />
60. The Cabinet Office confirmed that 207 data subjects out of a total of<br />
- affected had postal addresses that were not obviously in the<br />
<br />
public domain prior to the breach.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
64. The Cabinet Office has stated that it has been informed by police<br />
that there is no information to suggest an increased risk<br />
<br />
in relation to any persons as a result of the data breach.<br />
<br />
<br />
65. There is, however, evidence that the data breach has caused distress<br />
to some of the affected data subjects. The ICO has received three<br />
<br />
complaints from affected data subjects raising personal safety concerns<br />
<br />
resulting from the breach. The Cabinet Office has also been contacted<br />
by 30 affected data subjects with 27 of those contacts relating to<br />
<br />
concerns about the possible impact on the individual's personal safety,<br />
largely as a result of pre-existing considerations.<br />
<br />
<br />
66. The Cabinet Office also acknowledged in its initial breach report that<br />
<br />
the data breach gave rise to a possible increase in vulnerability to<br />
<br />
identity fraud, caused by the combination of names, postal addresses<br />
and, in a number of instances, the type of work they undertake being<br />
<br />
published.<br />
<br />
<br />
67. The Cabinet Office further stated that "To our knowledge, there has<br />
<br />
been a single instance, on 29 December, of a badly-redacted screenshot<br />
of the data being posted on Twitter. We asked Twitter to remove the<br />
<br />
tweet as a violation of their terms of service and this was carried out<br />
<br />
the same day" and "there is no evidence that the personal data involved<br />
in this incident has been inappropriately disseminated more widely, or<br />
<br />
indeed at all".<br />
<br />
<br />
68. In all the circumstances, the data breach was serious and could easily<br />
<br />
have been avoided. Further, the Cabinet Office had not implemented<br />
<br />
appropriate technical and organisational measures to ensure a level of<br />
security appropriate to the risk. The gravity of the failure was, then,<br />
<br />
very high.<br />
<br />
<br />
Intentional or negligent<br />
<br />
<br />
<br />
69. The infringements were negligent.<br />
<br />
<br />
70. The data breach had the potential to occur due to a build error with the<br />
<br />
newly introduced IT system within the HAS. Specifically,<br />
the report which generated the CSV file was incorrectly<br />
<br />
formulated to include postal addresses in error. The original build<br />
<br />
requirements did not include a postal address field. The erroneous<br />
inclusion of the postal address data was not identified when the report<br />
<br />
was tested by Cabinet Office staff.<br />
<br />
<br />
71. However, the error with the report functionality including the postal<br />
<br />
address data was identified by the HAS Operations Team on 19<br />
December 2019. This date is before the data breach occurred and<br />
<br />
presented the Cabinet Office with the opportunity to implement<br />
<br />
<br />
<br />
measures to sufficiently mitigate the risk and protect the data. The<br />
<br />
Cabinet Office did not do so.<br />
<br />
<br />
72. Upon identification of the error with the report functionality "the<br />
<br />
decision was taken to amend the output as opposed to the report build<br />
itself". This was because of the short timescales between finalising<br />
<br />
amendments to the list and the deadline for giving the lists to the Press<br />
<br />
Office. Due to this decision, any outputs generated from the report<br />
would therefore continue to include the postal address data in error<br />
<br />
which would have left the data open to the risk of inadvertent<br />
<br />
publication. This is demonstrated by the data breach later taking place.<br />
<br />
<br />
73. The ICO queried if all employees within the HAS were made aware of<br />
<br />
the requirement to remove the personal data (postal address data)<br />
before processing the generated reports once the error with the<br />
<br />
report was identified by the HAS Operations Team. The<br />
<br />
Cabinet Office confirmed only 22 people have access to the<br />
system. Information about the report functionality was relevant to only<br />
<br />
five members of the HAS Operations Team. These five employees were<br />
<br />
verbally advised of the requirement to remove the postal address data.<br />
However, employees were not issued any guidance on how to remove<br />
<br />
the data. The Cabinet Office said as "was a new system, and<br />
in effect a new process, the team were responsible for identifying<br />
<br />
solutions to the issues identified throughout the process".<br />
<br />
<br />
74. Employees relied on the desk note to produce the reports<br />
<br />
which did not reflect the report as it was set up, and did not include a<br />
<br />
check to ensure personal data that should not have been included was<br />
removed.<br />
<br />
<br />
<br />
<br />
<br />
75. Additionally, there was no specific or written sign-off process in place<br />
in the HAS before sending documents containing personal data for<br />
<br />
release to ensure the content was suitable for publication, even after<br />
<br />
formatting errors were identified in the second version of the CSV file<br />
when it was delivered via email to the Press Office. In relation to the<br />
<br />
formatting errors with the second version of the CSV file, the Cabinet<br />
<br />
Office said, "In retrospect, this incident should have then automatically<br />
triggered a formal review point to check that the final version was<br />
<br />
correctly amended".<br />
<br />
<br />
76. The Cabinet Office had the opportunity on at least two occasions to<br />
<br />
implement measures to mitigate the risk and protect the data from a<br />
potential breach; firstly when the error with the report functionality<br />
<br />
including postal address data was identified by the HAS Operations<br />
<br />
Team on 19 December 2019, and secondly when the<br />
identified formatting errors with the second version of the CSV file sent<br />
<br />
to the Press Office on 23 December 2019.<br />
<br />
<br />
Action taken by the data controller to mitigate the damage<br />
<br />
suffered by data subjects<br />
<br />
<br />
77. The Cabinet Office has undertaken a number of appropriate and<br />
<br />
effective remedial measures after becoming aware of the data breach<br />
as follows:<br />
<br />
<br />
<br />
To contain the incident<br />
<br />
<br />
a. Once the data breach was identified the Cabinet Office<br />
<br />
subsequently removed the link to the file on the content page<br />
and contacted GDS to remove the file from cache.<br />
<br />
<br />
<br />
<br />
b. The Cabinet Office's logs show the majority of access to the file<br />
occurred in the initial period before the link was removed at<br />
<br />
22:59 and access declined over time until the file was<br />
permanently deleted. This demonstrates that the immediate<br />
<br />
attempts to remove access to the data likely contributed to<br />
<br />
reducing the level of access after this point.<br />
<br />
c. The file was accessible from 22:30 on 27 December 2019 to<br />
<br />
00:51 on 28 December 2019 (two hours and 21 minutes) which<br />
<br />
is a short duration. It is however noted that the quick<br />
identification of the incident was due to a member of the<br />
<br />
Government Communications Team identifying the data breach<br />
by chance.<br />
<br />
<br />
To inform data subjects<br />
<br />
<br />
d. Affected data subjects were contacted within 48 hours of the<br />
data breach via email or telephone where possible on 28 and<br />
<br />
29 December 2019. Approximately 11 data subjects were not<br />
<br />
contactable via either method and needed a hard copy letter<br />
posted to them. Following this, a hard copy letter was posted<br />
<br />
to all affected data subjects on 30 December 2019.<br />
<br />
<br />
e. The HAS established a rota to answer recipient queries between<br />
<br />
08:e 0-20:e 0 for the two weeks following the data breach.<br />
<br />
<br />
To attempt to mitigate potential and actual damage caused to the data<br />
<br />
subjects<br />
<br />
<br />
f.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
g. After being informed, actions were undertaken by the Police -<br />
to assess the risk to the affected data<br />
subjects in their area/region/locality. Where additional actions<br />
<br />
were required, this was taken forward by the relevant Police<br />
force - where appropriate. This included a reminder of<br />
<br />
security advice, data subjects being advised to contact 101<br />
(excluding those who had contacted the HAS with specific<br />
<br />
issues) and placing additional protective flags at data subjects'<br />
addresses etc. National Police Coordination Centre circulated a<br />
guidance document to all Police forces which could be circulated<br />
<br />
to individual Honours recipients wanting additional advice.<br />
<br />
<br />
To identify and prevent further dissemination of the personal data<br />
<br />
<br />
<br />
h. GDS used analytics to ascertain the extent of access to the data<br />
<br />
and were commissioned by the Cabinet Office to provide advice<br />
on further digital tracking and possible mitigation actions.<br />
<br />
<br />
<br />
i. Cabinet Office staff monitored social media and arranged for a<br />
Twitter post which showed a screenshot of the data to be<br />
<br />
removed.<br />
<br />
<br />
j.<br />
<br />
<br />
<br />
<br />
k. Internet monitoring was carried out by Police colleagues<br />
<br />
<br />
for the first week and a half following the<br />
<br />
breach. Simultaneously, the Government continues to carry out<br />
its own monitoring which the ICO were told on 29 January 2020<br />
<br />
will "remain for the foreseeable future". "This monitoring tracks<br />
instances of the data appearing online and seeks to identify<br />
<br />
obvious instances of the data being shared".<br />
<br />
<br />
To reduce the likelihood of a similar event occurring in the future<br />
<br />
<br />
<br />
l. GDS undertook a full incident review, including a review of<br />
checks on the publisher tool and incident handling. This review<br />
<br />
looked at how the escalation process works, publisher training,<br />
and technical changes that could have mitigated impact. This<br />
<br />
resulted in the caching time frame being reduced from 24 hours<br />
<br />
to 30 minutes for attached documents.<br />
<br />
<br />
<br />
<br />
m. A number of actions have been undertaken in the Honours<br />
<br />
system specifically, this includes reviewing the overall security<br />
of the system and permission levels, an operational process<br />
<br />
review, the approvals process, reviewing the desk note of<br />
<br />
instructions, and creating a new report generated from their<br />
database which does not include postal information.<br />
<br />
Additionally, all employees in the HAS refreshed their<br />
<br />
Responsible for Information e-Learning after the breach.<br />
<br />
<br />
n. Cabinet Office has confirmed "The report functionality in<br />
<br />
question has been amended to remove address data so that<br />
this does not arise in the future. Approvals processes for use<br />
<br />
from the (current) Birthday 2020 honours round will include a<br />
<br />
check to ensure that all documents for publication are checked<br />
for personal and sensitive data even when they should not<br />
<br />
contain it". The Cabinet Office have also provided a document<br />
<br />
with 16 action points where all except two have either had the<br />
work completed or they are currently in the process of doing<br />
<br />
so.<br />
<br />
<br />
o. The Communications Team were taking action to ensure that<br />
<br />
anyone who has not recently undertaken training does so as<br />
soon as possible.<br />
<br />
<br />
<br />
p. An independent review in the Cabinet Office led by Adrian<br />
Joseph OBE focusing on data handling policies, processes,<br />
<br />
practice and culture has been completed (dated March 2020)<br />
<br />
which includes recommendations for improvement.<br />
<br />
<br />
<br />
<br />
<br />
<br />
Degree of responsibility<br />
<br />
<br />
78. The data breach stems from a build error with a newly introduced IT<br />
<br />
system within the HAS. Specifically, the report which<br />
<br />
generated the CSV file was incorrectly formulated to include postal<br />
address data in error. The original build requirements did not include a<br />
<br />
postal address field.<br />
<br />
<br />
79. The Cabinet Office's Digital and Technology team were responsible for<br />
<br />
building the system:<br />
<br />
<br />
a. The system was implemented under the agile project<br />
<br />
development process, with development being completed in<br />
<br />
periods called 'sprints' in which specific elements of the system<br />
were built, tested and approved. Required system functionality<br />
<br />
and any changes needed are articulated in project development<br />
<br />
software called JIRA which provides the audit trail for<br />
development.<br />
<br />
<br />
<br />
b. In relation to JIRA, the Cabinet Office said "User stories are<br />
defined and put into sprints for development. Each story<br />
<br />
outlines the requirements with clearly defined acceptance<br />
criteria. Stories are developed in a testing environment, then<br />
<br />
moved into the 'Testing' column where an internal functional<br />
<br />
test is carried out against the acceptance criteria. Once it has<br />
passed this test it moves into 'Product Owner Sign Off' where a<br />
<br />
member of the business unit checks the story. When the story<br />
<br />
has passed these checkpoints it moves to 'Done' and is<br />
deployed to the production environment. If necessary a training<br />
<br />
session is carried out with the business unit to walk through the<br />
<br />
story".<br />
<br />
<br />
<br />
c. The period of the build between January and June 2019 was<br />
completed in two weeklong sprints and once the new IT system<br />
<br />
was in use from July 2019, the sprints became one month long.<br />
<br />
<br />
d. The agile sprints included the delivery of system training to<br />
<br />
employees which included training on specific issues and was<br />
<br />
completed on numerous occasions throughout the year.<br />
Members of the Digital and Technology team were<br />
<br />
simultaneously co-located within the Honours Operations team<br />
<br />
for two days each week for several months to assist with issues,<br />
and all employees involved in this data breach knew how to use<br />
<br />
and had received training on the report functionality.<br />
<br />
<br />
e. The report functionality went through several tests<br />
<br />
and iterations before it reflected the correct candidates for the<br />
<br />
final Honours list. The report was tested by both the Cabinet<br />
Office's Digital and Technology Team and the HAS Operations<br />
<br />
Team.<br />
<br />
<br />
f. Not all staff in the HAS have access to the system,<br />
<br />
which is a measure to control access to the material it contains.<br />
<br />
Only 22 employees have access.<br />
<br />
<br />
80. Accordingly, there were measures in place regarding the initial building<br />
and testing of the system/report. However, the error with<br />
<br />
the functionality of the report including postal address data<br />
<br />
was not identified during this process.<br />
<br />
<br />
81. There were also other measures in place within the Cabinet Office/HAS<br />
<br />
including:<br />
<br />
<br />
<br />
a. The Cabinet Office had mandatory data protection training in<br />
place prior to the incident, which was primarily comprised of<br />
<br />
the Civil Service e-Learning course 'Responsible for<br />
<br />
Information'. This training had been completed by employees<br />
in the HAS. Each unit provides a six-monthly Information<br />
<br />
Assurance return which confirms that employees have<br />
<br />
completed training. The Cabinet Office said the training is part<br />
<br />
of induction to [the HAS] and a record is kept of completion.<br />
<br />
<br />
b. There is a data hub on the Cabinet Office's intranet with<br />
<br />
guidance concerning all elements of the GDPR; information<br />
assurance (managing of information risks) including relating to<br />
<br />
the collection and sharing of personal data; the mandatory<br />
<br />
training; templates for data processing and privacy notices; and<br />
applied examples of best practice. The Cabinet Office said<br />
<br />
information is drawn to employees' attention via mechanisms<br />
<br />
such as a short cut to the hub on the intranet front page and<br />
staff communications. There are also additional, non-mandatory,<br />
<br />
learning courses about other elements of data<br />
<br />
handling on Civil Service Learning.<br />
<br />
<br />
82. However:<br />
<br />
<br />
<br />
a. When asked what percentage of Cabinet Office employees had<br />
completed the mandatory data protection training in the two<br />
<br />
years prior to the incident, the Cabinet Office confirmed there<br />
<br />
are seven modules in the "Responsible for Data" e-Learning<br />
which were completed between 3,517 and 4,070 times in the<br />
<br />
period encompassing the data breach. They were unable to<br />
<br />
provide a percentage but estimated take up of the training is<br />
widespread "but could vary between roughly half and most of<br />
the staff in the department at any given time".<br />
<br />
<br />
<br />
b. Employees in the Press Office and Digital Team, who were also<br />
involved in the process of the data being published, had not<br />
<br />
received data protection training in the last two years.<br />
<br />
<br />
c. There was a 'desk note' of instructions which articulated the<br />
<br />
process for running the reports which produce the<br />
<br />
final Honours lists available to employees via Google Drive.<br />
However, the desk note reflected the report as it<br />
<br />
should have been set up. It did not include a check to ensure<br />
personal data that should not have been present was removed.<br />
<br />
<br />
<br />
d. The Cabinet Office said the data hub does not cover redaction<br />
of documents to remove personal data and that "Staff in the<br />
<br />
Secretariat were not explicitly trained on this point, in part<br />
<br />
because had the report been set up correctly, it should not have<br />
been necessary". However, in mitigation to the above they said<br />
<br />
"However, as part of their wider data training, they were aware<br />
<br />
that postal address information constituted personal data which<br />
should not be disclosed".<br />
<br />
<br />
This is particularly relevant to the data breach, as the employee<br />
<br />
involved believed that hiding the data in the CSV file involved in<br />
<br />
the data breach was a sufficient method to remove it.<br />
<br />
<br />
e. There was no specific or written sign-off process in place in the<br />
<br />
HAS before sending documents containing personal data for<br />
release to ensure the content was suitable for publication, even<br />
<br />
after formatting errors were identified with the second version<br />
of the CSV file when delivered via email to the Press Office. In<br />
<br />
relation to the identification of the formatting errors, the<br />
Cabinet Office said, "In retrospect, this incident should have<br />
<br />
then automatically triggered a formal review point to check that<br />
<br />
the final version was correctly amended".<br />
<br />
<br />
f. As set out above, the error with the report functionality<br />
<br />
including the postal address data was identified by the HAS<br />
<br />
Operations team on 19 December 2019 before the data breach<br />
occurred, which presented the Cabinet Office with the<br />
<br />
opportunity to implement measures to sufficiently protect the<br />
<br />
data and mitigate the risk of it being handled incorrectly in<br />
error. The data breach later occurring demonstrates the risk of<br />
<br />
the postal address data being handled incorrectly was not<br />
<br />
sufficiently mitigated by appropriate technical and/or<br />
organisational measures. If the Cabinet Office had introduced<br />
<br />
further measures following the identification of the error with<br />
<br />
the report, they could have reduced the likelihood of<br />
the postal address data being disclosed in error. Examples of<br />
<br />
such measures include:<br />
<br />
<br />
<br />
i. Amending the desk note to include robust and<br />
prescriptive instructions on the correct method to remove<br />
<br />
the postal address data in the CSV file generated which<br />
<br />
was not to be included in the list publication.<br />
<br />
<br />
ii. Implementing a sign-off procedure to check the postal<br />
<br />
address data had been removed correctly, in accordance<br />
with the instructions provided above, before delivering<br />
<br />
the final version to the Press Office for publication.<br />
<br />
<br />
<br />
83. The nature of the publication of the Honours list is and was such that<br />
<br />
the document may need regular changes, possibly at the last minute.<br />
This, coupled with the fact that some of the data on the spreadsheet<br />
<br />
referred to vulnerable (to reflect the terminology adopted by the<br />
<br />
Cabinet Office) or high-profile individuals, meant that the security<br />
measures involved should, in order to demonstrate effective<br />
<br />
organisational and technical controls, have been more detailed and<br />
<br />
taken greater care to address the risks presented in the processing of<br />
the data set, including its eventual publication.<br />
<br />
<br />
<br />
Any relevant previous infringements<br />
<br />
<br />
84. No relevant previous infringements have been identified.<br />
<br />
<br />
<br />
The degree of cooperation with the Commissioner<br />
<br />
<br />
85. The Cabinet Office has been cooperative and responsive with the ICO's<br />
<br />
investigation. In particular:<br />
<br />
<br />
a. The initial Personal Data Breach Report for the data breach was<br />
<br />
submitted within 72 hours of becoming aware, in line with<br />
Article 33 (1) of the GDPR.<br />
<br />
b. Two conference calls took place between the ICO and the<br />
<br />
Cabinet Office early-on in the ICO's investigation.<br />
c. The Cabinet Office have answered four rounds of written<br />
<br />
enquiries sent by the ICO albeit some of the responses were<br />
<br />
not as clear as they might have been.<br />
d. The Cabinet Office have been open with the ICO regarding the<br />
<br />
failures/factors which contributed to the data breach.<br />
<br />
<br />
<br />
<br />
<br />
The categories of personal data affected by the infringement<br />
<br />
<br />
86. The data disclosed was location data (i.e. postal addresses). Some of<br />
the data affected was already in the public domain. However, numerous<br />
<br />
postal addresses which were not in the public domain were made public<br />
<br />
by the data breach. There were 207 such entries with addresses - which<br />
is not an insubstantial amount.<br />
<br />
<br />
<br />
The manner in which the infringement became known to the<br />
Commissioner<br />
<br />
<br />
87. The infringement became known to the Commissioner as a result of the<br />
<br />
Cabinet Office submitting a Personal Data Breach Report to the ICO<br />
<br />
within 72 hours of becoming aware of the data breach in accordance<br />
with Article 33(1) of the GDPR.<br />
<br />
<br />
Where measures referred to in Article 58(2) have previously<br />
<br />
been ordered against the controller or processor concerned with<br />
<br />
regard to the same subject-matter, compliance with those<br />
measures<br />
<br />
<br />
88. Not applicable.<br />
<br />
<br />
<br />
Adherence to approved codes of conduct pursuant to Article 40<br />
or approved certification mechanisms pursuant to Article 42<br />
<br />
<br />
<br />
89. Not applicable.<br />
<br />
<br />
Aggravating and mitigating factors<br />
<br />
<br />
<br />
<br />
90. Beyond the matters referred to above there were no other significant<br />
<br />
factors that aggravate or mitigate the infringement.<br />
<br />
<br />
Deterrent Effect<br />
<br />
<br />
91. The Cabinet Office is a long-established organisation at the heart of<br />
<br />
government that processes a variety of data across a range of activities.<br />
<br />
It has the standing, access to resource and expertise, and<br />
sophistication to provide a high standard of organisational and technical<br />
<br />
measures in comparison to, for example, a small private sector<br />
<br />
organisation or a small public authority. Organisations that have the<br />
means to do so, are expected to take the most stringent possible<br />
<br />
preventative measures. The Cabinet Office would have incurred very<br />
<br />
little, if any, cost in implementing a procedure that could have<br />
<br />
prevented the data breach.<br />
<br />
<br />
92. Further, the honours list is an annual process involving high profile and<br />
<br />
vulnerable individuals. The Cabinet Office should have been more aware<br />
of the need for strong security arrangements. Following an external<br />
<br />
review initiated by the Cabinet Office, cultural challenges were<br />
<br />
identified in regard to data protection requirements.<br />
<br />
<br />
93. For the avoidance of doubt, the Cabinet Office has not been held to a<br />
<br />
higher standard than another like controller, merely a high standard in<br />
<br />
relation to an important and high-profile processing activity undertaken<br />
by it. The Cabinet Office has the standing, access to resource and<br />
<br />
expertise, and sophistication to provide a high standard of<br />
<br />
organisational and technical measures. The penalty reflects the Cabinet<br />
<br />
Office's breach when considered in that context, albeit some reduction<br />
has been made to the penalty to reflect the Cabinet Office's<br />
<br />
representations with regard to deterrent effect.<br />
<br />
<br />
Reducing the amount to reflect any mitigating factors, including ability<br />
to pay<br />
<br />
<br />
<br />
94. The Commissioner is not aware of any financial hardships or factors<br />
that would reduce the Cabinet Office's ability to pay. Whilst the<br />
<br />
Response to the Notice of Intent refers to the current strain on public<br />
<br />
finances including as a result of the Covid-19 pandemic, no specific<br />
figures or details were provided in relation to the extent of any such<br />
<br />
strain or hardship on the Cabinet Office. Nor does the Commissioner<br />
consider there are any other factors that should lead to a reduction in<br />
<br />
the penalty amount.<br />
<br />
<br />
95. The spending and budget of the Cabinet Office was previously<br />
<br />
understood to be in excess of £1 billion in 2019/20. However, in the<br />
<br />
Response to the Notice of Intent, the Cabinet Office stated that the<br />
appropriate budget amount was £381 million. The Commissioner<br />
<br />
accepts that £381 million is the appropriate budget figure. For the<br />
<br />
avoidance of doubt, the Cabinet Office's spending/budget has not been<br />
used in any sort of mechanistic fashion to determine the penalty<br />
<br />
amount. Rather it was considered that the Cabinet Office is of sufficient<br />
size to be able to withstand the proposed penalty. This position holds<br />
<br />
true even on the basis of the Cabinet Office's budget being £381 million.<br />
<br />
<br />
96. Taking into account all of the above, the Commissioner is of the view<br />
<br />
that a penalty in the sum of £500,000 is effective, proportionate and<br />
<br />
dissuasive.<br />
<br />
<br />
Summary and decided penalty<br />
<br />
<br />
97. For the reasons set out above, the Commissioner has decided to impose<br />
<br />
a financial penalty on the Cabinet Office.<br />
<br />
<br />
98. Taking into account all of the factors set out above, the Commissioner<br />
<br />
has decided to impose a penalty in the amount of £500,000 (five<br />
hundred thousand pounds).<br />
<br />
<br />
<br />
Payment of the penalty<br />
<br />
<br />
99. The penalty must be paid to the Commissioner's office by BACS transfer<br />
<br />
or cheque by 14 December 2021 at the latest. The penalty is not kept<br />
by the Commissioner but will be paid into the Consolidated Fund which<br />
<br />
is the Government's general bank account at the Bank of England.<br />
<br />
<br />
100. There is a right of appeal to the First-tier Tribunal (Information Rights)<br />
<br />
against:<br />
<br />
<br />
(a) the imposition of the monetary penalty and/or;<br />
<br />
<br />
<br />
(b) the amount of the penalty specified in the monetary penalty<br />
notice.<br />
<br />
<br />
<br />
101. Any notice of appeal should be received by the Tribunal within 28 days<br />
of the date of this monetary penalty notice.<br />
<br />
<br />
102. Information about appeals is set out in Annex 1.<br />
<br />
<br />
103. The Commissioner will not take action to enforce a monetary penalty<br />
<br />
unless:<br />
<br />
<br />
• the period specified within the notice within which a monetary<br />
<br />
penalty must be paid has expired and all or any of the monetary<br />
penalty has not been paid;<br />
<br />
<br />
<br />
• all relevant appeals against the monetary penalty notice and any<br />
<br />
variation of it have either been decided or withdrawn; and<br />
<br />
<br />
• the period for appealing against the monetary penalty and any variation<br />
of it has expired.<br />
<br />
<br />
104. In England, Wales and Northern Ireland, the monetary penalty is<br />
recoverable by Order of the County Court or the High Court.<br />
<br />
In Scotland, the monetary penalty can be enforced in the same manner<br />
as an extract registered decree arbitral bearing a warrant for execution<br />
<br />
issued by the sheriff court of any sheriffdom in Scotland.<br />
<br />
<br />
<br />
Dated the 15th day of November 2021<br />
<br />
Elizabeth Denham<br />
Information Commissioner<br />
Information Commissioner's Office<br />
Wycliffe House<br />
Water Lane<br />
Wilmslow<br />
Cheshire<br />
SK9 5AF<br />
ANNEX 1<br />
<br />
<br />
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER<br />
<br />
<br />
1. Section 55B(5) of the Data Protection Act 1998 gives any person<br />
upon whom a monetary penalty notice has been served a right of<br />
<br />
appeal to the First-tier Tribunal (Information Rights) (the 'Tribunal')<br />
<br />
against the notice.<br />
<br />
<br />
2. If you decide to appeal and if the Tribunal considers:<br />
<br />
<br />
a) that the notice against which the appeal is brought is not in<br />
<br />
accordance with the law; or<br />
<br />
<br />
b) to the extent that the notice involved an exercise of<br />
<br />
discretion by the Commissioner, that she ought to have exercised<br />
her discretion differently,<br />
<br />
<br />
<br />
the Tribunal will allow the appeal or substitute such other decision as<br />
could have been made by the Commissioner. In any other case the<br />
<br />
Tribunal will dismiss the appeal.<br />
<br />
<br />
3. You may bring an appeal by serving a notice of appeal on the<br />
<br />
Tribunal at the following address:<br />
<br />
<br />
General Regulatory Chamber<br />
HM Courts & Tribunals Service<br />
PO Box 9300<br />
Leicester<br />
<br />
LE1 8DJ<br />
Telephone: 0203 936 8963<br />
Email: grc@justice.gov.uk<br />
<br />
<br />
<br />
a) The notice of appeal should be sent so it is received by the<br />
Tribunal within 28 days of the date of the notice.<br />
<br />
<br />
<br />
b) If your notice of appeal is late the Tribunal will not admit it<br />
unless the Tribunal has extended the time for complying with this<br />
<br />
rule.<br />
<br />
<br />
4. The notice of appeal should state:<br />
<br />
<br />
<br />
a) your name and address/name and address of your<br />
representative (if any);<br />
<br />
<br />
b) an address where documents may be sent or delivered to<br />
<br />
you;<br />
<br />
<br />
c) the name and address of the Information Commissioner;<br />
<br />
<br />
<br />
d) details of the decision to which the proceedings relate;<br />
<br />
<br />
e) the result that you are seeking;<br />
<br />
<br />
f) the grounds on which you rely;<br />
<br />
<br />
g) you must provide with the notice of appeal a copy of the<br />
<br />
monetary penalty notice or variation notice;<br />
<br />
<br />
h) if you have exceeded the time limit mentioned above the<br />
<br />
notice of appeal must include a request for an extension of time<br />
<br />
and the reason why the notice of appeal was not provided in<br />
time.<br />
<br />
<br />
<br />
5. Before deciding whether or not to appeal you may wish to consult<br />
your solicitor or another adviser. At the hearing of an appeal a party<br />
<br />
may conduct his case himself or may be represented by any person<br />
whom he may appoint for that purpose.<br />
<br />
<br />
6. The statutory provisions concerning appeals to the First-tier<br />
<br />
Tribunal (Information Rights) are contained in section 55B(5) of, and<br />
Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure<br />
<br />
(First-tier Tribunal) (General Regulatory Chamber) Rules 2009<br />
(Statutory Instrument 2009 No. 1976 (L.20)).<br />
<br />
</pre></div>Mariam-hwthhttps://gdprhub.eu/index.php?title=UKSC_-_Richard_Lloyd_v_Google_LLC_(2021)_UKSC_50&diff=21385UKSC - Richard Lloyd v Google LLC (2021) UKSC 502021-11-23T18:37:49Z<p>Mariam-hwth: /* Holding: */</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=UKSC<br />
|Court_With_Country=UKSC (United Kingdom)<br />
<br />
|Case_Number_Name=Richard Lloyd v Google LLC (2021) UKSC 50<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=The Supreme Court of the United Kingdom<br />
|Original_Source_Link_1=https://www.supremecourt.uk/cases/docs/uksc-2019-0213-judgment.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Date_Decided=10.11.2021<br />
|Date_Published=10.11.2021<br />
|Year=2021<br />
<br />
<br />
|EU_Law_Name_1=Article 23 of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data<br />
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:31995L0046<br />
<br />
|National_Law_Name_1=Rule 19.6 of the Civil Procedure Rules<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=Section 13 of the Data Protection Act 1998<br />
|National_Law_Link_2=https://www.legislation.gov.uk/ukpga/1998/29/contents<br />
|National_Law_Name_3=Section 14 of the Data Protection Act 1998<br />
|National_Law_Link_3=https://www.legislation.gov.uk/ukpga/1998/29/contents<br />
|National_Law_Name_4=Section 4(4) of the Data Protection Act 1998<br />
|National_Law_Link_4=https://www.legislation.gov.uk/ukpga/1998/29/contents<br />
|National_Law_Name_5=Rule 19.11 of the Civil Procedure Rules<br />
|National_Law_Link_5=<br />
<br />
|Party_Name_1=Richard Lloyd<br />
|Party_Link_1=<br />
|Party_Name_2=Google LLC<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=England and Wales Court of Appeal (Civil Division)<br />
|Appeal_From_Case_Number_Name=Lloyd v Google LLC (2019) EWCA Civ 1599<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=https://www.bailii.org/ew/cases/EWCA/Civ/2019/1599.html<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=MH<br />
|<br />
}}<br />
<br />
The UK Supreme Court held that to claim compensation for an infringement of the Data Protection Act 1998, it was necessary to demonstrate material damage or distress suffered by each individual. A representative action was therefore not suitable. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Google secretly tracked Apple iPhone users between late 2011 and early 2012 and used the data collected in that way for commercial purposes. Google bypassed privacy settings on Apple iPhones and the default blocking of third-party cookies on Safari with its “DoubleClick Ad” cookie by relying on an exception devised by Apple. Google placed this cookie without the user’s knowledge or consent. The cookie was enabled if users visited a website that included DoubleClick Ad content (advertising content). The cookie identified visits by a specific device to websites using this advertising content, including the date and time of the visit; the time spent by the user on the website; which advertisement was viewed and for how long; and, using the IP address, the user’s geographical location. <br />
<br />
As a result, Google could infer the user’s internet surfing habits and location, as well as interests, race or ethnicity, social class, political or religious beliefs, health, sexual interests, age, gender and financial situation. Google then used this aggregated information to give them labels (eg “football lovers”) and eventually offered these group labels to advertising organisations looking to target specific groups when using Google’s DoubleClick service. <br />
<br />
This allegation was also brought in the US, where Google paid $22.5 million to settle charges brought by the US Federal Trade Commission and $17 million to settle consumer-based actions. <br />
<br />
Three individuals in the UK sued Google in 2013 for the same allegation and their claim was settled by Google (Vidal-Hall v Google Inc). <br />
<br />
Lloyd filed a claim before the UK courts on behalf of everyone who resided in England and Wales and owned an Apple iPhone at the time of the secret tracking. Lloyd filed this class action with the intention of recovering damages for more than 4 million people affected. He claimed that compensation (£750 suggested) should be awarded under the Data Protection Act 1998 for loss of control of personal data without having to demonstrate that the claimant suffered financial or mental distress as a result of the infringement.<br />
<br />
=== Holding ===<br />
<br />
==== Legal framework: ====<br />
Section 4(4) of the Data Protection Act 1998 (DPA 1998) imposes a duty on data controllers to comply with data protection principles. These are laid out in Schedule 1 of the DPA 1998.<br />
<br />
Section 13 of the DPA 1998 gives individuals a right to compensation from the controller if they suffer damage as a result of a contravention of the Act by that controller.<br />
<br />
Individuals whose claims give rise to a common issue of fact or law can apply for a Group Litigation Order to be made under Rule 19.11 of the Civil Procedure Rules. This is an “opt-in” regime where claimants must take steps to join the group. <br />
<br />
They can also do so under a representative action, reflected in Rule 19.6 of the Civil Procedure Rules (CPR). However, as a detailed legislative framework is missing, the representative action rules within common law have been considered by the Supreme Court. The following principles are relevant:<br />
<br />
* “same interest” requirement where the representative must have the same interest or common issues as the persons they represent (within Rule 19.6 CPR)<br />
* “court’s discretion” as to whether to allow the claim to proceed as a representative action. This is an objective assessment as to whether the case can be dealt with justly and at a proportionate cost (within Rules 1.1 and 1.2 CPR)<br />
* “no requirement of consent” or awareness required from the people represented<br />
* “class definition” requirement where the class of people represented must be clearly defined <br />
* “liability for costs” requirement where the persons represented will not have to pay costs of being represented incurred by the representative<br />
* “scope for claiming damages” where claiming damages is limited by the nature of the remedy of damages at common law, or by the fact that damages may require an individual assessment<br />
<br />
==== Holding: ====<br />
The UK Supreme Court did not object to a representative claim brought to establish whether Google was in breach of the DPA 1998. The Supreme Court also determined that the individuals had similar interests or common issues caused by tracking of their behaviour without consent. <br />
<br />
According to the Court, there was no uniform effect caused by Google’s actions across the represented class. Instead, the effect and the amount recoverable by each individual would depend on the circumstances particular to the individuals (eg how often they used Safari or websites with DoubleClick Ad content). Contrary to Lloyd’s claim, the Court held that the DPA 1998 cannot be read to mean that individuals are entitled to compensation for any contravention of the DPA 1998 without needing to prove financial loss or distress. According to the leading judgment, under Section 13 DPA 1998, it is not enough to prove an infringement by a data controller, as “damage” (interpreted as only meaning material damage) or “distress” must be suffered as a result. <br />
<br />
Following an analysis of ''Vidal-Hall v Google Inc'' (discussing Section 13 DPA 1998) and ''Gulati v MGN Ltd'' (discussing the tort of misuse of private information), the Court outlined that it would be possible for Lloyd to claim (1) damages under Section 13(1) DPA 1998 for distress suffered due to Google’s infringement of the Act; and/or (2) damages for the misuse of private information without the need to show material damage or distress. However, the Court outlined that the case was not made for either (a claim for the tort of misuse of private information not having been made). Again, the Court reiterated that to recover damages for distress under Section 13(1) DPA 1998, it would be necessary to provide evidence of this distress for each individual represented – making this incompatible with the nature of a representative action.<br />
<br />
The UK Supreme Court rejected the argument that an infringement of the DPA 1998 should be dealt with in the same way as the tort of misuse of private information and that therefore damages can be recovered for interference by an organisation without the need to demonstrate material damage or distress. The UK Supreme Court relied on the fact that Section 13(1) DPA 1998 cannot be interpreted using that analogy, as highlighted above. The wording of the DPA 1998 and its interpretation in caselaw cannot be detached from the fact that material damage or distress must be demonstrated. <br />
<br />
''"…the wording of section 13(1) draws a distinction between “damage” suffered by an individual and a “contravention” of a requirement of the Act by a data controller, and provides a right to compensation “for that damage” only if the “damage” occurs “by reason of” the contravention."'' <br />
<br />
Section 14 DPA 1998 also supports the interpretation that damage, and not purely an infringement of the legislation, must be demonstrated. The Court also relied on the interpretation by the Court of Appeal in ''Vidal-Hall v Google Inc'', which distinguished damage or distress suffered from contravention of a requirement in the DPA 1998. The Court also did not consider that it was possible to rely on an analogy between the tort of misuse of private information and Section 13 DPA 1998 simply because they are both founded in the common root of the “right to privacy” embodied in Article 8 of the European Convention on Human Rights. <br />
<br />
Additionally, the Court held that it would be, in any case, necessary to identify damage or distress suffered by each individual for the purpose of awarding compensation (even if it was not necessary to show individual damage or distress as a result of the infringement). Factors like the extent of Google’s tracking; the quantity of data processed; the nature of the data processed (sensitive nature?); and the use of that information and benefit from it by Google would all need to be assessed for individual cases. Without such individualised assessment, the “lowest common denominator” on which Lloyd’s claim is based (proof that the individual is part of the class by having an iPhone at the time) would not be sufficient to amount to something more than trivial (as required under Section 13 DPA 1998). Therefore, compensation could not be quantified beyond 0. <br />
<br />
The UK Supreme Court concluded and decided unanimously that: <br />
<br />
“''In order to recover compensation under the DPA 1998 for any given individual, it would be necessary to show both that Google made some unlawful use of personal data relating to that individual and that the individual suffered some damage as a result.''”<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
Michaelmas Term<br />
[2021] UKSC 50<br />
On appeal from: [2019] EWCA Civ 1599<br />
<br />
<br />
<br />
JUDGMENT<br />
<br />
<br />
Lloyd (Respondent) v Google LLC (Appellant)<br />
<br />
before<br />
<br />
<br />
Lord Reed, President<br />
Lady Arden<br />
Lord Sales<br />
<br />
Lord Leggatt<br />
Lord Burrows<br />
<br />
<br />
JUDGMENT GIVEN ON<br />
10 November 2021<br />
<br />
<br />
Heard on 28 and 29 April 2021<br />
<br />
Appellant<br />
Antony White QC<br />
Edward Craven<br />
<br />
(Instructed by Pinsent Masons LLP (London))<br />
<br />
<br />
Respondent<br />
Hugh Tomlinson QC<br />
Oliver Campbell QC<br />
<br />
Victoria Wakefield QC<br />
(Instructed by Milberg London LLP)<br />
<br />
<br />
1st Intervener (Information Commissioner)<br />
Gerry Facenna QC<br />
<br />
Nikolaus Grubeck<br />
(Instructed by Information Commissioner’s Office)<br />
<br />
<br />
2nd Intervener (Open Rights Group)<br />
(written submissions only)<br />
<br />
Robert Palmer QC<br />
Julianne Kerr Morrison<br />
(Instructed by AWO)<br />
<br />
<br />
<br />
3rd Intervener (Association of the British Pharmaceutical Industry and Association of British<br />
HealthTech Industries (ABPI and ABHI))<br />
(written submissions only)<br />
Lord Anderson of Ipswich KBE QC<br />
Robin Hopkins<br />
<br />
Rupert Paines<br />
(Instructed by CMS Cameron McKenna Nabarro Olswang LLP (London))<br />
<br />
<br />
4th Intervener (Liberty, Coram Children’s Legal Centre and Inclusion London)<br />
(written submissions only)<br />
<br />
Dan Squires QC<br />
Aidan Wills<br />
Tim James-Matthews<br />
(Instructed by Liberty, Coram Children’s Legal Centre and Deighton Pierce Glynn)<br />
<br />
<br />
<br />
5th Intervener (Internet Association)<br />
(written submissions only)<br />
Christopher Knight<br />
(Instructed by Linklaters LLP (London))<br />
<br />
6th Intervener (TECHUK Ltd (trading as techUK))<br />
(written submissions only)<br />
Catrin Evans QC<br />
<br />
Ian Helme<br />
(Instructed by RPC LLP (London))<br />
<br />
LORD LEGGATT: (with whom Lord Reed, Lady Arden, Lord Sales and Lord Burrows<br />
agree)<br />
<br />
<br />
A. INTRODUCTION<br />
<br />
<br />
1. Mr Richard Lloyd - with financial backing from Therium Litigation Funding IC, a<br />
commercial litigation funder - has issued a claim against Google LLC, alleging breach of<br />
<br />
its duties as a data controller under section 4(4) of the Data Protection Act 1998 (“the<br />
DPA 1998”). The claim alleges that, for several months in late 2011 and early 2012,<br />
Google secretly tracked the internet activity of millions of Apple iPhone users and used<br />
the data collected in this way for commercial purposes without the users’ knowledge<br />
<br />
or consent.<br />
<br />
<br />
2. The factual allegation is not new. In August 2012, Google agreed to pay a civil<br />
penalty of US$22.5m to settle charges brought by the United States Federal Trade<br />
Commission based upon the allegation. In November 2013, Google agreed to pay<br />
US$17m to settle consumer-based actions brought against it in the United States. In<br />
<br />
England and Wales, three individuals sued Google in June 2013 making the same<br />
allegation and claiming compensation under the DPA 1998 and at common law for<br />
misuse of private information: see Vidal-Hall v Google Inc (Information Comr<br />
intervening) [2015] EWCA Civ 311; [2016] QB 1003. Following a dispute over<br />
<br />
jurisdiction, their claims were settled before Google had served a defence. What is<br />
new about the present action is that Mr Lloyd is not just claiming damages in his own<br />
right, as the three claimants did in Vidal-Hall. He claims to represent everyone resident<br />
in England and Wales who owned an Apple iPhone at the relevant time and whose<br />
data were obtained by Google without their consent, and to be entitled to recover<br />
<br />
damages on behalf of all these people. It is estimated that they number more than 4m.<br />
<br />
<br />
3. Class actions, in which a single person is permitted to bring a claim and obtain<br />
redress on behalf of a class of people who have been affected in a similar way by<br />
alleged wrongdoing, have long been possible in the United States and, more recently,<br />
<br />
in Canada and Australia. Whether legislation to establish a class action regime should<br />
be enacted in the UK has been much discussed. In 2009, the Government rejected a<br />
recommendation from the Civil Justice Council to introduce a generic class action<br />
regime applicable to all types of claim, preferring a “sector based approach”. This was<br />
<br />
for two reasons:<br />
<br />
<br />
“Firstly, there are potential structural differences between<br />
the sectors which will require different consideration. …<br />
Secondly, it will be necessary to undertake a full assessment<br />
of the likely economic and other impacts before<br />
implementing any reform.”<br />
<br />
<br />
See the Government’s Response to the Civil Justice Council’s Report: “Improving<br />
Access to Justice through Collective Actions” (2008), paras 12-13.<br />
<br />
<br />
4. Since then, the only sector for which such a regime has so far been enacted is<br />
<br />
that of competition law. Parliament has not legislated to establish a class action regime<br />
in the field of data protection.<br />
<br />
<br />
5. Mr Lloyd has sought to overcome this difficulty by what the Court of Appeal in<br />
this case described as “an unusual and innovative use of the representative procedure”<br />
<br />
in rule 19.6 of the Civil Procedure Rules: see [2019] EWCA Civ 1599; [2020] QB 747,<br />
para 7. This is a procedure of very long standing in England and Wales whereby a claim<br />
can be brought by (or against) one or more persons as representatives of others who<br />
have “the same interest” in the claim. Mr Lloyd accepts that he could not use this<br />
procedure to claim compensation on behalf of other iPhone users if the compensation<br />
<br />
recoverable by each user would have to be individually assessed. But he contends that<br />
such individual assessment is unnecessary. He argues that, as a matter of law,<br />
compensation can be awarded under the DPA 1998 for “loss of control” of personal<br />
data without the need to prove that the claimant suffered any financial loss or mental<br />
<br />
distress as a result of the breach. Mr Lloyd further argues that a “uniform sum” of<br />
damages can properly be awarded in relation to each person whose data protection<br />
rights have been infringed without the need to investigate any circumstances<br />
particular to their individual case. The amount of damages recoverable per person<br />
would be a matter for argument, but a figure of £750 was advanced in a letter of claim.<br />
<br />
Multiplied by the number of people whom Mr Lloyd claims to represent, this would<br />
produce an award of damages of the order of £3 billion.<br />
<br />
<br />
6. Because Google is a Delaware corporation, the claimant needs the court’s<br />
permission to serve the claim form on Google outside the jurisdiction. The application<br />
<br />
for permission has been contested by Google on the grounds that the claim has no real<br />
prospect of success as: (1) damages cannot be awarded under the DPA 1998 for “loss<br />
of control” of data without proof that it caused financial damage or distress; and (2)<br />
the claim in any event is not suitable to proceed as a representative action. In the High<br />
<br />
Court Warby J decided both issues in Google’s favour and therefore refused permission<br />
to serve the proceedings on Google: see [2018] EWHC 2599 (QB); [2019] 1 WLR 1265.<br />
The Court of Appeal reversed that decision, for reasons given in a judgment of the<br />
Chancellor, Sir Geoffrey Vos, with which Davis LJ and Dame Victoria Sharp agreed:<br />
[2019] EWCA Civ 1599; [2020] QB 747.<br />
<br />
<br />
7. On this further appeal, because of the potential ramifications of the issues<br />
raised, as well as hearing the claimant and Google, the court has received written and<br />
oral submissions from the Information Commissioner and written submissions from<br />
five further interested parties.<br />
<br />
<br />
8. In this judgment I will first summarise the facts alleged and the relevant legal<br />
<br />
framework for data protection before considering the different methods currently<br />
available in English procedural law for claiming collective redress and, in particular, the<br />
representative procedure which the claimant is seeking to use. Whether that<br />
procedure is capable of being used in this case critically depends, as the claimant<br />
<br />
accepts, on whether compensation for the alleged breaches of data protection law<br />
would need to be individually assessed. I will then consider the claimant’s arguments<br />
that individual assessment is unnecessary. For the reasons given in detail below, those<br />
arguments cannot in my view withstand scrutiny. In order to recover compensation<br />
under the DPA 1998 for any given individual, it would be necessary to show both that<br />
<br />
Google made some unlawful use of personal data relating to that individual and that<br />
the individual suffered some damage as a result. The claimant’s attempt to recover<br />
compensation under the Act without proving either matter in any individual case is<br />
therefore doomed to fail.<br />
<br />
<br />
<br />
B. FACTUAL BACKGROUND<br />
<br />
<br />
9. The relevant events took place between 9 August 2011 and 15 February 2012<br />
and involved the alleged use by Google of what has been called the “Safari<br />
workaround” to bypass privacy settings on Apple iPhones.<br />
<br />
<br />
10. Safari is an internet browser developed by Apple and installed on its iPhones. At<br />
<br />
the relevant time, unlike most other internet browsers, all relevant versions of Safari<br />
were set by default to block third party cookies. A “cookie” is a small block of data that<br />
is placed on a device when the user visits a website. A “third party cookie” is a cookie<br />
placed on the device not by the website visited by the user but by a third party whose<br />
<br />
content is included on that website. Third party cookies are often used to gather<br />
information about internet use, and in particular web pages visited over time, to<br />
enable the delivery to the user of advertisements tailored to interests inferred from<br />
the user’s browsing history.<br />
<br />
<br />
<br />
11. Google had a cookie known as the “DoubleClick Ad cookie” which could operate<br />
as a third party cookie. It would be placed on a device if the user visited a website that<br />
included DoubleClick Ad content. The DoubleClick Ad cookie enabled Google to<br />
identify visits by the device to any website displaying an advertisement from its vast<br />
advertising network and to collect considerable amounts of information. It could tell<br />
the date and time of any visit to a given website, how long the user spent there, which<br />
pages were visited for how long, and what advertisements were viewed for how long.<br />
In some cases, by means of the IP address of the browser, the user’s approximate<br />
geographical location could be identified.<br />
<br />
<br />
<br />
12. Although the default settings for Safari blocked all third party cookies, a blanket<br />
application of these settings would have prevented the use of certain popular web<br />
functions; so Apple devised some exceptions to them. These exceptions were in place<br />
until March 2012, when the system was changed. But in the meantime the exceptions<br />
<br />
made it possible for Google to devise and implement the Safari workaround. Its effect<br />
was to place the DoubleClick Ad cookie on an Apple device, without the user’s<br />
knowledge or consent, immediately, whenever the user visited a website that<br />
contained DoubleClick Ad content.<br />
<br />
<br />
13. It is alleged that, in this way, Google was able to collect or infer information<br />
<br />
relating not only to users’ internet surfing habits and location, but also about such<br />
diverse factors as their interests and pastimes, race or ethnicity, social class, political or<br />
religious beliefs or affiliations, health, sexual interests, age, gender and financial<br />
situation.<br />
<br />
<br />
<br />
14. Further, it is said that Google aggregated browser generated information from<br />
users displaying similar patterns, creating groups with labels such as “football lovers”,<br />
or “current affairs enthusiasts”. Google’s DoubleClick service then offered these group<br />
labels to subscribing advertisers to choose from when selecting the type of people at<br />
whom they wanted to target their advertisements.<br />
<br />
<br />
<br />
C. THE LEGAL FRAMEWORK<br />
<br />
<br />
15. The DPA 1998 was enacted to implement Parliament and Council Directive<br />
95/46/EC of 24 October 1995 “on the protection of individuals with regard to the<br />
processing of personal data and on the free movement of such data” (OJ 1995 L281, p<br />
<br />
31) (the “Data Protection Directive”). The Data Protection Directive has been<br />
superseded by the General Data Protection Regulation, which became law in the UK in<br />
May 2018, supplemented by the Data Protection Act 2018 (“the DPA 2018”). The DPA<br />
2018 repealed and replaced the DPA 1998 except in relation to acts or omissions which<br />
<br />
occurred before it came into force.<br />
<br />
<br />
<br />
<br />
16. Because the acts and omissions giving rise to the present claim occurred in 2011<br />
and 2012, the claim is governed by the old law contained in the DPA 1998 and the Data<br />
Protection Directive. The parties and interveners in their submissions on this appeal<br />
nevertheless made frequent references to provisions of the General Data Protection<br />
Regulation and the DPA 2018. In principle, the meaning and effect of the DPA 1998 and<br />
<br />
the Data Protection Directive cannot be affected by legislation which has been enacted<br />
subsequently. The later legislation therefore cannot help to resolve the issues raised<br />
on this appeal, and I shall leave it to one side.<br />
<br />
<br />
(1) The scheme of the DPA 1998<br />
<br />
<br />
<br />
17. Section 4(4) of the DPA 1998 imposed a duty on a data controller to comply<br />
with “the data protection principles” set out in Schedule 1 “in relation to all personal<br />
data with respect to which he is the data controller”. As defined in section 1(1) of the<br />
Act, “personal data” are, in effect, all recorded information which relate to an<br />
identifiable individual. An individual who is the subject of personal data is referred to<br />
<br />
as the “data subject”. A “data controller” is a person who (either alone or with others)<br />
“determines the purposes for which and the manner in which any personal data are, or<br />
are to be, processed.” The term “processing” is defined very broadly to mean<br />
“obtaining, recording or holding the information or data or carrying out any operation<br />
<br />
or set of operations on the information or data …”. Section 2 of the Act establishes a<br />
category of “sensitive personal data” consisting of information about certain specified<br />
matters, which include the racial or ethnic origin, political opinions, religious beliefs,<br />
physical or mental health or sexual life of the data subject.<br />
<br />
<br />
18. The first of the eight “data protection principles” set out in Schedule 1 is that:<br />
<br />
<br />
<br />
“Personal data shall be processed fairly and lawfully and, in<br />
particular, shall not be processed unless -<br />
<br />
<br />
(a) at least one of the conditions in Schedule 2 is met,<br />
and<br />
<br />
<br />
<br />
(b) in the case of sensitive personal data, at least one<br />
of the conditions in Schedule 3 is also met.”<br />
<br />
<br />
The other seven data protection principles, in summary, require personal data: (2) to<br />
be obtained and processed only for specified and lawful purposes; (3) to be “adequate,<br />
<br />
relevant, and not excessive” in relation to those purposes; (4) to be accurate and,<br />
where necessary, kept up to date; (5) not to be kept for longer than is necessary for<br />
those purposes; (6) to be processed in accordance with the rights of data subjects<br />
under the Act; (7) to be protected by appropriate technical and organisational security<br />
measures against unauthorised or unlawful processing and against accidental loss or<br />
destruction or damage; and (8) not to be transferred outside the European Economic<br />
<br />
Area unless the destination country or territory provides an adequate level of<br />
protection for data subjects in relation to the processing of personal data.<br />
<br />
<br />
19. As discussed in more detail below, section 13 of the DPA 1998 gives an<br />
individual who suffers damage “by reason of any contravention by a data controller of<br />
<br />
any of the requirements of this Act” a right to compensation from the data controller<br />
for that damage.<br />
<br />
<br />
(2) The allegations of breach of duty<br />
<br />
<br />
20. The claimant, Mr Lloyd, contends that Google processed personal data of each<br />
member of the represented class in breach of the first, second and seventh data<br />
<br />
protection principles. The represented class consists in essence of everyone in England<br />
and Wales who at the relevant time had an Apple iPhone on which Google’s<br />
DoubleClick Ad cookie was placed through the Safari workaround. (The precise<br />
definition of the class is set out at para 19 of Warby J’s judgment.) Two principal<br />
<br />
allegations made are that, in breach of the first data protection principle, (i) the data<br />
obtained by placing the DoubleClick Ad cookie on each class member’s device were not<br />
processed fairly and (ii) none of the conditions in Schedule 2 (or 3) was met.<br />
<br />
<br />
21. Schedule 1, Part II, paragraph 2, provides, in substance, that personal data<br />
obtained from the data subject are not to be treated as processed fairly unless the<br />
<br />
data controller informs the data subject of the purpose for which the data are<br />
intended to be processed - a requirement with which it is said that Google failed to<br />
comply in this case.<br />
<br />
<br />
22. Schedule 2 contains a list of conditions capable of justifying the processing of<br />
<br />
data. To comply with the first data protection principle, at least one of these<br />
conditions must be satisfied. The first condition in Schedule 2 is that “the data subject<br />
has given his consent to the processing”. Other conditions are that the processing is<br />
necessary for (amongst other things): the performance of a contract to which the data<br />
<br />
subject is a party; or compliance with a legal obligation (other than a contractual<br />
obligation) of the data controller; or to protect the vital interests of the data subject;<br />
or for the exercise of any functions of a public nature exercised in the public interest<br />
by any person. The claimant asserts that the members of the represented class whose<br />
personal data Google processed had not given their consent to the processing, nor was<br />
any of the other conditions capable of justifying the processing met. Hence for this<br />
reason too Google was in breach of the first data protection principle.<br />
<br />
<br />
23. There is no doubt that the claimant is entitled to advance a claim against Google<br />
on this basis in his own right which has a real prospect of success. The issue is whether<br />
<br />
he can also do so on behalf of all other iPhone users who fall within the represented<br />
class. This depends on the scope of the representative procedure available under the<br />
Civil Procedure Rules (“CPR”). Before I come to that procedure, I will mention in order<br />
to compare them the two other methods of claiming collective redress currently<br />
<br />
available in English procedural law.<br />
<br />
<br />
D. COLLECTIVE REDRESS IN ENGLISH LAW<br />
<br />
<br />
(1) Group Actions<br />
<br />
<br />
24. A group of people who wish to bring claims which give rise to common or<br />
related issues of fact or law can apply to the court for a Group Litigation Order to be<br />
<br />
made under CPR rule 19.11, providing for the claims to be managed together, usually<br />
by a single designated judge. The Group Litigation Order will establish a register of the<br />
claims included in the group, which is maintained by the claimants’ lead solicitor. The<br />
order may also make provision for how the litigation costs are to be shared among the<br />
<br />
claimants. How the claims are managed is a matter for the designated judge, but<br />
procedures typically used are to select one or more claims to be tried as test claims<br />
while the remaining claims are stayed and to decide as preliminary issues common<br />
issues of law or fact which are potentially dispositive of the litigation. Unless the court<br />
orders otherwise, a judgment given or order made in the litigation is binding on all the<br />
<br />
claimants included in the group register: see CPR rule 19.12(1)(a).<br />
<br />
<br />
25. Where the individual claims are of sufficiently high value, group actions can be<br />
an effective way of enabling what are typically several hundred or thousands of claims<br />
to be litigated and managed together, avoiding duplication of the court’s resources<br />
<br />
and allowing the claimants to benefit from sharing costs and litigation risk and by<br />
obtaining a single judgment which is binding in relation to all their claims. However,<br />
the group action procedure suffers from the drawback that it is an “opt-in” regime: in<br />
other words, claimants must take active steps to join the group. This has an<br />
<br />
administrative cost, as a solicitor conducting the litigation has to obtain sufficient<br />
information from a potential claimant to determine whether he or she is eligible to be<br />
added to the group register, give appropriate advice and enter into a retainer with the<br />
client. For claims which individually are only worth a few hundred pounds, this process<br />
is not economic as the initial costs alone may easily exceed the potential value of the<br />
claim.<br />
<br />
<br />
26. Another limitation of opt-in proceedings is that experience has shown that only<br />
a relatively small proportion of those eligible to join the group are likely to do so,<br />
particularly if the number of people affected is large and the value of each individual<br />
<br />
claim relatively small. For example, a group action was recently brought against the<br />
Morrisons supermarket chain for compensation for breach of the DPA 1998 arising<br />
from the disclosure on the internet by a Morrisons’ employee of personal data relating<br />
to other employees. Of around 100,000 affected employees, fewer than 10,000 opted<br />
<br />
to join the group action: see Various Claimants v Wm Morrisons Supermarkets plc<br />
[2017] EWHC 3113 (QB); [2019] QB 772 (reversed on the issue of vicarious liability by<br />
the Supreme Court: [2020] UKSC 12; [2020] AC 989). During the period of more than 12<br />
years in which collective proceedings under the Competition Act 1998 (discussed<br />
below) could be brought only on an opt-in basis just one action was commenced,<br />
<br />
based on a finding of price fixing in the sale of replica football shirts. Although around<br />
1.2 – 1.5m people were affected, despite widespread publicity only 130 people opted<br />
into the proceedings: see The Consumers' Association v JJB Sports Plc [2009] CAT 2,<br />
para 5; Civil Justice Council Report “Improving Access to Justice through Collective<br />
<br />
Actions” (2008), Part 6, para 22; and Grave D, McIntosh M and Rowan G (eds), Class<br />
Actions in England and Wales, 1st ed (2018), para 1-068.<br />
<br />
<br />
27. Likely explanations for the low participation rates typically experienced in opt-in<br />
regimes include lack of awareness of the opportunity to join the litigation and the<br />
natural human tendency to do nothing when faced with a choice which requires<br />
<br />
positive action - particularly if there is no immediate benefit to be gained and the<br />
consequences are uncertain and not easy to understand: see eg Thaler R and Sunstein<br />
C, Nudge: The Final Edition (2021), pp 36-38; Samuelson W and Zeckhauser R, “Status<br />
Quo Bias in Decision Making” (1988) 1 Journal of Risk and Uncertainty 7-59. As the<br />
<br />
New Zealand Court of Appeal has recently said of opt-in class actions:<br />
<br />
<br />
“Whichever approach is adopted, many class members are<br />
likely to fail to take any positive action for a range of reasons<br />
that have nothing at all to do with an assessment of whether<br />
<br />
or not it is in their interests to participate in the proceedings.<br />
Some class members will not receive the relevant notice.<br />
Others will not understand the notice, or will have difficulty<br />
understanding what action they are required to take and<br />
completing any relevant form, or will be unsure or hesitant<br />
<br />
about what to do and will do nothing. Even where a class<br />
member considers that it is in their interests to participate in<br />
the proceedings, the significance of inertia in human affairs<br />
should not be underestimated.”<br />
<br />
<br />
Ross v Southern Response Earthquake Services Ltd [2019] NZCA 431, para 98; approved<br />
by the New Zealand Supreme Court at [2020] NZSC 126, para 40.<br />
<br />
<br />
28. A further factor which makes group litigation impractical in cases where the loss<br />
<br />
suffered by each individual is small, even if in aggregate it may amount to a very large<br />
sum of money, is the need to prove the quantum of loss in each individual case. Not<br />
only are eligible individuals less likely to opt into the proceedings where the potential<br />
gain to them is small, but the costs of obtaining evidence from each individual to<br />
<br />
support their claim is again likely to make group litigation uneconomic in such cases.<br />
<br />
<br />
(2) Collective Proceedings<br />
<br />
<br />
29. Compared to group actions, the method of collective redress which is now<br />
available in the field of competition law offers significant advantages for claimants,<br />
particularly where many people have been affected by the defendant’s conduct but<br />
<br />
the value of each individual claim is small. Section 47B of the Competition Act 1998<br />
(added by the Enterprise Act 2002 and as amended by the Consumer Rights Act 2015)<br />
makes provision for bringing “collective proceedings” in the Competition Appeal<br />
Tribunal (“CAT”) combining two or more claims to which section 47A applies<br />
<br />
(essentially, claims in respect of an infringement or alleged infringement of<br />
competition law). Such proceedings must be commenced by a person who proposes to<br />
be the representative of a specified class of persons, and the proceedings may only be<br />
continued if they are certified by the CAT as satisfying criteria set out in section 47B<br />
<br />
and in the CAT Rules. Two features of this regime may be noted.<br />
<br />
<br />
30. First, unlike group litigation, collective proceedings may be brought on either an<br />
“opt-in” or “opt-out” basis. “Opt-out” collective proceedings are proceedings brought<br />
on behalf of each class member except any member who opts out by notifying the<br />
class representative that their claim should not be included in the proceedings: see<br />
<br />
section 47B(11). Where “opt-out” collective proceedings are permitted, a person may<br />
therefore have a claim brought on their behalf without taking any affirmative step and,<br />
potentially, without even knowing of the existence of the proceedings and the fact that<br />
he or she is represented in them.<br />
<br />
<br />
<br />
31. A second significant feature of the collective proceedings regime is that it<br />
enables liability to be established and damages recovered without the need to prove<br />
that members of the class have individually suffered loss: it is sufficient to show that<br />
loss has been suffered by the class viewed as a whole. This is the effect of section<br />
47C(2) of the Competition Act, which provides:<br />
<br />
<br />
“The tribunal may make an award of damages in collective<br />
proceedings without undertaking an assessment of the<br />
<br />
amount of damages recoverable in respect of the claim of<br />
each represented person.”<br />
<br />
<br />
Such an award of damages is referred to in the CAT Rules as “an aggregate award of<br />
damages”: see rule 73(2).<br />
<br />
<br />
<br />
32. As Lord Briggs explained in Merricks v Mastercard [2020] UKSC 51; [2021] Bus LR<br />
25, at para 76, section 47C(2) of the Competition Act “radically alters the established<br />
common law compensatory principle by removing the requirement to assess individual<br />
loss”. This is so for the purposes both of making and of paying out an aggregate award<br />
of damages. How an aggregate award of damages is distributed among the members<br />
<br />
of the class is subject to the control of the CAT and, as this court held in Merricks v<br />
Mastercard, the only requirement is that the distribution should be just: see paras 76-<br />
77, 149. No doubt in many cases a just method of distribution will be one which divides<br />
up an aggregate award of damages in a way which takes account of individual loss. But<br />
<br />
particularly where the size of the class is large and the amount of damages awarded<br />
small considered on a per capita basis, it may be impractical or disproportionate to<br />
adopt such a method. In such cases some other method of distribution, such as an<br />
equal division among all the members of the class, may be justified.<br />
<br />
<br />
<br />
(3) Representative Actions<br />
<br />
<br />
33. Collective proceedings are a recent phenomenon in English law. By contrast, the<br />
representative procedure which the claimant is seeking to use in this case has existed<br />
for several hundred years. The current version of the representative rule is CPR rule<br />
19.6, which states:<br />
<br />
<br />
<br />
“(1) Where more than one person has the same interest in<br />
a claim -<br />
<br />
<br />
(a) the claim may be begun; or<br />
<br />
<br />
<br />
(b) the court may order that the claim be continued,<br />
<br />
<br />
by or against one or more of the persons who have the same<br />
interest as representatives of any other persons who have<br />
that interest.<br />
<br />
<br />
(2) The court may direct that a person may not act as a<br />
<br />
representative.<br />
<br />
<br />
(3) Any party may apply to the court for an order under<br />
paragraph (2).<br />
<br />
<br />
(4) Unless the court otherwise directs any judgment or<br />
<br />
order given in a claim in which a party is acting as a<br />
representative under this rule -<br />
<br />
<br />
(a) is binding on all persons represented in the claim;<br />
but<br />
<br />
<br />
(b) may only be enforced by or against a person who is<br />
<br />
not a party to the claim with the permission of the<br />
court.”<br />
<br />
<br />
(a) Origins of the rule<br />
<br />
<br />
34. This rule has its origins in the procedure of the Court of Chancery before the<br />
<br />
Judicature Act of 1873. The general rule was that all persons materially interested in<br />
the subject-matter of a suit should be made parties to it, either as claimants or<br />
defendants, so as to ensure that the rights of all persons interested were settled by a<br />
single judgment of the court: see eg Adair v New River Co (1805) 11 Ves Jr 429; 32 ER<br />
<br />
1153; Cockburn v Thompson (1809) 16 Ves Jr 321; 33 ER 1005. However, to join all<br />
interested persons as parties was not always practically convenient - particularly if they<br />
were very numerous. The solution devised was not to abandon the aim of settling the<br />
rights of all interested persons in a single proceeding; rather, it was to relax the<br />
“complete joinder rule” by allowing one or more claimants or defendants to represent<br />
<br />
all others who had the same interest as them: see Sorabji J, “The hidden class action in<br />
English civil procedure” (2009) 28 CJQ 498. All persons represented in this way, as well<br />
as the parties actually before the court, were bound by the court’s decision.<br />
<br />
35. In the very early cases in the 16th and 17th centuries in which this procedure<br />
was adopted, the persons represented were invariably a cohesive communal group,<br />
such as parishioners or manorial tenants, whose members had agreed to be<br />
represented; and the representatives were often required to show proof of their<br />
authority to represent the group. But as the nature of society changed and new, more<br />
<br />
impersonal institutions such as friendly societies and joint stock companies with<br />
multiple investors emerged, this requirement was dropped. The court allowed persons<br />
to be represented whether or not they had consented to such representation or even<br />
knew of the action, relying on community of interest among the members of the group<br />
<br />
to ensure that the interests of all were adequately protected: see Yeazell, “From Group<br />
Litigation to Class Action, Part I: The Industrialization of Group Litigation” (1980) 27<br />
UCLA Law Review 514.<br />
<br />
<br />
36. Many of the formative cases involved joint stock companies at a time (before<br />
the Joint Stock Companies Acts 1844 to 1858) when such companies were not yet<br />
<br />
recognised as separate legal entities which could sue or be sued. An action had<br />
therefore to be brought by (or against) the members themselves. In Chancey v May<br />
(1722) Precedents in Chancery 592; 24 ER 265, the treasurer and manager of a brass-<br />
works brought an action on behalf of themselves and all other proprietors of the<br />
<br />
undertaking, of whom there were 800 in total, except for the defendants, who were its<br />
former managers, to call the defendants to account for alleged mismanagement and<br />
embezzlement. The defendants objected that the claim should not be allowed to<br />
proceed as the rest of the proprietors had not been made parties. The court dismissed<br />
that objection on the grounds that, first, the action had been brought on behalf of all<br />
<br />
the other proprietors, so that “all the rest were in effect parties”, and secondly:<br />
<br />
<br />
“Because it would be impracticable to make them all parties<br />
by name, and there would be continual abatements by death<br />
and otherwise, and no coming at justice, if all were to be<br />
<br />
made parties.”<br />
<br />
<br />
37. Another notable case involving a joint stock company was Meux v Maltby (1818)<br />
2 Swanston 277; 36 ER 621. In this case the treasurer and directors of the company<br />
were sued as representative defendants on a contract made on behalf of all the<br />
<br />
members of the company to grant a lease. In rejecting an argument that the claim was<br />
defective because not all the proprietors were before the court, Plumer MR explained,<br />
at pp 281-282:<br />
<br />
<br />
“The general rule, which requires the plaintiff to bring before<br />
the court all the parties interested in the subject in question,<br />
<br />
admits of exceptions. The liberality of this court has long held<br />
that there is of necessity an exception to the general rule,<br />
when a failure of justice would ensue from its enforcement.”<br />
<br />
<br />
After citing numerous authorities, he concluded, at p 284:<br />
<br />
<br />
“Here is a current of authority, adopting more or less a<br />
general principle of exception, by which the rule, that all<br />
<br />
persons interested must be parties, yields when justice<br />
requires it, in the instance either of plaintiffs or defendants.<br />
… It is quite clear that the present suit has sufficient parties,<br />
and that the defendants may be considered as representing<br />
<br />
the company.”<br />
<br />
<br />
38. In Duke of Bedford v Ellis [1901] AC 1, 8, Lord Macnaghten summarised the<br />
practice of the Court of Chancery in this way:<br />
<br />
<br />
“The old rule in the Court of Chancery was very simple and<br />
perfectly well understood. Under the old practice the Court<br />
<br />
required the presence of all parties interested in the matter<br />
in suit, in order that a final end might be made of the<br />
controversy. But when the parties were so numerous that<br />
you never could ‘come at justice’, to use an expression in one<br />
<br />
of the older cases, if everybody interested was made a party,<br />
the rule was not allowed to stand in the way. It was originally<br />
a rule of convenience: for the sake of convenience it was<br />
relaxed. Given a common interest and a common grievance,<br />
a representative suit was in order if the relief sought was in<br />
<br />
its nature beneficial to all whom the plaintiff proposed to<br />
represent.”<br />
<br />
<br />
(b) Effect of the Judicature Act<br />
<br />
<br />
39. By the Supreme Court of Judicature Act 1873, all the jurisdiction previously<br />
<br />
exercised by the Court of Chancery and the courts of common law was transferred to<br />
and vested in the new High Court of Justice. Rules of procedure for the High Court<br />
were scheduled to the Act, which included as rule 10:<br />
<br />
<br />
“Where there are numerous parties having the same interest<br />
<br />
in one action, one or more of such parties may sue or be<br />
sued, or may be authorised by the court to defend in such<br />
action, on behalf or for the benefit of all parties so<br />
interested.”<br />
<br />
<br />
This rule became Order 16, rule 9 of the Rules of the Supreme Court and has remained<br />
in force in the same or similar form ever since. Save that the requirement for<br />
<br />
“numerous parties” has been reduced to “more than one”, there is no significant<br />
difference in the current version of the rule, quoted at para 33 above.<br />
<br />
<br />
40. At first after the enactment of the Judicature Act the courts construed the new<br />
rule narrowly. In Temperton v Russell [1893] 1 QB 435, 438, Lindley LJ, who gave the<br />
<br />
judgment of the Court of Appeal, expressed the view that the rule only applied to<br />
“persons who have or claim some beneficial proprietary right” which they are asserting<br />
or defending in an action that would have come within the jurisdiction of the old Court<br />
of Chancery; hence the rule did not apply to a claim for damages in tort. That view,<br />
however, was repudiated by the House of Lords in Duke of Bedford v Ellis [1901] AC 1.<br />
<br />
Six individuals sued the Duke of Bedford, who owned Covent Garden Market, on behalf<br />
of themselves and all other growers of fruit, flowers, vegetables, roots and herbs, to<br />
enforce certain preferential rights claimed under the Covent Garden Market Act 1828<br />
to stands in the market. They sought declarations of the rights of the growers and an<br />
<br />
injunction to restrain the Duke from acting inconsistently with those rights. They also<br />
claimed - though only for themselves and not on behalf of other growers - an account<br />
and repayment of sums charged to them for selling at the market in excess of what<br />
they would have paid if afforded their alleged preferential rights. The Duke applied to<br />
have the action stayed either on the ground that the claimants had no beneficial<br />
<br />
proprietary right, or on the ground that the joinder in one action of parties claiming<br />
separate and different rights under the Act, both personally and as representing a<br />
class, would embarrass or delay the trial. The House of Lords rejected both grounds<br />
(the first unanimously and the second by a majority of 3 to 2) and held that the action<br />
<br />
could be maintained.<br />
<br />
<br />
41. Lord Macnaghten, who gave the leading speech, expressly disapproved the<br />
restrictive view of the representative rule expressed in Temperton v Russell and<br />
confirmed that its purpose was simply to apply the practice of the Court of Chancery to<br />
<br />
all divisions of the High Court. The only change was therefore that the rule was now<br />
applicable in actions which, before the Judicature Act, could only have been brought in<br />
a court of common law. He said, at pp 10-11, that:<br />
<br />
<br />
“… in all other respects I think the rule as to representative<br />
suits remains very much as it was a hundred years ago. From<br />
<br />
the time it was first established it has been recognised as a<br />
simple rule resting merely upon convenience. It is impossible,<br />
I think, to read such judgments as those delivered by Lord<br />
Eldon in Adair v New River Co, in 1805, and in Cockburn v<br />
Thompson, in 1809, without seeing that Lord Eldon took as<br />
broad and liberal a view on this subject as anybody could<br />
<br />
desire. ‘The strict rule’, he said, ‘was that all persons<br />
materially interested in the subject of the suit, however<br />
numerous, ought to be parties … but that being a general rule<br />
established for the convenient administration of justice must<br />
<br />
not be adhered to in cases to which consistently with<br />
practical convenience it is incapable of application’. ‘It was<br />
better’, he added, ‘to go as far as possible towards justice<br />
than to deny it altogether’. He laid out of consideration the<br />
case of persons suing on behalf of themselves and all others,<br />
<br />
‘for in a sense’, he said, ‘they are before the Court’. As<br />
regards defendants, if you cannot make everybody interested<br />
a party, you must bring so many that it can be said they will<br />
fairly and honestly try the right. I do not think, my Lords, that<br />
<br />
we have advanced much beyond that in the last hundred<br />
years …”<br />
<br />
<br />
As Megarry J commented in John v Rees [1970] Ch 345, 370, this explanation made it<br />
plain that the representative rule is to be treated as being “not a rigid matter of<br />
principle but a flexible tool of convenience in the administration of justice”.<br />
<br />
<br />
<br />
42. In Taff Vale Railway Co v Amalgamated Society of Railway Servants [1901] AC<br />
426, 443, Lord Lindley (as he had become) went out of his way to endorse this view<br />
and to retract his earlier observations in Temperton v Russell, stating:<br />
<br />
<br />
“The principle on which the rule is based forbids its<br />
<br />
restriction to cases for which an exact precedent can be<br />
found in the reports. The principle is as applicable to new<br />
cases as to old, and ought to be applied to the exigencies of<br />
modern life as occasion requires. The rule itself has been<br />
<br />
embodied and made applicable to the various Divisions of the<br />
High Court by the Judicature Act, 1873, sections 16 and 23-<br />
25, and Order XVI, rule 9; and the unfortunate observations<br />
made on that rule in Temperton v Russell have been happily<br />
corrected in this House in the Duke of Bedford v Ellis and in<br />
<br />
the course of the argument in the present case.”<br />
<br />
<br />
(c) Markt and declarations of rights<br />
<br />
<br />
43. The subsequent decision of the Court of Appeal in Markt & Co Ltd v Knight<br />
Steamship Co Ltd [1910] 2 KB 1021 has sometimes been seen as undermining the<br />
broad and flexible view of the representative rule adumbrated by the House of Lords in<br />
these two cases by imposing significant constraints on its use: see eg Esanda Finance<br />
<br />
Corpn Ltd v Carnie (1992) 29 NSWLR 382, 395; Mulheron R, The Class Action in<br />
Common Law Legal Systems (2004) pp 78-82; Sorabji J, “The hidden class action in<br />
English civil procedure” (2009) 28 CJQ 498. I do not think, however, that the decision<br />
should be understood in this way. Markt was heard together with another action also<br />
<br />
brought against the owners of a cargo vessel which was intercepted by a Russian<br />
cruiser on a voyage to Japan during the Russo-Japanese war, on suspicion of carrying<br />
contraband of war, and sunk. Just before the limitation period expired, two cargo-<br />
owners issued writs “on behalf of themselves and others owners of cargo lately laden<br />
on board” the vessel, claiming “damages for breach of contract and duty in and about<br />
<br />
the carriage of goods by sea”. No further particulars of the claims were given.<br />
<br />
<br />
44. All three members of the Court of Appeal agreed that the claims as formulated<br />
could not be pursued as representative actions as there was no basis for asserting that<br />
all the cargo owners had the same interest in the actions. That was so if only because a<br />
<br />
claim that the shipowners were in breach of duty in carrying contraband goods plainly<br />
could not be maintained on behalf of any cargo-owners who had themselves shipped<br />
such goods; furthermore, each cargo owner would need to prove their individual loss.<br />
Buckley LJ would have allowed the claimants to amend their writs and continue the<br />
proceedings on behalf of themselves and all cargo-owners who were not shippers of<br />
<br />
contraband goods, claiming a declaration that the defendants were in breach of<br />
contract and duty in shipping contraband of war. The other judges, however, did not<br />
agree to this course. Vaughan Williams LJ, at p 1032, rejected it on the grounds that<br />
the proposed amendment had not been brought before the court in a way which gave<br />
<br />
a proper opportunity for argument and doubted anyway whether the amendment<br />
could be so framed as to disclose a common purpose of the shippers or any class of the<br />
shippers. Fletcher Moulton LJ, at p 1042, considered that making a declaration of the<br />
type suggested would be contrary to the practice of the courts and that subsequent<br />
<br />
claims by individual cargo-owners relying on such a declaration to recover damages<br />
would constitute new claims which would be time-barred, as the limitation period had<br />
now expired.<br />
<br />
<br />
45. The readiness of English courts to give judgments declaring legal rights where it<br />
would serve a useful purpose has much increased since 1910. An important step was<br />
<br />
the decision of the Court of Appeal in Guaranty Trust Co of New York v Hannay & Co<br />
[1915] 2 KB 536, which held that a declaration can be granted at the instance of a<br />
<br />
claimant even if the claimant has no cause of action against the defendant. Two cases<br />
decided together by the Court of Appeal in 1921 showed that there is no reason in<br />
principle why a claim for a declaration of the kind suggested by Buckley LJ in Markt<br />
cannot be brought as a representative action. In David Jones v Cory Bros & Co Ltd<br />
(1921) 56 LJ 302; 152 LT Jo 70, five individuals sued on their own behalf and on behalf<br />
<br />
of all other underground and surface workmen employed at the defendant’s colliery<br />
on three specified days in September 1919. They alleged that on those three days the<br />
safety lamps in use at the colliery were not in accordance with statutory requirements,<br />
were insufficient in number and were not properly examined; and that in consequence<br />
<br />
the workmen justifiably refused to go to work and lost the wages they would<br />
otherwise have earned and were entitled to damages. In Thomas v Great Mountain<br />
Collieries Co, which was heard at the same time, two claimants sued the owner of<br />
another colliery for loss of wages, alleging breach of statutory duty in not having a<br />
weighing machine to weigh coal as near the pit mouth as was reasonably practicable.<br />
<br />
The workmen were divided into two classes - one comprising all workmen whose<br />
wages depended on the amount of coal gotten and the other comprising all other<br />
underground and surface workmen. The claimants sued on their own behalf and on<br />
behalf of the class they respectively represented.<br />
<br />
<br />
<br />
46. In each action the claims were divisible under three heads: (1) claims for<br />
declarations upon matters in which the classes represented were alleged to have a<br />
common interest; (2) claims for damages by the individual named claimants; and (3)<br />
claims for damages by the individual members of the classes represented.<br />
Unfortunately, only a bare summary of the judgments is reported. But this records that<br />
<br />
the Court of Appeal by a majority (Bankes and Atkin LJJ, with Scrutton LJ dissenting)<br />
held that the claimants were entitled to sue in a representative capacity as regards<br />
claims that came within (1) and (2), but not as regards claims for damages by the<br />
individual members of the classes represented.<br />
<br />
<br />
<br />
47. In Prudential Assurance Co Ltd v Newman Industries Ltd [1981] Ch 229 the<br />
claimant brought a derivative action as a minority shareholder of the first defendant<br />
company claiming damages on behalf of the company against two of its directors for<br />
breach of duty and conspiracy. At the start of the hearing the claimant applied to<br />
<br />
amend its statement of claim to add a personal claim against the directors and the<br />
company, brought in a representative capacity on behalf of all the shareholders. The<br />
relief sought was a declaration that those shareholders who had suffered loss as a<br />
result of the alleged conspiracy were entitled to damages. The judge (Vinelott J)<br />
allowed the amendment. He distinguished Markt and followed David Jones v Cory Bros<br />
<br />
in holding that a representative claim for a declaration could be pursued<br />
notwithstanding that each member of the class of persons represented had a separate<br />
cause of action. Although the personal claim was later held by the Court of Appeal in<br />
Prudential Assurance Co Ltd v Newman Industries Ltd (No 2) [1981] Ch 204 at 222 to be<br />
<br />
misconceived as a matter of substantive law, the Court of Appeal cast no doubt on the<br />
use of the representative procedure.<br />
<br />
<br />
48. This decision was important in demonstrating the potential for a bifurcated<br />
process whereby issues common to the claims of a class of persons may be decided in<br />
a representative action which, if successful, can then form a basis for individual claims<br />
<br />
for redress. More generally, the Prudential case marked a welcome revival of the spirit<br />
of flexibility which characterised the old case law.<br />
<br />
<br />
(d) Claims for damages<br />
<br />
<br />
49. In the cases so far mentioned where claims were held to come within the scope<br />
<br />
of the representative rule, the relief claimed on behalf of the represented class was<br />
limited to a declaration of legal rights. It was accepted or held that the named<br />
claimants could only claim damages or other monetary relief in their personal capacity.<br />
In Markt Fletcher Moulton LJ expressed the view, at pp 1035 and 1040-1041, that<br />
damages are “a personal relief” and that:<br />
<br />
<br />
<br />
“no representative action can lie where the sole relief sought<br />
is damages, because they have to be proved separately in the<br />
case of each plaintiff, and therefore the possibility of<br />
representation ceases.”<br />
<br />
<br />
<br />
50. In many cases, of which Markt was one, it is clearly correct that the assessment<br />
of damages depends on circumstances personal to each individual claimant. In such<br />
cases it is unlikely to be practical or fair to assess damages on a common basis and<br />
without each individual claimant’s participation in the proceedings. However, this is<br />
<br />
not always so, and representative actions for damages have sometimes been allowed.<br />
For example, in the case of insurance underwritten by Lloyd’s syndicates, which are<br />
not separate legal entities, it is standard practice for a single member of the syndicate<br />
(usually the leading underwriter) to be named as a representative claimant or<br />
defendant suing, or being sued, for themselves and all the other members. There is no<br />
<br />
difficulty in awarding damages for or against the representative in such proceedings, as<br />
the calculation of any damages which the members of the syndicate are collectively<br />
entitled to recover or liable to pay does not depend on how the risk is divided among<br />
the members of the syndicate.<br />
<br />
<br />
<br />
51. In Pan Atlantic Insurance Co Ltd v Pine Top Insurance Co Ltd [1989] 1 Lloyd’s Rep<br />
568 the claimant companies sued on behalf of themselves and members of a syndicate<br />
<br />
which had reinsured on a quota share basis a proportion of the risks they had<br />
underwritten, claiming under contracts which provided excess of loss reinsurance<br />
cover for the claimants and their quota share reinsurers. The Court of Appeal rejected<br />
an argument that the claimants were not entitled to sue in a representative capacity. It<br />
made no difference that there was a dispute between one of the claimants and some<br />
<br />
members of the syndicate about the validity of the quota share reinsurance, since as<br />
Lloyd LJ said, at p 571: “the question is whether the parties have the same interest as<br />
against the defendants; not whether they have the same interest as between<br />
themselves”.<br />
<br />
<br />
<br />
52. In Irish Shipping Ltd v Commercial Union Assurance Co plc (The “Irish Rowan”)<br />
[1991] 2 QB 206 numerous insurers had subscribed in various proportions to a policy of<br />
marine insurance. The Court of Appeal accepted that, as a matter of law, each<br />
subscription constituted a separate contract of insurance (of which there were said to<br />
be 77 in all). Claims for losses allegedly covered by the policy were made by suing two<br />
<br />
of the insurers as representative defendants. The Court of Appeal rejected an<br />
argument that claims for debt or damages could not be included in a representative<br />
action, merely because they are made by numerous claimants individually or resisted<br />
by numerous defendants individually, and held that the action could continue as a<br />
<br />
representative action. While the policy terms contained a broadly worded leading<br />
underwriter clause, the presence of this clause was not essential to the decision: see<br />
Bank of America National Trust and Savings Association v Taylor (The Kyriaki) [1992] 1<br />
Lloyd’s Rep 484, 493-494; National Bank of Greece SA v Outhwaite [2001] CLC 591,<br />
para 31.<br />
<br />
<br />
<br />
53. In EMI Records Ltd v Riley [1981] 1 WLR 923, and in Independiente Ltd v Music<br />
Trading On-Line (HK) Ltd [2003] EWHC 470 (Ch), the claimants sued in a representative<br />
capacity on behalf of all members of the British Phonographic Industry Ltd (“BPI”), a<br />
trade association for the recorded music industry (and also in the latter case on behalf<br />
<br />
of Phonographic Performance Ltd), claiming damages for breach of copyright in selling<br />
pirated sound recordings. In each case the claims were allowed to proceed as<br />
representative actions. Because it was accepted or could safely be assumed that the<br />
owner of the copyright in any pirated recording was a member of the represented<br />
<br />
class, this procedure enabled breach of copyright to be proved and damages to be<br />
awarded without the need to prove which particular pirated recordings had been sold<br />
in what quantities. Again, what mattered was that the members of the class had a<br />
community of interest in suing the defendant.<br />
<br />
<br />
54. In EMI Records it was asserted, and not disputed by the defendants, that the<br />
<br />
members of the BPI had consented to all sums recovered in actions for breach of<br />
copyright being paid to the BPI: see [1981] 1 WLR 923, 925. In Independiente, however,<br />
<br />
this assertion was disputed and Morritt V-C found that there was no binding<br />
agreement that any money recovered should go to the BPI: see [2003] EWHC 470 (Ch),<br />
paras 16 and 28. He nevertheless held, at paras 28 and 39, that the claim was properly<br />
brought as a representative action, observing that what the claimants did with any<br />
damages recovered was a matter for them or between them, the BPI and the class<br />
<br />
members, and not between them and the defendants.<br />
<br />
<br />
55. Although not cited in these cases, the same point had been made long before in<br />
Warrick v Queen’s College Oxford (No 4) (1871) LR 6 Ch App 716, 726, where Lord<br />
Hatherley LC gave an example of:<br />
<br />
<br />
<br />
“classes of shareholders in a railway company who have<br />
different rights inter se, but they may all have a common<br />
enemy in the shape of a fraudulent director, and they may all<br />
join, of course, in one common suit against that director,<br />
although after the common right is established they may<br />
<br />
have a considerable litigation among themselves as to who<br />
are the persons entitled to the gains obtained through that<br />
suit.”<br />
<br />
<br />
While the right enforced in such a common suit would in modern company law be seen<br />
<br />
as a right belonging to the company itself, rather than its shareholders, it is clear from<br />
the context that Lord Hatherley had in mind a representative action brought on behalf<br />
of shareholders, as he gave this analogy to explain how in that case a representative<br />
claim could be brought on behalf of all the freehold tenants of a manor to establish<br />
common rights against the lord of the manor even though different tenants or classes<br />
<br />
of tenant had different rights as between themselves.<br />
<br />
<br />
(e) Emerald Supplies<br />
<br />
<br />
56. In giving the Court of Appeal’s judgment in the present case, the Chancellor, at<br />
[2020] QB 747, para 73, focused on Emerald Supplies Ltd v British Airways plc [2010]<br />
<br />
EWCA Civ 1284; [2011] Ch 345 as providing the latest authoritative interpretation of<br />
the representative rule. The decision in that case turned, however, on the particular<br />
way in which the class of represented persons had been defined. The claimants alleged<br />
that the defendant airline was a party to agreements or concerted practices with other<br />
<br />
airlines to fix prices for air freight charged for importing cut flowers into the UK. They<br />
claimed on behalf of all “direct or indirect purchasers of air freight services, the prices<br />
for which were inflated by the agreements or concerted practices”, a declaration that<br />
damages were recoverable in principle from the defendant by those purchasers. The<br />
<br />
Court of Appeal upheld a decision to strike out the representative claim on the basis<br />
that, in the way the class had been defined, the issue of liability would have to be<br />
decided before it could be known whether or not a person was a member of the<br />
represented class and therefore bound by the judgment: see paras 62-63 and 65. Such<br />
an approach would not be just, not least because, if the claim failed, no purchasers of<br />
<br />
air freight services apart from the named claimants would be bound by the result.<br />
<br />
<br />
57. The Court of Appeal in Emerald Supplies also considered that a second difficulty<br />
with the class definition was that the members of the represented class did not all<br />
have the same interest in the claim, as there was a conflict of interest between direct<br />
<br />
and indirect purchasers of air freight services: see paras 28-29 and 64. If it was shown<br />
that prices had been inflated by agreements or concerted practices to which the<br />
defendant was a party, it would be in the interests of direct purchasers to seek to<br />
prove that they had absorbed the higher prices in order to avoid a potential defence<br />
that they had suffered no loss because the higher prices had been passed on to<br />
<br />
“indirect purchasers” (understood to include sub-purchasers). On the other hand, it<br />
would be in the interests of such indirect purchasers to seek to prove that the higher<br />
prices had indeed been passed on to them.<br />
<br />
<br />
58. It seems to me that this second difficulty might have been avoided either by<br />
<br />
altering the class definition to exclude sub-purchasers or by following the approach<br />
adopted in Prudential of claiming a declaration that those members of the class who<br />
had suffered damage as a result of the alleged price fixing were entitled to damages.<br />
However, those possibilities do not appear to have been considered. I think that the<br />
judge in Rendlesham Estates plc v Barr Ltd [2014] EWHC 3968 (TCC); [2015] 1 WLR<br />
<br />
3663 - a case relied on by Google on this appeal - was therefore wrong to conclude<br />
from Emerald Supplies, at para 90, that “if damage is an ingredient of the cause of<br />
action a representative claim could not be maintained”. The Court of Appeal in<br />
Emerald Supplies did not doubt the correctness of the Prudential decision, where a<br />
<br />
representative claim was allowed to proceed although damage was an ingredient of<br />
the cause of action. As Professor Rachael Mulheron, a leading expert in this field, has<br />
persuasively argued, it should likewise have been possible in Emerald Supplies to adopt<br />
a bifurcated process in which the questions whether prices had been inflated by<br />
<br />
agreements or concerted practices and whether passing on was in principle available<br />
as a defence were decided in a representative action. If successful, this action could<br />
then have formed the basis for further proceedings to prove the fact and amount of<br />
damage in individual cases: see Mulheron R, “Emerald Supplies Ltd v British Airways<br />
plc; A Century Later, The Ghost of Markt Lives On” [2009] Comp Law 159, 171.<br />
<br />
<br />
<br />
<br />
<br />
<br />
(f) Commonwealth cases<br />
<br />
<br />
59. The highest courts of Australia, Canada and New Zealand have all adopted a<br />
broad and flexible approach in interpreting representative rules derived from the<br />
English rule.<br />
<br />
<br />
(i) Australia<br />
<br />
<br />
<br />
60. In Carnie v Esanda Finance Corpn Ltd (1994) 127 ALR 76 the High Court of<br />
Australia held that the fact that the claims arose under separate contracts did not<br />
prevent the named claimants and the persons represented from having “the same<br />
interest” in proceedings. It was enough to satisfy this requirement that there was a<br />
<br />
community of interest in the determination of a substantial question of law or fact that<br />
arose in the proceedings. Commenting on an argument that the representative rule<br />
was an inadequate basis for a “class action”, which required a comprehensive<br />
legislative regime, Toohey and Gaudron JJ (with whom Mason CJ, Deane and Dawson JJ<br />
generally agreed) said, at p 91:<br />
<br />
<br />
<br />
“... it is true that rule 13 lacks the detail of some other rules<br />
of court. But there is no reason to think that the Supreme<br />
Court of New South Wales lacks the authority to give<br />
directions as to such matters as service, notice and the<br />
<br />
conduct of proceedings which would enable it to monitor and<br />
finally to determine the action with justice to all concerned.<br />
The simplicity of the rule is also one of its strengths, allowing<br />
it to be treated as a flexible rule of convenience in the<br />
administration of justice and applied ‘to the exigencies of<br />
<br />
modern life as occasion requires’. The court retains the<br />
power to reshape proceedings at a later stage if they become<br />
impossibly complex or the defendant is prejudiced.”<br />
<br />
<br />
(ii) Canada<br />
<br />
<br />
<br />
61. In Western Canadian Shopping Centres Inc v Dutton [2001] 2 SCR 534, paras 38-<br />
48, the Supreme Court of Canada held that representative actions should be allowed<br />
to proceed where the following conditions are met: (1) the class is capable of clear<br />
definition; (2) there are issues of fact or law common to all class members; (3) success<br />
<br />
for one class member means success for all (although not necessarily to the same<br />
extent); and (4) the proposed representative adequately represents the interests of<br />
<br />
the class. If these conditions are met the court must also be satisfied, in the exercise of<br />
its discretion, that there are no countervailing considerations that outweigh the<br />
benefits of allowing the representative action to proceed. The Supreme Court held that<br />
the conditions were met by the claimants in Dutton, who sued as representatives of a<br />
group of investors complaining that the defendant had breached fiduciary duties to the<br />
<br />
investors by mismanaging their funds.<br />
<br />
<br />
62. Giving the judgment of the court, McLachlin CJ, at para 47, distinguished its<br />
earlier decision in General Motors of Canada Ltd v Naken [1983] 1 SCR 72, where a<br />
representative action had been disallowed. In Naken the action was brought on behalf<br />
<br />
of purchasers of new Firenza motor vehicles against the manufacturer, complaining<br />
that the quality of the vehicles had been misrepresented or was not as warranted in<br />
advertisements, other published materials and contracts which were partly oral and<br />
partly written. Damages were claimed limited to $1,000 per person. The claims were<br />
held to be unsuitable for resolution through a representative action, principally<br />
<br />
because determining both liability and damages would have required particularised<br />
evidence and fact-finding in relation to each individual purchaser.<br />
<br />
<br />
63. McLachlin CJ also commented, at para 46, that over the period since Naken was<br />
decided the benefits of class actions had become manifest. She identified, at paras 27-<br />
<br />
29, three important advantages which such actions offer over a multiplicity of<br />
individual suits: (1) avoiding unnecessary duplication in fact-finding and legal analysis;<br />
(2) making economical the prosecution of claims that would otherwise be too costly to<br />
prosecute individually; and (3) serving efficiency and justice by ensuring that actual<br />
and potential wrongdoers who cause widespread but individually minimal harm take<br />
<br />
into account the full costs of their conduct.<br />
<br />
<br />
64. McLachlin CJ further observed, at para 34, that, while it would clearly be<br />
advantageous if there existed a comprehensive legislative framework regulating class<br />
actions, in its absence “the courts must fill the void”.<br />
<br />
<br />
<br />
(iii) New Zealand<br />
<br />
<br />
65. The Supreme Court of New Zealand has recently considered the use of the<br />
representative procedure in Southern Response Earthquake Services Ltd v Ross [2020]<br />
NZSC 126. This was a representative action brought on behalf of some 3,000<br />
<br />
policyholders who had settled insurance claims for damage to their homes caused by<br />
earthquakes in the Canterbury region of New Zealand. The claimants alleged that the<br />
policyholders had been misled by the insurers about the cost of remedying the<br />
damage, with the result that they had settled their claims on a less favourable basis<br />
than otherwise would have been the case. The insurers did not oppose the action<br />
being brought on a representative basis, but argued that the class represented should<br />
be limited to policyholders who completed a form electing to opt into the proceedings.<br />
It was agreed that the proceedings would need to be heard in two stages. The first<br />
stage would deal with issues common to all members of the represented class. If the<br />
<br />
claimants succeeded at that stage in whole or in part, there would need to be a second<br />
stage, in which questions of relief were addressed. It was also agreed that, at the<br />
second stage, it would be necessary for all of the policyholders represented to take<br />
active steps - that is, to opt in - if they wished to establish their individual claims.<br />
<br />
<br />
<br />
66. The New Zealand Supreme Court affirmed the decision of the Court of Appeal<br />
that the claim should be allowed to continue on an opt out basis. In doing so, the<br />
Supreme Court rejected an argument that it should not develop an opt out regime in<br />
the absence of a statutory framework and gave guidance on various matters relating to<br />
supervision of opt out representative proceedings.<br />
<br />
<br />
<br />
(g) Principles governing use of the representative procedure<br />
<br />
<br />
67. Although the world has changed out of all recognition since the representative<br />
procedure was devised by the Court of Chancery, it has done so in ways which have<br />
made the problems to which the procedure provided a solution more common and<br />
<br />
often vastly bigger in scale. The mass production of goods and mass provision of<br />
services have had the result that, when legally culpable conduct occurs, a very large<br />
group of people, sometimes numbering in the millions, may be affected. As the<br />
present case illustrates, the development of digital technologies has added to the<br />
potential for mass harm for which legal redress may be sought. In such cases it is<br />
<br />
necessary to reconcile, on the one hand, the inconvenience or complete impracticality<br />
of litigating multiple individual claims with, on the other hand, the inconvenience or<br />
complete impracticality of making every prospective claimant (or defendant) a party to<br />
a single claim. The only practical way to “come at justice” is to combine the claims in a<br />
<br />
single proceeding and allow one or more persons to represent all others who share the<br />
same interest in the outcome. When trying all the individual claims is not feasible, the<br />
adages of Lord Eldon quoted by Lord Macnaghten in Ellis remain as pertinent as ever:<br />
that it is better to go as far as possible towards justice than to deny it altogether and<br />
<br />
that, if you cannot realistically make everybody interested a party, you should ensure<br />
that those who are parties will “fairly and honestly try the right”.<br />
<br />
<br />
68. I agree with the highest courts of Australia, Canada and New Zealand that, while<br />
a detailed legislative framework would be preferable, its absence (outside the field of<br />
competition law) in this country is no reason to decline to apply, or to interpret<br />
restrictively, the representative rule which has long existed (and has had a legislative<br />
basis since 1873). I also agree with the view expressed in Carnie that the very simplicity<br />
of the representative rule is in some respects a strength, allowing it to be treated as “a<br />
flexible tool of convenience in the administration of justice” and “applied to the<br />
exigencies of modern life as occasion requires”.<br />
<br />
<br />
(i) The “same interest” requirement<br />
<br />
<br />
<br />
69. In its current form in CPR rule 19.6 the rule imposes no limit (either as a<br />
minimum or maximum) on the number of people who may be represented. Only one<br />
condition must be satisfied before a representative claim may be begun or allowed to<br />
continue: that is, that the representative has “the same interest” in the claim as the<br />
<br />
person(s) represented.<br />
<br />
<br />
70. The phrase “the same interest” is capable of bearing a range of meanings and<br />
requires interpretation. In interpreting the phrase, reference has often been made to<br />
Lord Macnaghten’s statement in Ellis (quoted at para 38 above) that: “Given a<br />
common interest and a common grievance, a representative suit was in order if the<br />
<br />
relief sought was in its nature beneficial to all whom the plaintiff proposed to<br />
represent.” This statement has sometimes been treated as if it were a definition<br />
imposing a tripartite test: see eg Smith v Cardiff Corpn [1954] 1 QB 210. Such an<br />
approach seems to me misguided. It is clear from the context that Lord Macnaghten<br />
<br />
was not attempting to define “the same interest”, but to convey how limiting the rule<br />
to persons having a beneficial proprietary interest in the claim would be contrary to<br />
the old practice in the Court of Chancery. More profoundly, such a reading of Lord<br />
Macnaghten’s speech shows precisely the rigidity of approach to the application of the<br />
representative rule which he disparaged.<br />
<br />
<br />
<br />
71. The phrase “the same interest”, as it is used in the representative rule, needs to<br />
be interpreted purposively in light of the overriding objective of the civil procedure<br />
rules and the rationale for the representative procedure. The premise for a<br />
representative action is that claims are capable of being brought by (or against) a<br />
<br />
number of people which raise a common issue (or issues): hence the potential and<br />
motivation for a judgment which binds them all. The purpose of requiring the<br />
representative to have “the same interest” in the claim as the persons represented is<br />
to ensure that the representative can be relied on to conduct the litigation in a way<br />
<br />
which will effectively promote and protect the interests of all the members of the<br />
represented class. That plainly is not possible where there is a conflict of interest<br />
between class members, in that an argument which would advance the cause of some<br />
would prejudice the position of others. Markt and Emerald Supplies are both examples<br />
of cases where it was found that the proposed representative action, as formulated,<br />
could not be maintained for this reason.<br />
<br />
<br />
72. As Professor Adrian Zuckerman has observed in his valuable book on civil<br />
procedure, however, a distinction needs to be drawn between cases where there are<br />
conflicting interests between class members and cases where there are merely<br />
divergent interests, in that an issue arises or may well arise in relation to the claims of<br />
(or against) some class members but not others. So long as advancing the case of class<br />
<br />
members affected by the issue would not prejudice the position of others, there is no<br />
reason in principle why all should not be represented by the same person: see<br />
Zuckerman on Civil Procedure: Principles of Practice, 4th ed (2021), para 13.49. As<br />
Professor Zuckerman also points out, concerns which may once have existed about<br />
<br />
whether the representative party could be relied on to pursue vigorously lines of<br />
argument not directly applicable to their individual case are misplaced in the modern<br />
context, where the reality is that proceedings brought to seek collective redress are<br />
not normally conducted and controlled by the nominated representative, but rather<br />
are typically driven and funded by lawyers or commercial litigation funders with the<br />
<br />
representative party merely acting as a figurehead. In these circumstances, there is no<br />
reason why a representative party cannot properly represent the interests of all<br />
members of the class, provided there is no true conflict of interest between them.<br />
<br />
<br />
73. This purposive and pragmatic interpretation of the requirement is exemplified<br />
<br />
by The “Irish Rowan”, where Staughton LJ, at pp 227-228, noted that some of the<br />
insurers might wish to resist the claim on a ground that was not available to others. He<br />
rightly did not regard that circumstance as showing that all the insurers did not have<br />
“the same interest” in the action, or that it was not within the rule, and had “no<br />
qualms about a proceeding which allows that ground to be argued on their behalf by<br />
<br />
others”.<br />
<br />
<br />
74. Even if it were considered inconsistent with the “same interest” requirement, or<br />
otherwise inappropriate, for a single person to represent two groups of people in<br />
relation to whom different issues arise although there is no conflict of interest<br />
<br />
between them, any procedural objection could be overcome by bringing two (or more)<br />
representative claims, each with a separate representative claimant or defendant, and<br />
combining them in the same action.<br />
<br />
<br />
(ii) The court’s discretion<br />
<br />
<br />
<br />
75. Where the same interest requirement is satisfied, the court has a discretion<br />
whether to allow a claim to proceed as a representative action. As with any power<br />
given to it by the Civil Procedure Rules, the court must in exercising its discretion seek<br />
to give effect to the overriding objective of dealing with cases justly and at<br />
proportionate cost: see CPR rule 1.2(a). Many of the considerations specifically<br />
included in that objective (see CPR rule 1.1(2)) - such as ensuring that the parties are<br />
on an equal footing, saving expense, dealing with the case in ways which are<br />
proportionate to the amount of money involved, ensuring that the case is dealt with<br />
expeditiously and fairly, and allotting to it an appropriate share of the court’s<br />
resources while taking into account the need to allot resources to other cases - are<br />
likely to militate in favour of allowing a claim, where practicable, to be continued as a<br />
<br />
representative action rather than leaving members of the class to pursue claims<br />
individually.<br />
<br />
<br />
76. Four further features of the representative rule deserve mention.<br />
<br />
<br />
(iii) No requirement of consent<br />
<br />
<br />
<br />
77. First, as the ability to act as a representative under the rule does not depend on<br />
the consent of the persons represented but only on community of interest between<br />
them, there is ordinarily no need for a member of the represented class to take any<br />
positive step, or even to be aware of the existence of the action, in order to be bound<br />
by the result. The rule does not confer a right to opt out of the proceedings (though a<br />
<br />
person could, at least in theory, apply to the court for a direction under rule 19.6(3)<br />
that the named claimant (or defendant) may not represent them or under rule 19.6(4)<br />
that any judgment given will not be binding on them). It is, however, always open to<br />
the judge managing the case to impose a requirement to notify members of the class<br />
<br />
of the proceedings and establish a simple procedure for opting out of representation, if<br />
this is considered desirable. Equally, if there are circumstances which make it<br />
appropriate to limit the represented class to persons who have positively opted into<br />
the litigation, it is open to the judge to make this a condition of representation. The<br />
procedure is entirely flexible in these respects.<br />
<br />
<br />
<br />
(iv) The class definition<br />
<br />
<br />
78. Second, while it is plainly desirable that the class of persons represented should<br />
be clearly defined, the adequacy of the definition is a matter which goes to the court’s<br />
discretion in deciding whether it is just and convenient to allow the claim to be<br />
<br />
continued on a representative basis rather than being a precondition for the<br />
application of the rule. Emerald Supplies illustrates a general principle that<br />
membership of the class should not depend on the outcome of the litigation. Beyond<br />
that, whether or to what extent any practical difficulties in identifying the members of<br />
<br />
the class are material must depend on the nature and object of the proceedings. In<br />
Duke of Bedford v Ellis, for example, it did not matter that the number and identities of<br />
growers of fruit etc would have been difficult if not impossible to ascertain or that the<br />
class was a fluctuating one: given that the aim was to establish whether anyone who<br />
was a grower had preferential rights, all that mattered was that there would be no real<br />
difficulty in determining whether a particular person who claimed a preferential right<br />
to a vacant stand at Covent Garden was a grower or not: see [1901] AC 1 at 11. In<br />
some cases, however, for example where the viability of a claim for damages depends<br />
on demonstrating the size of the class or who its members are, such practical<br />
<br />
difficulties might well be significant.<br />
<br />
<br />
(v) Liability for costs<br />
<br />
<br />
79. Third, as persons represented by a representative claimant or defendant will<br />
not normally themselves have been joined as parties to the claim, they will not<br />
<br />
ordinarily be liable to pay any costs incurred by the representative in pursuing (or<br />
defending) the claim. That does not prevent the court, if it is in the interests of justice<br />
to do so, from making an order requiring a represented person to pay or contribute to<br />
costs and giving permission for the order to be enforced against that person pursuant<br />
to CPR rule 19.6(4)(b). Alternatively, such an order could be made pursuant to the<br />
<br />
general jurisdiction of the court to make costs orders against non-parties. It is difficult,<br />
however, to envisage circumstances in which it could be just to order a represented<br />
person to contribute to costs incurred by a claimant in bringing a representative claim<br />
which the represented person did not authorise. On the other hand, a commercial<br />
<br />
litigation funder who finances unsuccessful proceedings is likely to be ordered to pay<br />
the successful party’s costs at least to the extent of the funding: see Davey v Money<br />
[2020] EWCA Civ 246; [2020] 1 WLR 1751. That principle is no less applicable where the<br />
proceedings financed are a representative action.<br />
<br />
<br />
(vi) The scope for claiming damages<br />
<br />
<br />
<br />
80. Finally, as already discussed, it is not a bar to a representative claim that each<br />
represented person has in law a separate cause of action nor that the relief claimed<br />
consists of or includes damages or some other monetary relief. The potential for<br />
claiming damages in a representative action is, however, limited by the nature of the<br />
<br />
remedy of damages at common law. What limits the scope for claiming damages in<br />
representative proceedings is the compensatory principle on which damages for a civil<br />
wrong are awarded with the object of putting the claimant - as an individual - in the<br />
same position, as best money can do it, as if the wrong had not occurred. In the<br />
<br />
ordinary course, this necessitates an individualised assessment which raises no<br />
common issue and cannot fairly or effectively be carried out without the participation<br />
in the proceedings of the individuals concerned. A representative action is therefore<br />
not a suitable vehicle for such an exercise.<br />
<br />
<br />
<br />
81. In cases where damages would require individual assessment, there may<br />
nevertheless be advantages in terms of justice and efficiency in adopting a bifurcated<br />
process - as was done, for example, in the Prudential case - whereby common issues of<br />
law or fact are decided through a representative claim, leaving any issues which<br />
require individual determination - whether they relate to liability or the amount of<br />
<br />
damages - to be dealt with at a subsequent stage of the proceedings. In Prudential<br />
[1981] Ch 229, 255, Vinelott J expressed the view (obiter) that time would continue to<br />
run for the purpose of limitation until individual claims for damages were brought by<br />
the persons represented; see also the dicta of Fletcher Moulton LJ in Markt [1910] 2 KB<br />
<br />
1021, 1042, referred to at para 44 above. The court in Prudential did not have cited to<br />
it, however, the decision of the Court of Appeal in Moon v Atherton [1972] 2 QB 435. In<br />
that case a represented person applied to be substituted for the named claimant after<br />
the limitation period had expired when the claimant (and all the other represented<br />
persons) no longer wished to continue the action. The Court of Appeal, in allowing the<br />
<br />
substitution, held that the defendant was not thereby deprived of a limitation defence,<br />
as for the purpose of limitation the represented person was already a party to the<br />
action, albeit not a “full” party. It might be clearer to say that, although the<br />
represented person did not become a “party” until substituted as the claimant, an<br />
<br />
action was brought within the meaning of the statute of limitation by that person<br />
when the representative claim was initiated. Such an analysis has been adopted in<br />
Australia, including by the New South Wales Court of Appeal in Fostif Pty Ltd v<br />
Campbells Cash & Carry Pty Ltd [2005] NSWCA 83; (2005) 63 NSWLR 203, and by the<br />
New Zealand Supreme Court in Credit Suisse Private Equity v Houghton [2014] NZSC 37.<br />
<br />
<br />
<br />
82. There is no reason why damages or other monetary remedies cannot be<br />
claimed in a representative action if the entitlement can be calculated on a basis that is<br />
common to all the members of the class. Counsel for the claimant, Hugh Tomlinson<br />
QC, gave the example of a claim alleging that every member of the class was wrongly<br />
<br />
charged a fixed fee; another example might be a claim alleging that all the class<br />
members acquired the same product with the same defect which reduced its value by<br />
the same amount. In such cases the defendant’s monetary liability could be<br />
determined as a common issue and no individualised assessment would be needed.<br />
<br />
The same is true where loss suffered by the class as a whole can be calculated without<br />
reference to the losses suffered by individual class members - as in the cases<br />
mentioned at para 53 above. Such an assessment of loss on a global basis is sometimes<br />
described as a “top down” approach, in contrast to a “bottom up” approach of<br />
assessing a sum which each member of the class is individually entitled to recover.<br />
<br />
<br />
<br />
83. The recovery of money in a representative action on either basis may give rise<br />
to problems of distribution to the members of the class, about which the<br />
representative rule is silent. Although in Independiente Morritt V-C was untroubled by<br />
such problems, questions of considerable difficulty would arise if in the present case<br />
the claimant was awarded damages in a representative capacity with regard to how<br />
such damages should be distributed, including whether there would be any legal basis<br />
for paying part of the damages to the litigation funders without the consent of each<br />
individual entitled to them: see Mulheron R, “Creating and Distributing Common Funds<br />
under the English Representative Rule” (2021) King’s Law Journal 1-33. Google has not<br />
<br />
relied on such difficulties as a reason for disallowing a representative action, however,<br />
and as these matters were only touched on in argument, I will say no more about<br />
them.<br />
<br />
<br />
E. THE REPRESENTATIVE CLAIM IN THIS CASE<br />
<br />
<br />
<br />
84. In the present case I could see no legitimate objection to a representative claim<br />
brought to establish whether Google was in breach of the DPA 1998 and, if so, seeking<br />
a declaration that any member of the represented class who has suffered damage by<br />
reason of the breach is entitled to be paid compensation. The individual claims that<br />
could theoretically have been brought by each iPhone user who was affected by the<br />
<br />
Safari workaround clearly raise common issues; and it is not suggested that there is<br />
any conflict of interest among the members of the represented class. For the purpose<br />
of CPR rule 19.6(1), all would therefore have the same interest in such a claim as the<br />
representative claimant. There is no suggestion that Mr Lloyd is an unsuitable person<br />
<br />
to act in that capacity. Although Google has argued that there would be practical<br />
difficulties in identifying whether an individual falls within the class definition, even on<br />
Google’s evidence it is evident that the number of people affected by the Safari<br />
workaround was extremely large and it is unclear at this stage of the litigation how<br />
serious the difficulties of proof would actually be. Moreover, even if only a few<br />
<br />
individuals were ultimately able to obtain compensation on the basis of a declaratory<br />
judgment, I cannot see why that should provide a reason for refusing to allow a<br />
representative claim to proceed for the purpose of establishing liability.<br />
<br />
<br />
85. The claimant has not proposed such a bifurcated process, however. That is<br />
<br />
doubtless because success in the first, representative stage of such a process would<br />
not itself generate any financial return for the litigation funders or the persons<br />
represented. Funding the proceedings could therefore only be economic if pursuing<br />
separate damages claims on behalf of those individuals who opted into the second<br />
<br />
stage of the process would be economic. For the reasons discussed at paras 25-28<br />
above and emphasised in argument by counsel for the claimant, it clearly would not. In<br />
practice, therefore, as both courts below accepted, a representative action for<br />
damages is the only way in which the claims can be pursued.<br />
<br />
<br />
<br />
<br />
<br />
(1) The formulation of the claim for damages<br />
<br />
<br />
86. In formulating the claim made in this action, the claimant has not adopted the<br />
“top down” approach of claiming compensation for damage suffered by the class as a<br />
whole without reference to the entitlements of individual class members. The claim<br />
advanced is for damages calculated from the “bottom up”. The way in which the<br />
<br />
claimant seeks to obviate the need for individualised assessment is by claiming<br />
damages for each class member on what is described as a “uniform per capita basis”.<br />
<br />
<br />
87. The difficulty facing this approach is that the effect of the Safari workaround<br />
was obviously not uniform across the represented class. No challenge is or could<br />
<br />
reasonably be made to the judge’s findings, at [2018] EWHC 2599 (QB); [2019] 1 WLR<br />
1265, para 91, that:<br />
<br />
<br />
“… some affected individuals were ‘super users’- heavy<br />
internet users. They will have been ‘victims’ of multiple<br />
breaches, with considerable amounts of [browser generated<br />
<br />
information] taken and used throughout the Relevant Period.<br />
Others will have engaged in very little internet activity.<br />
Different individuals will have had different kinds of<br />
information taken and used. No fewer than 17 categories of<br />
<br />
personal data are identified in the claim documents. The<br />
specified categories of data vary in their sensitivity, some of<br />
them being ‘sensitive personal data’ within the meaning of<br />
the section 2 of the DPA (such as sexuality, or ethnicity). …<br />
But it is not credible that all the specified categories of data<br />
<br />
were obtained by Google from each represented claimant. …<br />
The results of the acquisition and use will also have varied<br />
according to the individual, and their attitudes towards the<br />
acquisition, disclosure and use of the information in<br />
<br />
question.”<br />
<br />
<br />
If liability is established, the ordinary application of the compensatory principle would<br />
therefore result in different awards of compensation to different individuals.<br />
Furthermore, the amount of any compensation recoverable by any member of the<br />
<br />
class would depend on a variety of circumstances particular to that individual.<br />
Individualised assessment of damages would therefore be required.<br />
<br />
<br />
88. The claimant seeks to overcome this difficulty in one or other of two ways. Both<br />
rely on the proposition that an individual is entitled to compensation for any<br />
(non-trivial) contravention of the DPA 1998 without the need to prove that the individual<br />
suffered any financial loss or distress. On that footing it is argued, first of all, that<br />
general damages can be awarded on a uniform per capita basis to each member of the<br />
represented class without the need to prove any facts particular to that individual. The<br />
draft particulars of claim plead that the uniform sum awarded should reflect “the<br />
<br />
serious nature of the breach, in particular (but non-exhaustively):<br />
<br />
<br />
“(a) The lack of consent or knowledge of the<br />
Representative Claimant and each member of the Claimant<br />
Class to the defendant’s collection and use of their personal<br />
<br />
data.<br />
<br />
<br />
(b) The fact that such collection and use was contrary to<br />
the defendant’s public statements.<br />
<br />
<br />
(c) The fact that such collection and use was greatly to<br />
the commercial benefit of the defendant.<br />
<br />
<br />
<br />
(d) The fact that the defendant knew or ought to have<br />
known of the operation of the Safari Workaround from a very<br />
early stage during the Relevant Period. …”<br />
<br />
<br />
I interpose that factor (c), although no doubt true in relation to the class as a whole,<br />
<br />
plainly could not in fact be established in relation to any individual class member<br />
without evidence of what use, if any, was actually made of personal data of that<br />
individual by Google. If there is to be no individualised assessment, this factor must<br />
therefore be left out of account.<br />
<br />
<br />
<br />
89. The alternative case pleaded is that each member of the class is entitled to<br />
damages assessed as an amount which they could reasonably have charged for<br />
releasing Google from the duties which it breached. Again, it is contended that such<br />
damages should be assessed on a uniform per capita basis, “reflecting the generalised<br />
standard terms (rather than individuated basis) on which [Google] does business”.<br />
<br />
<br />
<br />
(2) Section 13 of the DPA 1998<br />
<br />
<br />
90. The claim for compensation made in the present case is founded (exclusively)<br />
on section 13 of the DPA 1998. This provides:<br />
<br />
“(1) An individual who suffers damage by reason of any<br />
contravention by a data controller of any of the requirements<br />
of this Act is entitled to compensation from the data<br />
controller for that damage.<br />
<br />
<br />
(2) An individual who suffers distress by reason of any<br />
<br />
contravention by a data controller of any of the requirements<br />
of this Act is entitled to compensation from the data<br />
controller for that distress if -<br />
<br />
<br />
(a) the individual also suffers damage by reason of the<br />
<br />
contravention, or<br />
<br />
<br />
(b) the contravention relates to the processing of<br />
personal data for the special purposes.<br />
<br />
<br />
(3) In proceedings brought against a person by virtue of<br />
this section it is a defence to prove that he had taken such<br />
<br />
care as in all the circumstances was reasonably required to<br />
comply with the requirement concerned.”<br />
<br />
<br />
91. Section 13 was intended to implement article 23 of the Data Protection<br />
Directive. This stated:<br />
<br />
<br />
<br />
“1. Member states shall provide that any person who has<br />
suffered damage as a result of an unlawful processing<br />
operation or of any act incompatible with the national<br />
provisions adopted pursuant to this Directive is entitled to<br />
<br />
receive compensation from the controller for the damage<br />
suffered.<br />
<br />
<br />
2. The controller may be exempted from this liability, in<br />
whole or in part, if he proves that he is not responsible for<br />
the event giving rise to the damage.”<br />
<br />
<br />
<br />
92. Two initial points can be made about the wording and structure of section 13.<br />
First, to recover compensation under this provision it is not enough to prove a breach<br />
by a data controller of its statutory duty under section 4(4) of the Act: an individual is<br />
<br />
only entitled to compensation under section 13 where “damage” - or in some<br />
circumstances “distress” - is suffered as a consequence of such a breach of duty.<br />
Second, it is plain from subsection (2) that the term “damage” as it is used in section<br />
13 does not include “distress”. The term “material damage” is sometimes used to<br />
describe any financial loss or physical or psychological injury, but excluding distress (or<br />
<br />
other negative emotions not amounting to a recognised psychiatric illness): see eg<br />
Watkins v Secretary of State for the Home Department [2006] UKHL 17; [2006] 2 AC<br />
395, para 7. Adopting this terminology, on a straightforward interpretation the term<br />
“damage” in section 13 refers only to material damage and compensation can only be<br />
<br />
recovered for distress if either of the two conditions set out in subsection (2) is met.<br />
<br />
<br />
(3) Vidal-Hall v Google Inc<br />
<br />
<br />
93. The effect of section 13 was considered by the Court of Appeal in Vidal-Hall v<br />
Google Inc [2016] QB 1003 on facts which, in terms of the generic allegations made,<br />
were identical to those on which the present claim is based. The three claimants<br />
<br />
sought damages arising out of the Safari workaround on two alternative bases: (1) at<br />
common law for misuse of private information; and (2) under section 13 of the DPA<br />
1998. As in the present case, permission to serve the proceedings outside the<br />
jurisdiction was opposed by Google. The main issues raised were: (1) whether misuse<br />
<br />
of private information is a tort for the purpose of the rules providing for service out of<br />
the jurisdiction; and (2) whether compensation can be recovered for distress under<br />
section 13 of the DPA 1998 in the absence of financial loss. The judge decided both<br />
issues in the claimants’ favour and the Court of Appeal affirmed that decision, for<br />
reasons given in a judgment written by Lord Dyson MR and Sharp LJ, with which<br />
<br />
Macfarlane LJ agreed.<br />
<br />
<br />
94. On the second issue Google submitted that, as discussed above, the term<br />
“damage” in section 13 must mean material damage, which for practical purposes<br />
limits its scope to financial loss. Hence section 13(2) has the effect that an individual<br />
<br />
may only recover compensation for distress suffered by reason of a contravention by a<br />
data controller of a requirement of the Act if either (a) the contravention also causes<br />
the individual to suffer financial loss or (b) the contravention relates to the processing<br />
of personal data for “special purposes” - which are defined as journalistic, artistic or<br />
<br />
literary purposes (see section 3). It was not alleged that either of those conditions was<br />
satisfied in the Vidal-Hall case.<br />
<br />
<br />
95. The Court of Appeal accepted that section 13(2) does indeed have this meaning<br />
but held that this makes it incompatible with article 23 of the Data Protection<br />
Directive, which section 13 of the DPA 1998 was meant to implement. This is because<br />
<br />
the word “damage” in article 23 is to be interpreted as including distress, which is the<br />
primary form of damage likely to be caused by an invasion of data privacy; and article<br />
23 does not permit national laws to restrict the right to receive compensation for<br />
“damage” where it takes the form of distress. The Court of Appeal considered whether<br />
it is possible to interpret section 13 in a way which achieves the result sought by the<br />
Directive, but concluded that the words of section 13 are not capable of being<br />
<br />
interpreted in such a way and that the limits set by Parliament to the right to<br />
compensation for breaches of the DPA 1998 are a fundamental feature of the UK<br />
legislative scheme. In the words of Lord Dyson MR and Sharp LJ in their joint judgment,<br />
at para 93, if the court were to disapply the limits on the right to compensation for<br />
<br />
distress set out in section 13(2), “the court would, in effect, be legislating against the<br />
clearly expressed intention of Parliament on an issue that was central to the scheme as<br />
a whole”.<br />
<br />
<br />
96. The Court of Appeal nevertheless held that section 13(2) should be disapplied<br />
on the ground that it conflicts with articles 7 and 8 of the Charter of Fundamental<br />
<br />
Rights of the European Union (“the EU Charter”). Article 7 of the EU Charter is in<br />
materially similar terms to article 8 of the European Convention for the Protection of<br />
Human Rights and Fundamental Freedoms (“the Convention”) and provides that<br />
“[e]veryone has the right to respect for his or her private and family life, home and<br />
<br />
communications”. Article 8(1) provides that “[e]veryone has the right to the protection<br />
of personal data concerning him or her”. In addition, article 47 requires that<br />
“[e]veryone whose rights and freedoms guaranteed by the law of the Union are<br />
violated has the right to an effective remedy before a tribunal …”. The Court of Appeal<br />
decided that, in order to provide an effective remedy for the rights guaranteed by<br />
<br />
articles 7 and 8 of the EU Charter, it was necessary that national law should give effect<br />
to the obligation under article 23 of the Data Protection Directive to provide a right to<br />
receive compensation from the data controller for any damage, including distress,<br />
suffered as a result of an unlawful processing operation. That result could and should<br />
<br />
be achieved by disapplying section 13(2) of the DPA 1998, thus enabling section 13(1)<br />
to be interpreted compatibly with article 23: see [2016] QB 1003, para 105.<br />
<br />
<br />
(4) Misuse of private information<br />
<br />
<br />
97. The Court of Appeal in Vidal-Hall also held that the claims for damages for<br />
<br />
misuse of private information made by the claimants in that case were properly<br />
classified as claims in tort for the purpose of service out of the jurisdiction and had a<br />
real prospect of success. As described at paras 18-25 of the judgment, the tort of<br />
misuse of private information evolved out of the equitable action for breach of<br />
confidence, influenced by the protection of the right to respect for private life<br />
<br />
guaranteed by article 8 of the Convention. The critical step in its emergence as a<br />
distinct basis for a claim was the identification of privacy of information as worthy of<br />
<br />
protection in its own right, irrespective of whether the information was imparted in<br />
circumstances which give rise to a duty of confidence: see Campbell v MGN Ltd [2004]<br />
UKHL 22; [2004] 2 AC 457. As Lord Hoffmann put it in Campbell, at para 50:<br />
<br />
<br />
“What human rights law has done is to identify private<br />
information as something worth protecting as an aspect of<br />
<br />
human autonomy and dignity.”<br />
<br />
<br />
98. The complaint in Campbell was about the publication of private information.<br />
Lord Nicholls of Birkenhead described the “essence of the tort”, at para 14, as “misuse<br />
of private information”. He also noted, however, at para 15, that an individual’s privacy<br />
<br />
can be invaded in ways not involving publication of information, and subsequent cases<br />
have held that intrusion on privacy, without any misuse of information, is actionable:<br />
see PJS v News Group Newspapers Ltd [2016] UKSC 26; [2016] 2 AC 1081, paras 58-60.<br />
It is misuse of information, however, which is primarily relevant in this case, and I shall<br />
generally - as counsel did in argument - use the label for the tort of “misuse of private<br />
<br />
information”.<br />
<br />
<br />
99. To establish liability for misuse of private information (or other wrongful<br />
invasion of privacy), it is necessary to show that there was a reasonable expectation of<br />
privacy in the relevant matter. As the Court of Appeal (Sir Anthony Clarke MR, Laws<br />
<br />
and Thomas LJJ) explained in upholding a claim to restrain the publication of<br />
photographs taken in a public place of the child of the well-known author, JK Rowling,<br />
in Murray v Express Newspapers plc [2008] EWCA Civ 446; [2009] Ch 481, para 36:<br />
<br />
<br />
“… the question whether there is a reasonable expectation of<br />
privacy is a broad one, which takes account of all the<br />
<br />
circumstances of the case. They include the attributes of the<br />
claimant, the nature of the activity in which the claimant was<br />
engaged, the place at which it was happening, the nature and<br />
purpose of the intrusion, the absence of consent and<br />
<br />
whether it was known or could be inferred, the effect on the<br />
claimant and the circumstances in which and the purposes<br />
for which the information came into the hands of the<br />
publisher.”<br />
<br />
<br />
<br />
If this test is met, in cases where freedom of expression is involved the court must then<br />
undertake a “balancing exercise” to decide whether in all the circumstances the<br />
interests of the owner of the private information must yield to the right to freedom of<br />
<br />
<br />
expression conferred on the publisher by article 10 of the Convention: see eg<br />
McKennitt v Ash [2006] EWCA Civ 1714; [2008] QB 73, para 9.<br />
<br />
<br />
(5) Gulati v MGN Ltd<br />
<br />
<br />
100. The measure of damages for wrongful invasion of privacy was considered in<br />
depth in Gulati v MGN Ltd [2015] EWHC 1482 (Ch); [2016] FSR 12 and [2015] EWCA Civ<br />
<br />
1291; [2017] QB 149 by Mann J and by the Court of Appeal. The eight test claimants in<br />
that case were individuals in the public eye whose mobile phones were hacked by<br />
newspapers, leading in some instances to the publication of articles containing<br />
information obtained by this means. The newspapers admitted liability for breach of<br />
<br />
privacy but disputed the amount of damages. Their main argument of principle was<br />
that (in the absence of material damage) all that could be compensated for was<br />
distress caused by their unlawful activities: see [2016] FSR 12, para 108. The judge<br />
rejected that argument. He said, at para 111, that he did not see why “distress (or<br />
some similar emotion), which would admittedly be a likely consequence of an invasion<br />
<br />
of privacy, should be the only touchstone for damages”. In his view:<br />
<br />
<br />
“While the law is used to awarding damages for injured<br />
feelings, there is no reason in principle … why it should not<br />
also make an award to reflect infringements of the right<br />
<br />
itself, if the situation warrants it.”<br />
<br />
<br />
101. The judge referred to cases in which damages have been awarded to very young<br />
children (only ten months or one year old) for misuse of private information by<br />
publishing photographs of them even though, because of their age, they could not<br />
have suffered any distress: see AAA v Associated Newspapers Ltd [2012] EWHC 2103<br />
<br />
(QB); [2013] EMLR 2; and Weller v Associated Newspapers Ltd [2014] EWHC 1163 (QB);<br />
[2014] EMLR 24. He concluded, at para 144:<br />
<br />
<br />
“I shall therefore approach the consideration of quantum in<br />
this case on the footing that compensation can be given for<br />
<br />
things other than distress, and in particular can be given for<br />
the commission of the wrong itself so far as that commission<br />
impacts on the values protected by the right.”<br />
<br />
<br />
Later in the judgment, at para 168, the judge referred back to his finding that:<br />
<br />
<br />
<br />
<br />
“the damages should compensate not merely for distress …,<br />
but should also compensate (if appropriate) for the loss of<br />
privacy or autonomy as such arising out [of] the infringement<br />
by hacking (or other mechanism) as such.”<br />
<br />
<br />
102. The Court of Appeal affirmed this decision: [2015] EWCA Civ 1291; [2017] QB<br />
<br />
149. Arden LJ (with whom Rafferty and Kitchin LJJ agreed) held, at para 45, that:<br />
<br />
<br />
“the judge was correct to conclude that the power of the<br />
court to grant general damages was not limited to distress<br />
and could be exercised to compensate the claimants also for<br />
<br />
the misuse of their private information. The essential<br />
principle is that, by misusing their private information, MGN<br />
deprived the claimants of their right to control the use of<br />
private information.”<br />
<br />
<br />
Arden LJ justified this conclusion, at para 46, on the basis that:<br />
<br />
<br />
<br />
“Privacy is a fundamental right. The reasons for having the<br />
right are no doubt manifold. Lord Nicholls of Birkenhead put<br />
it very succinctly in Campbell v MGN Ltd [2004] 2 AC 457,<br />
para 12: ‘[Privacy] lies at the heart of liberty in a modern<br />
<br />
state. A proper degree of privacy is essential for the well-<br />
being and development of an individual.’”<br />
<br />
<br />
103. The Court of Appeal in Gulati rejected a submission, also rejected by the judge,<br />
that granting damages for the fact of intrusion into a person’s privacy independently of<br />
<br />
any distress caused is inconsistent with the holding of this court in R (WL (Congo)) v<br />
Secretary of State for the Home Department [2011] UKSC 12; [2012] 1 AC 245, paras<br />
97-100, that vindicatory damages are not available as a remedy for violation of a<br />
private right. As Arden LJ pointed out at para 48, no question arose of awarding<br />
vindicatory damages of the kind referred to in WL (Congo), which have been awarded<br />
<br />
in some constitutional cases appealed to the Privy Council “to reflect the sense of<br />
public outrage, emphasise the importance of the constitutional right and the gravity of<br />
the breach, and deter further breaches”: see WL (Congo), para 98; Attorney General of<br />
Trinidad and Tobago v Ramanoop [2005] UKPC 15; [2006] 1 AC 328, para 19. Rather,<br />
<br />
the purpose of the relevant part of the awards made in Gulati was “to compensate for<br />
the loss or diminution of a right to control formerly private information”.<br />
<br />
<br />
<br />
104. Mann J’s reference to “loss of privacy or autonomy” and the Court of Appeal’s<br />
explanation that the claimants could be compensated for misuse of their private<br />
information itself because they were deprived of “their right to control [its] use”<br />
convey the point that English common law now recognises as a fundamental aspect of<br />
personal autonomy a person’s freedom to choose and right to control whether and<br />
<br />
when others have access to his or her private affairs: see on this point the helpful<br />
discussion by NA Moreham, “Compensating for Loss of Dignity and Autonomy” in<br />
Varuhas J and Moreham N (eds), Remedies for Breach of Privacy (2018) ch 5.<br />
<br />
<br />
(6) How the present claim is framed<br />
<br />
<br />
<br />
105. On the basis of the decisions of the Court of Appeal in Vidal-Hall and Gulati,<br />
neither of which is challenged by either party on this appeal, it would be open to Mr<br />
Lloyd to claim, at least in his own right: (1) damages under section 13(1) of the DPA<br />
1998 for any distress suffered by reason of any contravention by Google of any of the<br />
requirements of the Act; and/or (2) damages for the misuse of private information<br />
<br />
without the need to show that it caused any material damage or distress.<br />
<br />
<br />
106. Neither of these claims, however, is made in this case. The reasons why no<br />
claim is made in tort for misuse of private information have not been explained; but<br />
the view may have been taken that, to establish a reasonable expectation of privacy, it<br />
<br />
would be necessary to adduce evidence of facts particular to each individual claimant.<br />
In Vidal-Hall, the claimants produced confidential schedules about their internet use,<br />
showing that the information tracked and collected by Google in their cases was, in the<br />
Court of Appeal’s words at [2016] QB 1003, para 137, “often of an extremely private<br />
nature”. As discussed earlier, the need to obtain evidence in relation to individual<br />
<br />
members of the represented class would be incompatible with the representative<br />
claim which Mr Lloyd is seeking to bring.<br />
<br />
<br />
107. Similarly, to recover damages for distress under section 13(1) of the DPA 1998<br />
would require evidence of such distress from each individual for whom such a claim<br />
<br />
was made. Again, this would be incompatible with claiming damages on a<br />
representative basis.<br />
<br />
<br />
108. Instead of making either of these potential claims, the claimant seeks to break<br />
new legal ground by arguing that the principles identified in Gulati as applicable to the<br />
<br />
assessment of damages for misuse of private information at common law also apply to<br />
the assessment of compensation under section 13(1) of the DPA 1998. The case<br />
advanced, which is also supported by the Information Commissioner, is that the word<br />
<br />
<br />
“damage” in section 13(1) not only extends beyond material damage to include<br />
distress, as decided in Vidal-Hall, but also includes “loss of control” over personal data.<br />
<br />
<br />
(7) “Loss of control” over personal data<br />
<br />
<br />
109. There is potential for confusion in the use of this description. “Loss of control” is<br />
not an expression used in the DPA 1998 and, as the third interveners (the Association<br />
<br />
of the British Pharmaceutical Industry and Association of British HealthTech Industries)<br />
pointed out in their helpful written submissions, none of the requirements of the Act is<br />
predicated on “control” over personal data by the data subject. Under the legislative<br />
scheme the relevant control is that of the data controller: the entity which<br />
<br />
“determines the purposes for which and the manner in which any personal data are, or<br />
are to be, processed.” The nearest analogue to control as regards the data subject is<br />
his or her “consent to the processing”, being the first condition in Schedule 2 (see para<br />
22 above). Such consent, however, is neither necessary nor sufficient to render the<br />
processing of personal data compliant with the Act.<br />
<br />
<br />
<br />
110. It was made clear in submissions, however, that, in describing the basis for the<br />
compensation claimed as “loss of control” of personal data, the claimant is not seeking<br />
to single out a particular category of breaches of the DPA 1998 by a data controller as<br />
breaches in respect of which the data subject is entitled to compensation without<br />
<br />
proof of material damage or distress. The claimant’s case, which was accepted by the<br />
Court of Appeal, is that an individual is entitled to recover compensation under section<br />
13 of the DPA 1998 without proof of material damage or distress whenever a data<br />
controller fails to comply with any of the requirements of the Act in relation to any<br />
personal data of which that individual is the subject, provided only that the<br />
<br />
contravention is not trivial or de minimis. Any such contravention, on the claimant’s<br />
case, ipso facto involves “loss of control” of data for which compensation is payable.<br />
Only where the individual claiming compensation is not the data subject is it necessary<br />
on the claimant’s case to show that the individual has suffered material damage or<br />
<br />
distress.<br />
<br />
<br />
(8) The common source argument<br />
<br />
<br />
111. The claimant’s core argument for this interpretation is that, as a matter of<br />
principle, the same approach to the damage for which compensation can be awarded<br />
<br />
should apply under the data protection legislation as where the claim is brought in tort<br />
for misuse of private information because the two claims, although not coterminous,<br />
have a common source. Both seek to protect the same fundamental right to privacy<br />
<br />
<br />
guaranteed by article 8 of the Convention. This objective is expressly referred to in<br />
recital (10) of the Data Protection Directive, which states:<br />
<br />
<br />
“Whereas the object of the national laws on the processing<br />
of personal data is to protect fundamental rights and<br />
freedoms, notably the right to privacy, which is recognized<br />
<br />
both in article 8 of the European Convention for the<br />
Protection of Human Rights and Fundamental Freedoms and<br />
in the general principles of [EU] law; whereas, for that<br />
reason, the approximation of those laws must not result in<br />
<br />
any lessening of the protection they afford but must, on the<br />
contrary, seek to ensure a high level of protection in the<br />
[EU];”<br />
<br />
<br />
The aim of protecting the right to privacy with regard to the processing of personal<br />
data is also articulated in recitals (2), (7), (8) and (11) of the Data Protection Directive,<br />
<br />
and is spelt out in article 1 which states:<br />
<br />
<br />
“Object of the Directive<br />
<br />
<br />
In accordance with this Directive, member states shall<br />
protect the fundamental rights and freedoms of natural<br />
<br />
persons, and in particular their right to privacy with respect<br />
to the processing of personal data.”<br />
<br />
<br />
Reliance is also placed on the recognition in article 8 of the EU Charter, quoted at para<br />
96 above, of the right to the protection of personal data as a fundamental right in EU<br />
<br />
law.<br />
<br />
<br />
112. The claimant argues that, given that the tort of misuse of private information<br />
and the data protection legislation are both rooted in the same fundamental right to<br />
privacy, it would be wrong in principle to adopt a different approach to the nature of<br />
the damage which can be compensated under the two regimes. The conclusion should<br />
<br />
therefore be drawn that, in each case, damages can be recovered for interference with<br />
the claimant’s right, without the need to prove that the interference resulted in any<br />
material damage or distress.<br />
<br />
<br />
113. I cannot accept this argument for two reasons. First, even if the suggested<br />
<br />
analogy between the privacy tort and the data protection regime were persuasive,<br />
section 13(1) of the DPA 1998 cannot, in my opinion, properly be interpreted as having<br />
the meaning for which the claimant contends. Second, the logic of the argument by<br />
analogy is in any event flawed.<br />
<br />
<br />
(a) The wording of the DPA 1998<br />
<br />
<br />
114. I do not accept a submission made by counsel for Google that the interpretation<br />
<br />
of section 13 of the DPA 1998 should be approached on the basis of a general rule that<br />
breaches of statutory duty are not actionable without proof of material damage. The<br />
question in Cullen v Chief Constable of the Royal Ulster Constabulary [2003] UKHL 39;<br />
[2003] 1 WLR 1763, relied on to support this submission, was whether a statute which<br />
<br />
did not expressly confer a right to compensation on a person affected by a breach of<br />
statutory duty nevertheless conferred such a right impliedly. That is not the question<br />
raised in this case, where there is an express entitlement to compensation provided by<br />
section 13 of the DPA 1998. The only question in this case is what the words of the<br />
relevant statutory provision mean.<br />
<br />
<br />
<br />
115. Those words, however, cannot reasonably be interpreted as giving an individual<br />
a right to compensation without proof of material damage or distress whenever a data<br />
controller commits a non-trivial breach of any requirement of the Act in relation to any<br />
personal data of which that individual is the subject. In the first place, as discussed<br />
<br />
above, the wording of section 13(1) draws a distinction between “damage” suffered by<br />
an individual and a “contravention” of a requirement of the Act by a data controller,<br />
and provides a right to compensation “for that damage” only if the “damage” occurs<br />
“by reason of” the contravention. This wording is inconsistent with an entitlement to<br />
compensation based solely on proof of the contravention. To say, as the claimant does<br />
<br />
in its written case, that what is “damaged” is the data subject’s right to have their data<br />
processed in accordance with the requirements of the Act does not meet this point, as<br />
it amounts to an acknowledgement that on the claimant’s case the damage and the<br />
contravention are one and the same.<br />
<br />
<br />
<br />
116. Nor is the claimant’s case assisted by section 14 of the DPA 1998, on which<br />
reliance is placed. Section 14(1) gives the court power, on the application of a data<br />
subject, to order a data controller to rectify, block, erase or destroy personal data if<br />
satisfied that the data are inaccurate. Section 14(4) states:<br />
<br />
<br />
<br />
“If a court is satisfied on the application of a data subject -<br />
<br />
<br />
<br />
<br />
(a) that he has suffered damage by reason of any<br />
contravention by a data controller of any of the<br />
requirements of this Act in respect of any personal<br />
data, in circumstances entitling him to compensation<br />
under section 13, and<br />
<br />
<br />
<br />
(b) that there is a substantial risk of further<br />
contravention in respect of those data in such<br />
circumstances,<br />
<br />
<br />
the court may order the rectification, blocking, erasure or<br />
<br />
destruction of any of those data.”<br />
<br />
<br />
117. Counsel for the claimant submitted that, if Google’s case on what is meant by<br />
“damage” is correct, a data subject who does not suffer material damage or distress as<br />
a result of a breach of duty by a data controller cannot claim rectification, blocking,<br />
erasure or destruction of data, unless those data are inaccurate, however egregious<br />
<br />
the breach. This is true, but I can see nothing unreasonable in such a result. Indeed,<br />
section 14 seems to me positively to confirm that “damage” means something distinct<br />
from a contravention of the Act itself. If a contravention by a data controller of the Act<br />
could by itself constitute “damage”, section 14(4)(a) would be otiose and there would<br />
<br />
be no material distinction in the remedies available in cases where the data are<br />
inaccurate and in cases where the data are accurate. The manifest intention behind<br />
section 14 is to limit the remedies of rectification, blocking, erasure or destruction of<br />
accurate data to cases where the contravention of the Act has caused the data subject<br />
some harm distinct from the contravention itself, whereas no such limitation is<br />
<br />
imposed where the contravention involves holding inaccurate personal data.<br />
<br />
<br />
118. The second reason why the claimant’s interpretation is impossible to reconcile<br />
with the language of section 13 is that, as the Court of Appeal recognised in Vidal-Hall,<br />
it is plain from the words enacted by Parliament that the term “damage” was intended to<br />
<br />
be limited to material damage and not to extend to “distress”. The only basis on which<br />
the Court of Appeal in Vidal-Hall was able to interpret the term “damage” as<br />
encompassing distress was by disapplying section 13(2) as being incompatible with EU<br />
law. By the same token, if the term “damage” in section 13 is to be interpreted as<br />
<br />
having an even wider meaning and as encompassing an infringement of a data<br />
subject’s rights under the Act which causes no material damage nor even distress, that<br />
could only be because this result is required by EU law. On a purely domestic<br />
interpretation of the DPA 1998, such a reading is untenable.<br />
<br />
<br />
<br />
(b) The effect of EU law<br />
<br />
<br />
119. It is not suggested in the present case that section 13(1) should be disapplied:<br />
the claimant’s case is founded on it. No argument of the kind which succeeded in<br />
Vidal-Hall that words of the statute must be disapplied because they conflict with EU<br />
law is therefore available (or is advanced by the claimant). The question is whether the<br />
<br />
term “damage” in section 13(1) can and should be interpreted as having the meaning<br />
for which the claimant contends because such an interpretation is required in order to<br />
make the domestic legislation compatible with EU law. There are two aspects of this<br />
question: (i) what does the term “damage” mean in article 23 of the Data Protection<br />
<br />
Directive, which section 13 of the DPA 1998 was intended to implement; and (ii) if<br />
“damage” in article 23 includes contraventions of the national provisions adopted<br />
pursuant to the Directive which cause no material damage or distress, is it possible to<br />
interpret the term “damage” in section 13(1) of the DPA 1998 as having the same<br />
meaning?<br />
<br />
<br />
<br />
120. To take the second point first, it does not seem to me possible to interpret the<br />
term “damage” in section 13(1) of the DPA 1998 as having the meaning for which the<br />
claimant contends, even if such an interpretation were necessary to make the Act<br />
compatible with the Data Protection Directive. In Vidal-Hall the Court of Appeal held,<br />
<br />
rightly in my opinion, that section 13 of the DPA 1998 could not be construed as<br />
providing a general right to compensation for distress suffered by reason of a<br />
contravention of the Act “without contradicting the clearly expressed intention of<br />
Parliament on an issue that was central to the scheme” of the legislation (see para 95<br />
above). The same is equally, if not all the more, true of the contention that section 13<br />
<br />
of the DPA 1998 can be interpreted as providing a right to compensation for<br />
contraventions of the Act which have not caused any distress, let alone material<br />
damage. The distinction between “damage” suffered by an individual and a<br />
“contravention” of a requirement of the Act by a data controller which causes such<br />
<br />
damage is a fundamental feature of the remedial scheme provided by the Act which,<br />
as indicated above, permeates section 14 as well as section 13. If it were found that<br />
this feature makes the DPA 1998 incompatible with the Data Protection Directive, such<br />
incompatibility could, in my view, only be removed by amending the legislation. That<br />
<br />
could only be done by Parliament.<br />
<br />
<br />
121. No such incompatibility arises, however, as there is no reason to interpret the<br />
term “damage” in article 23 of the Data Protection Directive as extending beyond<br />
material damage and distress. The wording of article 23 draws exactly the same<br />
distinction as section 13(1) of the DPA 1998 between “damage” and an unlawful act of<br />
<br />
which the damage is “a result”. Again, this wording identifies the “damage” for which a<br />
person is entitled to receive compensation as distinct from the wrongful act which<br />
<br />
causes the damage. This is inconsistent with giving a right to compensation for the<br />
unlawful act itself on the basis that the act constitutes an interference with the<br />
claimant’s data protection rights. Nor has any authority been cited which suggests that<br />
the term “damage”, either generally in EU law or in the specific context of article 23 of<br />
the Data Protection Directive, is to be interpreted as including an infringement of a<br />
<br />
legal right which causes no material damage or distress.<br />
<br />
<br />
122. If there were evidence that at least some national laws on the processing of<br />
personal data which pre-dated the Data Protection Directive and are referred to in<br />
recital (10), quoted at para 111 above, provided a right to compensation for unlawful<br />
<br />
processing without proof of material damage or distress, that might arguably support<br />
an inference that the Directive was intended to ensure a similarly high level of<br />
protection across all member states. But it has not been asserted that any national<br />
laws did so. The Data Protection Act 1984, which was the applicable UK legislation<br />
when the Data Protection Directive was adopted, in sections 22 and 23 gave the data<br />
<br />
subject an entitlement to compensation in certain circumstances for damage or<br />
distress suffered by reason of the inaccuracy of data or the loss or unauthorised<br />
destruction or disclosure of data or unauthorised obtaining of access to data. By clear<br />
implication, UK national law gave no right to compensation for unlawful processing of<br />
<br />
personal data which did not result in material damage or distress. There is no evidence<br />
that the national law of any other member state at that time did so either.<br />
<br />
<br />
123. EU law therefore does not provide a basis for giving a wider meaning to the<br />
term “damage” in section 13 of the DPA 1998 than was given to that term by the Court<br />
of Appeal in Vidal-Hall.<br />
<br />
<br />
<br />
(c) Flaws in the common source argument<br />
<br />
<br />
124. I also reject the claimant’s argument that the decision in Gulati affords any<br />
assistance to its case on this issue. Leaving aside the fact that Gulati was decided many<br />
years after the Data Protection Directive was adopted, there is no reason on the face<br />
<br />
of it why the basis on which damages are awarded for an English domestic tort should<br />
be regarded as relevant to the proper interpretation of the term “damage” in a<br />
statutory provision intended to implement a European directive. The claimant relies on<br />
the fact that both derive from the right to respect for private life protected by article 8<br />
<br />
of the Convention (and incorporated in article 7 of the EU Charter when it was created<br />
in 2007). It does not follow, however, from the fact that two different legal regimes<br />
aim, at a general level, to provide protection for the same fundamental value that they<br />
must do so in the same way or to the same extent or by affording identical remedies.<br />
There are significant differences between the nature and scope of the common law<br />
<br />
privacy tort and the data protection legislation, to which I will draw attention in a<br />
moment. But the first point to note is that the decision in Gulati that damages can be<br />
awarded for misuse of private information itself was not compelled by article 8 of the<br />
Convention; nor did article 8 require the adoption of the particular legal framework<br />
governing the protection of personal data contained in the Data Protection Directive<br />
and the DPA 1998.<br />
<br />
<br />
<br />
125. The Convention imposes obligations on the states which are parties to it, but<br />
not on private individuals and bodies. In some cases the obligations on state parties<br />
extend beyond negative obligations not to act in ways which violate the Convention<br />
rights and include certain positive obligations on the state to ensure effective<br />
<br />
protection of those rights. That is so as regards the right to respect for private life<br />
guaranteed by article 8. The European Court of Human Rights has held that in certain<br />
circumstances the state’s positive obligations under article 8 are not adequately<br />
fulfilled unless the state secures respect for private life in the relations between<br />
individuals by setting up a legislative framework taking into consideration the various<br />
<br />
interests to be protected in a particular context. However, the court has emphasised<br />
that there are different ways of ensuring respect for private life and that “the choice of<br />
the means calculated to secure compliance with article 8 of the Convention in the<br />
sphere of the relations of individuals between themselves is in principle a matter that<br />
<br />
falls within the contracting states’ margin of appreciation”: see the judgment of the<br />
Grand Chamber in Bărbulescu v Romania [2017] ECHR 754; [2017] IRLR 1032, para 113.<br />
<br />
<br />
126. While the House of Lords in Campbell drew inspiration from article 8, it did not<br />
suggest that the Convention or the Human Rights Act 1998 required the recognition of<br />
a civil claim for damages for misuse of private information in English domestic law, let<br />
<br />
alone that damages should be recoverable in such claim where no material damage or<br />
distress has been caused. In Gulati the Court of Appeal rejected an argument that the<br />
approach to awarding damages for misuse of private information ought to follow the<br />
approach of the European Court of Human Rights in making awards of just satisfaction<br />
<br />
under article 41 of the Convention. As Arden LJ observed, at para 89, in awarding<br />
damages for misuse of private information, the court is not proceeding under section 8<br />
of the Human Rights Act 1998 or article 41 of the Convention, and the conditions of<br />
the tort are governed by English domestic law and not the Convention.<br />
<br />
<br />
<br />
127. For those reasons, I do not regard as relevant the decision of the European<br />
Court of Human Rights in Halford v United Kingdom (1997) 24 EHRR 523, relied on by<br />
counsel for the claimant. In Halford a senior police officer whose telephone calls had<br />
been intercepted by her employer in violation of article 8 was awarded £10,000 as just<br />
satisfaction. As Lord Sales pointed out in argument, on one reading of the judgment,<br />
<br />
which is far from clear, although it could not be shown that the interception of the<br />
applicant’s phone calls, as opposed to other conflicts with her employer, had caused<br />
<br />
stress for which she had required medical treatment, it was reasonably assumed that<br />
this invasion of privacy had caused her mental harm. Even if the award of just<br />
satisfaction is understood to have been for the invasion of the right to privacy itself<br />
rather than for any distress felt by the applicant, however, it does not follow that, in an<br />
action between private parties under national law for a similar invasion of privacy, the<br />
<br />
Convention requires the court to be able to award damages simply for the loss of<br />
privacy itself.<br />
<br />
<br />
128. Whilst it may be said that pursuant to the general principles of EU law<br />
embodied in articles 7 and 8 of the EU Charter the EU had a positive obligation to<br />
<br />
establish a legislative framework providing for protection of personal data, there was<br />
clearly a wide margin of choice as to the particular regime adopted; and the same<br />
applies to the positive obligation imposed directly on the UK by the Convention. It<br />
could not seriously be argued that the content of those positive obligations included a<br />
requirement to establish a right to receive compensation for any (non-trivial) breach of<br />
<br />
any requirement (in relation to any personal data of which the claimant is the subject)<br />
of whatever legislation the EU and UK chose to enact in this area without the need to<br />
prove that the claimant suffered any material damage or distress as a result of the<br />
breach.<br />
<br />
<br />
<br />
129. Accordingly, the fact that the common law privacy tort and the data protection<br />
legislation have a common source in article 8 of the Convention does not justify<br />
reading across the principles governing the award of damages from one regime to the<br />
other.<br />
<br />
<br />
(d) Material differences between the regimes<br />
<br />
<br />
<br />
130. There are further reasons why no such analogy can properly be drawn<br />
stemming from the differences between the two regimes. It is plain that the detailed<br />
scheme for regulating the processing of personal data established by the Data<br />
Protection Directive extended beyond the scope of article 8 and much more widely<br />
<br />
than the English domestic tort of misusing private information. An important<br />
difference is that the Directive (and the UK national legislation implementing it)<br />
applied to all “personal data” with no requirement that the data are of a confidential<br />
or private nature or that there is a reasonable expectation of privacy protection. By<br />
<br />
contrast, information is protected against misuse by the domestic tort only where<br />
there is a reasonable expectation of privacy. The reasonable expectation of privacy of<br />
the communications illicitly intercepted by the defendants in the phone hacking<br />
litigation was an essential element of the decision in Gulati that the claimants were<br />
entitled to compensation for the commission of the wrong itself. It cannot properly be<br />
<br />
<br />
inferred that the same entitlement should arise where a reasonable expectation of<br />
privacy is not a necessary element of the claim.<br />
<br />
<br />
131. This point goes to the heart of the approach adopted by the claimant in the<br />
present case. Stripped to its essentials, what the claimant is seeking to do is to claim<br />
for each member of the represented class a form of damages the rationale for which<br />
<br />
depends on there being a violation of privacy, while avoiding the need to show a<br />
violation of privacy in the case of any individual member of the class. This is a flawed<br />
endeavour.<br />
<br />
<br />
132. Another significant difference between the privacy tort and the data protection<br />
<br />
legislation is that a claimant is entitled to compensation for a contravention of the<br />
legislation only where the data controller has failed to exercise reasonable care. Some<br />
contraventions are inherently fault based. For example, the seventh data protection<br />
principle with which a data controller has a duty to comply pursuant to section 4(4) of<br />
the DPA 1998 (and article 17 of the Data Protection Directive) states:<br />
<br />
<br />
<br />
“Appropriate technical and organisational measures shall be<br />
taken against unauthorised or unlawful processing of<br />
personal data and against accidental loss or destruction of, or<br />
damage to, personal data.”<br />
<br />
<br />
<br />
A complaint that a data controller has failed to take such “appropriate technical and<br />
organisational measures” is similar to an allegation of negligence in that it is<br />
predicated on failure to meet an objective standard of care rather than on any<br />
intentional conduct. Even where a contravention of the legislation does not itself<br />
require fault, pursuant to section 13(3), quoted at para 90 above, there is no<br />
<br />
entitlement to compensation if the data controller proves that it took “such care as in<br />
all the circumstances was reasonably required to comply with the requirement<br />
concerned”.<br />
<br />
<br />
133. The privacy tort, like other torts for which damages may be awarded without<br />
<br />
proof of material damage or distress, is a tort involving strict liability for deliberate<br />
acts, not a tort based on a want of care. No inference can be drawn from the fact that<br />
compensation can be awarded for commission of the wrong itself where private<br />
information is misused that the same should be true where the wrong may consist only<br />
<br />
in a failure to take appropriate protective measures and where the right to<br />
compensation is expressly excluded if the defendant took reasonable care.<br />
<br />
<br />
<br />
134. Indeed, this feature of the data protection legislation seems to me to be a yet<br />
further reason to conclude that the “damage” for which an individual is entitled to<br />
compensation for a breach of any of its requirements does not include the commission<br />
of the wrong itself. It would be anomalous if failure to take reasonable care to protect<br />
personal data gave rise to a right to compensation without proof that the claimant<br />
<br />
suffered any material damage or distress when failure to take care to prevent personal<br />
injury or damage to tangible moveable property does not.<br />
<br />
<br />
135. Accordingly, I do not accept that the decision in Gulati is applicable by analogy<br />
to the DPA 1998. To the contrary, there are significant differences between the privacy<br />
<br />
tort and the data protection legislation which make such an analogy positively<br />
inappropriate.<br />
<br />
<br />
(e) Equivalence and effectiveness<br />
<br />
<br />
136. I add for completeness that the EU law principles of equivalence and<br />
effectiveness, on which the Court of Appeal placed some reliance, do not assist the<br />
<br />
claimant’s case. The principle of equivalence requires that procedural rules governing<br />
claims for breaches of EU law rights must not be less favourable than procedural rules<br />
governing equivalent domestic actions. As explained by Lord Briggs, giving the<br />
judgment of this court, in Totel Ltd v Revenue and Customs Comrs [2018] UKSC 44;<br />
<br />
[2018] 1 WLR 4053, para 7, the principle is “essentially comparative”. Thus:<br />
<br />
<br />
“The identification of one or more similar procedures for the<br />
enforcement of claims arising in domestic law is an essential<br />
prerequisite for its operation. If there is no true comparator,<br />
then the principle of equivalence can have no operation at<br />
<br />
all. The identification of one or more true comparators is<br />
therefore the essential first step in any examination of an<br />
assertion that the principle of equivalence has been<br />
infringed.” [citation omitted]<br />
<br />
<br />
<br />
For the reasons given, even if the measure of damages is regarded as a procedural<br />
rule, a claim for damages for misuse of private information at common law is not a<br />
true comparator of a claim under section 13 of the DPA 1998. The principle of<br />
equivalence can therefore have no operation.<br />
<br />
<br />
<br />
137. The principle of effectiveness invalidates a national procedure if it renders the<br />
enforcement of a right conferred by EU law either virtually impossible or excessively<br />
<br />
difficult: see again Totel Ltd at para 7. However, the absence of a right to<br />
compensation for a breach of data protection rights which causes no material damage<br />
or distress, even if regarded as a procedural limitation, does not render the<br />
enforcement of such rights virtually impossible or excessively difficult. The right to an<br />
effective remedy does not require awards of compensation for every (non-trivial)<br />
<br />
breach of statutory requirements even if no material damage or distress has been<br />
suffered.<br />
<br />
<br />
(f) Conclusion on the effect of section 13<br />
<br />
<br />
138. For all these reasons, I conclude that section 13 of the DPA 1998 cannot<br />
<br />
reasonably be interpreted as conferring on a data subject a right to compensation for<br />
any (non-trivial) contravention by a data controller of any of the requirements of the<br />
Act without the need to prove that the contravention has caused material damage or<br />
distress to the individual concerned.<br />
<br />
<br />
(9) The claim for user damages<br />
<br />
<br />
<br />
139. “User damages” is the name commonly given to a type of damages readily<br />
awarded in tort where use has wrongfully been made of someone else’s land or<br />
tangible moveable property although there has been no financial loss or physical<br />
damage to the property. The damages are assessed by estimating what a reasonable<br />
<br />
person would have paid for the right of user. Damages are also available on a similar<br />
basis for patent infringement and other breaches of intellectual property rights.<br />
Following the seminal decision of this court in OneStep (Support) Ltd v Morris-Garner<br />
[2018] UKSC 20; [2019] AC 649, it is now clear that user damages are compensatory in<br />
nature, their purpose being to compensate the claimant for interference with a right to<br />
<br />
control the use of property where the right is a commercially valuable asset. As Lord<br />
Reed explained in Morris-Garner, at para 95(1):<br />
<br />
<br />
“The rationale of such awards is that the person who makes<br />
wrongful use of property, where its use is commercially<br />
<br />
valuable, prevents the owner from exercising a valuable right<br />
to control its use, and should therefore compensate him for<br />
the loss of the value of the exercise of that right. He takes<br />
something for nothing, for which the owner was entitled to<br />
<br />
require payment.”<br />
<br />
<br />
<br />
<br />
140. Lord Reed, at paras 27 and 29, cited authorities which make it clear that the<br />
entitlement to user damages does not depend on whether the owner would in fact<br />
have exercised the right to control the use of the property, had it not been interfered<br />
with. The “loss” for which the claimant is entitled to compensation is not loss of this<br />
“conventional kind” (para 30); rather, it lies in the wrongful use of the claimant’s<br />
<br />
property itself, for which the economic value of the use provides an appropriate<br />
measure. This value can be assessed by postulating a hypothetical negotiation and<br />
estimating what fee would reasonably have been agreed for releasing the defendant<br />
from the duty which it breached. It is this method of assessment on which the claimant<br />
<br />
relies in the alternative formulation of the present claim.<br />
<br />
<br />
141. A claim in tort for misuse of private information based on the factual allegations<br />
made in this case, such as was made in Vidal-Hall, would naturally lend itself to an<br />
award of user damages. The decision in Gulati shows that damages may be awarded<br />
for the misuse of private information itself on the basis that, apart from any material<br />
<br />
damage or distress that it may cause, it prevents the claimant from exercising his or<br />
her right to control the use of the information. Nor can it be doubted that information<br />
about a person’s internet browsing history is a commercially valuable asset. What was<br />
described by the Chancellor in the Court of Appeal [2020] QB 747, para 46, as “the<br />
<br />
underlying reality of this case” is that Google was allegedly able to make a lot of money<br />
by tracking the browsing history of iPhone users without their consent and selling the<br />
information collected to advertisers.<br />
<br />
<br />
142. The view has sometimes been expressed that asserting privacy in information is<br />
inconsistent, or at least in tension, with treating such information as a commercial<br />
<br />
asset: see eg Douglas v Hello! Ltd (No 3) [2005] EWCA Civ 595; [2006] QB 125, para<br />
246; and on appeal sub nom OBG Ltd v Allan [2007] UKHL 21; [2008] AC 1, para 275<br />
(Lord Walker of Gestingthorpe). But once the basis of the right to privacy is understood<br />
to be the protection of a person’s freedom to choose and right to control whether and<br />
<br />
when others have access to his or her private affairs, I think that any tension largely<br />
disappears. It is common experience that some people are happy to exploit for<br />
commercial gain facets of their private lives which others would feel mortified at<br />
having exposed to public view. Save in the most extreme cases, this should be seen as<br />
<br />
a matter of personal choice on which it is not for the courts to pass judgments.<br />
Moreover, where the defendant’s very purpose in wrongfully obtaining and using<br />
private information is to exploit its commercial value, the law should not be prissy<br />
about awarding compensation based on the commercial value of the exercise of the<br />
right. As was confirmed in Morris-Garner, the fact that the claimant would not have<br />
<br />
chosen to exercise the right himself is no answer to a claim for user damages. It is<br />
enough that, as Lord Reed put it at paras 30 and 95(1) of his majority judgment, the<br />
defendant has taken something for nothing, for which the owner of the right was<br />
entitled to require payment.<br />
<br />
143. The point does not arise in the present case, however, because the claimant is<br />
not claiming damages for misuse of private information. As discussed, the only claim<br />
advanced is under the DPA 1998. Here it follows from the conclusion reached above<br />
about the meaning of section 13 that user damages are not available. This is because,<br />
for the reasons given, compensation can only be awarded under section 13 of the DPA<br />
<br />
1998 for material damage or distress caused by an infringement of a claimant’s right to<br />
have his or her personal data processed in accordance with the requirements of the<br />
Act, and not for the infringement itself. Although his reasoning was in part based on an<br />
understanding of user damages overtaken by this court’s decision in Morris-Garner, it<br />
<br />
follows that Patten J was right to hold in Murray v Express Newspapers Plc [2007]<br />
EWHC 1908 (Ch); [2007] EMLR 22, at para 92, that the principles on which user<br />
damages are awarded do not apply to a claim for compensation under the DPA 1998.<br />
<br />
<br />
F. THE NEED FOR INDIVIDUALISED EVIDENCE OF MISUSE<br />
<br />
<br />
144. There is a further reason why the claimant’s attempt to recover damages under<br />
<br />
section 13 of the DPA 1998 by means of a representative claim cannot succeed. Even if<br />
(contrary to my conclusion) it were unnecessary in order to recover compensation<br />
under this provision to show that an individual has suffered material damage or<br />
distress as a result of unlawful processing of his or her personal data, it would still be<br />
<br />
necessary for this purpose to establish the extent of the unlawful processing in his or<br />
her individual case. In deciding what amount of damages, if any, should be awarded,<br />
relevant factors would include: over what period of time did Google track the<br />
individual’s internet browsing history? What quantity of data was unlawfully<br />
processed? Was any of the information unlawfully processed of a sensitive or private<br />
<br />
nature? What use did Google make of the information and what commercial benefit, if<br />
any, did Google obtain from such use?<br />
<br />
<br />
(1) The claim for the “lowest common denominator”<br />
<br />
<br />
145. The claimant does not dispute that the amount of any compensation awarded<br />
<br />
must in principle depend on such matters. But he contends that it is possible to<br />
identify an “irreducible minimum harm” suffered by every member of the class whom<br />
he represents for which a “uniform sum” of damages can be awarded. This sum is<br />
claimed on the basis that it represents what the Chancellor in the Court of Appeal<br />
<br />
described as the “lowest common denominator” of all the individual claims: see [2020]<br />
QB 747, para 75.<br />
<br />
<br />
146. Google objects that Mr Lloyd, as the self-appointed representative of the class,<br />
has no authority from any individual class member to waive or abandon what may be<br />
<br />
the major part of their damages claim by disavowing reliance on any circumstances<br />
affecting that individual. Mr Lloyd’s answer, which the Court of Appeal accepted, is a<br />
pragmatic one. He points out that the limitation period for bringing any proceedings<br />
has now expired. For any represented individual there is therefore no longer any<br />
realistic possibility of recovering any compensation at all other than through the<br />
<br />
present action. Furthermore, to make this action viable, it is necessary to confine the<br />
amount of damages claimed for each class member to a uniform sum; and a uniform<br />
sum of damages, even if considerably smaller than an individualised award would be, is<br />
better than nothing.<br />
<br />
<br />
<br />
147. I do not think it necessary to enter into the merits of this issue. I am prepared to<br />
assume, without deciding, that as a matter of discretion the court could - if satisfied<br />
that the persons represented would not be prejudiced and with suitable arrangements<br />
in place enabling them to opt out of the proceedings if they chose - allow a<br />
representative claim to be pursued for only a part of the compensation that could<br />
<br />
potentially be claimed by any given individual. The fundamental problem is that, if no<br />
individual circumstances are taken into account, the facts alleged are insufficient to<br />
establish that any individual member of the represented class is entitled to damages.<br />
That is so even if it is unnecessary to prove that the alleged breaches caused any<br />
<br />
material damage or distress to the individual.<br />
<br />
<br />
(2) The facts common to each individual case<br />
<br />
<br />
148. The facts alleged against Google generically cannot establish that any given<br />
individual is entitled to compensation. To establish any such individual entitlement it<br />
must be shown, at least, that there was unlawful processing by Google of personal<br />
<br />
data of which that particular individual was the subject. In considering whether the<br />
facts alleged, if proved, are capable of establishing an entitlement to damages, it is<br />
therefore necessary to identify what unlawful processing by Google of personal data is<br />
alleged to have occurred in Mr Lloyd’s own case and also in the case of each other<br />
<br />
member of the represented class. What facts is the claimant proposing to prove to<br />
show that Google acted unlawfully in each individual case?<br />
<br />
<br />
149. The answer, on analysis, is: only those facts which are necessary to show that<br />
the individual falls within the definition of the “claimant class”. The premise of the<br />
<br />
claim is that Mr Lloyd and each person whom he represents is entitled to damages<br />
simply on proof that they are members of the class and without the need to prove any<br />
further facts to show that Google wrongfully collected and used their personal data.<br />
Any such further facts would inevitably vary from one individual member of the class<br />
to another and would require individual proof.<br />
<br />
<br />
150. To fall within the definition of the class, it must be shown, in substance, that the<br />
individual concerned had an iPhone of the appropriate model running a relevant<br />
version of the Apple Safari internet browser which, at any date during the relevant<br />
period whilst present in England and Wales, he or she used to access a website that<br />
was participating in Google’s DoubleClick advertising service. There are exclusions<br />
<br />
from the class definition for anyone who changed the default settings in the Safari<br />
browser, opted out of tracking and collation via Google’s “Ads Preference Manager” or<br />
obtained a DoubleClick Ad cookie via a “first party request” rather than as a “third<br />
party cookie”. The aim of the definition is to identify all those people who had a<br />
<br />
DoubleClick Ad cookie placed on their device unlawfully, through the Safari<br />
workaround, but not to include within the class anyone who did not receive a<br />
DoubleClick Ad cookie during the relevant period or who received the cookie by lawful<br />
means.<br />
<br />
<br />
151. It is sufficient to bring an individual within the class definition that he or she<br />
<br />
used the Safari browser to access a website participating in Google’s DoubleClick<br />
advertising service on a single occasion. The theory is that on that occasion the<br />
DoubleClick Ad cookie will have been placed on the user’s device unlawfully as a third<br />
party cookie. To qualify for membership of the class, it is not necessary to show that<br />
<br />
the individual ever visited a website participating in Google’s DoubleClick advertising<br />
service again during the relevant period. Nor is it alleged that any individual or<br />
individuals did visit such a website on more than one occasion. The “lowest common<br />
denominator” on which the claim is based is therefore someone whose internet usage<br />
- apart from one visit to a single website - was not illicitly tracked and collated and who<br />
<br />
received no targeted advertisements as a result of receiving a DoubleClick Ad cookie.<br />
This is because the claimant has deliberately chosen, in order to advance a claim in a<br />
representative capacity for damages assessed from the bottom up, not to rely on any<br />
facts about the internet activity of any individual iPhone user beyond those which<br />
<br />
bring them within the class of represented persons.<br />
<br />
<br />
152. For reasons given earlier, I am leaving aside the difficulties of proving<br />
membership of the class, significant as they would appear to be, and am assuming that<br />
such difficulties are not an impediment to the claim. But the question that must be<br />
<br />
asked is whether membership of the represented class is sufficient by itself to entitle<br />
an individual to compensation, without proof of any further facts particular to that<br />
individual.<br />
<br />
<br />
153. On the claimant’s own case there is a threshold of seriousness which must be<br />
crossed before a breach of the DPA 1998 will give rise to an entitlement to<br />
<br />
compensation under section 13. I cannot see that the facts which the claimant aims to<br />
prove in each individual case are sufficient to surmount this threshold. If (contrary to<br />
<br />
the conclusion I have reached) those facts disclose “damage” within the meaning of<br />
section 13 at all, I think it impossible to characterise such damage as more than trivial.<br />
What gives the appearance of substance to the claim is the allegation that Google<br />
secretly tracked the internet activity of millions of Apple iPhone users for several<br />
months and used the data obtained for commercial purposes. But on analysis the<br />
<br />
claimant is seeking to recover damages without attempting to prove that this<br />
allegation is true in the case of any individual for whom damages are claimed. Without<br />
proof of some unlawful processing of an individual’s personal data beyond the bare<br />
minimum required to bring them within the definition of the represented class, a claim<br />
<br />
on behalf of that individual has no prospect of meeting the threshold for an award of<br />
damages.<br />
<br />
<br />
(3) User damages on a lowest common denominator basis<br />
<br />
<br />
154. The claimant’s case is not improved by formulating the claim as one for user<br />
damages quantified by estimating what fee each member of the represented class<br />
<br />
could reasonably have charged - or which would reasonably have been agreed in a<br />
hypothetical negotiation - for releasing Google from the duties which it breached. I<br />
have already indicated why, in my opinion, user damages cannot be recovered for<br />
breaches of the DPA 1998. But even if (contrary to that conclusion) user damages<br />
<br />
could in principle be recovered, the inability or unwillingness to prove what, if any,<br />
wrongful use was made by Google of the personal data of any individual again means<br />
that any damages awarded would be nil.<br />
<br />
<br />
155. The claimant asserts, and I am content to assume, that if, instead of bypassing<br />
privacy settings through the Safari workaround, Google had offered to pay a fee to<br />
<br />
each affected Apple iPhone user for the right to place its DoubleClick Ad cookie on<br />
their device, the fee would have been a standard one, agreed in advance, rather than a<br />
fee which varied according to the quantity or commercial value to Google of the<br />
information which was subsequently collected as a result of the user’s acceptance of<br />
<br />
the cookie. However, imagining the negotiation of a fee in advance in this way is not<br />
the correct premise for the valuation.<br />
<br />
<br />
156. As explained in Morris-Garner, the object of an award of user damages is to<br />
compensate the claimant for use wrongfully made by the defendant of a valuable asset<br />
<br />
protected by the right infringed. The starting point for the valuation exercise is thus to<br />
identify what the extent of such wrongful use actually was: only then can an estimate<br />
be made of what sum of money could reasonably have been charged for that use or,<br />
put another way, for releasing the wrongdoer from the duties which it breached in the<br />
wrongful use that it made of the asset. Imagining a hypothetical negotiation, as Lord<br />
<br />
Reed explained at para 91 of Morris-Garner, is merely “a tool” for arriving at this<br />
estimated sum. As in any case where compensation is awarded, the aim is to place the<br />
claimant as nearly as possible in the same position as if the wrongdoing had not<br />
occurred. Accordingly, as Patten LJ put it in Eaton Mansions (Westminster) Ltd v Stinger<br />
Compania de Inversion SA [2013] EWCA Civ 1308; [2014] 1 P & CR 5, para 21:<br />
<br />
<br />
“The valuation construct is that the parties must be treated<br />
<br />
as having negotiated for a licence which covered the acts of<br />
trespass that actually occurred. The defendant is not required<br />
to pay damages for anything else.”<br />
<br />
<br />
See also Enfield London Borough Council v Outdoor Plus Ltd [2012] EWCA Civ 608, para<br />
<br />
47; and Marathon Asset Management LLP v Seddon [2017] EWHC 300 (Comm); [2017]<br />
ICR 791, paras 254-262.<br />
<br />
<br />
157. Applying that approach, the starting point would therefore need to be to<br />
establish what unlawful processing by Google of the claimant’s personal data actually<br />
occurred. Only when the wrongful use actually made by Google of such data is known<br />
<br />
is it possible to estimate its commercial value. As discussed, in order to avoid individual<br />
assessment, the only wrongful act which the claimant proposes to prove in the case of<br />
each represented person is that the DoubleClick Ad cookie was unlawfully placed on<br />
their device: no evidence is - or could without individual assessment - be adduced to<br />
<br />
show that, by means of this third party cookie, Google collected or used any personal<br />
data relating to that individual. The relevant valuation construct is therefore to ask<br />
what fee would hypothetically have been negotiated for a licence to place the<br />
DoubleClick Ad cookie on an individual user’s phone as a third party cookie, but<br />
without releasing Google from its obligations not to collect or use any information<br />
<br />
about that person’s internet browsing history. It is plain that such a licence would be<br />
valueless and that the fee which could reasonably be charged or negotiated for it<br />
would accordingly be nil.<br />
<br />
<br />
G. CONCLUSION<br />
<br />
<br />
<br />
158. The judge took the view that, even if the legal foundation for the claim made in<br />
this action were sound, he should exercise the discretion conferred by CPR rule 19.6(2)<br />
by refusing to allow the claim to be continued as a representative action. He<br />
characterised the claim as “officious litigation, embarked upon on behalf of individuals<br />
<br />
who have not authorised it” and in which the main beneficiaries of any award of<br />
damages would be the funders and the lawyers. He thought that the representative<br />
claimant “should not be permitted to consume substantial resources in the pursuit of<br />
litigation on behalf of others who have little to gain from it, and have not authorised<br />
<br />
the pursuit of the claim, nor indicated any concern about the matters to be litigated”:<br />
[2019] 1 WLR 1265, paras 102-104. The Court of Appeal formed a very different view<br />
of the merits of the representative claim. They regarded the fact that the members of<br />
the represented class had not authorised the claim as an irrelevant factor, which the<br />
judge had wrongly taken into account, and considered that it was open to them to<br />
<br />
exercise the discretion afresh. They saw this litigation as the only way of obtaining a<br />
civil compensatory remedy for what, if proved, was a “wholesale and deliberate<br />
misuse of personal data without consent, undertaken with a view to commercial<br />
profit”: see [2020] QB 747, para 86. In these circumstances the Court of Appeal took<br />
<br />
the view that, as a matter of discretion, the claim should be allowed to proceed.<br />
<br />
<br />
159. It is unnecessary to decide whether the Court of Appeal was entitled to<br />
interfere with the judge’s discretionary ruling or whether it would be desirable for a<br />
commercially funded class action to be available on the facts alleged in this case. This is<br />
because, regardless of what view of it is taken, the claim has no real prospect of<br />
<br />
success. That in turn is because, in the way the claim has been framed in order to try to<br />
bring it as a representative action, the claimant seeks damages under section 13 of the<br />
DPA 1998 for each individual member of the represented class without attempting to<br />
show that any wrongful use was made by Google of personal data relating to that<br />
<br />
individual or that the individual suffered any material damage or distress as a result of<br />
a breach of the requirements of the Act by Google. For the reasons explained in this<br />
judgment, without proof of these matters, a claim for damages cannot succeed.<br />
<br />
<br />
160. I would therefore allow the appeal and restore the order made by the judge<br />
refusing the claimant’s application for permission to serve the proceedings on Google<br />
<br />
outside the jurisdiction of the courts of England and Wales.<br />
<br />
</pre></div>Mariam-hwthhttps://gdprhub.eu/index.php?title=UKSC_-_Richard_Lloyd_v_Google_LLC_(2021)_UKSC_50&diff=21384UKSC - Richard Lloyd v Google LLC (2021) UKSC 502021-11-23T18:37:11Z<p>Mariam-hwth: /* Holding: */</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=UKSC<br />
|Court_With_Country=UKSC (United Kingdom)<br />
<br />
|Case_Number_Name=Richard Lloyd v Google LLC (2021) UKSC 50<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=The Supreme Court of the United Kingdom<br />
|Original_Source_Link_1=https://www.supremecourt.uk/cases/docs/uksc-2019-0213-judgment.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Date_Decided=10.11.2021<br />
|Date_Published=10.11.2021<br />
|Year=2021<br />
<br />
<br />
|EU_Law_Name_1=Article 23 of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data<br />
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:31995L0046<br />
<br />
|National_Law_Name_1=Rule 19.6 of the Civil Procedure Rules<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=Section 13 of the Data Protection Act 1998<br />
|National_Law_Link_2=https://www.legislation.gov.uk/ukpga/1998/29/contents<br />
|National_Law_Name_3=Section 14 of the Data Protection Act 1998<br />
|National_Law_Link_3=https://www.legislation.gov.uk/ukpga/1998/29/contents<br />
|National_Law_Name_4=Section 4(4) of the Data Protection Act 1998<br />
|National_Law_Link_4=https://www.legislation.gov.uk/ukpga/1998/29/contents<br />
|National_Law_Name_5=Rule 19.11 of the Civil Procedure Rules<br />
|National_Law_Link_5=<br />
<br />
|Party_Name_1=Richard Lloyd<br />
|Party_Link_1=<br />
|Party_Name_2=Google LLC<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=England and Wales Court of Appeal (Civil Division)<br />
|Appeal_From_Case_Number_Name=Lloyd v Google LLC (2019) EWCA Civ 1599<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=https://www.bailii.org/ew/cases/EWCA/Civ/2019/1599.html<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=MH<br />
|<br />
}}<br />
<br />
The UK Supreme Court held that to claim compensation for an infringement of the Data Protection Act 1998, it was necessary to demonstrate material damage or distress suffered by each individual. A representative action was therefore not suitable. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Google secretly tracked Apple iPhone users between late 2011 and early 2012 and used the data collected in that way for commercial purposes. Google bypassed privacy settings on Apple iPhones and the default blocking of third party cookies on Safari with its “DoubleClick Ad” cookie by relying on an exception devised by Apple. Google placed this cookie without the user’s knowledge or consent. This cookie was enabled if users visited a website that included DoubleClick Ad content (advertising content). The cookie identified visits by a specific device to websites using this advertising content, including the date and time of the visit; the time spent by the user on the website; which advertisement was viewed and for how long; and, using the IP address, the user’s geographical location.
<br />
As a result, Google could infer the user’s internet surfing habits and location, as well as interests, race or ethnicity, social class, political or religious beliefs, health, sexual interests, age, gender and financial situation. Google then used this aggregated information to assign users to groups with labels (eg “football lovers”) and eventually offered these group labels to advertising organisations looking to target specific groups when using Google’s DoubleClick service.
<br />
This allegation was brought in the US, where Google paid $22.5 million to settle a charge brought by the US Federal Trade Commission and $17 million to settle consumer-based actions.
<br />
Three individuals in the UK sued Google in 2013 making the same allegation, and their claim was settled by Google (Vidal-Hall v Google Inc).
<br />
Lloyd filed a claim before the UK courts on behalf of everyone who resided in England and Wales and owned an Apple iPhone at the time of the secret tracking. Lloyd filed this class action with the intention of recovering damages for more than 4 million people affected. He claimed that compensation (£750 suggested) should be awarded under the Data Protection Act 1998 for loss of control of personal data without having to demonstrate that the claimant suffered financial loss or mental distress as a result of the infringement.
<br />
=== Holding ===<br />
<br />
==== Legal framework: ====<br />
Section 4(4) of the Data Protection Act 1998 (DPA 1998) imposes a duty on data controllers to comply with data protection principles. These are laid out in Schedule 1 of the DPA 1998.<br />
<br />
Section 13 of the DPA 1998 gives individuals a right to compensation from the controller if they suffer damage as a result of a contravention of the Act by that controller.<br />
<br />
Individuals whose claims give rise to a common issue of fact or law can apply for a Group Litigation Order to be made under Rule 19.11 of the Civil Procedure Rules. This is an “opt-in” regime where claimants must take steps to join the group.
<br />
They can also do so under a representative action, reflected in Rule 19.6 of the Civil Procedure Rules (CPR). However, as a detailed legislative framework is missing, the representative action rules within common law have been considered by the Supreme Court. The following principles are relevant:<br />
<br />
* “same interest” requirement where the representative must have the same interest or common issues as the persons they represent (within Rule 19.6 CPR)<br />
* “court’s discretion” as to whether to allow the claim to proceed as a representative action. This is an objective assessment as to whether the case can be dealt with justly and at a proportionate cost (within Rules 1.1 and 1.2 CPR)<br />
* “no requirement of consent” or awareness required from the people represented<br />
* “class definition” requirement where the class of people represented must be clearly defined <br />
* “liability for costs” requirement where the persons represented will not have to pay costs of being represented incurred by the representative<br />
* “scope for claiming damages” where claiming damages is limited by the nature of the remedy of damages at common law, or by the fact that damages may require an individual assessment
<br />
==== Holding: ====<br />
The UK Supreme Court did not object to a representative claim brought to establish whether Google was in breach of the DPA 1998. The Supreme Court also determined that the individuals had similar interests or common issues caused by tracking of their behaviour without consent.
<br />
According to the Court, there was no uniform effect caused by Google’s actions across the represented class. Instead, the effect and the amount recoverable by each individual would depend on the circumstances particular to the individuals (eg how often they used Safari or websites with DoubleClick Ad content). Contrary to Lloyd’s claim, the Court held that the DPA 1998 cannot be read to mean that individuals are entitled to compensation for any contravention of the DPA 1998 without needing to prove financial loss or distress. According to the leading judgment, under Section 13 DPA 1998, it is not enough to prove an infringement by a data controller, as “damage” (interpreted as only meaning material damages) or “distress” must be suffered as a result.
<br />
Following an analysis of Vidal-Hall v Google Inc (discussing Section 13 DPA 1998) and Gulati v MGN Ltd (discussing the tort of misuse of private information), the court outlined that it would be possible for Lloyd to claim (1) damages under Section 13(1) DPA 1998 for distress suffered due to Google’s infringement of the Act; and/or (2) damages for the misuse of private information without the need to show material damage or distress. However, the court outlined that the case was not made for either (a claim for the tort of misuse of private information not having been made). Again, the Court reiterated that to recover damages for distress under Section 13(1) DPA 1998, it would be necessary to provide evidence of this distress for each individual represented, making this incompatible with the nature of a representative action.
<br />
The UK Supreme Court rejected the argument that an infringement of the DPA 1998 should be dealt with in the same way as the tort of misuse of private information and that therefore damages can be recovered for interference by an organisation without the need to demonstrate material damage or distress. The UK Supreme Court relied on the fact that Section 13(1) DPA 1998 cannot be interpreted using that analogy, as highlighted above. The wording of the DPA 1998 and its interpretation in caselaw cannot be detached from the fact that material damage or distress must be demonstrated. <br />
<br />
''"…the wording of section 13(1) draws a distinction between “damage” suffered by an individual and a “contravention” of a requirement of the Act by a data controller, and provides a right to compensation “for that damage” only if the “damage” occurs “by reason of” the contravention."''
<br />
Section 14 DPA 1998 also supports the interpretation that damage, and not purely an infringement of the legislation, must be demonstrated. The Court also relied on the interpretation by the Court of Appeal in Vidal-Hall v Google Inc, which distinguished damage or distress suffered from contravention of a requirement in the DPA 1998. The Court also did not consider that it was possible to rely on an analogy between the tort of misuse of private information and Section 13 DPA 1998 simply because they are both founded in the common root of the “right to privacy” embodied in Article 8 European Convention on Human Rights.
<br />
Additionally, the Court held that it would be, in any case, necessary to identify damage or distress suffered by each individual for the purpose of awarding compensation (even if it was not necessary to show individual damage or distress as a result of the infringement). Factors like the extent of Google’s tracking; the quantity of data processed; the nature of the data processed (sensitive nature?); and the use of that information and benefit from it by Google would all need to be assessed for individual cases. Without such individualised assessment, the “lowest common denominator” on which Lloyd’s claim is based (proof that the individual is part of the class by having an iPhone at the time) would not be sufficient to amount to something more than trivial (as required under Section 13 DPA 1998). Therefore, compensation could not be quantified beyond 0.
<br />
The UK Supreme Court concluded and decided unanimously that: <br />
<br />
“''In order to recover compensation under the DPA 1998 for any given individual, it would be necessary to show both that Google made some unlawful use of personal data relating to that individual and that the individual suffered some damage as a result.''”<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
Michaelmas Term<br />
[2021] UKSC 50<br />
On appeal from: [2019] EWCA Civ 1599<br />
<br />
<br />
<br />
JUDGMENT<br />
<br />
<br />
Lloyd (Respondent) v Google LLC (Appellant)<br />
<br />
before<br />
<br />
<br />
Lord Reed, President<br />
Lady Arden<br />
Lord Sales<br />
<br />
Lord Leggatt<br />
Lord Burrows<br />
<br />
<br />
JUDGMENT GIVEN ON<br />
10 November 2021<br />
<br />
<br />
Heard on 28 and 29 April 2021<br />
<br />
<br />
Appellant<br />
Antony White QC<br />
Edward Craven<br />
<br />
(Instructed by Pinsent Masons LLP (London))<br />
<br />
<br />
Respondent<br />
Hugh Tomlinson QC<br />
Oliver Campbell QC<br />
<br />
Victoria Wakefield QC<br />
(Instructed by Milberg London LLP)<br />
<br />
<br />
1st Intervener (Information Commissioner)<br />
Gerry Facenna QC<br />
<br />
Nikolaus Grubeck<br />
(Instructed by Information Commissioner’s Office)<br />
<br />
<br />
2nd Intervener (Open Rights Group)<br />
(written submissions only)<br />
<br />
Robert Palmer QC<br />
Julianne Kerr Morrison<br />
(Instructed by AWO)<br />
<br />
<br />
<br />
3rd Intervener (Association of the British Pharmaceutical Industry and Association of British<br />
HealthTech Industries (ABPI and ABHI))<br />
(written submissions only)<br />
Lord Anderson of Ipswich KBE QC<br />
Robin Hopkins<br />
<br />
Rupert Paines<br />
(Instructed by CMS Cameron McKenna Nabarro Olswang LLP (London))<br />
<br />
<br />
4th Intervener (Liberty, Coram Children’s Legal Centre and Inclusion London)<br />
(written submissions only)<br />
<br />
Dan Squires QC<br />
Aidan Wills<br />
Tim James-Matthews<br />
(Instructed by Liberty, Coram Children’s Legal Centre and Deighton Pierce Glynn)<br />
<br />
<br />
<br />
5th Intervener (Internet Association)<br />
(written submissions only)<br />
Christopher Knight<br />
(Instructed by Linklaters LLP (London))<br />
<br />
<br />
6th Intervener (TECHUK Ltd (trading as techUK))<br />
(written submissions only)<br />
Catrin Evans QC<br />
<br />
Ian Helme<br />
(Instructed by RPC LLP (London))<br />
<br />
<br />
LORD LEGGATT: (with whom Lord Reed, Lady Arden, Lord Sales and Lord Burrows<br />
agree)<br />
<br />
<br />
A. INTRODUCTION<br />
<br />
<br />
1. Mr Richard Lloyd - with financial backing from Therium Litigation Funding IC, a<br />
commercial litigation funder - has issued a claim against Google LLC, alleging breach of<br />
<br />
its duties as a data controller under section 4(4) of the Data Protection Act 1998 (“the<br />
DPA 1998”). The claim alleges that, for several months in late 2011 and early 2012,<br />
Google secretly tracked the internet activity of millions of Apple iPhone users and used<br />
the data collected in this way for commercial purposes without the users’ knowledge<br />
<br />
or consent.<br />
<br />
<br />
2. The factual allegation is not new. In August 2012, Google agreed to pay a civil<br />
penalty of US$22.5m to settle charges brought by the United States Federal Trade<br />
Commission based upon the allegation. In November 2013, Google agreed to pay<br />
US$17m to settle consumer-based actions brought against it in the United States. In<br />
<br />
England and Wales, three individuals sued Google in June 2013 making the same<br />
allegation and claiming compensation under the DPA 1998 and at common law for<br />
misuse of private information: see Vidal-Hall v Google Inc (Information Comr<br />
intervening) [2015] EWCA Civ 311; [2016] QB 1003. Following a dispute over<br />
<br />
jurisdiction, their claims were settled before Google had served a defence. What is<br />
new about the present action is that Mr Lloyd is not just claiming damages in his own<br />
right, as the three claimants did in Vidal-Hall. He claims to represent everyone resident<br />
in England and Wales who owned an Apple iPhone at the relevant time and whose<br />
data were obtained by Google without their consent, and to be entitled to recover<br />
<br />
damages on behalf of all these people. It is estimated that they number more than 4m.<br />
<br />
<br />
3. Class actions, in which a single person is permitted to bring a claim and obtain<br />
redress on behalf of a class of people who have been affected in a similar way by<br />
alleged wrongdoing, have long been possible in the United States and, more recently,<br />
<br />
in Canada and Australia. Whether legislation to establish a class action regime should<br />
be enacted in the UK has been much discussed. In 2009, the Government rejected a<br />
recommendation from the Civil Justice Council to introduce a generic class action<br />
regime applicable to all types of claim, preferring a “sector based approach”. This was<br />
<br />
for two reasons:<br />
<br />
<br />
“Firstly, there are potential structural differences between<br />
the sectors which will require different consideration. …<br />
Secondly, it will be necessary to undertake a full assessment<br />
<br />
of the likely economic and other impacts before<br />
implementing any reform.”<br />
<br />
<br />
See the Government’s Response to the Civil Justice Council’s Report: “Improving<br />
Access to Justice through Collective Actions” (2008), paras 12-13.<br />
<br />
<br />
4. Since then, the only sector for which such a regime has so far been enacted is<br />
<br />
that of competition law. Parliament has not legislated to establish a class action regime<br />
in the field of data protection.<br />
<br />
<br />
5. Mr Lloyd has sought to overcome this difficulty by what the Court of Appeal in<br />
this case described as “an unusual and innovative use of the representative procedure”<br />
<br />
in rule 19.6 of the Civil Procedure Rules: see [2019] EWCA Civ 1599; [2020] QB 747,<br />
para 7. This is a procedure of very long standing in England and Wales whereby a claim<br />
can be brought by (or against) one or more persons as representatives of others who<br />
have “the same interest” in the claim. Mr Lloyd accepts that he could not use this<br />
procedure to claim compensation on behalf of other iPhone users if the compensation<br />
<br />
recoverable by each user would have to be individually assessed. But he contends that<br />
such individual assessment is unnecessary. He argues that, as a matter of law,<br />
compensation can be awarded under the DPA 1998 for “loss of control” of personal<br />
data without the need to prove that the claimant suffered any financial loss or mental<br />
<br />
distress as a result of the breach. Mr Lloyd further argues that a “uniform sum” of<br />
damages can properly be awarded in relation to each person whose data protection<br />
rights have been infringed without the need to investigate any circumstances<br />
particular to their individual case. The amount of damages recoverable per person<br />
would be a matter for argument, but a figure of £750 was advanced in a letter of claim.<br />
<br />
Multiplied by the number of people whom Mr Lloyd claims to represent, this would<br />
produce an award of damages of the order of £3 billion.<br />
<br />
<br />
6. Because Google is a Delaware corporation, the claimant needs the court’s<br />
permission to serve the claim form on Google outside the jurisdiction. The application<br />
<br />
for permission has been contested by Google on the grounds that the claim has no real<br />
prospect of success as: (1) damages cannot be awarded under the DPA 1998 for “loss<br />
of control” of data without proof that it caused financial damage or distress; and (2)<br />
the claim in any event is not suitable to proceed as a representative action. In the High<br />
<br />
Court Warby J decided both issues in Google’s favour and therefore refused permission<br />
to serve the proceedings on Google: see [2018] EWHC 2599 (QB); [2019] 1 WLR 1265.<br />
The Court of Appeal reversed that decision, for reasons given in a judgment of the<br />
Chancellor, Sir Geoffrey Vos, with which Davis LJ and Dame Victoria Sharp agreed:<br />
[2019] EWCA Civ 1599; [2020] QB 747.<br />
<br />
<br />
7. On this further appeal, because of the potential ramifications of the issues<br />
raised, as well as hearing the claimant and Google, the court has received written and<br />
oral submissions from the Information Commissioner and written submissions from<br />
five further interested parties.<br />
<br />
<br />
8. In this judgment I will first summarise the facts alleged and the relevant legal<br />
<br />
framework for data protection before considering the different methods currently<br />
available in English procedural law for claiming collective redress and, in particular, the<br />
representative procedure which the claimant is seeking to use. Whether that<br />
procedure is capable of being used in this case critically depends, as the claimant<br />
<br />
accepts, on whether compensation for the alleged breaches of data protection law<br />
would need to be individually assessed. I will then consider the claimant’s arguments<br />
that individual assessment is unnecessary. For the reasons given in detail below, those<br />
arguments cannot in my view withstand scrutiny. In order to recover compensation<br />
under the DPA 1998 for any given individual, it would be necessary to show both that<br />
<br />
Google made some unlawful use of personal data relating to that individual and that<br />
the individual suffered some damage as a result. The claimant’s attempt to recover<br />
compensation under the Act without proving either matter in any individual case is<br />
therefore doomed to fail.<br />
<br />
<br />
<br />
B. FACTUAL BACKGROUND<br />
<br />
<br />
9. The relevant events took place between 9 August 2011 and 15 February 2012<br />
and involved the alleged use by Google of what has been called the “Safari<br />
workaround” to bypass privacy settings on Apple iPhones.<br />
<br />
<br />
10. Safari is an internet browser developed by Apple and installed on its iPhones. At<br />
<br />
the relevant time, unlike most other internet browsers, all relevant versions of Safari<br />
were set by default to block third party cookies. A “cookie” is a small block of data that<br />
is placed on a device when the user visits a website. A “third party cookie” is a cookie<br />
placed on the device not by the website visited by the user but by a third party whose<br />
<br />
content is included on that website. Third party cookies are often used to gather<br />
information about internet use, and in particular web pages visited over time, to<br />
enable the delivery to the user of advertisements tailored to interests inferred from<br />
the user’s browsing history.<br />
<br />
<br />
<br />
11. Google had a cookie known as the “DoubleClick Ad cookie” which could operate<br />
as a third party cookie. It would be placed on a device if the user visited a website that<br />
included DoubleClick Ad content. The DoubleClick Ad cookie enabled Google to<br />
identify visits by the device to any website displaying an advertisement from its vast<br />
<br />
advertising network and to collect considerable amounts of information. It could tell<br />
the date and time of any visit to a given website, how long the user spent there, which<br />
pages were visited for how long, and what advertisements were viewed for how long.<br />
In some cases, by means of the IP address of the browser, the user’s approximate<br />
geographical location could be identified.<br />
<br />
<br />
<br />
12. Although the default settings for Safari blocked all third party cookies, a blanket<br />
application of these settings would have prevented the use of certain popular web<br />
functions; so Apple devised some exceptions to them. These exceptions were in place<br />
until March 2012, when the system was changed. But in the meantime the exceptions<br />
<br />
made it possible for Google to devise and implement the Safari workaround. Its effect<br />
was to place the DoubleClick Ad cookie on an Apple device, without the user’s<br />
knowledge or consent, immediately, whenever the user visited a website that<br />
contained DoubleClick Ad content.<br />
<br />
<br />
13. It is alleged that, in this way, Google was able to collect or infer information<br />
<br />
relating not only to users’ internet surfing habits and location, but also about such<br />
diverse factors as their interests and pastimes, race or ethnicity, social class, political or<br />
religious beliefs or affiliations, health, sexual interests, age, gender and financial<br />
situation.<br />
<br />
<br />
<br />
14. Further, it is said that Google aggregated browser generated information from<br />
users displaying similar patterns, creating groups with labels such as “football lovers”,<br />
or “current affairs enthusiasts”. Google’s DoubleClick service then offered these group<br />
labels to subscribing advertisers to choose from when selecting the type of people at<br />
whom they wanted to target their advertisements.<br />
<br />
<br />
<br />
C. THE LEGAL FRAMEWORK<br />
<br />
<br />
15. The DPA 1998 was enacted to implement Parliament and Council Directive<br />
95/46/EC of 24 October 1995 “on the protection of individuals with regard to the<br />
processing of personal data and on the free movement of such data” (OJ 1995 L281, p<br />
<br />
31) (the “Data Protection Directive”). The Data Protection Directive has been<br />
superseded by the General Data Protection Regulation, which became law in the UK in<br />
May 2018, supplemented by the Data Protection Act 2018 (“the DPA 2018”). The DPA<br />
2018 repealed and replaced the DPA 1998 except in relation to acts or omissions which<br />
<br />
occurred before it came into force.<br />
<br />
<br />
<br />
<br />
16. Because the acts and omissions giving rise to the present claim occurred in 2011<br />
and 2012, the claim is governed by the old law contained in the DPA 1998 and the Data<br />
Protection Directive. The parties and interveners in their submissions on this appeal<br />
nevertheless made frequent references to provisions of the General Data Protection<br />
Regulation and the DPA 2018. In principle, the meaning and effect of the DPA 1998 and<br />
<br />
the Data Protection Directive cannot be affected by legislation which has been enacted<br />
subsequently. The later legislation therefore cannot help to resolve the issues raised<br />
on this appeal, and I shall leave it to one side.<br />
<br />
<br />
(1) The scheme of the DPA 1998<br />
<br />
<br />
<br />
17. Section 4(4) of the DPA 1998 imposed a duty on a data controller to comply<br />
with “the data protection principles” set out in Schedule 1 “in relation to all personal<br />
data with respect to which he is the data controller”. As defined in section 1(1) of the<br />
Act, “personal data” are, in effect, all recorded information which relate to an<br />
identifiable individual. An individual who is the subject of personal data is referred to<br />
<br />
as the “data subject”. A “data controller” is a person who (either alone or with others)<br />
“determines the purposes for which and the manner in which any personal data are, or<br />
are to be, processed.” The term “processing” is defined very broadly to mean<br />
“obtaining, recording or holding the information or data or carrying out any operation<br />
<br />
or set of operations on the information or data …”. Section 2 of the Act establishes a<br />
category of “sensitive personal data” consisting of information about certain specified<br />
matters, which include the racial or ethnic origin, political opinions, religious beliefs,<br />
physical or mental health or sexual life of the data subject.<br />
<br />
<br />
18. The first of the eight “data protection principles” set out in Schedule 1 is that:<br />
<br />
<br />
<br />
“Personal data shall be processed fairly and lawfully and, in<br />
particular, shall not be processed unless -<br />
<br />
<br />
(a) at least one of the conditions in Schedule 2 is met,<br />
and<br />
<br />
<br />
<br />
(b) in the case of sensitive personal data, at least one<br />
of the conditions in Schedule 3 is also met.”<br />
<br />
<br />
The other seven data protection principles, in summary, require personal data: (2) to<br />
be obtained and processed only for specified and lawful purposes; (3) to be “adequate,<br />
<br />
relevant, and not excessive” in relation to those purposes; (4) to be accurate and,<br />
where necessary, kept up to date; (5) not to be kept for longer than is necessary for<br />
those purposes; (6) to be processed in accordance with the rights of data subjects<br />
under the Act; (7) to be protected by appropriate technical and organisational security<br />
measures against unauthorised or unlawful processing and against accidental loss or<br />
destruction or damage; and (8) not to be transferred outside the European Economic<br />
<br />
Area unless the destination country or territory provides an adequate level of<br />
protection for data subjects in relation to the processing of personal data.<br />
<br />
<br />
19. As discussed in more detail below, section 13 of the DPA 1998 gives an<br />
individual who suffers damage “by reason of any contravention by a data controller of<br />
<br />
any of the requirements of this Act” a right to compensation from the data controller<br />
for that damage.<br />
<br />
<br />
(2) The allegations of breach of duty<br />
<br />
<br />
20. The claimant, Mr Lloyd, contends that Google processed personal data of each<br />
member of the represented class in breach of the first, second and seventh data<br />
<br />
protection principles. The represented class consists in essence of everyone in England<br />
and Wales who at the relevant time had an Apple iPhone on which Google’s<br />
DoubleClick Ad cookie was placed through the Safari workaround. (The precise<br />
definition of the class is set out at para 19 of Warby J’s judgment.) Two principal<br />
<br />
allegations made are that, in breach of the first data protection principle, (i) the data<br />
obtained by placing the DoubleClick Ad cookie on each class member’s device were not<br />
processed fairly and (ii) none of the conditions in Schedule 2 (or 3) was met.<br />
<br />
<br />
21. Schedule 1, Part II, paragraph 2, provides, in substance, that personal data<br />
obtained from the data subject are not to be treated as processed fairly unless the<br />
<br />
data controller informs the data subject of the purpose for which the data are<br />
intended to be processed - a requirement with which it is said that Google failed to<br />
comply in this case.<br />
<br />
<br />
22. Schedule 2 contains a list of conditions capable of justifying the processing of<br />
<br />
data. To comply with the first data protection principle, at least one of these<br />
conditions must be satisfied. The first condition in Schedule 2 is that “the data subject<br />
has given his consent to the processing”. Other conditions are that the processing is<br />
necessary for (amongst other things): the performance of a contract to which the data<br />
<br />
subject is a party; or compliance with a legal obligation (other than a contractual<br />
obligation) of the data controller; or to protect the vital interests of the data subject;<br />
or for the exercise of any functions of a public nature exercised in the public interest<br />
by any person. The claimant asserts that the members of the represented class whose<br />
personal data Google processed had not given their consent to the processing, nor was<br />
any of the other conditions capable of justifying the processing met. Hence for this<br />
reason too Google was in breach of the first data protection principle.<br />
<br />
<br />
23. There is no doubt that the claimant is entitled to advance a claim against Google<br />
on this basis in his own right which has a real prospect of success. The issue is whether<br />
<br />
he can also do so on behalf of all other iPhone users who fall within the represented<br />
class. This depends on the scope of the representative procedure available under the<br />
Civil Procedure Rules (“CPR”). Before I come to that procedure, I will mention in order<br />
to compare them the two other methods of claiming collective redress currently<br />
<br />
available in English procedural law.<br />
<br />
<br />
D. COLLECTIVE REDRESS IN ENGLISH LAW<br />
<br />
<br />
(1) Group Actions<br />
<br />
<br />
24. A group of people who wish to bring claims which give rise to common or<br />
related issues of fact or law can apply to the court for a Group Litigation Order to be<br />
<br />
made under CPR rule 19.11, providing for the claims to be managed together, usually<br />
by a single designated judge. The Group Litigation Order will establish a register of the<br />
claims included in the group, which is maintained by the claimants’ lead solicitor. The<br />
order may also make provision for how the litigation costs are to be shared among the<br />
<br />
claimants. How the claims are managed is a matter for the designated judge, but<br />
procedures typically used are to select one or more claims to be tried as test claims<br />
while the remaining claims are stayed and to decide as preliminary issues common<br />
issues of law or fact which are potentially dispositive of the litigation. Unless the court<br />
orders otherwise, a judgment given or order made in the litigation is binding on all the<br />
<br />
claimants included in the group register: see CPR rule 19.12(1)(a).<br />
<br />
<br />
25. Where the individual claims are of sufficiently high value, group actions can be<br />
an effective way of enabling what are typically several hundred or thousands of claims<br />
to be litigated and managed together, avoiding duplication of the court’s resources<br />
<br />
and allowing the claimants to benefit from sharing costs and litigation risk and by<br />
obtaining a single judgment which is binding in relation to all their claims. However,<br />
the group action procedure suffers from the drawback that it is an “opt-in” regime: in<br />
other words, claimants must take active steps to join the group. This has an<br />
<br />
administrative cost, as a solicitor conducting the litigation has to obtain sufficient<br />
information from a potential claimant to determine whether he or she is eligible to be<br />
added to the group register, give appropriate advice and enter into a retainer with the<br />
client. For claims which individually are only worth a few hundred pounds, this process<br />
is not economic as the initial costs alone may easily exceed the potential value of the<br />
claim.<br />
<br />
<br />
26. Another limitation of opt-in proceedings is that experience has shown that only<br />
a relatively small proportion of those eligible to join the group are likely to do so,<br />
particularly if the number of people affected is large and the value of each individual<br />
<br />
claim relatively small. For example, a group action was recently brought against the<br />
Morrisons supermarket chain for compensation for breach of the DPA 1998 arising<br />
from the disclosure on the internet by a Morrisons’ employee of personal data relating<br />
to other employees. Of around 100,000 affected employees, fewer than 10,000 opted<br />
<br />
to join the group action: see Various Claimants v Wm Morrisons Supermarkets plc<br />
[2017] EWHC 3113 (QB); [2019] QB 772 (reversed on the issue of vicarious liability by<br />
the Supreme Court: [2020] UKSC 12; [2020] AC 989). During the period of more than 12<br />
years in which collective proceedings under the Competition Act 1998 (discussed<br />
below) could be brought only on an opt-in basis just one action was commenced,<br />
<br />
based on a finding of price fixing in the sale of replica football shirts. Although around<br />
1.2 – 1.5m people were affected, despite widespread publicity only 130 people opted<br />
into the proceedings: see The Consumers' Association v JJB Sports Plc [2009] CAT 2,<br />
para 5; Civil Justice Council Report “Improving Access to Justice through Collective<br />
<br />
Actions” (2008), Part 6, para 22; and Grave D, McIntosh M and Rowan G (eds), Class<br />
Actions in England and Wales, 1st ed (2018), para 1-068.<br />
<br />
<br />
27. Likely explanations for the low participation rates typically experienced in opt-in<br />
regimes include lack of awareness of the opportunity to join the litigation and the<br />
natural human tendency to do nothing when faced with a choice which requires<br />
<br />
positive action - particularly if there is no immediate benefit to be gained and the<br />
consequences are uncertain and not easy to understand: see eg Thaler R and Sunstein<br />
C, Nudge: The Final Edition (2021), pp 36-38; Samuelson W and Zeckhauser R, “Status<br />
Quo Bias in Decision Making” (1988) 1 Journal of Risk and Uncertainty 7-59. As the<br />
<br />
New Zealand Court of Appeal has recently said of opt-in class actions:<br />
<br />
<br />
“Whichever approach is adopted, many class members are<br />
likely to fail to take any positive action for a range of reasons<br />
that have nothing at all to do with an assessment of whether<br />
<br />
or not it is in their interests to participate in the proceedings.<br />
Some class members will not receive the relevant notice.<br />
Others will not understand the notice, or will have difficulty<br />
understanding what action they are required to take and<br />
completing any relevant form, or will be unsure or hesitant<br />
<br />
about what to do and will do nothing. Even where a class<br />
member considers that it is in their interests to participate in<br />
the proceedings, the significance of inertia in human affairs<br />
should not be underestimated.”<br />
<br />
<br />
Ross v Southern Response Earthquake Services Ltd [2019] NZCA 431, para 98; approved<br />
by the New Zealand Supreme Court at [2020] NZSC 126, para 40.<br />
<br />
<br />
28. A further factor which makes group litigation impractical in cases where the loss<br />
<br />
suffered by each individual is small, even if in aggregate it may amount to a very large<br />
sum of money, is the need to prove the quantum of loss in each individual case. Not<br />
only are eligible individuals less likely to opt into the proceedings where the potential<br />
gain to them is small, but the costs of obtaining evidence from each individual to<br />
<br />
support their claim is again likely to make group litigation uneconomic in such cases.<br />
<br />
<br />
(2) Collective Proceedings<br />
<br />
<br />
29. Compared to group actions, the method of collective redress which is now<br />
available in the field of competition law offers significant advantages for claimants,<br />
particularly where many people have been affected by the defendant’s conduct but<br />
<br />
the value of each individual claim is small. Section 47B of the Competition Act 1998<br />
(added by the Enterprise Act 2002 and as amended by the Consumer Rights Act 2015)<br />
makes provision for bringing “collective proceedings” in the Competition Appeal<br />
Tribunal (“CAT”) combining two or more claims to which section 47A applies<br />
<br />
(essentially, claims in respect of an infringement or alleged infringement of<br />
competition law). Such proceedings must be commenced by a person who proposes to<br />
be the representative of a specified class of persons, and the proceedings may only be<br />
continued if they are certified by the CAT as satisfying criteria set out in section 47B<br />
<br />
and in the CAT Rules. Two features of this regime may be noted.<br />
<br />
<br />
30. First, unlike group litigation, collective proceedings may be brought on either an<br />
“opt-in” or “opt-out” basis. “Opt-out” collective proceedings are proceedings brought<br />
on behalf of each class member except any member who opts out by notifying the<br />
class representative that their claim should not be included in the proceedings: see<br />
<br />
section 47B(11). Where “opt-out” collective proceedings are permitted, a person may<br />
therefore have a claim brought on their behalf without taking any affirmative step and,<br />
potentially, without even knowing of the existence of the proceedings and the fact that<br />
he or she is represented in them.<br />
<br />
<br />
<br />
31. A second significant feature of the collective proceedings regime is that it<br />
enables liability to be established and damages recovered without the need to prove<br />
that members of the class have individually suffered loss: it is sufficient to show that<br />
loss has been suffered by the class viewed as a whole. This is the effect of section<br />
47C(2) of the Competition Act, which provides:<br />
<br />
<br />
“The tribunal may make an award of damages in collective<br />
proceedings without undertaking an assessment of the<br />
<br />
amount of damages recoverable in respect of the claim of<br />
each represented person.”<br />
<br />
<br />
Such an award of damages is referred to in the CAT Rules as “an aggregate award of<br />
damages”: see rule 73(2).<br />
<br />
<br />
<br />
32. As Lord Briggs explained in Merricks v Mastercard [2020] UKSC 51; [2021] Bus LR<br />
25, at para 76, section 47C(2) of the Competition Act “radically alters the established<br />
common law compensatory principle by removing the requirement to assess individual<br />
loss”. This is so for the purposes both of making and of paying out an aggregate award<br />
of damages. How an aggregate award of damages is distributed among the members<br />
<br />
of the class is subject to the control of the CAT and, as this court held in Merricks v<br />
Mastercard, the only requirement is that the distribution should be just: see paras 76-<br />
77, 149. No doubt in many cases a just method of distribution will be one which divides<br />
up an aggregate award of damages in a way which takes account of individual loss. But<br />
<br />
particularly where the size of the class is large and the amount of damages awarded<br />
small considered on a per capita basis, it may be impractical or disproportionate to<br />
adopt such a method. In such cases some other method of distribution, such as an<br />
equal division among all the members of the class, may be justified.<br />
<br />
<br />
<br />
(3) Representative Actions<br />
<br />
<br />
33. Collective proceedings are a recent phenomenon in English law. By contrast, the<br />
representative procedure which the claimant is seeking to use in this case has existed<br />
for several hundred years. The current version of the representative rule is CPR rule<br />
19.6, which states:<br />
<br />
<br />
<br />
“(1) Where more than one person has the same interest in<br />
a claim -<br />
<br />
<br />
(a) the claim may be begun; or<br />
<br />
<br />
<br />
(b) the court may order that the claim be continued,<br />
<br />
<br />
by or against one or more of the persons who have the same<br />
interest as representatives of any other persons who have<br />
that interest.<br />
<br />
<br />
(2) The court may direct that a person may not act as a<br />
<br />
representative.<br />
<br />
<br />
(3) Any party may apply to the court for an order under<br />
paragraph (2).<br />
<br />
<br />
(4) Unless the court otherwise directs any judgment or<br />
<br />
order given in a claim in which a party is acting as a<br />
representative under this rule -<br />
<br />
<br />
(a) is binding on all persons represented in the claim;<br />
but<br />
<br />
<br />
(b) may only be enforced by or against a person who is<br />
<br />
not a party to the claim with the permission of the<br />
court.”<br />
<br />
<br />
(a) Origins of the rule<br />
<br />
<br />
34. This rule has its origins in the procedure of the Court of Chancery before the<br />
<br />
Judicature Act of 1873. The general rule was that all persons materially interested in<br />
the subject-matter of a suit should be made parties to it, either as claimants or<br />
defendants, so as to ensure that the rights of all persons interested were settled by a<br />
single judgment of the court: see eg Adair v New River Co (1805) 11 Ves Jr 429; 32 ER<br />
<br />
1153; Cockburn v Thompson (1809) 16 Ves Jr 321; 33 ER 1005. However, to join all<br />
interested persons as parties was not always practically convenient - particularly if they<br />
were very numerous. The solution devised was not to abandon the aim of settling the<br />
rights of all interested persons in a single proceeding; rather, it was to relax the<br />
“complete joinder rule” by allowing one or more claimants or defendants to represent<br />
<br />
all others who had the same interest as them: see Sorabji J, “The hidden class action in<br />
English civil procedure” (2009) 28 CJQ 498. All persons represented in this way, as well<br />
as the parties actually before the court, were bound by the court’s decision.<br />
<br />
35. In the very early cases in the 16th and 17th centuries in which this procedure<br />
was adopted, the persons represented were invariably a cohesive communal group,<br />
such as parishioners or manorial tenants, whose members had agreed to be<br />
represented; and the representatives were often required to show proof of their<br />
authority to represent the group. But as the nature of society changed and new, more<br />
<br />
impersonal institutions such as friendly societies and joint stock companies with<br />
multiple investors emerged, this requirement was dropped. The court allowed persons<br />
to be represented whether or not they had consented to such representation or even<br />
knew of the action, relying on community of interest among the members of the group<br />
<br />
to ensure that the interests of all were adequately protected: see Yeazell, “From Group<br />
Litigation to Class Action, Part I: The Industrialization of Group Litigation” (1980) 27<br />
UCLA Law Review 514.<br />
<br />
<br />
36. Many of the formative cases involved joint stock companies at a time (before<br />
the Joint Stock Companies Acts 1844 to 1858) when such companies were not yet<br />
<br />
recognised as separate legal entities which could sue or be sued. An action had<br />
therefore to be brought by (or against) the members themselves. In Chancey v May<br />
(1722) Precedents in Chancery 592; 24 ER 265, the treasurer and manager of a brass-<br />
works brought an action on behalf of themselves and all other proprietors of the<br />
<br />
undertaking, of whom there were 800 in total, except for the defendants, who were its<br />
former managers, to call the defendants to account for alleged mismanagement and<br />
embezzlement. The defendants objected that the claim should not be allowed to<br />
proceed as the rest of the proprietors had not been made parties. The court dismissed<br />
that objection on the grounds that, first, the action had been brought on behalf of all<br />
<br />
the other proprietors, so that “all the rest were in effect parties”, and secondly:<br />
<br />
<br />
“Because it would be impracticable to make them all parties<br />
by name, and there would be continual abatements by death<br />
and otherwise, and no coming at justice, if all were to be<br />
<br />
made parties.”<br />
<br />
<br />
37. Another notable case involving a joint stock company was Meux v Maltby (1818)<br />
2 Swanston 277; 36 ER 621. In this case the treasurer and directors of the company<br />
were sued as representative defendants on a contract made on behalf of all the<br />
<br />
members of the company to grant a lease. In rejecting an argument that the claim was<br />
defective because not all the proprietors were before the court, Plumer MR explained,<br />
at pp 281-282:<br />
<br />
<br />
“The general rule, which requires the plaintiff to bring before<br />
the court all the parties interested in the subject in question,<br />
<br />
admits of exceptions. The liberality of this court has long held<br />
that there is of necessity an exception to the general rule,<br />
when a failure of justice would ensue from its enforcement.”<br />
<br />
<br />
After citing numerous authorities, he concluded, at p 284:<br />
<br />
<br />
“Here is a current of authority, adopting more or less a<br />
general principle of exception, by which the rule, that all<br />
<br />
persons interested must be parties, yields when justice<br />
requires it, in the instance either of plaintiffs or defendants.<br />
… It is quite clear that the present suit has sufficient parties,<br />
and that the defendants may be considered as representing<br />
<br />
the company.”<br />
<br />
<br />
38. In Duke of Bedford v Ellis [1901] AC 1, 8, Lord Macnaghten summarised the<br />
practice of the Court of Chancery in this way:<br />
<br />
<br />
“The old rule in the Court of Chancery was very simple and<br />
perfectly well understood. Under the old practice the Court<br />
<br />
required the presence of all parties interested in the matter<br />
in suit, in order that a final end might be made of the<br />
controversy. But when the parties were so numerous that<br />
you never could ‘come at justice’, to use an expression in one<br />
<br />
of the older cases, if everybody interested was made a party,<br />
the rule was not allowed to stand in the way. It was originally<br />
a rule of convenience: for the sake of convenience it was<br />
relaxed. Given a common interest and a common grievance,<br />
a representative suit was in order if the relief sought was in<br />
<br />
its nature beneficial to all whom the plaintiff proposed to<br />
represent.”<br />
<br />
<br />
(b) Effect of the Judicature Act<br />
<br />
<br />
39. By the Supreme Court of Judicature Act 1873, all the jurisdiction previously<br />
<br />
exercised by the Court of Chancery and the courts of common law was transferred to<br />
and vested in the new High Court of Justice. Rules of procedure for the High Court<br />
were scheduled to the Act, which included as rule 10:<br />
<br />
<br />
“Where there are numerous parties having the same interest<br />
<br />
in one action, one or more of such parties may sue or be<br />
sued, or may be authorised by the court to defend in such<br />
action, on behalf or for the benefit of all parties so<br />
interested.”<br />
<br />
<br />
This rule became Order 16, rule 9 of the Rules of the Supreme Court and has remained<br />
in force in the same or similar form ever since. Save that the requirement for<br />
<br />
“numerous parties” has been reduced to “more than one”, there is no significant<br />
difference in the current version of the rule, quoted at para 33 above.<br />
<br />
<br />
40. At first after the enactment of the Judicature Act the courts construed the new<br />
rule narrowly. In Temperton v Russell [1893] 1 QB 435, 438, Lindley LJ, who gave the<br />
<br />
judgment of the Court of Appeal, expressed the view that the rule only applied to<br />
“persons who have or claim some beneficial proprietary right” which they are asserting<br />
or defending in an action that would have come within the jurisdiction of the old Court<br />
of Chancery; hence the rule did not apply to a claim for damages in tort. That view,<br />
however, was repudiated by the House of Lords in Duke of Bedford v Ellis [1901] AC 1.<br />
<br />
Six individuals sued the Duke of Bedford, who owned Covent Garden Market, on behalf<br />
of themselves and all other growers of fruit, flowers, vegetables, roots and herbs, to<br />
enforce certain preferential rights claimed under the Covent Garden Market Act 1828<br />
to stands in the market. They sought declarations of the rights of the growers and an<br />
<br />
injunction to restrain the Duke from acting inconsistently with those rights. They also<br />
claimed - though only for themselves and not on behalf of other growers - an account<br />
and repayment of sums charged to them for selling at the market in excess of what<br />
they would have paid if afforded their alleged preferential rights. The Duke applied to<br />
have the action stayed either on the ground that the claimants had no beneficial<br />
<br />
proprietary right, or on the ground that the joinder in one action of parties claiming<br />
separate and different rights under the Act, both personally and as representing a<br />
class, would embarrass or delay the trial. The House of Lords rejected both grounds<br />
(the first unanimously and the second by a majority of 3 to 2) and held that the action<br />
<br />
could be maintained.<br />
<br />
<br />
41. Lord Macnaghten, who gave the leading speech, expressly disapproved the<br />
restrictive view of the representative rule expressed in Temperton v Russell and<br />
confirmed that its purpose was simply to apply the practice of the Court of Chancery to<br />
<br />
all divisions of the High Court. The only change was therefore that the rule was now<br />
applicable in actions which, before the Judicature Act, could only have been brought in<br />
a court of common law. He said, at pp 10-11, that:<br />
<br />
<br />
“… in all other respects I think the rule as to representative<br />
suits remains very much as it was a hundred years ago. From<br />
<br />
the time it was first established it has been recognised as a<br />
simple rule resting merely upon convenience. It is impossible,<br />
I think, to read such judgments as those delivered by Lord<br />
Eldon in Adair v New River Co, in 1805, and in Cockburn v<br />
Thompson, in 1809, without seeing that Lord Eldon took as<br />
broad and liberal a view on this subject as anybody could<br />
<br />
desire. ‘The strict rule’, he said, ‘was that all persons<br />
materially interested in the subject of the suit, however<br />
numerous, ought to be parties … but that being a general rule<br />
established for the convenient administration of justice must<br />
<br />
not be adhered to in cases to which consistently with<br />
practical convenience it is incapable of application’. ‘It was<br />
better’, he added, ‘to go as far as possible towards justice<br />
than to deny it altogether’. He laid out of consideration the<br />
case of persons suing on behalf of themselves and all others,<br />
<br />
‘for in a sense’, he said, ‘they are before the Court’. As<br />
regards defendants, if you cannot make everybody interested<br />
a party, you must bring so many that it can be said they will<br />
fairly and honestly try the right. I do not think, my Lords, that<br />
<br />
we have advanced much beyond that in the last hundred<br />
years …”<br />
<br />
<br />
As Megarry J commented in John v Rees [1970] Ch 345, 370, this explanation made it<br />
plain that the representative rule is to be treated as being “not a rigid matter of<br />
principle but a flexible tool of convenience in the administration of justice”.<br />
<br />
<br />
<br />
42. In Taff Vale Railway Co v Amalgamated Society of Railway Servants [1901] AC<br />
426, 443, Lord Lindley (as he had become) went out of his way to endorse this view<br />
and to retract his earlier observations in Temperton v Russell, stating:<br />
<br />
<br />
“The principle on which the rule is based forbids its<br />
<br />
restriction to cases for which an exact precedent can be<br />
found in the reports. The principle is as applicable to new<br />
cases as to old, and ought to be applied to the exigencies of<br />
modern life as occasion requires. The rule itself has been<br />
<br />
embodied and made applicable to the various Divisions of the<br />
High Court by the Judicature Act, 1873, sections 16 and 23-<br />
25, and Order XVI, rule 9; and the unfortunate observations<br />
made on that rule in Temperton v Russell have been happily<br />
corrected in this House in the Duke of Bedford v Ellis and in<br />
<br />
the course of the argument in the present case.”<br />
<br />
<br />
(c) Markt and declarations of rights<br />
<br />
<br />
43. The subsequent decision of the Court of Appeal in Markt & Co Ltd v Knight<br />
Steamship Co Ltd [1910] 2 KB 1021 has sometimes been seen as undermining the<br />
broad and flexible view of the representative rule adumbrated by the House of Lords in<br />
these two cases by imposing significant constraints on its use: see eg Esanda Finance<br />
<br />
Corpn Ltd v Carnie (1992) 29 NSWLR 382, 395; Mulheron R, The Class Action in<br />
Common Law Legal Systems (2004) pp 78-82; Sorabji J, “The hidden class action in<br />
English civil procedure” (2009) 28 CJQ 498. I do not think, however, that the decision<br />
should be understood in this way. Markt was heard together with another action also<br />
<br />
brought against the owners of a cargo vessel which was intercepted by a Russian<br />
cruiser on a voyage to Japan during the Russo-Japanese war, on suspicion of carrying<br />
contraband of war, and sunk. Just before the limitation period expired, two cargo-<br />
owners issued writs “on behalf of themselves and others owners of cargo lately laden<br />
on board” the vessel, claiming “damages for breach of contract and duty in and about<br />
<br />
the carriage of goods by sea”. No further particulars of the claims were given.<br />
<br />
<br />
44. All three members of the Court of Appeal agreed that the claims as formulated<br />
could not be pursued as representative actions as there was no basis for asserting that<br />
all the cargo owners had the same interest in the actions. That was so if only because a<br />
<br />
claim that the shipowners were in breach of duty in carrying contraband goods plainly<br />
could not be maintained on behalf of any cargo-owners who had themselves shipped<br />
such goods; furthermore, each cargo owner would need to prove their individual loss.<br />
Buckley LJ would have allowed the claimants to amend their writs and continue the<br />
proceedings on behalf of themselves and all cargo-owners who were not shippers of<br />
<br />
contraband goods, claiming a declaration that the defendants were in breach of<br />
contract and duty in shipping contraband of war. The other judges, however, did not<br />
agree to this course. Vaughan Williams LJ, at p 1032, rejected it on the grounds that<br />
the proposed amendment had not been brought before the court in a way which gave<br />
<br />
a proper opportunity for argument and doubted anyway whether the amendment<br />
could be so framed as to disclose a common purpose of the shippers or any class of the<br />
shippers. Fletcher Moulton LJ, at p 1042, considered that making a declaration of the<br />
type suggested would be contrary to the practice of the courts and that subsequent<br />
<br />
claims by individual cargo-owners relying on such a declaration to recover damages<br />
would constitute new claims which would be time-barred, as the limitation period had<br />
now expired.<br />
<br />
<br />
45. The readiness of English courts to give judgments declaring legal rights where it<br />
would serve a useful purpose has much increased since 1910. An important step was<br />
<br />
the decision of the Court of Appeal in Guaranty Trust Co of New York v Hannay & Co<br />
[1915] 2 KB 536, which held that a declaration can be granted at the instance of a<br />
<br />
claimant even if the claimant has no cause of action against the defendant. Two cases<br />
decided together by the Court of Appeal in 1921 showed that there is no reason in<br />
principle why a claim for a declaration of the kind suggested by Buckley LJ in Markt<br />
cannot be brought as a representative action. In David Jones v Cory Bros & Co Ltd<br />
(1921) 56 LJ 302; 152 LT Jo 70, five individuals sued on their own behalf and on behalf<br />
<br />
of all other underground and surface workmen employed at the defendant’s colliery<br />
on three specified days in September 1919. They alleged that on those three days the<br />
safety lamps in use at the colliery were not in accordance with statutory requirements,<br />
were insufficient in number and were not properly examined; and that in consequence<br />
<br />
the workmen justifiably refused to go to work and lost the wages they would<br />
otherwise have earned and were entitled to damages. In Thomas v Great Mountain<br />
Collieries Co, which was heard at the same time, two claimants sued the owner of<br />
another colliery for loss of wages, alleging breach of statutory duty in not having a<br />
weighing machine to weigh coal as near the pit mouth as was reasonably practicable.<br />
<br />
The workmen were divided into two classes - one comprising all workmen whose<br />
wages depended on the amount of coal gotten and the other comprising all other<br />
underground and surface workmen. The claimants sued on their own behalf and on<br />
behalf of the class they respectively represented.<br />
<br />
<br />
<br />
46. In each action the claims were divisible under three heads: (1) claims for<br />
declarations upon matters in which the classes represented were alleged to have a<br />
common interest; (2) claims for damages by the individual named claimants; and (3)<br />
claims for damages by the individual members of the classes represented.<br />
Unfortunately, only a bare summary of the judgments is reported. But this records that<br />
<br />
the Court of Appeal by a majority (Bankes and Atkin LJJ, with Scrutton LJ dissenting)<br />
held that the claimants were entitled to sue in a representative capacity as regards<br />
claims that came within (1) and (2), but not as regards claims for damages by the<br />
individual members of the classes represented.<br />
<br />
<br />
<br />
47. In Prudential Assurance Co Ltd v Newman Industries Ltd [1981] Ch 229 the<br />
claimant brought a derivative action as a minority shareholder of the first defendant<br />
company claiming damages on behalf of the company against two of its directors for<br />
breach of duty and conspiracy. At the start of the hearing the claimant applied to<br />
<br />
amend its statement of claim to add a personal claim against the directors and the<br />
company, brought in a representative capacity on behalf of all the shareholders. The<br />
relief sought was a declaration that those shareholders who had suffered loss as a<br />
result of the alleged conspiracy were entitled to damages. The judge (Vinelott J)<br />
allowed the amendment. He distinguished Markt and followed David Jones v Cory Bros<br />
<br />
in holding that a representative claim for a declaration could be pursued<br />
notwithstanding that each member of the class of persons represented had a separate<br />
cause of action. Although the personal claim was later held by the Court of Appeal in<br />
Prudential Assurance Co Ltd v Newman Industries Ltd (No 2) [1981] Ch 204 at 222 to be<br />
<br />
misconceived as a matter of substantive law, the Court of Appeal cast no doubt on the<br />
use of the representative procedure.<br />
<br />
<br />
48. This decision was important in demonstrating the potential for a bifurcated<br />
process whereby issues common to the claims of a class of persons may be decided in<br />
a representative action which, if successful, can then form a basis for individual claims<br />
<br />
for redress. More generally, the Prudential case marked a welcome revival of the spirit<br />
of flexibility which characterised the old case law.<br />
<br />
<br />
(d) Claims for damages<br />
<br />
<br />
49. In the cases so far mentioned where claims were held to come within the scope<br />
<br />
of the representative rule, the relief claimed on behalf of the represented class was<br />
limited to a declaration of legal rights. It was accepted or held that the named<br />
claimants could only claim damages or other monetary relief in their personal capacity.<br />
In Markt Fletcher Moulton LJ expressed the view, at pp 1035 and 1040-1041, that<br />
damages are “a personal relief” and that:<br />
<br />
<br />
<br />
“no representative action can lie where the sole relief sought<br />
is damages, because they have to be proved separately in the<br />
case of each plaintiff, and therefore the possibility of<br />
representation ceases.”<br />
<br />
<br />
<br />
50. In many cases, of which Markt was one, it is clearly correct that the assessment<br />
of damages depends on circumstances personal to each individual claimant. In such<br />
cases it is unlikely to be practical or fair to assess damages on a common basis and<br />
without each individual claimant’s participation in the proceedings. However, this is<br />
<br />
not always so, and representative actions for damages have sometimes been allowed.<br />
For example, in the case of insurance underwritten by Lloyd’s syndicates, which are<br />
not separate legal entities, it is standard practice for a single member of the syndicate<br />
(usually the leading underwriter) to be named as a representative claimant or<br />
defendant suing, or being sued, for themselves and all the other members. There is no<br />
<br />
difficulty in awarding damages for or against the representative in such proceedings, as<br />
the calculation of any damages which the members of the syndicate are collectively<br />
entitled to recover or liable to pay does not depend on how the risk is divided among<br />
the members of the syndicate.<br />
<br />
<br />
<br />
51. In Pan Atlantic Insurance Co Ltd v Pine Top Insurance Co Ltd [1989] 1 Lloyd’s Rep<br />
568 the claimant companies sued on behalf of themselves and members of a syndicate<br />
<br />
which had reinsured on a quota share basis a proportion of the risks they had<br />
underwritten, claiming under contracts which provided excess of loss reinsurance<br />
cover for the claimants and their quota share reinsurers. The Court of Appeal rejected<br />
an argument that the claimants were not entitled to sue in a representative capacity. It<br />
made no difference that there was a dispute between one of the claimants and some<br />
<br />
members of the syndicate about the validity of the quota share reinsurance, since as<br />
Lloyd LJ said, at p 571: “the question is whether the parties have the same interest as<br />
against the defendants; not whether they have the same interest as between<br />
themselves”.<br />
<br />
<br />
<br />
52. In Irish Shipping Ltd v Commercial Union Assurance Co plc (The “Irish Rowan”)<br />
[1991] 2 QB 206 numerous insurers had subscribed in various proportions to a policy of<br />
marine insurance. The Court of Appeal accepted that, as a matter of law, each<br />
subscription constituted a separate contract of insurance (of which there were said to<br />
be 77 in all). Claims for losses allegedly covered by the policy were made by suing two<br />
<br />
of the insurers as representative defendants. The Court of Appeal rejected an<br />
argument that claims for debt or damages could not be included in a representative<br />
action, merely because they are made by numerous claimants individually or resisted<br />
by numerous defendants individually, and held that the action could continue as a<br />
<br />
representative action. While the policy terms contained a broadly worded leading<br />
underwriter clause, the presence of this clause was not essential to the decision: see<br />
Bank of America National Trust and Savings Association v Taylor (The Kyriaki) [1992] 1<br />
Lloyd’s Rep 484, 493-494; National Bank of Greece SA v Outhwaite [2001] CLC 591,<br />
para 31.<br />
<br />
<br />
<br />
53. In EMI Records Ltd v Riley [1981] 1 WLR 923, and in Independiente Ltd v Music<br />
Trading On-Line (HK) Ltd [2003] EWHC 470 (Ch), the claimants sued in a representative<br />
capacity on behalf of all members of the British Phonographic Industry Ltd (“BPI”), a<br />
trade association for the recorded music industry (and also in the latter case on behalf<br />
<br />
of Phonographic Performance Ltd), claiming damages for breach of copyright in selling<br />
pirated sound recordings. In each case the claims were allowed to proceed as<br />
representative actions. Because it was accepted or could safely be assumed that the<br />
owner of the copyright in any pirated recording was a member of the represented<br />
<br />
class, this procedure enabled breach of copyright to be proved and damages to be<br />
awarded without the need to prove which particular pirated recordings had been sold<br />
in what quantities. Again, what mattered was that the members of the class had a<br />
community of interest in suing the defendant.<br />
<br />
<br />
54. In EMI Records it was asserted, and not disputed by the defendants, that the<br />
<br />
members of the BPI had consented to all sums recovered in actions for breach of<br />
copyright being paid to the BPI: see [1981] 1 WLR 923, 925. In Independiente, however,<br />
<br />
this assertion was disputed and Morritt V-C found that there was no binding<br />
agreement that any money recovered should go to the BPI: see [2003] EWHC 470 (Ch),<br />
paras 16 and 28. He nevertheless held, at paras 28 and 39, that the claim was properly<br />
brought as a representative action, observing that what the claimants did with any<br />
damages recovered was a matter for them or between them, the BPI and the class<br />
<br />
members, and not between them and the defendants.<br />
<br />
<br />
55. Although not cited in these cases, the same point had been made long before in<br />
Warrick v Queen’s College Oxford (No 4) (1871) LR 6 Ch App 716, 726, where Lord<br />
Hatherley LC gave an example of:<br />
<br />
<br />
<br />
“classes of shareholders in a railway company who have<br />
different rights inter se, but they may all have a common<br />
enemy in the shape of a fraudulent director, and they may all<br />
join, of course, in one common suit against that director,<br />
although after the common right is established they may<br />
<br />
have a considerable litigation among themselves as to who<br />
are the persons entitled to the gains obtained through that<br />
suit.”<br />
<br />
<br />
While the right enforced in such a common suit would in modern company law be seen<br />
<br />
as a right belonging to the company itself, rather than its shareholders, it is clear from<br />
the context that Lord Hatherley had in mind a representative action brought on behalf<br />
of shareholders, as he gave this analogy to explain how in that case a representative<br />
claim could be brought on behalf of all the freehold tenants of a manor to establish<br />
common rights against the lord of the manor even though different tenants or classes<br />
<br />
of tenant had different rights as between themselves.<br />
<br />
<br />
(e) Emerald Supplies<br />
<br />
<br />
56. In giving the Court of Appeal’s judgment in the present case, the Chancellor, at<br />
[2020] QB 747, para 73, focused on Emerald Supplies Ltd v British Airways plc [2010]<br />
<br />
EWCA Civ 1284; [2011] Ch 345 as providing the latest authoritative interpretation of<br />
the representative rule. The decision in that case turned, however, on the particular<br />
way in which the class of represented persons had been defined. The claimants alleged<br />
that the defendant airline was a party to agreements or concerted practices with other<br />
<br />
airlines to fix prices for air freight charged for importing cut flowers into the UK. They<br />
claimed on behalf of all “direct or indirect purchasers of air freight services, the prices<br />
for which were inflated by the agreements or concerted practices”, a declaration that<br />
damages were recoverable in principle from the defendant by those purchasers. The<br />
<br />
Court of Appeal upheld a decision to strike out the representative claim on the basis<br />
that, in the way the class had been defined, the issue of liability would have to be<br />
decided before it could be known whether or not a person was a member of the<br />
represented class and therefore bound by the judgment: see paras 62-63 and 65. Such<br />
an approach would not be just, not least because, if the claim failed, no purchasers of<br />
<br />
air freight services apart from the named claimants would be bound by the result.<br />
<br />
<br />
57. The Court of Appeal in Emerald Supplies also considered that a second difficulty<br />
with the class definition was that the members of the represented class did not all<br />
have the same interest in the claim, as there was a conflict of interest between direct<br />
<br />
and indirect purchasers of air freight services: see paras 28-29 and 64. If it was shown<br />
that prices had been inflated by agreements or concerted practices to which the<br />
defendant was a party, it would be in the interests of direct purchasers to seek to<br />
prove that they had absorbed the higher prices in order to avoid a potential defence<br />
that they had suffered no loss because the higher prices had been passed on to<br />
<br />
“indirect purchasers” (understood to include sub-purchasers). On the other hand, it<br />
would be in the interests of such indirect purchasers to seek to prove that the higher<br />
prices had indeed been passed on to them.<br />
<br />
<br />
58. It seems to me that this second difficulty might have been avoided either by<br />
<br />
altering the class definition to exclude sub-purchasers or by following the approach<br />
adopted in Prudential of claiming a declaration that those members of the class who<br />
had suffered damage as a result of the alleged price fixing were entitled to damages.<br />
However, those possibilities do not appear to have been considered. I think that the<br />
judge in Rendlesham Estates plc v Barr Ltd [2014] EWHC 3968 (TCC); [2015] 1 WLR<br />
<br />
3663 - a case relied on by Google on this appeal - was therefore wrong to conclude<br />
from Emerald Supplies, at para 90, that “if damage is an ingredient of the cause of<br />
action a representative claim could not be maintained”. The Court of Appeal in<br />
Emerald Supplies did not doubt the correctness of the Prudential decision, where a<br />
<br />
representative claim was allowed to proceed although damage was an ingredient of<br />
the cause of action. As Professor Rachael Mulheron, a leading expert in this field, has<br />
persuasively argued, it should likewise have been possible in Emerald Supplies to adopt<br />
a bifurcated process in which the questions whether prices had been inflated by<br />
<br />
agreements or concerted practices and whether passing on was in principle available<br />
as a defence were decided in a representative action. If successful, this action could<br />
then have formed the basis for further proceedings to prove the fact and amount of<br />
damage in individual cases: see Mulheron R, “Emerald Supplies Ltd v British Airways<br />
plc; A Century Later, The Ghost of Markt Lives On” [2009] Comp Law 159, 171.<br />
<br />
<br />
<br />
<br />
<br />
<br />
(f) Commonwealth cases<br />
<br />
<br />
59. The highest courts of Australia, Canada and New Zealand have all adopted a<br />
broad and flexible approach in interpreting representative rules derived from the<br />
English rule.<br />
<br />
<br />
(i) Australia<br />
<br />
<br />
<br />
60. In Carnie v Esanda Finance Corpn Ltd (1994) 127 ALR 76 the High Court of<br />
Australia held that the fact that the claims arose under separate contracts did not<br />
prevent the named claimants and the persons represented from having “the same<br />
interest” in proceedings. It was enough to satisfy this requirement that there was a<br />
<br />
community of interest in the determination of a substantial question of law or fact that<br />
arose in the proceedings. Commenting on an argument that the representative rule<br />
was an inadequate basis for a “class action”, which required a comprehensive<br />
legislative regime, Toohey and Gaudron JJ (with whom Mason CJ, Deane and Dawson JJ<br />
generally agreed) said, at p 91:<br />
<br />
<br />
<br />
“... it is true that rule 13 lacks the detail of some other rules<br />
of court. But there is no reason to think that the Supreme<br />
Court of New South Wales lacks the authority to give<br />
directions as to such matters as service, notice and the<br />
<br />
conduct of proceedings which would enable it to monitor and<br />
finally to determine the action with justice to all concerned.<br />
The simplicity of the rule is also one of its strengths, allowing<br />
it to be treated as a flexible rule of convenience in the<br />
administration of justice and applied ‘to the exigencies of<br />
<br />
modern life as occasion requires’. The court retains the<br />
power to reshape proceedings at a later stage if they become<br />
impossibly complex or the defendant is prejudiced.”<br />
<br />
<br />
(ii) Canada<br />
<br />
<br />
<br />
61. In Western Canadian Shopping Centres Inc v Dutton [2001] 2 SCR 534, paras 38-<br />
48, the Supreme Court of Canada held that representative actions should be allowed<br />
to proceed where the following conditions are met: (1) the class is capable of clear<br />
definition; (2) there are issues of fact or law common to all class members; (3) success<br />
<br />
for one class member means success for all (although not necessarily to the same<br />
extent); and (4) the proposed representative adequately represents the interests of<br />
<br />
the class. If these conditions are met the court must also be satisfied, in the exercise of<br />
its discretion, that there are no countervailing considerations that outweigh the<br />
benefits of allowing the representative action to proceed. The Supreme Court held that<br />
the conditions were met by the claimants in Dutton, who sued as representatives of a<br />
group of investors complaining that the defendant had breached fiduciary duties to the<br />
<br />
investors by mismanaging their funds.<br />
<br />
<br />
62. Giving the judgment of the court, McLachlin CJ, at para 47, distinguished its<br />
earlier decision in General Motors of Canada Ltd v Naken [1983] 1 SCR 72, where a<br />
representative action had been disallowed. In Naken the action was brought on behalf<br />
<br />
of purchasers of new Firenza motor vehicles against the manufacturer, complaining<br />
that the quality of the vehicles had been misrepresented or was not as warranted in<br />
advertisements, other published materials and contracts which were partly oral and<br />
partly written. Damages were claimed limited to $1,000 per person. The claims were<br />
held to be unsuitable for resolution through a representative action, principally<br />
<br />
because determining both liability and damages would have required particularised<br />
evidence and fact-finding in relation to each individual purchaser.<br />
<br />
<br />
63. McLachlin CJ also commented, at para 46, that over the period since Naken was<br />
decided the benefits of class actions had become manifest. She identified, at paras 27-<br />
<br />
29, three important advantages which such actions offer over a multiplicity of<br />
individual suits: (1) avoiding unnecessary duplication in fact-finding and legal analysis;<br />
(2) making economical the prosecution of claims that would otherwise be too costly to<br />
prosecute individually; and (3) serving efficiency and justice by ensuring that actual<br />
and potential wrongdoers who cause widespread but individually minimal harm take<br />
<br />
into account the full costs of their conduct.<br />
<br />
<br />
64. McLachlin CJ further observed, at para 34, that, while it would clearly be<br />
advantageous if there existed a comprehensive legislative framework regulating class<br />
actions, in its absence “the courts must fill the void”.<br />
<br />
<br />
<br />
(iii) New Zealand<br />
<br />
<br />
65. The Supreme Court of New Zealand has recently considered the use of the<br />
representative procedure in Southern Response Earthquake Services Ltd v Ross [2020]<br />
NZSC 126. This was a representative action brought on behalf of some 3,000<br />
<br />
policyholders who had settled insurance claims for damage to their homes caused by<br />
earthquakes in the Canterbury region of New Zealand. The claimants alleged that the<br />
policyholders had been misled by the insurers about the cost of remedying the<br />
damage, with the result that they had settled their claims on a less favourable basis<br />
<br />
than otherwise would have been the case. The insurers did not oppose the action<br />
being brought on a representative basis, but argued that the class represented should<br />
be limited to policyholders who completed a form electing to opt into the proceedings.<br />
It was agreed that the proceedings would need to be heard in two stages. The first<br />
stage would deal with issues common to all members of the represented class. If the<br />
<br />
claimants succeeded at that stage in whole or in part, there would need to be a second<br />
stage, in which questions of relief were addressed. It was also agreed that, at the<br />
second stage, it would be necessary for all of the policyholders represented to take<br />
active steps - that is, to opt in - if they wished to establish their individual claims.<br />
<br />
<br />
<br />
66. The New Zealand Supreme Court affirmed the decision of the Court of Appeal<br />
that the claim should be allowed to continue on an opt out basis. In doing so, the<br />
Supreme Court rejected an argument that it should not develop an opt out regime in<br />
the absence of a statutory framework and gave guidance on various matters relating to<br />
supervision of opt out representative proceedings.<br />
<br />
<br />
<br />
(g) Principles governing use of the representative procedure<br />
<br />
<br />
67. Although the world has changed out of all recognition since the representative<br />
procedure was devised by the Court of Chancery, it has done so in ways which have<br />
made the problems to which the procedure provided a solution more common and<br />
<br />
often vastly bigger in scale. The mass production of goods and mass provision of<br />
services have had the result that, when legally culpable conduct occurs, a very large<br />
group of people, sometimes numbering in the millions, may be affected. As the<br />
present case illustrates, the development of digital technologies has added to the<br />
potential for mass harm for which legal redress may be sought. In such cases it is<br />
<br />
necessary to reconcile, on the one hand, the inconvenience or complete impracticality<br />
of litigating multiple individual claims with, on the other hand, the inconvenience or<br />
complete impracticality of making every prospective claimant (or defendant) a party to<br />
a single claim. The only practical way to “come at justice” is to combine the claims in a<br />
<br />
single proceeding and allow one or more persons to represent all others who share the<br />
same interest in the outcome. When trying all the individual claims is not feasible, the<br />
adages of Lord Eldon quoted by Lord Macnaghten in Ellis remain as pertinent as ever:<br />
that it is better to go as far as possible towards justice than to deny it altogether and<br />
<br />
that, if you cannot realistically make everybody interested a party, you should ensure<br />
that those who are parties will “fairly and honestly try the right”.<br />
<br />
<br />
68. I agree with the highest courts of Australia, Canada and New Zealand that, while<br />
a detailed legislative framework would be preferable, its absence (outside the field of<br />
competition law) in this country is no reason to decline to apply, or to interpret<br />
<br />
restrictively, the representative rule which has long existed (and has had a legislative<br />
basis since 1873). I also agree with the view expressed in Carnie that the very simplicity<br />
of the representative rule is in some respects a strength, allowing it to be treated as “a<br />
flexible tool of convenience in the administration of justice” and “applied to the<br />
exigencies of modern life as occasion requires”.<br />
<br />
<br />
(i) The “same interest” requirement<br />
<br />
<br />
<br />
69. In its current form in CPR rule 19.6 the rule imposes no limit (either as a<br />
minimum or maximum) on the number of people who may be represented. Only one<br />
condition must be satisfied before a representative claim may be begun or allowed to<br />
continue: that is, that the representative has “the same interest” in the claim as the<br />
<br />
person(s) represented.<br />
<br />
<br />
70. The phrase “the same interest” is capable of bearing a range of meanings and<br />
requires interpretation. In interpreting the phrase, reference has often been made to<br />
Lord Macnaghten’s statement in Ellis (quoted at para 38 above) that: “Given a<br />
common interest and a common grievance, a representative suit was in order if the<br />
<br />
relief sought was in its nature beneficial to all whom the plaintiff proposed to<br />
represent.” This statement has sometimes been treated as if it were a definition<br />
imposing a tripartite test: see eg Smith v Cardiff Corpn [1954] 1 QB 210. Such an<br />
approach seems to me misguided. It is clear from the context that Lord Macnaghten<br />
<br />
was not attempting to define “the same interest”, but to convey how limiting the rule<br />
to persons having a beneficial proprietary interest in the claim would be contrary to<br />
the old practice in the Court of Chancery. More profoundly, such a reading of Lord<br />
Macnaghten’s speech shows precisely the rigidity of approach to the application of the<br />
representative rule which he disparaged.<br />
<br />
<br />
<br />
71. The phrase “the same interest”, as it is used in the representative rule, needs to<br />
be interpreted purposively in light of the overriding objective of the civil procedure<br />
rules and the rationale for the representative procedure. The premise for a<br />
representative action is that claims are capable of being brought by (or against) a<br />
<br />
number of people which raise a common issue (or issues): hence the potential and<br />
motivation for a judgment which binds them all. The purpose of requiring the<br />
representative to have “the same interest” in the claim as the persons represented is<br />
to ensure that the representative can be relied on to conduct the litigation in a way<br />
<br />
which will effectively promote and protect the interests of all the members of the<br />
represented class. That plainly is not possible where there is a conflict of interest<br />
between class members, in that an argument which would advance the cause of some<br />
would prejudice the position of others. Markt and Emerald Supplies are both examples<br />
of cases where it was found that the proposed representative action, as formulated,<br />
<br />
could not be maintained for this reason.<br />
<br />
<br />
72. As Professor Adrian Zuckerman has observed in his valuable book on civil<br />
procedure, however, a distinction needs to be drawn between cases where there are<br />
conflicting interests between class members and cases where there are merely<br />
divergent interests, in that an issue arises or may well arise in relation to the claims of<br />
(or against) some class members but not others. So long as advancing the case of class<br />
<br />
members affected by the issue would not prejudice the position of others, there is no<br />
reason in principle why all should not be represented by the same person: see<br />
Zuckerman on Civil Procedure: Principles of Practice, 4th ed (2021), para 13.49. As<br />
Professor Zuckerman also points out, concerns which may once have existed about<br />
<br />
whether the representative party could be relied on to pursue vigorously lines of<br />
argument not directly applicable to their individual case are misplaced in the modern<br />
context, where the reality is that proceedings brought to seek collective redress are<br />
not normally conducted and controlled by the nominated representative, but rather<br />
are typically driven and funded by lawyers or commercial litigation funders with the<br />
<br />
representative party merely acting as a figurehead. In these circumstances, there is no<br />
reason why a representative party cannot properly represent the interests of all<br />
members of the class, provided there is no true conflict of interest between them.<br />
<br />
<br />
73. This purposive and pragmatic interpretation of the requirement is exemplified<br />
<br />
by The “Irish Rowan”, where Staughton LJ, at pp 227-228, noted that some of the<br />
insurers might wish to resist the claim on a ground that was not available to others. He<br />
rightly did not regard that circumstance as showing that all the insurers did not have<br />
“the same interest” in the action, or that it was not within the rule, and had “no<br />
qualms about a proceeding which allows that ground to be argued on their behalf by<br />
<br />
others”.<br />
<br />
<br />
74. Even if it were considered inconsistent with the “same interest” requirement, or<br />
otherwise inappropriate, for a single person to represent two groups of people in<br />
relation to whom different issues arise although there is no conflict of interest<br />
<br />
between them, any procedural objection could be overcome by bringing two (or more)<br />
representative claims, each with a separate representative claimant or defendant, and<br />
combining them in the same action.<br />
<br />
<br />
(ii) The court’s discretion<br />
<br />
<br />
<br />
75. Where the same interest requirement is satisfied, the court has a discretion<br />
whether to allow a claim to proceed as a representative action. As with any power<br />
given to it by the Civil Procedure Rules, the court must in exercising its discretion seek<br />
to give effect to the overriding objective of dealing with cases justly and at<br />
proportionate cost: see CPR rule 1.2(a). Many of the considerations specifically<br />
<br />
included in that objective (see CPR rule 1.1(2)) - such as ensuring that the parties are<br />
on an equal footing, saving expense, dealing with the case in ways which are<br />
proportionate to the amount of money involved, ensuring that the case is dealt with<br />
expeditiously and fairly, and allotting to it an appropriate share of the court’s<br />
resources while taking into account the need to allot resources to other cases - are<br />
likely to militate in favour of allowing a claim, where practicable, to be continued as a<br />
<br />
representative action rather than leaving members of the class to pursue claims<br />
individually.<br />
<br />
<br />
76. Four further features of the representative rule deserve mention.<br />
<br />
<br />
(iii) No requirement of consent<br />
<br />
<br />
<br />
77. First, as the ability to act as a representative under the rule does not depend on<br />
the consent of the persons represented but only on community of interest between<br />
them, there is ordinarily no need for a member of the represented class to take any<br />
positive step, or even to be aware of the existence of the action, in order to be bound<br />
by the result. The rule does not confer a right to opt out of the proceedings (though a<br />
<br />
person could, at least in theory, apply to the court for a direction under rule 19.6(3)<br />
that the named claimant (or defendant) may not represent them or under rule 19.6(4)<br />
that any judgment given will not be binding on them). It is, however, always open to<br />
the judge managing the case to impose a requirement to notify members of the class<br />
<br />
of the proceedings and establish a simple procedure for opting out of representation, if<br />
this is considered desirable. Equally, if there are circumstances which make it<br />
appropriate to limit the represented class to persons who have positively opted into<br />
the litigation, it is open to the judge to make this a condition of representation. The<br />
procedure is entirely flexible in these respects.<br />
<br />
<br />
<br />
(iv) The class definition<br />
<br />
<br />
78. Second, while it is plainly desirable that the class of persons represented should<br />
be clearly defined, the adequacy of the definition is a matter which goes to the court’s<br />
discretion in deciding whether it is just and convenient to allow the claim to be<br />
<br />
continued on a representative basis rather than being a precondition for the<br />
application of the rule. Emerald Supplies illustrates a general principle that<br />
membership of the class should not depend on the outcome of the litigation. Beyond<br />
that, whether or to what extent any practical difficulties in identifying the members of<br />
<br />
the class are material must depend on the nature and object of the proceedings. In<br />
Duke of Bedford v Ellis, for example, it did not matter that the number and identities of<br />
growers of fruit etc would have been difficult if not impossible to ascertain or that the<br />
class was a fluctuating one: given that the aim was to establish whether anyone who<br />
<br />
was a grower had preferential rights, all that mattered was that there would be no real<br />
difficulty in determining whether a particular person who claimed a preferential right<br />
to a vacant stand at Covent Garden was a grower or not: see [1901] AC 1 at 11. In<br />
some cases, however, for example where the viability of a claim for damages depends<br />
on demonstrating the size of the class or who its members are, such practical<br />
<br />
difficulties might well be significant.<br />
<br />
<br />
(v) Liability for costs<br />
<br />
<br />
79. Third, as persons represented by a representative claimant or defendant will<br />
not normally themselves have been joined as parties to the claim, they will not<br />
<br />
ordinarily be liable to pay any costs incurred by the representative in pursuing (or<br />
defending) the claim. That does not prevent the court, if it is in the interests of justice<br />
to do so, from making an order requiring a represented person to pay or contribute to<br />
costs and giving permission for the order to be enforced against that person pursuant<br />
to CPR rule 19.6(4)(b). Alternatively, such an order could be made pursuant to the<br />
<br />
general jurisdiction of the court to make costs orders against non-parties. It is difficult,<br />
however, to envisage circumstances in which it could be just to order a represented<br />
person to contribute to costs incurred by a claimant in bringing a representative claim<br />
which the represented person did not authorise. On the other hand, a commercial<br />
<br />
litigation funder who finances unsuccessful proceedings is likely to be ordered to pay<br />
the successful party’s costs at least to the extent of the funding: see Davey v Money<br />
[2020] EWCA Civ 246; [2020] 1 WLR 1751. That principle is no less applicable where the<br />
proceedings financed are a representative action.<br />
<br />
<br />
(vi) The scope for claiming damages<br />
<br />
<br />
<br />
80. Finally, as already discussed, it is not a bar to a representative claim that each<br />
represented person has in law a separate cause of action nor that the relief claimed<br />
consists of or includes damages or some other monetary relief. The potential for<br />
claiming damages in a representative action is, however, limited by the nature of the<br />
<br />
remedy of damages at common law. What limits the scope for claiming damages in<br />
representative proceedings is the compensatory principle on which damages for a civil<br />
wrong are awarded with the object of putting the claimant - as an individual - in the<br />
same position, as best money can do it, as if the wrong had not occurred. In the<br />
<br />
ordinary course, this necessitates an individualised assessment which raises no<br />
common issue and cannot fairly or effectively be carried out without the participation<br />
in the proceedings of the individuals concerned. A representative action is therefore<br />
not a suitable vehicle for such an exercise.<br />
<br />
<br />
<br />
81. In cases where damages would require individual assessment, there may<br />
nevertheless be advantages in terms of justice and efficiency in adopting a bifurcated<br />
process - as was done, for example, in the Prudential case - whereby common issues of<br />
law or fact are decided through a representative claim, leaving any issues which<br />
require individual determination - whether they relate to liability or the amount of<br />
<br />
damages - to be dealt with at a subsequent stage of the proceedings. In Prudential<br />
[1981] Ch 229, 255, Vinelott J expressed the view (obiter) that time would continue to<br />
run for the purpose of limitation until individual claims for damages were brought by<br />
the persons represented; see also the dicta of Fletcher Moulton LJ in Markt [1910] 2 KB<br />
<br />
1021, 1042, referred to at para 44 above. The court in Prudential did not have cited to<br />
it, however, the decision of the Court of Appeal in Moon v Atherton [1972] 2 QB 435. In<br />
that case a represented person applied to be substituted for the named claimant after<br />
the limitation period had expired when the claimant (and all the other represented<br />
persons) no longer wished to continue the action. The Court of Appeal, in allowing the<br />
<br />
substitution, held that the defendant was not thereby deprived of a limitation defence,<br />
as for the purpose of limitation the represented person was already a party to the<br />
action, albeit not a “full” party. It might be clearer to say that, although the<br />
represented person did not become a “party” until substituted as the claimant, an<br />
<br />
action was brought within the meaning of the statute of limitation by that person<br />
when the representative claim was initiated. Such an analysis has been adopted in<br />
Australia, including by the New South Wales Court of Appeal in Fostif Pty Ltd v<br />
Campbells Cash & Carry Pty Ltd [2005] NSWCA 83; (2005) 63 NSWLR 203, and by the<br />
New Zealand Supreme Court in Credit Suisse Private Equity v Houghton [2014] NZSC 37.<br />
<br />
<br />
<br />
82. There is no reason why damages or other monetary remedies cannot be<br />
claimed in a representative action if the entitlement can be calculated on a basis that is<br />
common to all the members of the class. Counsel for the claimant, Hugh Tomlinson<br />
QC, gave the example of a claim alleging that every member of the class was wrongly<br />
<br />
charged a fixed fee; another example might be a claim alleging that all the class<br />
members acquired the same product with the same defect which reduced its value by<br />
the same amount. In such cases the defendant’s monetary liability could be<br />
determined as a common issue and no individualised assessment would be needed.<br />
<br />
The same is true where loss suffered by the class as a whole can be calculated without<br />
reference to the losses suffered by individual class members - as in the cases<br />
mentioned at para 53 above. Such an assessment of loss on a global basis is sometimes<br />
described as a “top down” approach, in contrast to a “bottom up” approach of<br />
assessing a sum which each member of the class is individually entitled to recover.<br />
<br />
<br />
<br />
83. The recovery of money in a representative action on either basis may give rise<br />
to problems of distribution to the members of the class, about which the<br />
representative rule is silent. Although in Independiente Morritt V-C was untroubled by<br />
such problems, questions of considerable difficulty would arise if in the present case<br />
<br />
the claimant was awarded damages in a representative capacity with regard to how<br />
such damages should be distributed, including whether there would be any legal basis<br />
for paying part of the damages to the litigation funders without the consent of each<br />
individual entitled to them: see Mulheron R, “Creating and Distributing Common Funds<br />
under the English Representative Rule” (2021) King’s Law Journal 1-33. Google has not<br />
<br />
relied on such difficulties as a reason for disallowing a representative action, however,<br />
and as these matters were only touched on in argument, I will say no more about<br />
them.<br />
<br />
<br />
E. THE REPRESENTATIVE CLAIM IN THIS CASE<br />
<br />
<br />
<br />
84. In the present case I could see no legitimate objection to a representative claim<br />
brought to establish whether Google was in breach of the DPA 1998 and, if so, seeking<br />
a declaration that any member of the represented class who has suffered damage by<br />
reason of the breach is entitled to be paid compensation. The individual claims that<br />
could theoretically have been brought by each iPhone user who was affected by the<br />
<br />
Safari workaround clearly raise common issues; and it is not suggested that there is<br />
any conflict of interest among the members of the represented class. For the purpose<br />
of CPR rule 19.6(1), all would therefore have the same interest in such a claim as the<br />
representative claimant. There is no suggestion that Mr Lloyd is an unsuitable person<br />
<br />
to act in that capacity. Although Google has argued that there would be practical<br />
difficulties in identifying whether an individual falls within the class definition, even on<br />
Google’s evidence it is evident that the number of people affected by the Safari<br />
workaround was extremely large and it is unclear at this stage of the litigation how<br />
serious the difficulties of proof would actually be. Moreover, even if only a few<br />
<br />
individuals were ultimately able to obtain compensation on the basis of a declaratory<br />
judgment, I cannot see why that should provide a reason for refusing to allow a<br />
representative claim to proceed for the purpose of establishing liability.<br />
<br />
<br />
85. The claimant has not proposed such a bifurcated process, however. That is<br />
<br />
doubtless because success in the first, representative stage of such a process would<br />
not itself generate any financial return for the litigation funders or the persons<br />
represented. Funding the proceedings could therefore only be economic if pursuing<br />
separate damages claims on behalf of those individuals who opted into the second<br />
<br />
stage of the process would be economic. For the reasons discussed at paras 25-28<br />
above and emphasised in argument by counsel for the claimant, it clearly would not. In<br />
practice, therefore, as both courts below accepted, a representative action for<br />
damages is the only way in which the claims can be pursued.<br />
<br />
<br />
<br />
<br />
<br />
(1) The formulation of the claim for damages<br />
<br />
<br />
86. In formulating the claim made in this action, the claimant has not adopted the<br />
“top down” approach of claiming compensation for damage suffered by the class as a<br />
whole without reference to the entitlements of individual class members. The claim<br />
advanced is for damages calculated from the “bottom up”. The way in which the<br />
<br />
claimant seeks to obviate the need for individualised assessment is by claiming<br />
damages for each class member on what is described as a “uniform per capita basis”.<br />
<br />
<br />
87. The difficulty facing this approach is that the effect of the Safari workaround<br />
was obviously not uniform across the represented class. No challenge is or could<br />
<br />
reasonably be made to the judge’s findings, at [2018] EWHC 2599 (QB); [2019] 1 WLR<br />
1265, para 91, that:<br />
<br />
<br />
“… some affected individuals were ‘super users’ - heavy<br />
internet users. They will have been ‘victims’ of multiple<br />
breaches, with considerable amounts of [browser generated<br />
<br />
information] taken and used throughout the Relevant Period.<br />
Others will have engaged in very little internet activity.<br />
Different individuals will have had different kinds of<br />
information taken and used. No fewer than 17 categories of<br />
<br />
personal data are identified in the claim documents. The<br />
specified categories of data vary in their sensitivity, some of<br />
them being ‘sensitive personal data’ within the meaning of<br />
the section 2 of the DPA (such as sexuality, or ethnicity). …<br />
But it is not credible that all the specified categories of data<br />
<br />
were obtained by Google from each represented claimant. …<br />
The results of the acquisition and use will also have varied<br />
according to the individual, and their attitudes towards the<br />
acquisition, disclosure and use of the information in<br />
<br />
question.”<br />
<br />
<br />
If liability is established, the ordinary application of the compensatory principle would<br />
therefore result in different awards of compensation to different individuals.<br />
Furthermore, the amount of any compensation recoverable by any member of the<br />
<br />
class would depend on a variety of circumstances particular to that individual.<br />
Individualised assessment of damages would therefore be required.<br />
<br />
<br />
88. The claimant seeks to overcome this difficulty in one or other of two ways. Both<br />
rely on the proposition that an individual is entitled to compensation for any<br />
(non-trivial) contravention of the DPA 1998 without the need to prove that the individual<br />
suffered any financial loss or distress. On that footing it is argued, first of all, that<br />
general damages can be awarded on a uniform per capita basis to each member of the<br />
represented class without the need to prove any facts particular to that individual. The<br />
draft particulars of claim plead that the uniform sum awarded should reflect “the<br />
<br />
serious nature of the breach, in particular (but non-exhaustively):<br />
<br />
<br />
“(a) The lack of consent or knowledge of the<br />
Representative Claimant and each member of the Claimant<br />
Class to the defendant’s collection and use of their personal<br />
<br />
data.<br />
<br />
<br />
(b) The fact that such collection and use was contrary to<br />
the defendant’s public statements.<br />
<br />
<br />
(c) The fact that such collection and use was greatly to<br />
the commercial benefit of the defendant.<br />
<br />
<br />
<br />
(d) The fact that the defendant knew or ought to have<br />
known of the operation of the Safari Workaround from a very<br />
early stage during the Relevant Period. …”<br />
<br />
<br />
I interpose that factor (c), although no doubt true in relation to the class as a whole,<br />
<br />
plainly could not in fact be established in relation to any individual class member<br />
without evidence of what use, if any, was actually made of personal data of that<br />
individual by Google. If there is to be no individualised assessment, this factor must<br />
therefore be left out of account.<br />
<br />
<br />
<br />
89. The alternative case pleaded is that each member of the class is entitled to<br />
damages assessed as an amount which they could reasonably have charged for<br />
releasing Google from the duties which it breached. Again, it is contended that such<br />
damages should be assessed on a uniform per capita basis, “reflecting the generalised<br />
standard terms (rather than individuated basis) on which [Google] does business”.<br />
<br />
<br />
<br />
(2) Section 13 of the DPA 1998<br />
<br />
<br />
90. The claim for compensation made in the present case is founded (exclusively)<br />
on section 13 of the DPA 1998. This provides:<br />
<br />
“(1) An individual who suffers damage by reason of any<br />
contravention by a data controller of any of the requirements<br />
of this Act is entitled to compensation from the data<br />
controller for that damage.<br />
<br />
<br />
(2) An individual who suffers distress by reason of any<br />
<br />
contravention by a data controller of any of the requirements<br />
of this Act is entitled to compensation from the data<br />
controller for that distress if -<br />
<br />
<br />
(a) the individual also suffers damage by reason of the<br />
<br />
contravention, or<br />
<br />
<br />
(b) the contravention relates to the processing of<br />
personal data for the special purposes.<br />
<br />
<br />
(3) In proceedings brought against a person by virtue of<br />
this section it is a defence to prove that he had taken such<br />
<br />
care as in all the circumstances was reasonably required to<br />
comply with the requirement concerned.”<br />
<br />
<br />
91. Section 13 was intended to implement article 23 of the Data Protection<br />
Directive. This stated:<br />
<br />
<br />
<br />
“1. Member states shall provide that any person who has<br />
suffered damage as a result of an unlawful processing<br />
operation or of any act incompatible with the national<br />
provisions adopted pursuant to this Directive is entitled to<br />
<br />
receive compensation from the controller for the damage<br />
suffered.<br />
<br />
<br />
2. The controller may be exempted from this liability, in<br />
whole or in part, if he proves that he is not responsible for<br />
the event giving rise to the damage.”<br />
<br />
<br />
<br />
92. Two initial points can be made about the wording and structure of section 13.<br />
First, to recover compensation under this provision it is not enough to prove a breach<br />
by a data controller of its statutory duty under section 4(4) of the Act: an individual is<br />
<br />
only entitled to compensation under section 13 where “damage” - or in some<br />
circumstances “distress” - is suffered as a consequence of such a breach of duty.<br />
Second, it is plain from subsection (2) that the term “damage” as it is used in section<br />
13 does not include “distress”. The term “material damage” is sometimes used to<br />
describe any financial loss or physical or psychological injury, but excluding distress (or<br />
<br />
other negative emotions not amounting to a recognised psychiatric illness): see eg<br />
Watkins v Secretary of State for the Home Department [2006] UKHL 17; [2006] 2 AC<br />
395, para 7. Adopting this terminology, on a straightforward interpretation the term<br />
“damage” in section 13 refers only to material damage and compensation can only be<br />
<br />
recovered for distress if either of the two conditions set out in subsection (2) is met.<br />
<br />
<br />
(3) Vidal-Hall v Google Inc<br />
<br />
<br />
93. The effect of section 13 was considered by the Court of Appeal in Vidal-Hall v<br />
Google Inc [2016] QB 1003 on facts which, in terms of the generic allegations made,<br />
were identical to those on which the present claim is based. The three claimants<br />
<br />
sought damages arising out of the Safari workaround on two alternative bases: (1) at<br />
common law for misuse of private information; and (2) under section 13 of the DPA<br />
1998. As in the present case, permission to serve the proceedings outside the<br />
jurisdiction was opposed by Google. The main issues raised were: (1) whether misuse<br />
<br />
of private information is a tort for the purpose of the rules providing for service out of<br />
the jurisdiction; and (2) whether compensation can be recovered for distress under<br />
section 13 of the DPA 1998 in the absence of financial loss. The judge decided both<br />
issues in the claimants’ favour and the Court of Appeal affirmed that decision, for<br />
reasons given in a judgment written by Lord Dyson MR and Sharp LJ, with which<br />
<br />
Macfarlane LJ agreed.<br />
<br />
<br />
94. On the second issue Google submitted that, as discussed above, the term<br />
“damage” in section 13 must mean material damage, which for practical purposes<br />
limits its scope to financial loss. Hence section 13(2) has the effect that an individual<br />
<br />
may only recover compensation for distress suffered by reason of a contravention by a<br />
data controller of a requirement of the Act if either (a) the contravention also causes<br />
the individual to suffer financial loss or (b) the contravention relates to the processing<br />
of personal data for “special purposes” - which are defined as journalistic, artistic or<br />
<br />
literary purposes (see section 3). It was not alleged that either of those conditions was<br />
satisfied in the Vidal-Hall case.<br />
<br />
<br />
95. The Court of Appeal accepted that section 13(2) does indeed have this meaning<br />
but held that this makes it incompatible with article 23 of the Data Protection<br />
Directive, which section 13 of the DPA 1998 was meant to implement. This is because<br />
<br />
the word “damage” in article 23 is to be interpreted as including distress, which is the<br />
primary form of damage likely to be caused by an invasion of data privacy; and article<br />
23 does not permit national laws to restrict the right to receive compensation for<br />
“damage” where it takes the form of distress. The Court of Appeal considered whether<br />
it is possible to interpret section 13 in a way which achieves the result sought by the<br />
Directive, but concluded that the words of section 13 are not capable of being<br />
<br />
interpreted in such a way and that the limits set by Parliament to the right to<br />
compensation for breaches of the DPA 1998 are a fundamental feature of the UK<br />
legislative scheme. In the words of Lord Dyson MR and Sharp LJ in their joint judgment,<br />
at para 93, if the court were to disapply the limits on the right to compensation for<br />
<br />
distress set out in section 13(2), “the court would, in effect, be legislating against the<br />
clearly expressed intention of Parliament on an issue that was central to the scheme as<br />
a whole”.<br />
<br />
<br />
96. The Court of Appeal nevertheless held that section 13(2) should be disapplied<br />
on the ground that it conflicts with articles 7 and 8 of the Charter of Fundamental<br />
<br />
Rights of the European Union (“the EU Charter”). Article 7 of the EU Charter is in<br />
materially similar terms to article 8 of the European Convention for the Protection of<br />
Human Rights and Fundamental Freedoms (“the Convention”) and provides that<br />
“[e]veryone has the right to respect for his or her private and family life, home and<br />
<br />
communications”. Article 8(1) provides that “[e]veryone has the right to the protection<br />
of personal data concerning him or her”. In addition, article 47 requires that<br />
“[e]veryone whose rights and freedoms guaranteed by the law of the Union are<br />
violated has the right to an effective remedy before a tribunal …”. The Court of Appeal<br />
decided that, in order to provide an effective remedy for the rights guaranteed by<br />
<br />
articles 7 and 8 of the EU Charter, it was necessary that national law should give effect<br />
to the obligation under article 23 of the Data Protection Directive to provide a right to<br />
receive compensation from the data controller for any damage, including distress,<br />
suffered as a result of an unlawful processing operation. That result could and should<br />
<br />
be achieved by disapplying section 13(2) of the DPA 1998, thus enabling section 13(1)<br />
to be interpreted compatibly with article 23: see [2016] QB 1003, para 105.<br />
<br />
<br />
(4) Misuse of private information<br />
<br />
<br />
97. The Court of Appeal in Vidal-Hall also held that the claims for damages for<br />
<br />
misuse of private information made by the claimants in that case were properly<br />
classified as claims in tort for the purpose of service out of the jurisdiction and had a<br />
real prospect of success. As described at paras 18-25 of the judgment, the tort of<br />
misuse of private information evolved out of the equitable action for breach of<br />
confidence, influenced by the protection of the right to respect for private life<br />
<br />
guaranteed by article 8 of the Convention. The critical step in its emergence as a<br />
distinct basis for a claim was the identification of privacy of information as worthy of<br />
<br />
protection in its own right, irrespective of whether the information was imparted in<br />
circumstances which give rise to a duty of confidence: see Campbell v MGN Ltd [2004]<br />
UKHL 22; [2004] 2 AC 457. As Lord Hoffmann put it in Campbell, at para 50:<br />
<br />
<br />
“What human rights law has done is to identify private<br />
information as something worth protecting as an aspect of<br />
<br />
human autonomy and dignity.”<br />
<br />
<br />
98. The complaint in Campbell was about the publication of private information.<br />
Lord Nicholls of Birkenhead described the “essence of the tort”, at para 14, as “misuse<br />
of private information”. He also noted, however, at para 15, that an individual’s privacy<br />
<br />
can be invaded in ways not involving publication of information, and subsequent cases<br />
have held that intrusion on privacy, without any misuse of information, is actionable:<br />
see PJS v News Group Newspapers Ltd [2016] UKSC 26; [2016] 2 AC 1081, paras 58-60.<br />
It is misuse of information, however, which is primarily relevant in this case, and I shall<br />
generally - as counsel did in argument - use the label for the tort of “misuse of private<br />
<br />
information”.<br />
<br />
<br />
99. To establish liability for misuse of private information (or other wrongful<br />
invasion of privacy), it is necessary to show that there was a reasonable expectation of<br />
privacy in the relevant matter. As the Court of Appeal (Sir Anthony Clarke MR, Laws<br />
<br />
and Thomas LJJ) explained in upholding a claim to restrain the publication of<br />
photographs taken in a public place of the child of the well-known author, JK Rowling,<br />
in Murray v Express Newspapers plc [2008] EWCA Civ 446; [2009] Ch 481, para 36:<br />
<br />
<br />
“… the question whether there is a reasonable expectation of<br />
privacy is a broad one, which takes account of all the<br />
<br />
circumstances of the case. They include the attributes of the<br />
claimant, the nature of the activity in which the claimant was<br />
engaged, the place at which it was happening, the nature and<br />
purpose of the intrusion, the absence of consent and<br />
<br />
whether it was known or could be inferred, the effect on the<br />
claimant and the circumstances in which and the purposes<br />
for which the information came into the hands of the<br />
publisher.”<br />
<br />
<br />
<br />
If this test is met, in cases where freedom of expression is involved the court must then<br />
undertake a “balancing exercise” to decide whether in all the circumstances the<br />
interests of the owner of the private information must yield to the right to freedom of<br />
<br />
<br />
expression conferred on the publisher by article 10 of the Convention: see eg<br />
McKennitt v Ash [2006] EWCA Civ 1714; [2008] QB 73, para 9.<br />
<br />
<br />
(5) Gulati v MGN Ltd<br />
<br />
<br />
100. The measure of damages for wrongful invasion of privacy was considered in<br />
depth in Gulati v MGN Ltd [2015] EWHC 1482 (Ch); [2016] FSR 12 and [2015] EWCA Civ<br />
<br />
1291; [2017] QB 149 by Mann J and by the Court of Appeal. The eight test claimants in<br />
that case were individuals in the public eye whose mobile phones were hacked by<br />
newspapers, leading in some instances to the publication of articles containing<br />
information obtained by this means. The newspapers admitted liability for breach of<br />
<br />
privacy but disputed the amount of damages. Their main argument of principle was<br />
that (in the absence of material damage) all that could be compensated for was<br />
distress caused by their unlawful activities: see [2016] FSR 12, para 108. The judge<br />
rejected that argument. He said, at para 111, that he did not see why “distress (or<br />
some similar emotion), which would admittedly be a likely consequence of an invasion<br />
<br />
of privacy, should be the only touchstone for damages”. In his view:<br />
<br />
<br />
“While the law is used to awarding damages for injured<br />
feelings, there is no reason in principle … why it should not<br />
also make an award to reflect infringements of the right<br />
<br />
itself, if the situation warrants it.”<br />
<br />
<br />
101. The judge referred to cases in which damages have been awarded to very young<br />
children (only ten months or one year old) for misuse of private information by<br />
publishing photographs of them even though, because of their age, they could not<br />
have suffered any distress: see AAA v Associated Newspapers Ltd [2012] EWHC 2103<br />
<br />
(QB); [2013] EMLR 2; and Weller v Associated Newspapers Ltd [2014] EWHC 1163 (QB);<br />
[2014] EMLR 24. He concluded, at para 144:<br />
<br />
<br />
“I shall therefore approach the consideration of quantum in<br />
this case on the footing that compensation can be given for<br />
<br />
things other than distress, and in particular can be given for<br />
the commission of the wrong itself so far as that commission<br />
impacts on the values protected by the right.”<br />
<br />
<br />
Later in the judgment, at para 168, the judge referred back to his finding that:<br />
<br />
<br />
<br />
<br />
“the damages should compensate not merely for distress …,<br />
but should also compensate (if appropriate) for the loss of<br />
privacy or autonomy as such arising out [of] the infringement<br />
by hacking (or other mechanism) as such.”<br />
<br />
<br />
102. The Court of Appeal affirmed this decision: [2015] EWCA Civ 1291; [2017] QB<br />
<br />
149. Arden LJ (with whom Rafferty and Kitchin LJJ agreed) held, at para 45, that:<br />
<br />
<br />
“the judge was correct to conclude that the power of the<br />
court to grant general damages was not limited to distress<br />
and could be exercised to compensate the claimants also for<br />
<br />
the misuse of their private information. The essential<br />
principle is that, by misusing their private information, MGN<br />
deprived the claimants of their right to control the use of<br />
private information.”<br />
<br />
<br />
Arden LJ justified this conclusion, at para 46, on the basis that:<br />
<br />
<br />
<br />
“Privacy is a fundamental right. The reasons for having the<br />
right are no doubt manifold. Lord Nicholls of Birkenhead put<br />
it very succinctly in Campbell v MGN Ltd [2004] 2 AC 457,<br />
para 12: ‘[Privacy] lies at the heart of liberty in a modern<br />
<br />
state. A proper degree of privacy is essential for the well-<br />
being and development of an individual.’”<br />
<br />
<br />
103. The Court of Appeal in Gulati rejected a submission, also rejected by the judge,<br />
that granting damages for the fact of intrusion into a person’s privacy independently of<br />
<br />
any distress caused is inconsistent with the holding of this court in R (WL (Congo)) v<br />
Secretary of State for the Home Department [2011] UKSC 12; [2012] 1 AC 245, paras<br />
97-100, that vindicatory damages are not available as a remedy for violation of a<br />
private right. As Arden LJ pointed out at para 48, no question arose of awarding<br />
vindicatory damages of the kind referred to in WL (Congo), which have been awarded<br />
<br />
in some constitutional cases appealed to the Privy Council “to reflect the sense of<br />
public outrage, emphasise the importance of the constitutional right and the gravity of<br />
the breach, and deter further breaches”: see WL (Congo), para 98; Attorney General of<br />
Trinidad and Tobago v Ramanoop [2005] UKPC 15; [2006] 1 AC 328, para 19. Rather,<br />
<br />
the purpose of the relevant part of the awards made in Gulati was “to compensate for<br />
the loss or diminution of a right to control formerly private information”.<br />
<br />
<br />
<br />
104. Mann J’s reference to “loss of privacy or autonomy” and the Court of Appeal’s<br />
explanation that the claimants could be compensated for misuse of their private<br />
information itself because they were deprived of “their right to control [its] use”<br />
convey the point that English common law now recognises as a fundamental aspect of<br />
personal autonomy a person’s freedom to choose and right to control whether and<br />
<br />
when others have access to his or her private affairs: see on this point the helpful<br />
discussion by NA Moreham, “Compensating for Loss of Dignity and Autonomy” in<br />
Varuhas J and Moreham N (eds), Remedies for Breach of Privacy (2018) ch 5.<br />
<br />
<br />
(6) How the present claim is framed<br />
<br />
<br />
<br />
105. On the basis of the decisions of the Court of Appeal in Vidal-Hall and Gulati,<br />
neither of which is challenged by either party on this appeal, it would be open to Mr<br />
Lloyd to claim, at least in his own right: (1) damages under section 13(1) of the DPA<br />
1998 for any distress suffered by reason of any contravention by Google of any of the<br />
requirements of the Act; and/or (2) damages for the misuse of private information<br />
<br />
without the need to show that it caused any material damage or distress.<br />
<br />
<br />
106. Neither of these claims, however, is made in this case. The reasons why no<br />
claim is made in tort for misuse of private information have not been explained; but<br />
the view may have been taken that, to establish a reasonable expectation of privacy, it<br />
<br />
would be necessary to adduce evidence of facts particular to each individual claimant.<br />
In Vidal-Hall, the claimants produced confidential schedules about their internet use,<br />
showing that the information tracked and collected by Google in their cases was, in the<br />
Court of Appeal’s words at [2016] QB 1003, para 137, “often of an extremely private<br />
nature”. As discussed earlier, the need to obtain evidence in relation to individual<br />
<br />
members of the represented class would be incompatible with the representative<br />
claim which Mr Lloyd is seeking to bring.<br />
<br />
<br />
107. Similarly, to recover damages for distress under section 13(1) of the DPA 1998<br />
would require evidence of such distress from each individual for whom such a claim<br />
<br />
was made. Again, this would be incompatible with claiming damages on a<br />
representative basis.<br />
<br />
<br />
108. Instead of making either of these potential claims, the claimant seeks to break<br />
new legal ground by arguing that the principles identified in Gulati as applicable to the<br />
<br />
assessment of damages for misuse of private information at common law also apply to<br />
the assessment of compensation under section 13(1) of the DPA 1998. The case<br />
advanced, which is also supported by the Information Commissioner, is that the word<br />
<br />
<br />
“damage” in section 13(1) not only extends beyond material damage to include<br />
distress, as decided in Vidal-Hall, but also includes “loss of control” over personal data.<br />
<br />
<br />
(7) “Loss of control” over personal data<br />
<br />
<br />
109. There is potential for confusion in the use of this description. “Loss of control” is<br />
not an expression used in the DPA 1998 and, as the third interveners (the Association<br />
<br />
of the British Pharmaceutical Industry and Association of British HealthTech Industries)<br />
pointed out in their helpful written submissions, none of the requirements of the Act is<br />
predicated on “control” over personal data by the data subject. Under the legislative<br />
scheme the relevant control is that of the data controller: the entity which<br />
<br />
“determines the purposes for which and the manner in which any personal data are, or<br />
are to be, processed.” The nearest analogue to control as regards the data subject is<br />
his or her “consent to the processing”, being the first condition in Schedule 2 (see para<br />
22 above). Such consent, however, is neither necessary nor sufficient to render the<br />
processing of personal data compliant with the Act.<br />
<br />
<br />
<br />
110. It was made clear in submissions, however, that, in describing the basis for the<br />
compensation claimed as “loss of control” of personal data, the claimant is not seeking<br />
to single out a particular category of breaches of the DPA 1998 by a data controller as<br />
breaches in respect of which the data subject is entitled to compensation without<br />
<br />
proof of material damage or distress. The claimant’s case, which was accepted by the<br />
Court of Appeal, is that an individual is entitled to recover compensation under section<br />
13 of the DPA 1998 without proof of material damage or distress whenever a data<br />
controller fails to comply with any of the requirements of the Act in relation to any<br />
personal data of which that individual is the subject, provided only that the<br />
<br />
contravention is not trivial or de minimis. Any such contravention, on the claimant’s<br />
case, ipso facto involves “loss of control” of data for which compensation is payable.<br />
Only where the individual claiming compensation is not the data subject is it necessary<br />
on the claimant’s case to show that the individual has suffered material damage or<br />
<br />
distress.<br />
<br />
<br />
(8) The common source argument<br />
<br />
<br />
111. The claimant’s core argument for this interpretation is that, as a matter of<br />
principle, the same approach to the damage for which compensation can be awarded<br />
<br />
should apply under the data protection legislation as where the claim is brought in tort<br />
for misuse of private information because the two claims, although not coterminous,<br />
have a common source. Both seek to protect the same fundamental right to privacy<br />
<br />
<br />
guaranteed by article 8 of the Convention. This objective is expressly referred to in<br />
recital (10) of the Data Protection Directive, which states:<br />
<br />
<br />
“Whereas the object of the national laws on the processing<br />
of personal data is to protect fundamental rights and<br />
freedoms, notably the right to privacy, which is recognized<br />
<br />
both in article 8 of the European Convention for the<br />
Protection of Human Rights and Fundamental Freedoms and<br />
in the general principles of [EU] law; whereas, for that<br />
reason, the approximation of those laws must not result in<br />
<br />
any lessening of the protection they afford but must, on the<br />
contrary, seek to ensure a high level of protection in the<br />
[EU];”<br />
<br />
<br />
The aim of protecting the right to privacy with regard to the processing of personal<br />
data is also articulated in recitals (2), (7), (8) and (11) of the Data Protection Directive,<br />
<br />
and is spelt out in article 1 which states:<br />
<br />
<br />
“Object of the Directive<br />
<br />
<br />
In accordance with this Directive, member states shall<br />
protect the fundamental rights and freedoms of natural<br />
<br />
persons, and in particular their right to privacy with respect<br />
to the processing of personal data.”<br />
<br />
<br />
Reliance is also placed on the recognition in article 8 of the EU Charter, quoted at para<br />
96 above, of the right to the protection of personal data as a fundamental right in EU<br />
<br />
law.<br />
<br />
<br />
112. The claimant argues that, given that the tort of misuse of private information<br />
and the data protection legislation are both rooted in the same fundamental right to<br />
privacy, it would be wrong in principle to adopt a different approach to the nature of<br />
the damage which can be compensated under the two regimes. The conclusion should<br />
<br />
therefore be drawn that, in each case, damages can be recovered for interference with<br />
the claimant’s right, without the need to prove that the interference resulted in any<br />
material damage or distress.<br />
<br />
<br />
113. I cannot accept this argument for two reasons. First, even if the suggested<br />
<br />
analogy between the privacy tort and the data protection regime were persuasive,<br />
section 13(1) of the DPA 1998 cannot, in my opinion, properly be interpreted as having<br />
the meaning for which the claimant contends. Second, the logic of the argument by<br />
analogy is in any event flawed.<br />
<br />
<br />
(a) The wording of the DPA 1998<br />
<br />
<br />
114. I do not accept a submission made by counsel for Google that the interpretation<br />
<br />
of section 13 of the DPA 1998 should be approached on the basis of a general rule that<br />
breaches of statutory duty are not actionable without proof of material damage. The<br />
question in Cullen v Chief Constable of the Royal Ulster Constabulary [2003] UKHL 39;<br />
[2003] 1 WLR 1763, relied on to support this submission, was whether a statute which<br />
<br />
did not expressly confer a right to compensation on a person affected by a breach of<br />
statutory duty nevertheless conferred such a right impliedly. That is not the question<br />
raised in this case, where there is an express entitlement to compensation provided by<br />
section 13 of the DPA 1998. The only question in this case is what the words of the<br />
relevant statutory provision mean.<br />
<br />
<br />
<br />
115. Those words, however, cannot reasonably be interpreted as giving an individual<br />
a right to compensation without proof of material damage or distress whenever a data<br />
controller commits a non-trivial breach of any requirement of the Act in relation to any<br />
personal data of which that individual is the subject. In the first place, as discussed<br />
<br />
above, the wording of section 13(1) draws a distinction between “damage” suffered by<br />
an individual and a “contravention” of a requirement of the Act by a data controller,<br />
and provides a right to compensation “for that damage” only if the “damage” occurs<br />
“by reason of” the contravention. This wording is inconsistent with an entitlement to<br />
compensation based solely on proof of the contravention. To say, as the claimant does<br />
<br />
in its written case, that what is “damaged” is the data subject’s right to have their data<br />
processed in accordance with the requirements of the Act does not meet this point, as<br />
it amounts to an acknowledgement that on the claimant’s case the damage and the<br />
contravention are one and the same.<br />
<br />
<br />
<br />
116. Nor is the claimant’s case assisted by section 14 of the DPA 1998, on which<br />
reliance is placed. Section 14(1) gives the court power, on the application of a data<br />
subject, to order a data controller to rectify, block, erase or destroy personal data if<br />
satisfied that the data are inaccurate. Section 14(4) states:<br />
<br />
<br />
<br />
“If a court is satisfied on the application of a data subject -<br />
<br />
<br />
<br />
<br />
(a) that he has suffered damage by reason of any<br />
contravention by a data controller of any of the<br />
requirements of this Act in respect of any personal<br />
data, in circumstances entitling him to compensation<br />
under section 13, and<br />
<br />
<br />
<br />
(b) that there is a substantial risk of further<br />
contravention in respect of those data in such<br />
circumstances,<br />
<br />
<br />
the court may order the rectification, blocking, erasure or<br />
<br />
destruction of any of those data.”<br />
<br />
<br />
117. Counsel for the claimant submitted that, if Google’s case on what is meant by<br />
“damage” is correct, a data subject who does not suffer material damage or distress as<br />
a result of a breach of duty by a data controller cannot claim rectification, blocking,<br />
erasure or destruction of data, unless those data are inaccurate, however egregious<br />
<br />
the breach. This is true, but I can see nothing unreasonable in such a result. Indeed,<br />
section 14 seems to me positively to confirm that “damage” means something distinct<br />
from a contravention of the Act itself. If a contravention by a data controller of the Act<br />
could by itself constitute “damage”, section 14(4)(a) would be otiose and there would<br />
<br />
be no material distinction in the remedies available in cases where the data are<br />
inaccurate and in cases where the data are accurate. The manifest intention behind<br />
section 14 is to limit the remedies of rectification, blocking, erasure or destruction of<br />
accurate data to cases where the contravention of the Act has caused the data subject<br />
some harm distinct from the contravention itself, whereas no such limitation is<br />
<br />
imposed where the contravention involves holding inaccurate personal data.<br />
<br />
<br />
118. The second reason why the claimant’s interpretation is impossible to reconcile<br />
with the language of section 13 is that, as the Court of Appeal recognised in Vidal-Hall,<br />
it is plain from the words enacted by Parliament the term “damage” was intended to<br />
<br />
be limited to material damage and not to extend to “distress”. The only basis on which<br />
the Court of Appeal in Vidal-Hall was able to interpret the term “damage” as<br />
encompassing distress was by disapplying section 13(2) as being incompatible with EU<br />
law. By the same token, if the term “damage” in section 13 is to be interpreted as<br />
<br />
having an even wider meaning and as encompassing an infringement of a data<br />
subject’s rights under the Act which causes no material damage nor even distress, that<br />
could only be because this result is required by EU law. On a purely domestic<br />
interpretation of the DPA 1998, such a reading is untenable.<br />
<br />
<br />
<br />
(b) The effect of EU law<br />
<br />
<br />
119. It is not suggested in the present case that section 13(1) should be disapplied:<br />
the claimant’s case is founded on it. No argument of the kind which succeeded in<br />
Vidal-Hall that words of the statute must be disapplied because they conflict with EU<br />
law is therefore available (or is advanced by the claimant). The question is whether the<br />
<br />
term “damage” in section 13(1) can and should be interpreted as having the meaning<br />
for which the claimant contends because such an interpretation is required in order to<br />
make the domestic legislation compatible with EU law. There are two aspects of this<br />
question: (i) what does the term “damage” mean in article 23 of the Data Protection<br />
<br />
Directive, which section 13 of the DPA 1998 was intended to implement; and (ii) if<br />
“damage” in article 23 includes contraventions of the national provisions adopted<br />
pursuant to the Directive which cause no material damage or distress, is it possible to<br />
interpret the term “damage” in section 13(1) of the DPA 1998 as having the same<br />
meaning?<br />
<br />
<br />
<br />
120. To take the second point first, it does not seem to me possible to interpret the<br />
term “damage” in section 13(1) of the DPA 1998 as having the meaning for which the<br />
claimant contends, even if such an interpretation were necessary to make the Act<br />
compatible with the Data Protection Directive. In Vidal-Hall the Court of Appeal held,<br />
<br />
rightly in my opinion, that section 13 of the DPA 1998 could not be construed as<br />
providing a general right to compensation for distress suffered by reason of a<br />
contravention of the Act “without contradicting the clearly expressed intention of<br />
Parliament on an issue that was central to the scheme” of the legislation (see para 95<br />
above). The same is equally, if not all the more, true of the contention that section 13<br />
<br />
of the DPA 1998 can be interpreted as providing a right to compensation for<br />
contraventions of the Act which have not caused any distress, let alone material<br />
damage. The distinction between “damage” suffered by an individual and a<br />
“contravention” of a requirement of the Act by a data controller which causes such<br />
<br />
damage is a fundamental feature of the remedial scheme provided by the Act which,<br />
as indicated above, permeates section 14 as well as section 13. If it were found that<br />
this feature makes the DPA 1998 incompatible with the Data Protection Directive, such<br />
incompatibility could, in my view, only be removed by amending the legislation. That<br />
<br />
could only be done by Parliament.<br />
<br />
<br />
121. No such incompatibility arises, however, as there is no reason to interpret the<br />
term “damage” in article 23 of the Data Protection Directive as extending beyond<br />
material damage and distress. The wording of article 23 draws exactly the same<br />
distinction as section 13(1) of the DPA 1998 between “damage” and an unlawful act of<br />
<br />
which the damage is “a result”. Again, this wording identifies the “damage” for which a<br />
person is entitled to receive compensation as distinct from the wrongful act which<br />
<br />
causes the damage. This is inconsistent with giving a right to compensation for the<br />
unlawful act itself on the basis that the act constitutes an interference with the<br />
claimant’s data protection rights. Nor has any authority been cited which suggests that<br />
the term “damage”, either generally in EU law or in the specific context of article 23 of<br />
the Data Protection Directive, is to be interpreted as including an infringement of a<br />
<br />
legal right which causes no material damage or distress.<br />
<br />
<br />
122. If there were evidence that at least some national laws on the processing of<br />
personal data which pre-dated the Data Protection Directive and are referred to in<br />
recital (10), quoted at para 111 above, provided a right to compensation for unlawful<br />
<br />
processing without proof of material damage or distress, that might arguably support<br />
an inference that the Directive was intended to ensure a similarly high level of<br />
protection across all member states. But it has not been asserted that any national<br />
laws did so. The Data Protection Act 1984, which was the applicable UK legislation<br />
when the Data Protection Directive was adopted, in sections 22 and 23 gave the data<br />
<br />
subject an entitlement to compensation in certain circumstances for damage or<br />
distress suffered by reason of the inaccuracy of data or the loss or unauthorised<br />
destruction or disclosure of data or unauthorised obtaining of access to data. By clear<br />
implication, UK national law gave no right to compensation for unlawful processing of<br />
<br />
personal data which did not result in material damage or distress. There is no evidence<br />
that the national law of any other member state at that time did so either.<br />
<br />
<br />
123. EU law therefore does not provide a basis for giving a wider meaning to the<br />
term “damage” in section 13 of the DPA 1998 than was given to that term by the Court<br />
of Appeal in Vidal-Hall.<br />
<br />
<br />
<br />
(c) Flaws in the common source argument<br />
<br />
<br />
124. I also reject the claimant’s argument that the decision in Gulati affords any<br />
assistance to its case on this issue. Leaving aside the fact that Gulati was decided many<br />
years after the Data Protection Directive was adopted, there is no reason on the face<br />
<br />
of it why the basis on which damages are awarded for an English domestic tort should<br />
be regarded as relevant to the proper interpretation of the term “damage” in a<br />
statutory provision intended to implement a European directive. The claimant relies on<br />
the fact that both derive from the right to respect for private life protected by article 8<br />
<br />
of the Convention (and incorporated in article 7 of the EU Charter when it was created<br />
in 2007). It does not follow, however, from the fact that two different legal regimes<br />
aim, at a general level, to provide protection for the same fundamental value that they<br />
must do so in the same way or to the same extent or by affording identical remedies.<br />
There are significant differences between the nature and scope of the common law<br />
<br />
privacy tort and the data protection legislation, to which I will draw attention in a<br />
moment. But the first point to note is that the decision in Gulati that damages can be<br />
awarded for misuse of private information itself was not compelled by article 8 of the<br />
Convention; nor did article 8 require the adoption of the particular legal framework<br />
governing the protection of personal data contained in the Data Protection Directive<br />
and the DPA 1998.<br />
<br />
<br />
<br />
125. The Convention imposes obligations on the states which are parties to it, but<br />
not on private individuals and bodies. In some cases the obligations on state parties<br />
extend beyond negative obligations not to act in ways which violate the Convention<br />
rights and include certain positive obligations on the state to ensure effective<br />
<br />
protection of those rights. That is so as regards the right to respect for private life<br />
guaranteed by article 8. The European Court of Human Rights has held that in certain<br />
circumstances the state’s positive obligations under article 8 are not adequately<br />
fulfilled unless the state secures respect for private life in the relations between<br />
individuals by setting up a legislative framework taking into consideration the various<br />
<br />
interests to be protected in a particular context. However, the court has emphasised<br />
that there are different ways of ensuring respect for private life and that “the choice of<br />
the means calculated to secure compliance with article 8 of the Convention in the<br />
sphere of the relations of individuals between themselves is in principle a matter that<br />
<br />
falls within the contracting states’ margin of appreciation”: see the judgment of the<br />
Grand Chamber in Bărbulescu v Romania [2017] ECHR 754; [2017] IRLR 1032, para 113.<br />
<br />
<br />
126. While the House of Lords in Campbell drew inspiration from article 8, it did not<br />
suggest that the Convention or the Human Rights Act 1998 required the recognition of<br />
a civil claim for damages for misuse of private information in English domestic law, let<br />
<br />
alone that damages should be recoverable in such claim where no material damage or<br />
distress has been caused. In Gulati the Court of Appeal rejected an argument that the<br />
approach to awarding damages for misuse of private information ought to follow the<br />
approach of the European Court of Human Rights in making awards of just satisfaction<br />
<br />
under article 41 of the Convention. As Arden LJ observed, at para 89, in awarding<br />
damages for misuse of private information, the court is not proceeding under section 8<br />
of the Human Rights Act 1998 or article 41 of the Convention, and the conditions of<br />
the tort are governed by English domestic law and not the Convention.<br />
<br />
<br />
<br />
127. For those reasons, I do not regard as relevant the decision of the European<br />
Court of Human Rights in Halford v United Kingdom (1997) 24 EHRR 523, relied on by<br />
counsel for the claimant. In Halford a senior police officer whose telephone calls had<br />
been intercepted by her employer in violation of article 8 was awarded £10,000 as just<br />
satisfaction. As Lord Sales pointed out in argument, on one reading of the judgment,<br />
<br />
which is far from clear, although it could not be shown that the interception of the<br />
applicant’s phone calls, as opposed to other conflicts with her employer, had caused<br />
<br />
stress for which she had required medical treatment, it was reasonably assumed that<br />
this invasion of privacy had caused her mental harm. Even if the award of just<br />
satisfaction is understood to have been for the invasion of the right to privacy itself<br />
rather than for any distress felt by the applicant, however, it does not follow that, in an<br />
action between private parties under national law for a similar invasion of privacy, the<br />
<br />
Convention requires the court to be able to award damages simply for the loss of<br />
privacy itself.<br />
<br />
<br />
128. Whilst it may be said that pursuant to the general principles of EU law<br />
embodied in articles 7 and 8 of the EU Charter the EU had a positive obligation to<br />
<br />
establish a legislative framework providing for protection of personal data, there was<br />
clearly a wide margin of choice as to the particular regime adopted; and the same<br />
applies to the positive obligation imposed directly on the UK by the Convention. It<br />
could not seriously be argued that the content of those positive obligations included a<br />
requirement to establish a right to receive compensation for any (non-trivial) breach of<br />
<br />
any requirement (in relation to any personal data of which the claimant is the subject)<br />
of whatever legislation the EU and UK chose to enact in this area without the need to<br />
prove that the claimant suffered any material damage or distress as a result of the<br />
breach.<br />
<br />
<br />
<br />
129. Accordingly, the fact that the common law privacy tort and the data protection<br />
legislation have a common source in article 8 of the Convention does not justify<br />
reading across the principles governing the award of damages from one regime to the<br />
other.<br />
<br />
<br />
(d) Material differences between the regimes<br />
<br />
<br />
<br />
130. There are further reasons why no such analogy can properly be drawn<br />
stemming from the differences between the two regimes. It is plain that the detailed<br />
scheme for regulating the processing of personal data established by the Data<br />
Protection Directive extended beyond the scope of article 8 and much more widely<br />
<br />
than the English domestic tort of misusing private information. An important<br />
difference is that the Directive (and the UK national legislation implementing it)<br />
applied to all “personal data” with no requirement that the data are of a confidential<br />
or private nature or that there is a reasonable expectation of privacy protection. By<br />
<br />
contrast, information is protected against misuse by the domestic tort only where<br />
there is a reasonable expectation of privacy. The reasonable expectation of privacy of<br />
the communications illicitly intercepted by the defendants in the phone hacking<br />
litigation was an essential element of the decision in Gulati that the claimants were<br />
entitled to compensation for the commission of the wrong itself. It cannot properly be<br />
inferred that the same entitlement should arise where a reasonable expectation of<br />
privacy is not a necessary element of the claim.<br />
<br />
<br />
131. This point goes to the heart of the approach adopted by the claimant in the<br />
present case. Stripped to its essentials, what the claimant is seeking to do is to claim<br />
for each member of the represented class a form of damages the rationale for which<br />
<br />
depends on there being a violation of privacy, while avoiding the need to show a<br />
violation of privacy in the case of any individual member of the class. This is a flawed<br />
endeavour.<br />
<br />
<br />
132. Another significant difference between the privacy tort and the data protection<br />
<br />
legislation is that a claimant is entitled to compensation for a contravention of the<br />
legislation only where the data controller has failed to exercise reasonable care. Some<br />
contraventions are inherently fault based. For example, the seventh data protection<br />
principle with which a data controller has a duty to comply pursuant to section 4(4) of<br />
the DPA 1998 (and article 17 of the Data Protection Directive) states:<br />
<br />
<br />
<br />
“Appropriate technical and organisational measures shall be<br />
taken against unauthorised or unlawful processing of<br />
personal data and against accidental loss or destruction of, or<br />
damage to, personal data.”<br />
<br />
<br />
<br />
A complaint that a data controller has failed to take such “appropriate technical and<br />
organisational measures” is similar to an allegation of negligence in that it is<br />
predicated on failure to meet an objective standard of care rather than on any<br />
intentional conduct. Even where a contravention of the legislation does not itself<br />
require fault, pursuant to section 13(3), quoted at para 90 above, there is no<br />
<br />
entitlement to compensation if the data controller proves that it took “such care as in<br />
all the circumstances was reasonably required to comply with the requirement<br />
concerned”.<br />
<br />
<br />
133. The privacy tort, like other torts for which damages may be awarded without<br />
<br />
proof of material damage or distress, is a tort involving strict liability for deliberate<br />
acts, not a tort based on a want of care. No inference can be drawn from the fact that<br />
compensation can be awarded for commission of the wrong itself where private<br />
information is misused that the same should be true where the wrong may consist only<br />
<br />
in a failure to take appropriate protective measures and where the right to<br />
compensation is expressly excluded if the defendant took reasonable care.<br />
<br />
<br />
<br />
134. Indeed, this feature of the data protection legislation seems to me to be a yet<br />
further reason to conclude that the “damage” for which an individual is entitled to<br />
compensation for a breach of any of its requirements does not include the commission<br />
of the wrong itself. It would be anomalous if failure to take reasonable care to protect<br />
personal data gave rise to a right to compensation without proof that the claimant<br />
<br />
suffered any material damage or distress when failure to take care to prevent personal<br />
injury or damage to tangible moveable property does not.<br />
<br />
<br />
135. Accordingly, I do not accept that the decision in Gulati is applicable by analogy<br />
to the DPA 1998. To the contrary, there are significant differences between the privacy<br />
<br />
tort and the data protection legislation which make such an analogy positively<br />
inappropriate.<br />
<br />
<br />
(e) Equivalence and effectiveness<br />
<br />
<br />
136. I add for completeness that the EU law principles of equivalence and<br />
effectiveness, on which the Court of Appeal placed some reliance, do not assist the<br />
<br />
claimant’s case. The principle of equivalence requires that procedural rules governing<br />
claims for breaches of EU law rights must not be less favourable than procedural rules<br />
governing equivalent domestic actions. As explained by Lord Briggs, giving the<br />
judgment of this court, in Totel Ltd v Revenue and Customs Comrs [2018] UKSC 44;<br />
<br />
[2018] 1 WLR 4053, para 7, the principle is “essentially comparative”. Thus:<br />
<br />
<br />
“The identification of one or more similar procedures for the<br />
enforcement of claims arising in domestic law is an essential<br />
prerequisite for its operation. If there is no true comparator,<br />
then the principle of equivalence can have no operation at<br />
<br />
all. The identification of one or more true comparators is<br />
therefore the essential first step in any examination of an<br />
assertion that the principle of equivalence has been<br />
infringed.” [citation omitted]<br />
<br />
<br />
<br />
For the reasons given, even if the measure of damages is regarded as a procedural<br />
rule, a claim for damages for misuse of private information at common law is not a<br />
true comparator of a claim under section 13 of the DPA 1998. The principle of<br />
equivalence can therefore have no operation.<br />
<br />
<br />
<br />
137. The principle of effectiveness invalidates a national procedure if it renders the<br />
enforcement of a right conferred by EU law either virtually impossible or excessively<br />
difficult: see again Totel Ltd at para 7. However, the absence of a right to<br />
compensation for a breach of data protection rights which causes no material damage<br />
or distress, even if regarded as a procedural limitation, does not render the<br />
enforcement of such rights virtually impossible or excessively difficult. The right to an<br />
effective remedy does not require awards of compensation for every (non-trivial)<br />
<br />
breach of statutory requirements even if no material damage or distress has been<br />
suffered.<br />
<br />
<br />
(f) Conclusion on the effect of section 13<br />
<br />
<br />
138. For all these reasons, I conclude that section 13 of the DPA 1998 cannot<br />
<br />
reasonably be interpreted as conferring on a data subject a right to compensation for<br />
any (non-trivial) contravention by a data controller of any of the requirements of the<br />
Act without the need to prove that the contravention has caused material damage or<br />
distress to the individual concerned.<br />
<br />
<br />
(9) The claim for user damages<br />
<br />
<br />
<br />
139. “User damages” is the name commonly given to a type of damages readily<br />
awarded in tort where use has wrongfully been made of someone else’s land or<br />
tangible moveable property although there has been no financial loss or physical<br />
damage to the property. The damages are assessed by estimating what a reasonable<br />
<br />
person would have paid for the right of user. Damages are also available on a similar<br />
basis for patent infringement and other breaches of intellectual property rights.<br />
Following the seminal decision of this court in OneStep (Support) Ltd v Morris-Garner<br />
[2018] UKSC 20; [2019] AC 649, it is now clear that user damages are compensatory in<br />
nature, their purpose being to compensate the claimant for interference with a right to<br />
<br />
control the use of property where the right is a commercially valuable asset. As Lord<br />
Reed explained in Morris-Garner, at para 95(1):<br />
<br />
<br />
“The rationale of such awards is that the person who makes<br />
wrongful use of property, where its use is commercially<br />
<br />
valuable, prevents the owner from exercising a valuable right<br />
to control its use, and should therefore compensate him for<br />
the loss of the value of the exercise of that right. He takes<br />
something for nothing, for which the owner was entitled to<br />
<br />
require payment.”<br />
<br />
<br />
<br />
<br />
140. Lord Reed, at paras 27 and 29, cited authorities which make it clear that the<br />
entitlement to user damages does not depend on whether the owner would in fact<br />
have exercised the right to control the use of the property, had it not been interfered<br />
with. The “loss” for which the claimant is entitled to compensation is not loss of this<br />
“conventional kind” (para 30); rather, it lies in the wrongful use of the claimant’s<br />
<br />
property itself, for which the economic value of the use provides an appropriate<br />
measure. This value can be assessed by postulating a hypothetical negotiation and<br />
estimating what fee would reasonably have been agreed for releasing the defendant<br />
from the duty which it breached. It is this method of assessment on which the claimant<br />
<br />
relies in the alternative formulation of the present claim.<br />
<br />
<br />
141. A claim in tort for misuse of private information based on the factual allegations<br />
made in this case, such as was made in Vidal-Hall, would naturally lend itself to an<br />
award of user damages. The decision in Gulati shows that damages may be awarded<br />
for the misuse of private information itself on the basis that, apart from any material<br />
<br />
damage or distress that it may cause, it prevents the claimant from exercising his or<br />
her right to control the use of the information. Nor can it be doubted that information<br />
about a person’s internet browsing history is a commercially valuable asset. What was<br />
described by the Chancellor in the Court of Appeal [2020] QB 747, para 46, as “the<br />
<br />
underlying reality of this case” is that Google was allegedly able to make a lot of money<br />
by tracking the browsing history of iPhone users without their consent and selling the<br />
information collected to advertisers.<br />
<br />
<br />
142. The view has sometimes been expressed that asserting privacy in information is<br />
inconsistent, or at least in tension, with treating such information as a commercial<br />
<br />
asset: see eg Douglas v Hello! Ltd (No 3) [2005] EWCA Civ 595; [2006] QB 125, para<br />
246; and on appeal sub nom OBG Ltd v Allan [2007] UKHL 21; [2008] AC 1, para 275<br />
(Lord Walker of Gestingthorpe). But once the basis of the right to privacy is understood<br />
to be the protection of a person’s freedom to choose and right to control whether and<br />
<br />
when others have access to his or her private affairs, I think that any tension largely<br />
disappears. It is common experience that some people are happy to exploit for<br />
commercial gain facets of their private lives which others would feel mortified at<br />
having exposed to public view. Save in the most extreme cases, this should be seen as<br />
<br />
a matter of personal choice on which it is not for the courts to pass judgments.<br />
Moreover, where the defendant’s very purpose in wrongfully obtaining and using<br />
private information is to exploit its commercial value, the law should not be prissy<br />
about awarding compensation based on the commercial value of the exercise of the<br />
right. As was confirmed in Morris-Garner, the fact that the claimant would not have<br />
<br />
chosen to exercise the right himself is no answer to a claim for user damages. It is<br />
enough that, as Lord Reed put it at paras 30 and 95(1) of his majority judgment, the<br />
defendant has taken something for nothing, for which the owner of the right was<br />
entitled to require payment.<br />
<br />
143. The point does not arise in the present case, however, because the claimant is<br />
not claiming damages for misuse of private information. As discussed, the only claim<br />
advanced is under the DPA 1998. Here it follows from the conclusion reached above<br />
about the meaning of section 13 that user damages are not available. This is because,<br />
for the reasons given, compensation can only be awarded under section 13 of the DPA<br />
<br />
1998 for material damage or distress caused by an infringement of a claimant’s right to<br />
have his or her personal data processed in accordance with the requirements of the<br />
Act, and not for the infringement itself. Although his reasoning was in part based on an<br />
understanding of user damages overtaken by this court’s decision in Morris-Garner, it<br />
<br />
follows that Patten J was right to hold in Murray v Express Newspapers Plc [2007]<br />
EWHC 1908 (Ch); [2007] EMLR 22, at para 92, that the principles on which user<br />
damages are awarded do not apply to a claim for compensation under the DPA 1998.<br />
<br />
<br />
F. THE NEED FOR INDIVIDUALISED EVIDENCE OF MISUSE<br />
<br />
<br />
144. There is a further reason why the claimant’s attempt to recover damages under<br />
<br />
section 13 of the DPA 1998 by means of a representative claim cannot succeed. Even if<br />
(contrary to my conclusion) it were unnecessary in order to recover compensation<br />
under this provision to show that an individual has suffered material damage or<br />
distress as a result of unlawful processing of his or her personal data, it would still be<br />
<br />
necessary for this purpose to establish the extent of the unlawful processing in his or<br />
her individual case. In deciding what amount of damages, if any, should be awarded,<br />
relevant factors would include: over what period of time did Google track the<br />
individual’s internet browsing history? What quantity of data was unlawfully<br />
processed? Was any of the information unlawfully processed of a sensitive or private<br />
<br />
nature? What use did Google make of the information and what commercial benefit, if<br />
any, did Google obtain from such use?<br />
<br />
<br />
(1) The claim for the “lowest common denominator”<br />
<br />
<br />
145. The claimant does not dispute that the amount of any compensation awarded<br />
<br />
must in principle depend on such matters. But he contends that it is possible to<br />
identify an “irreducible minimum harm” suffered by every member of the class whom<br />
he represents for which a “uniform sum” of damages can be awarded. This sum is<br />
claimed on the basis that it represents what the Chancellor in the Court of Appeal<br />
<br />
described as the “lowest common denominator” of all the individual claims: see [2020]<br />
QB 747, para 75.<br />
<br />
<br />
146. Google objects that Mr Lloyd, as the self-appointed representative of the class,<br />
has no authority from any individual class member to waive or abandon what may be<br />
the major part of their damages claim by disavowing reliance on any circumstances<br />
affecting that individual. Mr Lloyd’s answer, which the Court of Appeal accepted, is a<br />
pragmatic one. He points out that the limitation period for bringing any proceedings<br />
has now expired. For any represented individual there is therefore no longer any<br />
realistic possibility of recovering any compensation at all other than through the<br />
<br />
present action. Furthermore, to make this action viable, it is necessary to confine the<br />
amount of damages claimed for each class member to a uniform sum; and a uniform<br />
sum of damages, even if considerably smaller than an individualised award would be, is<br />
better than nothing.<br />
<br />
<br />
<br />
147. I do not think it necessary to enter into the merits of this issue. I am prepared to<br />
assume, without deciding, that as a matter of discretion the court could - if satisfied<br />
that the persons represented would not be prejudiced and with suitable arrangements<br />
in place enabling them to opt out of the proceedings if they chose - allow a<br />
representative claim to be pursued for only a part of the compensation that could<br />
<br />
potentially be claimed by any given individual. The fundamental problem is that, if no<br />
individual circumstances are taken into account, the facts alleged are insufficient to<br />
establish that any individual member of the represented class is entitled to damages.<br />
That is so even if it is unnecessary to prove that the alleged breaches caused any<br />
<br />
material damage or distress to the individual.<br />
<br />
<br />
(2) The facts common to each individual case<br />
<br />
<br />
148. The facts alleged against Google generically cannot establish that any given<br />
individual is entitled to compensation. To establish any such individual entitlement it<br />
must be shown, at least, that there was unlawful processing by Google of personal<br />
<br />
data of which that particular individual was the subject. In considering whether the<br />
facts alleged, if proved, are capable of establishing an entitlement to damages, it is<br />
therefore necessary to identify what unlawful processing by Google of personal data is<br />
alleged to have occurred in Mr Lloyd’s own case and also in the case of each other<br />
<br />
member of the represented class. What facts is the claimant proposing to prove to<br />
show that Google acted unlawfully in each individual case?<br />
<br />
<br />
149. The answer, on analysis, is: only those facts which are necessary to show that<br />
the individual falls within the definition of the “claimant class”. The premise of the<br />
<br />
claim is that Mr Lloyd and each person whom he represents is entitled to damages<br />
simply on proof that they are members of the class and without the need to prove any<br />
further facts to show that Google wrongfully collected and used their personal data.<br />
Any such further facts would inevitably vary from one individual member of the class<br />
to another and would require individual proof.<br />
<br />
<br />
150. To fall within the definition of the class, it must be shown, in substance, that the<br />
individual concerned had an iPhone of the appropriate model running a relevant<br />
version of the Apple Safari internet browser which, at any date during the relevant<br />
period whilst present in England and Wales, he or she used to access a website that<br />
was participating in Google’s DoubleClick advertising service. There are exclusions<br />
<br />
from the class definition for anyone who changed the default settings in the Safari<br />
browser, opted out of tracking and collation via Google’s “Ads Preference Manager” or<br />
obtained a DoubleClick Ad cookie via a “first party request” rather than as a “third<br />
party cookie”. The aim of the definition is to identify all those people who had a<br />
<br />
DoubleClick Ad cookie placed on their device unlawfully, through the Safari<br />
workaround, but not to include within the class anyone who did not receive a<br />
DoubleClick Ad cookie during the relevant period or who received the cookie by lawful<br />
means.<br />
<br />
<br />
151. It is sufficient to bring an individual within the class definition that he or she<br />
<br />
used the Safari browser to access a website participating in Google’s DoubleClick<br />
advertising service on a single occasion. The theory is that on that occasion the<br />
DoubleClick Ad cookie will have been placed on the user’s device unlawfully as a third<br />
party cookie. To qualify for membership of the class, it is not necessary to show that<br />
<br />
the individual ever visited a website participating in Google’s DoubleClick advertising<br />
service again during the relevant period. Nor is it alleged that any individual or<br />
individuals did visit such a website on more than one occasion. The “lowest common<br />
denominator” on which the claim is based is therefore someone whose internet usage<br />
- apart from one visit to a single website - was not illicitly tracked and collated and who<br />
<br />
received no targeted advertisements as a result of receiving a DoubleClick Ad cookie.<br />
This is because the claimant has deliberately chosen, in order to advance a claim in a<br />
representative capacity for damages assessed from the bottom up, not to rely on any<br />
facts about the internet activity of any individual iPhone user beyond those which<br />
<br />
bring them within the class of represented persons.<br />
<br />
<br />
152. For reasons given earlier, I am leaving aside the difficulties of proving<br />
membership of the class, significant as they would appear to be, and am assuming that<br />
such difficulties are not an impediment to the claim. But the question that must be<br />
<br />
asked is whether membership of the represented class is sufficient by itself to entitle<br />
an individual to compensation, without proof of any further facts particular to that<br />
individual.<br />
<br />
<br />
153. On the claimant’s own case there is a threshold of seriousness which must be<br />
crossed before a breach of the DPA 1998 will give rise to an entitlement to<br />
<br />
compensation under section 13. I cannot see that the facts which the claimant aims to<br />
prove in each individual case are sufficient to surmount this threshold. If (contrary to<br />
the conclusion I have reached) those facts disclose “damage” within the meaning of<br />
section 13 at all, I think it impossible to characterise such damage as more than trivial.<br />
What gives the appearance of substance to the claim is the allegation that Google<br />
secretly tracked the internet activity of millions of Apple iPhone users for several<br />
months and used the data obtained for commercial purposes. But on analysis the<br />
<br />
claimant is seeking to recover damages without attempting to prove that this<br />
allegation is true in the case of any individual for whom damages are claimed. Without<br />
proof of some unlawful processing of an individual’s personal data beyond the bare<br />
minimum required to bring them within the definition of the represented class, a claim<br />
<br />
on behalf of that individual has no prospect of meeting the threshold for an award of<br />
damages.<br />
<br />
<br />
(3) User damages on a lowest common denominator basis<br />
<br />
<br />
154. The claimant’s case is not improved by formulating the claim as one for user<br />
damages quantified by estimating what fee each member of the represented class<br />
<br />
could reasonably have charged - or which would reasonably have been agreed in a<br />
hypothetical negotiation - for releasing Google from the duties which it breached. I<br />
have already indicated why, in my opinion, user damages cannot be recovered for<br />
breaches of the DPA 1998. But even if (contrary to that conclusion) user damages<br />
<br />
could in principle be recovered, the inability or unwillingness to prove what, if any,<br />
wrongful use was made by Google of the personal data of any individual again means<br />
that any damages awarded would be nil.<br />
<br />
<br />
155. The claimant asserts, and I am content to assume, that if, instead of bypassing<br />
privacy settings through the Safari workaround, Google had offered to pay a fee to<br />
<br />
each affected Apple iPhone user for the right to place its DoubleClick Ad cookie on<br />
their device, the fee would have been a standard one, agreed in advance, rather than a<br />
fee which varied according to the quantity or commercial value to Google of the<br />
information which was subsequently collected as a result of the user’s acceptance of<br />
<br />
the cookie. However, imagining the negotiation of a fee in advance in this way is not<br />
the correct premise for the valuation.<br />
<br />
<br />
156. As explained in Morris-Garner, the object of an award of user damages is to<br />
compensate the claimant for use wrongfully made by the defendant of a valuable asset<br />
<br />
protected by the right infringed. The starting point for the valuation exercise is thus to<br />
identify what the extent of such wrongful use actually was: only then can an estimate<br />
be made of what sum of money could reasonably have been charged for that use or,<br />
put another way, for releasing the wrongdoer from the duties which it breached in the<br />
wrongful use that it made of the asset. Imagining a hypothetical negotiation, as Lord<br />
<br />
Reed explained at para 91 of Morris-Garner, is merely “a tool” for arriving at this<br />
estimated sum. As in any case where compensation is awarded, the aim is to place the<br />
claimant as nearly as possible in the same position as if the wrongdoing had not<br />
occurred. Accordingly, as Patten LJ put it in Eaton Mansions (Westminster) Ltd v Stinger<br />
Compania de Inversion SA [2013] EWCA Civ 1308; [2014] 1 P & CR 5, para 21:<br />
<br />
<br />
“The valuation construct is that the parties must be treated<br />
<br />
as having negotiated for a licence which covered the acts of<br />
trespass that actually occurred. The defendant is not required<br />
to pay damages for anything else.”<br />
<br />
<br />
See also Enfield London Borough Council v Outdoor Plus Ltd [2012] EWCA Civ 608, para<br />
<br />
47; and Marathon Asset Management LLP v Seddon [2017] EWHC 300 (Comm); [2017]<br />
ICR 791, paras 254-262.<br />
<br />
<br />
157. Applying that approach, the starting point would therefore need to be to<br />
establish what unlawful processing by Google of the claimant’s personal data actually<br />
occurred. Only when the wrongful use actually made by Google of such data is known<br />
<br />
is it possible to estimate its commercial value. As discussed, in order to avoid individual<br />
assessment, the only wrongful act which the claimant proposes to prove in the case of<br />
each represented person is that the DoubleClick Ad cookie was unlawfully placed on<br />
their device: no evidence is - or could without individual assessment - be adduced to<br />
<br />
show that, by means of this third party cookie, Google collected or used any personal<br />
data relating to that individual. The relevant valuation construct is therefore to ask<br />
what fee would hypothetically have been negotiated for a licence to place the<br />
DoubleClick Ad cookie on an individual user’s phone as a third party cookie, but<br />
without releasing Google from its obligations not to collect or use any information<br />
<br />
about that person’s internet browsing history. It is plain that such a licence would be<br />
valueless and that the fee which could reasonably be charged or negotiated for it<br />
would accordingly be nil.<br />
<br />
<br />
G. CONCLUSION<br />
<br />
<br />
<br />
158. The judge took the view that, even if the legal foundation for the claim made in<br />
this action were sound, he should exercise the discretion conferred by CPR rule 19.6(2)<br />
by refusing to allow the claim to be continued as a representative action. He<br />
characterised the claim as “officious litigation, embarked upon on behalf of individuals<br />
<br />
who have not authorised it” and in which the main beneficiaries of any award of<br />
damages would be the funders and the lawyers. He thought that the representative<br />
claimant “should not be permitted to consume substantial resources in the pursuit of<br />
litigation on behalf of others who have little to gain from it, and have not authorised<br />
the pursuit of the claim, nor indicated any concern about the matters to be litigated”:<br />
[2019] 1 WLR 1265, paras 102-104. The Court of Appeal formed a very different view<br />
of the merits of the representative claim. They regarded the fact that the members of<br />
the represented class had not authorised the claim as an irrelevant factor, which the<br />
judge had wrongly taken into account, and considered that it was open to them to<br />
<br />
exercise the discretion afresh. They saw this litigation as the only way of obtaining a<br />
civil compensatory remedy for what, if proved, was a “wholesale and deliberate<br />
misuse of personal data without consent, undertaken with a view to commercial<br />
profit”: see [2020] QB 747, para 86. In these circumstances the Court of Appeal took<br />
<br />
the view that, as a matter of discretion, the claim should be allowed to proceed.<br />
<br />
<br />
159. It is unnecessary to decide whether the Court of Appeal was entitled to<br />
interfere with the judge’s discretionary ruling or whether it would be desirable for a<br />
commercially funded class action to be available on the facts alleged in this case. This is<br />
because, regardless of what view of it is taken, the claim has no real prospect of<br />
<br />
success. That in turn is because, in the way the claim has been framed in order to try to<br />
bring it as a representative action, the claimant seeks damages under section 13 of the<br />
DPA 1998 for each individual member of the represented class without attempting to<br />
show that any wrongful use was made by Google of personal data relating to that<br />
<br />
individual or that the individual suffered any material damage or distress as a result of<br />
a breach of the requirements of the Act by Google. For the reasons explained in this<br />
judgment, without proof of these matters, a claim for damages cannot succeed.<br />
<br />
<br />
160. I would therefore allow the appeal and restore the order made by the judge<br />
refusing the claimant’s application for permission to serve the proceedings on Google<br />
<br />
outside the jurisdiction of the courts of England and Wales.<br />
<br />
</pre></div>Mariam-hwthhttps://gdprhub.eu/index.php?title=UKSC_-_Richard_Lloyd_v_Google_LLC_(2021)_UKSC_50&diff=21383UKSC - Richard Lloyd v Google LLC (2021) UKSC 502021-11-23T18:36:20Z<p>Mariam-hwth: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=UKSC<br />
|Court_With_Country=UKSC (United Kingdom)<br />
<br />
|Case_Number_Name=Richard Lloyd v Google LLC (2021) UKSC 50<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=The Supreme Court of the United Kingdom<br />
|Original_Source_Link_1=https://www.supremecourt.uk/cases/docs/uksc-2019-0213-judgment.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Date_Decided=10.11.2021<br />
|Date_Published=10.11.2021<br />
|Year=2021<br />
<br />
<br />
|EU_Law_Name_1=Article 23 of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data<br />
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:31995L0046<br />
<br />
|National_Law_Name_1=Rule 19.6 of the Civil Procedure Rules<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=Section 13 of the Data Protection Act 1998<br />
|National_Law_Link_2=https://www.legislation.gov.uk/ukpga/1998/29/contents<br />
|National_Law_Name_3=Section 14 of the Data Protection Act 1998<br />
|National_Law_Link_3=https://www.legislation.gov.uk/ukpga/1998/29/contents<br />
|National_Law_Name_4=Section 4(4) of the Data Protection Act 1998<br />
|National_Law_Link_4=https://www.legislation.gov.uk/ukpga/1998/29/contents<br />
|National_Law_Name_5=Rule 19.11 of the Civil Procedure Rules<br />
|National_Law_Link_5=<br />
<br />
|Party_Name_1=Richard Lloyd<br />
|Party_Link_1=<br />
|Party_Name_2=Google LLC<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=England and Wales Court of Appeal (Civil Division)<br />
|Appeal_From_Case_Number_Name=Lloyd v Google LLC (2019) EWCA Civ 1599<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=https://www.bailii.org/ew/cases/EWCA/Civ/2019/1599.html<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=MH<br />
|<br />
}}<br />
<br />
The UK Supreme Court held that to claim compensation for an infringement of the Data Protection Act 1998, it was necessary to demonstrate material damage or distress suffered by each individual. A representative action was therefore not suitable. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Google secretly tracked Apple iPhone users between late 2011 and early 2012 and used the data collected in that way for commercial purposes. Google bypassed privacy settings on Apple iPhones and the default blocking of third party cookies on Safari with its “DoubleClick Ad” cookie by relying on an exception devised by Apple. Google placed this cookie without the user’s knowledge or consent. This cookie was enabled if users visited a website that included DoubleClick Ad content (advertising content). The cookie identified visits by a specific device to websites using this advertising content, including the date and time of the visit; the time spent by the user on the website; which advertisements were viewed and for how long; and, using the IP address, the user’s geographical location. <br />
<br />
As a result, Google could infer the user’s internet surfing habits and location, as well as interests, race or ethnicity, social class, political or religious beliefs, health, sexual interests, age, gender and financial situation. Google then used this aggregated information to group users under labels (eg “football lovers”) and eventually offered these group labels to advertising organisations looking to target specific groups when using Google’s DoubleClick service. <br />
<br />
The same allegation was brought in the US, where Google paid $22.5 million to settle a charge brought by the US Federal Trade Commission and $17 million to settle consumer-based actions. <br />
<br />
Three individuals in the UK sued Google in 2013 for the same allegation and their claim was settled by Google (Vidal-Hall v Google Inc). <br />
<br />
Lloyd filed a claim before the UK courts on behalf of everyone who resided in England and Wales and owned an Apple iPhone at the time of the secret tracking. Lloyd filed this class action with the intention of recovering damages for more than 4 million people affected. He claimed that compensation (£750 suggested) should be awarded under the Data Protection Act 1998 for loss of control of personal data without having to demonstrate that the claimant suffered financial loss or mental distress as a result of the infringement.<br />
<br />
=== Holding ===<br />
<br />
==== Legal framework: ====<br />
Section 4(4) of the Data Protection Act 1998 (DPA 1998) imposes a duty on data controllers to comply with data protection principles. These are laid out in Schedule 1 of the DPA 1998.<br />
<br />
Section 13 of the DPA 1998 gives individuals a right to compensation from the controller if they suffer damage as a result of a contravention of the Act by that controller.<br />
<br />
Individuals who wish to bring claims which give rise to a common issue of fact or law can apply for a Group Litigation Order to be made under Rule 19.11 of the Civil Procedure Rules. This is an “opt-in” regime where claimants must take steps to join the group. <br />
<br />
They can also do so under a representative action, reflected in Rule 19.6 of the Civil Procedure Rules (CPR). However, as a detailed legislative framework is missing, the representative action rules within common law have been considered by the Supreme Court. The following principles are relevant:<br />
<br />
* “same interest” requirement where the representative must have the same interest or common issues as the persons they represent (within Rule 19.6 CPR)<br />
* “court’s discretion” as to whether to allow the claim to proceed as a representative action. This is an objective assessment as to whether the case can be dealt with justly and at a proportionate cost (within Rules 1.1 and 1.2 CPR)<br />
* “no requirement of consent” or awareness required from the people represented<br />
* “class definition” requirement where the class of people represented must be clearly defined <br />
* “liability for costs” requirement where the persons represented will not have to pay costs of being represented incurred by the representative<br />
* “scope for claiming damages” where claiming damages is limited by the nature of the remedy of damages at common law, or by the fact that damages may require an individual assessment<br />
<br />
==== Holding: ====<br />
The UK Supreme Court did not object to a representative claim brought to establish whether Google was in breach of the DPA 1998, as individual claims could theoretically be brought. The Supreme Court also determined that the individuals had similar interests or common issues caused by tracking of their behaviour without consent. <br />
<br />
According to the Court, there was no uniform effect caused by Google’s actions across the represented class. Instead, the effect and the amount recoverable by each individual would depend on the circumstances particular to the individuals (eg how often they used Safari or websites with DoubleClick Ad content). Contrary to Lloyd’s claim, the Court held that the DPA 1998 cannot be read to mean that individuals are entitled to compensation for any contravention of the DPA 1998 without needing to prove financial loss or distress. According to the leading judgment, under Section 13 DPA 1998, it is not enough to prove an infringement by a data controller, as “damage” (interpreted as only meaning material damage) or “distress” must be suffered as a result. <br />
<br />
Following an analysis of Vidal-Hall v Google Inc (discussing Section 13 DPA 1998) and Gulati v MGN Ltd (discussing the tort of misuse of private information), the Court outlined that it would be possible for Lloyd to claim (1) damages under Section 13(1) DPA 1998 for distress suffered due to Google’s infringement of the Act; and/or (2) damages for the misuse of private information without the need to show material damage or distress. However, the Court outlined that the case was not made for either (a claim in the tort of misuse of private information not having been made). Again, the Court reiterated that to recover damages for distress under Section 13(1) DPA 1998, it would be necessary to provide evidence of this distress for each individual represented, making this incompatible with the nature of a representative action.<br />
<br />
The UK Supreme Court rejected the argument that an infringement of the DPA 1998 should be dealt with in the same way as the tort of misuse of private information and that therefore damages can be recovered for interference by an organisation without the need to demonstrate material damage or distress. The UK Supreme Court relied on the fact that Section 13(1) DPA 1998 cannot be interpreted using that analogy, as highlighted above. The wording of the DPA 1998 and its interpretation in case law cannot be detached from the fact that material damage or distress must be demonstrated. <br />
<br />
“''…the wording of section 13(1) draws a distinction between “damage” suffered by an individual and a “contravention” of a requirement of the Act by a data controller, and provides a right to compensation “for that damage” only if the “damage” occurs “by reason of” the contravention.''” <br />
<br />
Section 14 DPA 1998 also supports the interpretation that damage, and not purely an infringement of the legislation, must be demonstrated. The Court also relied on the interpretation by the Court of Appeal in Vidal-Hall v Google Inc, which distinguished damage or distress suffered from contravention of a requirement in the DPA 1998. The Court also did not consider that it was possible to rely on an analogy between the tort of misuse of private information and Section 13 DPA 1998 simply because they are both founded on the common root of the “right to privacy” embodied in Article 8 European Convention on Human Rights. <br />
<br />
Additionally, the Court held that it would be, in any case, necessary to identify damage or distress suffered by each individual for the purpose of awarding compensation (even if it was not necessary to show individual damage or distress as a result of the infringement). Factors like the extent of Google’s tracking; the quantity of data processed; the nature of the data processed (sensitive nature?); and the use of that information and benefit from it by Google would all need to be assessed for individual cases. Without such individualised assessment, the “lowest common denominator” on which Lloyd’s claim is based (proof that the individual is part of the class by having an iPhone at the time) would not be sufficient to amount to something more than trivial (as required under Section 13 DPA 1998). Therefore, compensation could not be quantified beyond 0. <br />
<br />
The UK Supreme Court concluded and decided unanimously that: <br />
<br />
“''In order to recover compensation under the DPA 1998 for any given individual, it would be necessary to show both that Google made some unlawful use of personal data relating to that individual and that the individual suffered some damage as a result.''”<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
Michaelmas Term<br />
[2021] UKSC 50<br />
On appeal from: [2019] EWCA Civ 1599<br />
<br />
<br />
<br />
JUDGMENT<br />
<br />
<br />
Lloyd (Respondent) v Google LLC (Appellant)<br />
<br />
before<br />
<br />
<br />
Lord Reed, President<br />
Lady Arden<br />
Lord Sales<br />
<br />
Lord Leggatt<br />
Lord Burrows<br />
<br />
<br />
JUDGMENT GIVEN ON<br />
10 November 2021<br />
<br />
<br />
Heard on 28 and 29 April 2021<br />
<br />
<br />
Appellant<br />
Antony White QC<br />
Edward Craven<br />
<br />
(Instructed by Pinsent Masons LLP (London))<br />
<br />
<br />
Respondent<br />
Hugh Tomlinson QC<br />
Oliver Campbell QC<br />
<br />
Victoria Wakefield QC<br />
(Instructed by Milberg London LLP)<br />
<br />
<br />
1st Intervener (Information Commissioner)<br />
Gerry Facenna QC<br />
<br />
Nikolaus Grubeck<br />
(Instructed by Information Commissioner’s Office)<br />
<br />
<br />
2nd Intervener (Open Rights Group)<br />
(written submissions only)<br />
<br />
Robert Palmer QC<br />
Julianne Kerr Morrison<br />
(Instructed by AWO)<br />
<br />
<br />
<br />
3rd Intervener (Association of the British Pharmaceutical Industry and Association of British<br />
HealthTech Industries (ABPI and ABHI))<br />
(written submissions only)<br />
Lord Anderson of Ipswich KBE QC<br />
Robin Hopkins<br />
<br />
Rupert Paines<br />
(Instructed by CMS Cameron McKenna Nabarro Olswang LLP (London))<br />
<br />
<br />
4th Intervener (Liberty, Coram Children’s Legal Centre and Inclusion London)<br />
(written submissions only)<br />
<br />
Dan Squires QC<br />
Aidan Wills<br />
Tim James-Matthews<br />
(Instructed by Liberty, Coram Children’s Legal Centre and Deighton Pierce Glynn)<br />
<br />
<br />
<br />
5th Intervener (Internet Association)<br />
(written submissions only)<br />
Christopher Knight<br />
(Instructed by Linklaters LLP (London))<br />
<br />
<br />
6th Intervener (TECHUK Ltd (trading as techUK))<br />
(written submissions only)<br />
Catrin Evans QC<br />
<br />
Ian Helme<br />
(Instructed by RPC LLP (London))<br />
<br />
<br />
LORD LEGGATT: (with whom Lord Reed, Lady Arden, Lord Sales and Lord Burrows<br />
agree)<br />
<br />
<br />
A. INTRODUCTION<br />
<br />
<br />
1. Mr Richard Lloyd - with financial backing from Therium Litigation Funding IC, a<br />
commercial litigation funder - has issued a claim against Google LLC, alleging breach of<br />
<br />
its duties as a data controller under section 4(4) of the Data Protection Act 1998 (“the<br />
DPA 1998”). The claim alleges that, for several months in late 2011 and early 2012,<br />
Google secretly tracked the internet activity of millions of Apple iPhone users and used<br />
the data collected in this way for commercial purposes without the users’ knowledge<br />
<br />
or consent.<br />
<br />
<br />
2. The factual allegation is not new. In August 2012, Google agreed to pay a civil<br />
penalty of US$22.5m to settle charges brought by the United States Federal Trade<br />
Commission based upon the allegation. In November 2013, Google agreed to pay<br />
US$17m to settle consumer-based actions brought against it in the United States. In<br />
<br />
England and Wales, three individuals sued Google in June 2013 making the same<br />
allegation and claiming compensation under the DPA 1998 and at common law for<br />
misuse of private information: see Vidal-Hall v Google Inc (Information Comr<br />
intervening) [2015] EWCA Civ 311; [2016] QB 1003. Following a dispute over<br />
<br />
jurisdiction, their claims were settled before Google had served a defence. What is<br />
new about the present action is that Mr Lloyd is not just claiming damages in his own<br />
right, as the three claimants did in Vidal-Hall. He claims to represent everyone resident<br />
in England and Wales who owned an Apple iPhone at the relevant time and whose<br />
data were obtained by Google without their consent, and to be entitled to recover<br />
<br />
damages on behalf of all these people. It is estimated that they number more than 4m.<br />
<br />
<br />
3. Class actions, in which a single person is permitted to bring a claim and obtain<br />
redress on behalf of a class of people who have been affected in a similar way by<br />
alleged wrongdoing, have long been possible in the United States and, more recently,<br />
<br />
in Canada and Australia. Whether legislation to establish a class action regime should<br />
be enacted in the UK has been much discussed. In 2009, the Government rejected a<br />
recommendation from the Civil Justice Council to introduce a generic class action<br />
regime applicable to all types of claim, preferring a “sector based approach”. This was<br />
<br />
for two reasons:<br />
<br />
<br />
“Firstly, there are potential structural differences between<br />
the sectors which will require different consideration. …<br />
Secondly, it will be necessary to undertake a full assessment<br />
<br />
of the likely economic and other impacts before<br />
implementing any reform.”<br />
<br />
<br />
See the Government’s Response to the Civil Justice Council’s Report: “Improving<br />
Access to Justice through Collective Actions” (2008), paras 12-13.<br />
<br />
<br />
4. Since then, the only sector for which such a regime has so far been enacted is<br />
<br />
that of competition law. Parliament has not legislated to establish a class action regime<br />
in the field of data protection.<br />
<br />
<br />
5. Mr Lloyd has sought to overcome this difficulty by what the Court of Appeal in<br />
this case described as “an unusual and innovative use of the representative procedure”<br />
<br />
in rule 19.6 of the Civil Procedure Rules: see [2019] EWCA Civ 1599; [2020] QB 747,<br />
para 7. This is a procedure of very long standing in England and Wales whereby a claim<br />
can be brought by (or against) one or more persons as representatives of others who<br />
have “the same interest” in the claim. Mr Lloyd accepts that he could not use this<br />
procedure to claim compensation on behalf of other iPhone users if the compensation<br />
<br />
recoverable by each user would have to be individually assessed. But he contends that<br />
such individual assessment is unnecessary. He argues that, as a matter of law,<br />
compensation can be awarded under the DPA 1998 for “loss of control” of personal<br />
data without the need to prove that the claimant suffered any financial loss or mental<br />
<br />
distress as a result of the breach. Mr Lloyd further argues that a “uniform sum” of<br />
damages can properly be awarded in relation to each person whose data protection<br />
rights have been infringed without the need to investigate any circumstances<br />
particular to their individual case. The amount of damages recoverable per person<br />
would be a matter for argument, but a figure of £750 was advanced in a letter of claim.<br />
<br />
Multiplied by the number of people whom Mr Lloyd claims to represent, this would<br />
produce an award of damages of the order of £3 billion.<br />
<br />
<br />
6. Because Google is a Delaware corporation, the claimant needs the court’s<br />
permission to serve the claim form on Google outside the jurisdiction. The application<br />
<br />
for permission has been contested by Google on the grounds that the claim has no real<br />
prospect of success as: (1) damages cannot be awarded under the DPA 1998 for “loss<br />
of control” of data without proof that it caused financial damage or distress; and (2)<br />
the claim in any event is not suitable to proceed as a representative action. In the High<br />
<br />
Court Warby J decided both issues in Google’s favour and therefore refused permission<br />
to serve the proceedings on Google: see [2018] EWHC 2599 (QB); [2019] 1 WLR 1265.<br />
The Court of Appeal reversed that decision, for reasons given in a judgment of the<br />
Chancellor, Sir Geoffrey Vos, with which Davis LJ and Dame Victoria Sharp agreed:<br />
[2019] EWCA Civ 1599; [2020] QB 747.<br />
<br />
<br />
7. On this further appeal, because of the potential ramifications of the issues<br />
raised, as well as hearing the claimant and Google, the court has received written and<br />
oral submissions from the Information Commissioner and written submissions from<br />
five further interested parties.<br />
<br />
<br />
8. In this judgment I will first summarise the facts alleged and the relevant legal<br />
<br />
framework for data protection before considering the different methods currently<br />
available in English procedural law for claiming collective redress and, in particular, the<br />
representative procedure which the claimant is seeking to use. Whether that<br />
procedure is capable of being used in this case critically depends, as the claimant<br />
<br />
accepts, on whether compensation for the alleged breaches of data protection law<br />
would need to be individually assessed. I will then consider the claimant’s arguments<br />
that individual assessment is unnecessary. For the reasons given in detail below, those<br />
arguments cannot in my view withstand scrutiny. In order to recover compensation<br />
under the DPA 1998 for any given individual, it would be necessary to show both that<br />
<br />
Google made some unlawful use of personal data relating to that individual and that<br />
the individual suffered some damage as a result. The claimant’s attempt to recover<br />
compensation under the Act without proving either matter in any individual case is<br />
therefore doomed to fail.<br />
<br />
<br />
<br />
B. FACTUAL BACKGROUND<br />
<br />
<br />
9. The relevant events took place between 9 August 2011 and 15 February 2012<br />
and involved the alleged use by Google of what has been called the “Safari<br />
workaround” to bypass privacy settings on Apple iPhones.<br />
<br />
<br />
10. Safari is an internet browser developed by Apple and installed on its iPhones. At<br />
<br />
the relevant time, unlike most other internet browsers, all relevant versions of Safari<br />
were set by default to block third party cookies. A “cookie” is a small block of data that<br />
is placed on a device when the user visits a website. A “third party cookie” is a cookie<br />
placed on the device not by the website visited by the user but by a third party whose<br />
<br />
content is included on that website. Third party cookies are often used to gather<br />
information about internet use, and in particular web pages visited over time, to<br />
enable the delivery to the user of advertisements tailored to interests inferred from<br />
the user’s browsing history.<br />
<br />
<br />
<br />
11. Google had a cookie known as the “DoubleClick Ad cookie” which could operate<br />
as a third party cookie. It would be placed on a device if the user visited a website that<br />
included DoubleClick Ad content. The DoubleClick Ad cookie enabled Google to<br />
identify visits by the device to any website displaying an advertisement from its vast<br />
<br />
advertising network and to collect considerable amounts of information. It could tell<br />
the date and time of any visit to a given website, how long the user spent there, which<br />
pages were visited for how long, and what advertisements were viewed for how long.<br />
In some cases, by means of the IP address of the browser, the user’s approximate<br />
geographical location could be identified.<br />
<br />
<br />
<br />
12. Although the default settings for Safari blocked all third party cookies, a blanket<br />
application of these settings would have prevented the use of certain popular web<br />
functions; so Apple devised some exceptions to them. These exceptions were in place<br />
until March 2012, when the system was changed. But in the meantime the exceptions<br />
<br />
made it possible for Google to devise and implement the Safari workaround. Its effect<br />
was to place the DoubleClick Ad cookie on an Apple device, without the user’s<br />
knowledge or consent, immediately, whenever the user visited a website that<br />
contained DoubleClick Ad content.<br />
<br />
<br />
13. It is alleged that, in this way, Google was able to collect or infer information<br />
<br />
relating not only to users’ internet surfing habits and location, but also about such<br />
diverse factors as their interests and pastimes, race or ethnicity, social class, political or<br />
religious beliefs or affiliations, health, sexual interests, age, gender and financial<br />
situation.<br />
<br />
<br />
<br />
14. Further, it is said that Google aggregated browser generated information from<br />
users displaying similar patterns, creating groups with labels such as “football lovers”,<br />
or “current affairs enthusiasts”. Google’s DoubleClick service then offered these group<br />
labels to subscribing advertisers to choose from when selecting the type of people at<br />
whom they wanted to target their advertisements.<br />
<br />
<br />
<br />
C. THE LEGAL FRAMEWORK<br />
<br />
<br />
15. The DPA 1998 was enacted to implement Parliament and Council Directive<br />
95/46/EC of 24 October 1995 “on the protection of individuals with regard to the<br />
processing of personal data and on the free movement of such data” (OJ 1995 L281, p<br />
<br />
31) (the “Data Protection Directive”). The Data Protection Directive has been<br />
superseded by the General Data Protection Regulation, which became law in the UK in<br />
May 2018, supplemented by the Data Protection Act 2018 (“the DPA 2018”). The DPA<br />
2018 repealed and replaced the DPA 1998 except in relation to acts or omissions which<br />
<br />
occurred before it came into force.<br />
<br />
<br />
<br />
<br />
16. Because the acts and omissions giving rise to the present claim occurred in 2011<br />
and 2012, the claim is governed by the old law contained in the DPA 1998 and the Data<br />
Protection Directive. The parties and interveners in their submissions on this appeal<br />
nevertheless made frequent references to provisions of the General Data Protection<br />
Regulation and the DPA 2018. In principle, the meaning and effect of the DPA 1998 and<br />
<br />
the Data Protection Directive cannot be affected by legislation which has been enacted<br />
subsequently. The later legislation therefore cannot help to resolve the issues raised<br />
on this appeal, and I shall leave it to one side.<br />
<br />
<br />
(1) The scheme of the DPA 1998<br />
<br />
<br />
<br />
17. Section 4(4) of the DPA 1998 imposed a duty on a data controller to comply<br />
with “the data protection principles” set out in Schedule 1 “in relation to all personal<br />
data with respect to which he is the data controller”. As defined in section 1(1) of the<br />
Act, “personal data” are, in effect, all recorded information which relate to an<br />
identifiable individual. An individual who is the subject of personal data is referred to<br />
<br />
as the “data subject”. A “data controller” is a person who (either alone or with others)<br />
“determines the purposes for which and the manner in which any personal data are, or<br />
are to be, processed.” The term “processing” is defined very broadly to mean<br />
“obtaining, recording or holding the information or data or carrying out any operation<br />
<br />
or set of operations on the information or data …”. Section 2 of the Act establishes a<br />
category of “sensitive personal data” consisting of information about certain specified<br />
matters, which include the racial or ethnic origin, political opinions, religious beliefs,<br />
physical or mental health or sexual life of the data subject.<br />
<br />
<br />
18. The first of the eight “data protection principles” set out in Schedule 1 is that:<br />
<br />
<br />
<br />
“Personal data shall be processed fairly and lawfully and, in<br />
particular, shall not be processed unless -<br />
<br />
<br />
(a) at least one of the conditions in Schedule 2 is met,<br />
and<br />
<br />
<br />
<br />
(b) in the case of sensitive personal data, at least one<br />
of the conditions in Schedule 3 is also met.”<br />
<br />
<br />
The other seven data protection principles, in summary, require personal data: (2) to<br />
be obtained and processed only for specified and lawful purposes; (3) to be “adequate,<br />
<br />
relevant, and not excessive” in relation to those purposes; (4) to be accurate and,<br />
where necessary, kept up to date; (5) not to be kept for longer than is necessary for<br />
those purposes; (6) to be processed in accordance with the rights of data subjects<br />
under the Act; (7) to be protected by appropriate technical and organisational security<br />
measures against unauthorised or unlawful processing and against accidental loss or<br />
destruction or damage; and (8) not to be transferred outside the European Economic<br />
<br />
Area unless the destination country or territory provides an adequate level of<br />
protection for data subjects in relation to the processing of personal data.<br />
<br />
<br />
19. As discussed in more detail below, section 13 of the DPA 1998 gives an<br />
individual who suffers damage “by reason of any contravention by a data controller of<br />
<br />
any of the requirements of this Act” a right to compensation from the data controller<br />
for that damage.<br />
<br />
<br />
(2) The allegations of breach of duty<br />
<br />
<br />
20. The claimant, Mr Lloyd, contends that Google processed personal data of each<br />
member of the represented class in breach of the first, second and seventh data<br />
<br />
protection principles. The represented class consists in essence of everyone in England<br />
and Wales who at the relevant time had an Apple iPhone on which Google’s<br />
DoubleClick Ad cookie was placed through the Safari workaround. (The precise<br />
definition of the class is set out at para 19 of Warby J’s judgment.) Two principal<br />
<br />
allegations made are that, in breach of the first data protection principle, (i) the data<br />
obtained by placing the DoubleClick Ad cookie on each class member’s device were not<br />
processed fairly and (ii) none of the conditions in Schedule 2 (or 3) was met.<br />
<br />
<br />
21. Schedule 1, Part II, paragraph 2, provides, in substance, that personal data<br />
obtained from the data subject are not to be treated as processed fairly unless the<br />
<br />
data controller informs the data subject of the purpose for which the data are<br />
intended to be processed - a requirement with which it is said that Google failed to<br />
comply in this case.<br />
<br />
<br />
22. Schedule 2 contains a list of conditions capable of justifying the processing of<br />
<br />
data. To comply with the first data protection principle, at least one of these<br />
conditions must be satisfied. The first condition in Schedule 2 is that “the data subject<br />
has given his consent to the processing”. Other conditions are that the processing is<br />
necessary for (amongst other things): the performance of a contract to which the data<br />
<br />
subject is a party; or compliance with a legal obligation (other than a contractual<br />
obligation) of the data controller; or to protect the vital interests of the data subject;<br />
or for the exercise of any functions of a public nature exercised in the public interest<br />
by any person. The claimant asserts that the members of the represented class whose<br />
<br />
personal data Google processed had not given their consent to the processing, nor was<br />
any of the other conditions capable of justifying the processing met. Hence for this<br />
reason too Google was in breach of the first data protection principle.<br />
<br />
<br />
23. There is no doubt that the claimant is entitled to advance a claim against Google<br />
on this basis in his own right which has a real prospect of success. The issue is whether<br />
<br />
he can also do so on behalf of all other iPhone users who fall within the represented<br />
class. This depends on the scope of the representative procedure available under the<br />
Civil Procedure Rules (“CPR”). Before I come to that procedure, I will mention in order<br />
to compare them the two other methods of claiming collective redress currently<br />
<br />
available in English procedural law.<br />
<br />
<br />
D. COLLECTIVE REDRESS IN ENGLISH LAW<br />
<br />
<br />
(1) Group Actions<br />
<br />
<br />
24. A group of people who wish to bring claims which give rise to common or<br />
related issues of fact or law can apply to the court for a Group Litigation Order to be<br />
<br />
made under CPR rule 19.11, providing for the claims to be managed together, usually<br />
by a single designated judge. The Group Litigation Order will establish a register of the<br />
claims included in the group, which is maintained by the claimants’ lead solicitor. The<br />
order may also make provision for how the litigation costs are to be shared among the<br />
<br />
claimants. How the claims are managed is a matter for the designated judge, but<br />
procedures typically used are to select one or more claims to be tried as test claims<br />
while the remaining claims are stayed and to decide as preliminary issues common<br />
issues of law or fact which are potentially dispositive of the litigation. Unless the court<br />
orders otherwise, a judgment given or order made in the litigation is binding on all the<br />
<br />
claimants included in the group register: see CPR rule 19.12(1)(a).<br />
<br />
<br />
25. Where the individual claims are of sufficiently high value, group actions can be<br />
an effective way of enabling what are typically several hundred or thousands of claims<br />
to be litigated and managed together, avoiding duplication of the court’s resources<br />
<br />
and allowing the claimants to benefit from sharing costs and litigation risk and by<br />
obtaining a single judgment which is binding in relation to all their claims. However,<br />
the group action procedure suffers from the drawback that it is an “opt-in” regime: in<br />
other words, claimants must take active steps to join the group. This has an<br />
<br />
administrative cost, as a solicitor conducting the litigation has to obtain sufficient<br />
information from a potential claimant to determine whether he or she is eligible to be<br />
added to the group register, give appropriate advice and enter into a retainer with the<br />
client. For claims which individually are only worth a few hundred pounds, this process<br />
<br />
is not economic as the initial costs alone may easily exceed the potential value of the<br />
claim.<br />
<br />
<br />
26. Another limitation of opt-in proceedings is that experience has shown that only<br />
a relatively small proportion of those eligible to join the group are likely to do so,<br />
particularly if the number of people affected is large and the value of each individual<br />
<br />
claim relatively small. For example, a group action was recently brought against the<br />
Morrisons supermarket chain for compensation for breach of the DPA 1998 arising<br />
from the disclosure on the internet by a Morrisons’ employee of personal data relating<br />
to other employees. Of around 100,000 affected employees, fewer than 10,000 opted<br />
<br />
to join the group action: see Various Claimants v Wm Morrisons Supermarkets plc<br />
[2017] EWHC 3113 (QB); [2019] QB 772 (reversed on the issue of vicarious liability by<br />
the Supreme Court: [2020] UKSC 12; [2020] AC 989). During the period of more than 12<br />
years in which collective proceedings under the Competition Act 1998 (discussed<br />
below) could be brought only on an opt-in basis just one action was commenced,<br />
<br />
based on a finding of price fixing in the sale of replica football shirts. Although around<br />
1.2 – 1.5m people were affected, despite widespread publicity only 130 people opted<br />
into the proceedings: see The Consumers' Association v JJB Sports Plc [2009] CAT 2,<br />
para 5; Civil Justice Council Report “Improving Access to Justice through Collective<br />
<br />
Actions” (2008), Part 6, para 22; and Grave D, McIntosh M and Rowan G (eds), Class<br />
Actions in England and Wales, 1st ed (2018), para 1-068.<br />
<br />
<br />
27. Likely explanations for the low participation rates typically experienced in opt-in<br />
regimes include lack of awareness of the opportunity to join the litigation and the<br />
natural human tendency to do nothing when faced with a choice which requires<br />
<br />
positive action - particularly if there is no immediate benefit to be gained and the<br />
consequences are uncertain and not easy to understand: see eg Thaler R and Sunstein<br />
C, Nudge: The Final Edition (2021), pp 36-38; Samuelson W and Zeckhauser R, “Status<br />
Quo Bias in Decision Making” (1988) 1 Journal of Risk and Uncertainty 7-59. As the<br />
<br />
New Zealand Court of Appeal has recently said of opt-in class actions:<br />
<br />
<br />
“Whichever approach is adopted, many class members are<br />
likely to fail to take any positive action for a range of reasons<br />
that have nothing at all to do with an assessment of whether<br />
<br />
or not it is in their interests to participate in the proceedings.<br />
Some class members will not receive the relevant notice.<br />
Others will not understand the notice, or will have difficulty<br />
understanding what action they are required to take and<br />
completing any relevant form, or will be unsure or hesitant<br />
<br />
about what to do and will do nothing. Even where a class<br />
member considers that it is in their interests to participate in<br />
<br />
the proceedings, the significance of inertia in human affairs<br />
should not be underestimated.”<br />
<br />
<br />
Ross v Southern Response Earthquake Services Ltd [2019] NZCA 431, para 98; approved<br />
by the New Zealand Supreme Court at [2020] NZSC 126, para 40.<br />
<br />
<br />
28. A further factor which makes group litigation impractical in cases where the loss<br />
<br />
suffered by each individual is small, even if in aggregate it may amount to a very large<br />
sum of money, is the need to prove the quantum of loss in each individual case. Not<br />
only are eligible individuals less likely to opt into the proceedings where the potential<br />
gain to them is small, but the costs of obtaining evidence from each individual to<br />
<br />
support their claim is again likely to make group litigation uneconomic in such cases.<br />
<br />
<br />
(2) Collective Proceedings<br />
<br />
<br />
29. Compared to group actions, the method of collective redress which is now<br />
available in the field of competition law offers significant advantages for claimants,<br />
particularly where many people have been affected by the defendant’s conduct but<br />
<br />
the value of each individual claim is small. Section 47B of the Competition Act 1998<br />
(added by the Enterprise Act 2002 and as amended by the Consumer Rights Act 2015)<br />
makes provision for bringing “collective proceedings” in the Competition Appeal<br />
Tribunal (“CAT”) combining two or more claims to which section 47A applies<br />
<br />
(essentially, claims in respect of an infringement or alleged infringement of<br />
competition law). Such proceedings must be commenced by a person who proposes to<br />
be the representative of a specified class of persons, and the proceedings may only be<br />
continued if they are certified by the CAT as satisfying criteria set out in section 47B<br />
<br />
and in the CAT Rules. Two features of this regime may be noted.<br />
<br />
<br />
30. First, unlike group litigation, collective proceedings may be brought on either an<br />
“opt-in” or “opt-out” basis. “Opt-out” collective proceedings are proceedings brought<br />
on behalf of each class member except any member who opts out by notifying the<br />
class representative that their claim should not be included in the proceedings: see<br />
<br />
section 47B(11). Where “opt-out” collective proceedings are permitted, a person may<br />
therefore have a claim brought on their behalf without taking any affirmative step and,<br />
potentially, without even knowing of the existence of the proceedings and the fact that<br />
he or she is represented in them.<br />
<br />
<br />
<br />
31. A second significant feature of the collective proceedings regime is that it<br />
enables liability to be established and damages recovered without the need to prove<br />
<br />
that members of the class have individually suffered loss: it is sufficient to show that<br />
loss has been suffered by the class viewed as a whole. This is the effect of section<br />
47C(2) of the Competition Act, which provides:<br />
<br />
<br />
“The tribunal may make an award of damages in collective<br />
proceedings without undertaking an assessment of the<br />
<br />
amount of damages recoverable in respect of the claim of<br />
each represented person.”<br />
<br />
<br />
Such an award of damages is referred to in the CAT Rules as “an aggregate award of<br />
damages”: see rule 73(2).<br />
<br />
<br />
<br />
32. As Lord Briggs explained in Merricks v Mastercard [2020] UKSC 51; [2021] Bus LR<br />
25, at para 76, section 47C(2) of the Competition Act “radically alters the established<br />
common law compensatory principle by removing the requirement to assess individual<br />
loss”. This is so for the purposes both of making and of paying out an aggregate award<br />
of damages. How an aggregate award of damages is distributed among the members<br />
<br />
of the class is subject to the control of the CAT and, as this court held in Merricks v<br />
Mastercard, the only requirement is that the distribution should be just: see paras 76-<br />
77, 149. No doubt in many cases a just method of distribution will be one which divides<br />
up an aggregate award of damages in a way which takes account of individual loss. But<br />
<br />
particularly where the size of the class is large and the amount of damages awarded<br />
small considered on a per capita basis, it may be impractical or disproportionate to<br />
adopt such a method. In such cases some other method of distribution, such as an<br />
equal division among all the members of the class, may be justified.<br />
<br />
<br />
<br />
(3) Representative Actions<br />
<br />
<br />
33. Collective proceedings are a recent phenomenon in English law. By contrast, the<br />
representative procedure which the claimant is seeking to use in this case has existed<br />
for several hundred years. The current version of the representative rule is CPR rule<br />
19.6, which states:<br />
<br />
<br />
<br />
“(1) Where more than one person has the same interest in<br />
a claim -<br />
<br />
<br />
(a) the claim may be begun; or<br />
<br />
<br />
<br />
(b) the court may order that the claim be continued,<br />
<br />
<br />
by or against one or more of the persons who have the same<br />
interest as representatives of any other persons who have<br />
that interest.<br />
<br />
<br />
(2) The court may direct that a person may not act as a<br />
<br />
representative.<br />
<br />
<br />
(3) Any party may apply to the court for an order under<br />
paragraph (2).<br />
<br />
<br />
(4) Unless the court otherwise directs any judgment or<br />
<br />
order given in a claim in which a party is acting as a<br />
representative under this rule -<br />
<br />
<br />
(a) is binding on all persons represented in the claim;<br />
but<br />
<br />
<br />
(b) may only be enforced by or against a person who is<br />
<br />
not a party to the claim with the permission of the<br />
court.”<br />
<br />
<br />
(a) Origins of the rule<br />
<br />
<br />
34. This rule has its origins in the procedure of the Court of Chancery before the<br />
<br />
Judicature Act of 1873. The general rule was that all persons materially interested in<br />
the subject-matter of a suit should be made parties to it, either as claimants or<br />
defendants, so as to ensure that the rights of all persons interested were settled by a<br />
single judgment of the court: see eg Adair v New River Co (1805) 11 Ves Jr 429; 32 ER<br />
<br />
1153; Cockburn v Thompson (1809) 16 Ves Jr 321; 33 ER 1005. However, to join all<br />
interested persons as parties was not always practically convenient - particularly if they<br />
were very numerous. The solution devised was not to abandon the aim of settling the<br />
rights of all interested persons in a single proceeding; rather, it was to relax the<br />
“complete joinder rule” by allowing one or more claimants or defendants to represent<br />
<br />
all others who had the same interest as them: see Sorabji J, “The hidden class action in<br />
English civil procedure” (2009) 28 CJQ 498. All persons represented in this way, as well<br />
as the parties actually before the court, were bound by the court’s decision.<br />
<br />
<br />
35. In the very early cases in the 16th and 17th centuries in which this procedure<br />
was adopted, the persons represented were invariably a cohesive communal group,<br />
such as parishioners or manorial tenants, whose members had agreed to be<br />
represented; and the representatives were often required to show proof of their<br />
authority to represent the group. But as the nature of society changed and new, more<br />
<br />
impersonal institutions such as friendly societies and joint stock companies with<br />
multiple investors emerged, this requirement was dropped. The court allowed persons<br />
to be represented whether or not they had consented to such representation or even<br />
knew of the action, relying on community of interest among the members of the group<br />
<br />
to ensure that the interests of all were adequately protected: see Yeazell, “From Group<br />
Litigation to Class Action, Part I: The Industrialization of Group Litigation” (1980) 27<br />
UCLA Law Review 514.<br />
<br />
<br />
36. Many of the formative cases involved joint stock companies at a time (before<br />
the Joint Stock Companies Acts 1844 to 1858) when such companies were not yet<br />
<br />
recognised as separate legal entities which could sue or be sued. An action had<br />
therefore to be brought by (or against) the members themselves. In Chancey v May<br />
(1722) Precedents in Chancery 592; 24 ER 265, the treasurer and manager of a brass-<br />
works brought an action on behalf of themselves and all other proprietors of the<br />
<br />
undertaking, of whom there were 800 in total, except for the defendants, who were its<br />
former managers, to call the defendants to account for alleged mismanagement and<br />
embezzlement. The defendants objected that the claim should not be allowed to<br />
proceed as the rest of the proprietors had not been made parties. The court dismissed<br />
that objection on the grounds that, first, the action had been brought on behalf of all<br />
<br />
the other proprietors, so that “all the rest were in effect parties”, and secondly:<br />
<br />
<br />
“Because it would be impracticable to make them all parties<br />
by name, and there would be continual abatements by death<br />
and otherwise, and no coming at justice, if all were to be<br />
<br />
made parties.”<br />
<br />
<br />
37. Another notable case involving a joint stock company was Meux v Maltby (1818)<br />
2 Swanston 277; 36 ER 621. In this case the treasurer and directors of the company<br />
were sued as representative defendants on a contract made on behalf of all the<br />
<br />
members of the company to grant a lease. In rejecting an argument that the claim was<br />
defective because not all the proprietors were before the court, Plumer MR explained,<br />
at pp 281-282:<br />
<br />
<br />
“The general rule, which requires the plaintiff to bring before<br />
the court all the parties interested in the subject in question,<br />
<br />
admits of exceptions. The liberality of this court has long held<br />
that there is of necessity an exception to the general rule,<br />
when a failure of justice would ensue from its enforcement.”<br />
<br />
<br />
After citing numerous authorities, he concluded, at p 284:<br />
<br />
<br />
“Here is a current of authority, adopting more or less a<br />
general principle of exception, by which the rule, that all<br />
<br />
persons interested must be parties, yields when justice<br />
requires it, in the instance either of plaintiffs or defendants.<br />
… It is quite clear that the present suit has sufficient parties,<br />
and that the defendants may be considered as representing<br />
<br />
the company.”<br />
<br />
<br />
38. In Duke of Bedford v Ellis [1901] AC 1, 8, Lord Macnaghten summarised the<br />
practice of the Court of Chancery in this way:<br />
<br />
<br />
“The old rule in the Court of Chancery was very simple and<br />
perfectly well understood. Under the old practice the Court<br />
<br />
required the presence of all parties interested in the matter<br />
in suit, in order that a final end might be made of the<br />
controversy. But when the parties were so numerous that<br />
you never could ‘come at justice’, to use an expression in one<br />
<br />
of the older cases, if everybody interested was made a party,<br />
the rule was not allowed to stand in the way. It was originally<br />
a rule of convenience: for the sake of convenience it was<br />
relaxed. Given a common interest and a common grievance,<br />
a representative suit was in order if the relief sought was in<br />
<br />
its nature beneficial to all whom the plaintiff proposed to<br />
represent.”<br />
<br />
<br />
(b) Effect of the Judicature Act<br />
<br />
<br />
39. By the Supreme Court of Judicature Act 1873, all the jurisdiction previously<br />
<br />
exercised by the Court of Chancery and the courts of common law was transferred to<br />
and vested in the new High Court of Justice. Rules of procedure for the High Court<br />
were scheduled to the Act, which included as rule 10:<br />
<br />
<br />
“Where there are numerous parties having the same interest<br />
<br />
in one action, one or more of such parties may sue or be<br />
sued, or may be authorised by the court to defend in such<br />
action, on behalf or for the benefit of all parties so<br />
interested.”<br />
<br />
<br />
This rule became Order 16, rule 9 of the Rules of the Supreme Court and has remained<br />
in force in the same or similar form ever since. Save that the requirement for<br />
<br />
“numerous parties” has been reduced to “more than one”, there is no significant<br />
difference in the current version of the rule, quoted at para 33 above.<br />
<br />
<br />
40. At first after the enactment of the Judicature Act the courts construed the new<br />
rule narrowly. In Temperton v Russell [1893] 1 QB 435, 438, Lindley LJ, who gave the<br />
<br />
judgment of the Court of Appeal, expressed the view that the rule only applied to<br />
“persons who have or claim some beneficial proprietary right” which they are asserting<br />
or defending in an action that would have come within the jurisdiction of the old Court<br />
of Chancery; hence the rule did not apply to a claim for damages in tort. That view,<br />
however, was repudiated by the House of Lords in Duke of Bedford v Ellis [1901] AC 1.<br />
<br />
Six individuals sued the Duke of Bedford, who owned Covent Garden Market, on behalf<br />
of themselves and all other growers of fruit, flowers, vegetables, roots and herbs, to<br />
enforce certain preferential rights claimed under the Covent Garden Market Act 1828<br />
to stands in the market. They sought declarations of the rights of the growers and an<br />
<br />
injunction to restrain the Duke from acting inconsistently with those rights. They also<br />
claimed - though only for themselves and not on behalf of other growers - an account<br />
and repayment of sums charged to them for selling at the market in excess of what<br />
they would have paid if afforded their alleged preferential rights. The Duke applied to<br />
have the action stayed either on the ground that the claimants had no beneficial<br />
<br />
proprietary right, or on the ground that the joinder in one action of parties claiming<br />
separate and different rights under the Act, both personally and as representing a<br />
class, would embarrass or delay the trial. The House of Lords rejected both grounds<br />
(the first unanimously and the second by a majority of 3 to 2) and held that the action<br />
<br />
could be maintained.<br />
<br />
<br />
41. Lord Macnaghten, who gave the leading speech, expressly disapproved the<br />
restrictive view of the representative rule expressed in Temperton v Russell and<br />
confirmed that its purpose was simply to apply the practice of the Court of Chancery to<br />
<br />
all divisions of the High Court. The only change was therefore that the rule was now<br />
applicable in actions which, before the Judicature Act, could only have been brought in<br />
a court of common law. He said, at pp 10-11, that:<br />
<br />
<br />
“… in all other respects I think the rule as to representative<br />
suits remains very much as it was a hundred years ago. From<br />
<br />
the time it was first established it has been recognised as a<br />
simple rule resting merely upon convenience. It is impossible,<br />
I think, to read such judgments as those delivered by Lord<br />
Eldon in Adair v New River Co, in 1805, and in Cockburn v<br />
Thompson, in 1809, without seeing that Lord Eldon took as<br />
broad and liberal a view on this subject as anybody could<br />
<br />
desire. ‘The strict rule’, he said, ‘was that all persons<br />
materially interested in the subject of the suit, however<br />
numerous, ought to be parties … but that being a general rule<br />
established for the convenient administration of justice must<br />
<br />
not be adhered to in cases to which consistently with<br />
practical convenience it is incapable of application’. ‘It was<br />
better’, he added, ‘to go as far as possible towards justice<br />
than to deny it altogether’. He laid out of consideration the<br />
case of persons suing on behalf of themselves and all others,<br />
<br />
‘for in a sense’, he said, ‘they are before the Court’. As<br />
regards defendants, if you cannot make everybody interested<br />
a party, you must bring so many that it can be said they will<br />
fairly and honestly try the right. I do not think, my Lords, that<br />
<br />
we have advanced much beyond that in the last hundred<br />
years …”<br />
<br />
<br />
As Megarry J commented in John v Rees [1970] Ch 345, 370, this explanation made it<br />
plain that the representative rule is to be treated as being “not a rigid matter of<br />
principle but a flexible tool of convenience in the administration of justice”.<br />
<br />
<br />
<br />
42. In Taff Vale Railway Co v Amalgamated Society of Railway Servants [1901] AC<br />
426, 443, Lord Lindley (as he had become) went out of his way to endorse this view<br />
and to retract his earlier observations in Temperton v Russell, stating:<br />
<br />
<br />
“The principle on which the rule is based forbids its<br />
<br />
restriction to cases for which an exact precedent can be<br />
found in the reports. The principle is as applicable to new<br />
cases as to old, and ought to be applied to the exigencies of<br />
modern life as occasion requires. The rule itself has been<br />
<br />
embodied and made applicable to the various Divisions of the<br />
High Court by the Judicature Act, 1873, sections 16 and 23-<br />
25, and Order XVI, rule 9; and the unfortunate observations<br />
made on that rule in Temperton v Russell have been happily<br />
corrected in this House in the Duke of Bedford v Ellis and in<br />
<br />
the course of the argument in the present case.”<br />
<br />
<br />
(c) Markt and declarations of rights<br />
<br />
<br />
43. The subsequent decision of the Court of Appeal in Markt & Co Ltd v Knight<br />
Steamship Co Ltd [1910] 2 KB 1021 has sometimes been seen as undermining the<br />
broad and flexible view of the representative rule adumbrated by the House of Lords in<br />
these two cases by imposing significant constraints on its use: see eg Esanda Finance<br />
<br />
Corpn Ltd v Carnie (1992) 29 NSWLR 382, 395; Mulheron R, The Class Action in<br />
Common Law Legal Systems (2004) pp 78-82; Sorabji J, “The hidden class action in<br />
English civil procedure” (2009) 28 CJQ 498. I do not think, however, that the decision<br />
should be understood in this way. Markt was heard together with another action also<br />
<br />
brought against the owners of a cargo vessel which was intercepted by a Russian<br />
cruiser on a voyage to Japan during the Russo-Japanese war, on suspicion of carrying<br />
contraband of war, and sunk. Just before the limitation period expired, two cargo-<br />
owners issued writs “on behalf of themselves and others owners of cargo lately laden<br />
on board” the vessel, claiming “damages for breach of contract and duty in and about<br />
<br />
the carriage of goods by sea”. No further particulars of the claims were given.<br />
<br />
<br />
44. All three members of the Court of Appeal agreed that the claims as formulated<br />
could not be pursued as representative actions as there was no basis for asserting that<br />
all the cargo owners had the same interest in the actions. That was so if only because a<br />
<br />
claim that the shipowners were in breach of duty in carrying contraband goods plainly<br />
could not be maintained on behalf of any cargo-owners who had themselves shipped<br />
such goods; furthermore, each cargo owner would need to prove their individual loss.<br />
Buckley LJ would have allowed the claimants to amend their writs and continue the<br />
proceedings on behalf of themselves and all cargo-owners who were not shippers of<br />
<br />
contraband goods, claiming a declaration that the defendants were in breach of<br />
contract and duty in shipping contraband of war. The other judges, however, did not<br />
agree to this course. Vaughan Williams LJ, at p 1032, rejected it on the grounds that<br />
the proposed amendment had not been brought before the court in a way which gave<br />
<br />
a proper opportunity for argument and doubted anyway whether the amendment<br />
could be so framed as to disclose a common purpose of the shippers or any class of the<br />
shippers. Fletcher Moulton LJ, at p 1042, considered that making a declaration of the<br />
type suggested would be contrary to the practice of the courts and that subsequent<br />
<br />
claims by individual cargo-owners relying on such a declaration to recover damages<br />
would constitute new claims which would be time-barred, as the limitation period had<br />
now expired.<br />
<br />
<br />
45. The readiness of English courts to give judgments declaring legal rights where it<br />
would serve a useful purpose has much increased since 1910. An important step was<br />
<br />
the decision of the Court of Appeal in Guaranty Trust Co of New York v Hannay & Co<br />
[1915] 2 KB 536, which held that a declaration can be granted at the instance of a<br />
<br />
claimant even if the claimant has no cause of action against the defendant. Two cases<br />
decided together by the Court of Appeal in 1921 showed that there is no reason in<br />
principle why a claim for a declaration of the kind suggested by Buckley LJ in Markt<br />
cannot be brought as a representative action. In David Jones v Cory Bros & Co Ltd<br />
(1921) 56 LJ 302; 152 LT Jo 70, five individuals sued on their own behalf and on behalf<br />
<br />
of all other underground and surface workmen employed at the defendant’s colliery<br />
on three specified days in September 1919. They alleged that on those three days the<br />
safety lamps in use at the colliery were not in accordance with statutory requirements,<br />
were insufficient in number and were not properly examined; and that in consequence<br />
<br />
the workmen justifiably refused to go to work and lost the wages they would<br />
otherwise have earned and were entitled to damages. In Thomas v Great Mountain<br />
Collieries Co, which was heard at the same time, two claimants sued the owner of<br />
another colliery for loss of wages, alleging breach of statutory duty in not having a<br />
weighing machine to weigh coal as near the pit mouth as was reasonably practicable.<br />
<br />
The workmen were divided into two classes - one comprising all workmen whose<br />
wages depended on the amount of coal gotten and the other comprising all other<br />
underground and surface workmen. The claimants sued on their own behalf and on<br />
behalf of the class they respectively represented.<br />
<br />
<br />
<br />
46. In each action the claims were divisible under three heads: (1) claims for<br />
declarations upon matters in which the classes represented were alleged to have a<br />
common interest; (2) claims for damages by the individual named claimants; and (3)<br />
claims for damages by the individual members of the classes represented.<br />
Unfortunately, only a bare summary of the judgments is reported. But this records that<br />
<br />
the Court of Appeal by a majority (Bankes and Atkin LJJ, with Scrutton LJ dissenting)<br />
held that the claimants were entitled to sue in a representative capacity as regards<br />
claims that came within (1) and (2), but not as regards claims for damages by the<br />
individual members of the classes represented.<br />
<br />
<br />
<br />
47. In Prudential Assurance Co Ltd v Newman Industries Ltd [1981] Ch 229 the<br />
claimant brought a derivative action as a minority shareholder of the first defendant<br />
company claiming damages on behalf of the company against two of its directors for<br />
breach of duty and conspiracy. At the start of the hearing the claimant applied to<br />
<br />
amend its statement of claim to add a personal claim against the directors and the<br />
company, brought in a representative capacity on behalf of all the shareholders. The<br />
relief sought was a declaration that those shareholders who had suffered loss as a<br />
result of the alleged conspiracy were entitled to damages. The judge (Vinelott J)<br />
allowed the amendment. He distinguished Markt and followed David Jones v Cory Bros<br />
<br />
in holding that a representative claim for a declaration could be pursued<br />
notwithstanding that each member of the class of persons represented had a separate<br />
cause of action. Although the personal claim was later held by the Court of Appeal in<br />
Prudential Assurance Co Ltd v Newman Industries Ltd (No 2) [1981] Ch 204 at 222 to be<br />
<br />
misconceived as a matter of substantive law, the Court of Appeal cast no doubt on the<br />
use of the representative procedure.<br />
<br />
<br />
48. This decision was important in demonstrating the potential for a bifurcated<br />
process whereby issues common to the claims of a class of persons may be decided in<br />
a representative action which, if successful, can then form a basis for individual claims<br />
<br />
for redress. More generally, the Prudential case marked a welcome revival of the spirit<br />
of flexibility which characterised the old case law.<br />
<br />
<br />
(d) Claims for damages<br />
<br />
<br />
49. In the cases so far mentioned where claims were held to come within the scope<br />
<br />
of the representative rule, the relief claimed on behalf of the represented class was<br />
limited to a declaration of legal rights. It was accepted or held that the named<br />
claimants could only claim damages or other monetary relief in their personal capacity.<br />
In Markt Fletcher Moulton LJ expressed the view, at pp 1035 and 1040-1041, that<br />
damages are “a personal relief” and that:<br />
<br />
<br />
<br />
“no representative action can lie where the sole relief sought<br />
is damages, because they have to be proved separately in the<br />
case of each plaintiff, and therefore the possibility of<br />
representation ceases.”<br />
<br />
<br />
<br />
50. In many cases, of which Markt was one, it is clearly correct that the assessment<br />
of damages depends on circumstances personal to each individual claimant. In such<br />
cases it is unlikely to be practical or fair to assess damages on a common basis and<br />
without each individual claimant’s participation in the proceedings. However, this is<br />
<br />
not always so, and representative actions for damages have sometimes been allowed.<br />
For example, in the case of insurance underwritten by Lloyd’s syndicates, which are<br />
not separate legal entities, it is standard practice for a single member of the syndicate<br />
(usually the leading underwriter) to be named as a representative claimant or<br />
defendant suing, or being sued, for themselves and all the other members. There is no<br />
<br />
difficulty in awarding damages for or against the representative in such proceedings, as<br />
the calculation of any damages which the members of the syndicate are collectively<br />
entitled to recover or liable to pay does not depend on how the risk is divided among<br />
the members of the syndicate.<br />
<br />
<br />
<br />
51. In Pan Atlantic Insurance Co Ltd v Pine Top Insurance Co Ltd [1989] 1 Lloyd’s Rep<br />
568 the claimant companies sued on behalf of themselves and members of a syndicate<br />
which had reinsured on a quota share basis a proportion of the risks they had<br />
underwritten, claiming under contracts which provided excess of loss reinsurance<br />
cover for the claimants and their quota share reinsurers. The Court of Appeal rejected<br />
an argument that the claimants were not entitled to sue in a representative capacity. It<br />
made no difference that there was a dispute between one of the claimants and some<br />
members of the syndicate about the validity of the quota share reinsurance, since as<br />
Lloyd LJ said, at p 571: “the question is whether the parties have the same interest as<br />
against the defendants; not whether they have the same interest as between<br />
themselves”.<br />
<br />
<br />
<br />
52. In Irish Shipping Ltd v Commercial Union Assurance Co plc (The “Irish Rowan”)<br />
[1991] 2 QB 206 numerous insurers had subscribed in various proportions to a policy of<br />
marine insurance. The Court of Appeal accepted that, as a matter of law, each<br />
subscription constituted a separate contract of insurance (of which there were said to<br />
be 77 in all). Claims for losses allegedly covered by the policy were made by suing two<br />
of the insurers as representative defendants. The Court of Appeal rejected an<br />
argument that claims for debt or damages could not be included in a representative<br />
action, merely because they are made by numerous claimants individually or resisted<br />
by numerous defendants individually, and held that the action could continue as a<br />
representative action. While the policy terms contained a broadly worded leading<br />
underwriter clause, the presence of this clause was not essential to the decision: see<br />
Bank of America National Trust and Savings Association v Taylor (The Kyriaki) [1992] 1<br />
Lloyd’s Rep 484, 493-494; National Bank of Greece SA v Outhwaite [2001] CLC 591,<br />
para 31.<br />
<br />
<br />
<br />
53. In EMI Records Ltd v Riley [1981] 1 WLR 923, and in Independiente Ltd v Music<br />
Trading On-Line (HK) Ltd [2003] EWHC 470 (Ch), the claimants sued in a representative<br />
capacity on behalf of all members of the British Phonographic Industry Ltd (“BPI”), a<br />
trade association for the recorded music industry (and also in the latter case on behalf<br />
of Phonographic Performance Ltd), claiming damages for breach of copyright in selling<br />
pirated sound recordings. In each case the claims were allowed to proceed as<br />
representative actions. Because it was accepted or could safely be assumed that the<br />
owner of the copyright in any pirated recording was a member of the represented<br />
class, this procedure enabled breach of copyright to be proved and damages to be<br />
awarded without the need to prove which particular pirated recordings had been sold<br />
in what quantities. Again, what mattered was that the members of the class had a<br />
community of interest in suing the defendant.<br />
<br />
<br />
54. In EMI Records it was asserted, and not disputed by the defendants, that the<br />
members of the BPI had consented to all sums recovered in actions for breach of<br />
copyright being paid to the BPI: see [1981] 1 WLR 923, 925. In Independiente, however,<br />
this assertion was disputed and Morritt V-C found that there was no binding<br />
agreement that any money recovered should go to the BPI: see [2003] EWHC 470 (Ch),<br />
paras 16 and 28. He nevertheless held, at paras 28 and 39, that the claim was properly<br />
brought as a representative action, observing that what the claimants did with any<br />
damages recovered was a matter for them or between them, the BPI and the class<br />
members, and not between them and the defendants.<br />
<br />
<br />
55. Although not cited in these cases, the same point had been made long before in<br />
Warrick v Queen’s College Oxford (No 4) (1871) LR 6 Ch App 716, 726, where Lord<br />
Hatherley LC gave an example of:<br />
<br />
<br />
<br />
“classes of shareholders in a railway company who have<br />
different rights inter se, but they may all have a common<br />
enemy in the shape of a fraudulent director, and they may all<br />
join, of course, in one common suit against that director,<br />
although after the common right is established they may<br />
have a considerable litigation among themselves as to who<br />
are the persons entitled to the gains obtained through that<br />
suit.”<br />
<br />
<br />
While the right enforced in such a common suit would in modern company law be seen<br />
as a right belonging to the company itself, rather than its shareholders, it is clear from<br />
the context that Lord Hatherley had in mind a representative action brought on behalf<br />
of shareholders, as he gave this analogy to explain how in that case a representative<br />
claim could be brought on behalf of all the freehold tenants of a manor to establish<br />
common rights against the lord of the manor even though different tenants or classes<br />
of tenant had different rights as between themselves.<br />
<br />
<br />
(e) Emerald Supplies<br />
<br />
<br />
56. In giving the Court of Appeal’s judgment in the present case, the Chancellor, at<br />
[2020] QB 747, para 73, focused on Emerald Supplies Ltd v British Airways plc [2010]<br />
EWCA Civ 1284; [2011] Ch 345 as providing the latest authoritative interpretation of<br />
the representative rule. The decision in that case turned, however, on the particular<br />
way in which the class of represented persons had been defined. The claimants alleged<br />
that the defendant airline was a party to agreements or concerted practices with other<br />
airlines to fix prices for air freight charged for importing cut flowers into the UK. They<br />
claimed on behalf of all “direct or indirect purchasers of air freight services, the prices<br />
for which were inflated by the agreements or concerted practices”, a declaration that<br />
damages were recoverable in principle from the defendant by those purchasers. The<br />
Court of Appeal upheld a decision to strike out the representative claim on the basis<br />
that, in the way the class had been defined, the issue of liability would have to be<br />
decided before it could be known whether or not a person was a member of the<br />
represented class and therefore bound by the judgment: see paras 62-63 and 65. Such<br />
an approach would not be just, not least because, if the claim failed, no purchasers of<br />
air freight services apart from the named claimants would be bound by the result.<br />
<br />
<br />
57. The Court of Appeal in Emerald Supplies also considered that a second difficulty<br />
with the class definition was that the members of the represented class did not all<br />
have the same interest in the claim, as there was a conflict of interest between direct<br />
and indirect purchasers of air freight services: see paras 28-29 and 64. If it was shown<br />
that prices had been inflated by agreements or concerted practices to which the<br />
defendant was a party, it would be in the interests of direct purchasers to seek to<br />
prove that they had absorbed the higher prices in order to avoid a potential defence<br />
that they had suffered no loss because the higher prices had been passed on to<br />
“indirect purchasers” (understood to include sub-purchasers). On the other hand, it<br />
would be in the interests of such indirect purchasers to seek to prove that the higher<br />
prices had indeed been passed on to them.<br />
<br />
<br />
58. It seems to me that this second difficulty might have been avoided either by<br />
altering the class definition to exclude sub-purchasers or by following the approach<br />
adopted in Prudential of claiming a declaration that those members of the class who<br />
had suffered damage as a result of the alleged price fixing were entitled to damages.<br />
However, those possibilities do not appear to have been considered. I think that the<br />
judge in Rendlesham Estates plc v Barr Ltd [2014] EWHC 3968 (TCC); [2015] 1 WLR<br />
3663 - a case relied on by Google on this appeal - was therefore wrong to conclude<br />
from Emerald Supplies, at para 90, that “if damage is an ingredient of the cause of<br />
action a representative claim could not be maintained”. The Court of Appeal in<br />
Emerald Supplies did not doubt the correctness of the Prudential decision, where a<br />
representative claim was allowed to proceed although damage was an ingredient of<br />
the cause of action. As Professor Rachael Mulheron, a leading expert in this field, has<br />
persuasively argued, it should likewise have been possible in Emerald Supplies to adopt<br />
a bifurcated process in which the questions whether prices had been inflated by<br />
agreements or concerted practices and whether passing on was in principle available<br />
as a defence were decided in a representative action. If successful, this action could<br />
then have formed the basis for further proceedings to prove the fact and amount of<br />
damage in individual cases: see Mulheron R, “Emerald Supplies Ltd v British Airways<br />
plc; A Century Later, The Ghost of Markt Lives On” [2009] Comp Law 159, 171.<br />
<br />
<br />
<br />
<br />
<br />
<br />
(f) Commonwealth cases<br />
<br />
<br />
59. The highest courts of Australia, Canada and New Zealand have all adopted a<br />
broad and flexible approach in interpreting representative rules derived from the<br />
English rule.<br />
<br />
<br />
(i) Australia<br />
<br />
<br />
<br />
60. In Carnie v Esanda Finance Corpn Ltd (1994) 127 ALR 76 the High Court of<br />
Australia held that the fact that the claims arose under separate contracts did not<br />
prevent the named claimants and the persons represented from having “the same<br />
interest” in proceedings. It was enough to satisfy this requirement that there was a<br />
community of interest in the determination of a substantial question of law or fact that<br />
arose in the proceedings. Commenting on an argument that the representative rule<br />
was an inadequate basis for a “class action”, which required a comprehensive<br />
legislative regime, Toohey and Gaudron JJ (with whom Mason CJ, Deane and Dawson JJ<br />
generally agreed) said, at p 91:<br />
<br />
<br />
<br />
“... it is true that rule 13 lacks the detail of some other rules<br />
of court. But there is no reason to think that the Supreme<br />
Court of New South Wales lacks the authority to give<br />
directions as to such matters as service, notice and the<br />
conduct of proceedings which would enable it to monitor and<br />
finally to determine the action with justice to all concerned.<br />
The simplicity of the rule is also one of its strengths, allowing<br />
it to be treated as a flexible rule of convenience in the<br />
administration of justice and applied ‘to the exigencies of<br />
modern life as occasion requires’. The court retains the<br />
power to reshape proceedings at a later stage if they become<br />
impossibly complex or the defendant is prejudiced.”<br />
<br />
<br />
(ii) Canada<br />
<br />
<br />
<br />
61. In Western Canadian Shopping Centres Inc v Dutton [2001] 2 SCR 534, paras 38-48,<br />
the Supreme Court of Canada held that representative actions should be allowed<br />
to proceed where the following conditions are met: (1) the class is capable of clear<br />
definition; (2) there are issues of fact or law common to all class members; (3) success<br />
for one class member means success for all (although not necessarily to the same<br />
extent); and (4) the proposed representative adequately represents the interests of<br />
the class. If these conditions are met the court must also be satisfied, in the exercise of<br />
its discretion, that there are no countervailing considerations that outweigh the<br />
benefits of allowing the representative action to proceed. The Supreme Court held that<br />
the conditions were met by the claimants in Dutton, who sued as representatives of a<br />
group of investors complaining that the defendant had breached fiduciary duties to the<br />
investors by mismanaging their funds.<br />
<br />
<br />
62. Giving the judgment of the court, McLachlin CJ, at para 47, distinguished its<br />
earlier decision in General Motors of Canada Ltd v Naken [1983] 1 SCR 72, where a<br />
representative action had been disallowed. In Naken the action was brought on behalf<br />
of purchasers of new Firenza motor vehicles against the manufacturer, complaining<br />
that the quality of the vehicles had been misrepresented or was not as warranted in<br />
advertisements, other published materials and contracts which were partly oral and<br />
partly written. Damages were claimed limited to $1,000 per person. The claims were<br />
held to be unsuitable for resolution through a representative action, principally<br />
because determining both liability and damages would have required particularised<br />
evidence and fact-finding in relation to each individual purchaser.<br />
<br />
<br />
63. McLachlin CJ also commented, at para 46, that over the period since Naken was<br />
decided the benefits of class actions had become manifest. She identified, at paras 27-29,<br />
three important advantages which such actions offer over a multiplicity of<br />
individual suits: (1) avoiding unnecessary duplication in fact-finding and legal analysis;<br />
(2) making economical the prosecution of claims that would otherwise be too costly to<br />
prosecute individually; and (3) serving efficiency and justice by ensuring that actual<br />
and potential wrongdoers who cause widespread but individually minimal harm take<br />
into account the full costs of their conduct.<br />
<br />
<br />
64. McLachlin CJ further observed, at para 34, that, while it would clearly be<br />
advantageous if there existed a comprehensive legislative framework regulating class<br />
actions, in its absence “the courts must fill the void”.<br />
<br />
<br />
<br />
(iii) New Zealand<br />
<br />
<br />
65. The Supreme Court of New Zealand has recently considered the use of the<br />
representative procedure in Southern Response Earthquake Services Ltd v Ross [2020]<br />
NZSC 126. This was a representative action brought on behalf of some 3,000<br />
policyholders who had settled insurance claims for damage to their homes caused by<br />
earthquakes in the Canterbury region of New Zealand. The claimants alleged that the<br />
policyholders had been misled by the insurers about the cost of remedying the<br />
damage, with the result that they had settled their claims on a less favourable basis<br />
than otherwise would have been the case. The insurers did not oppose the action<br />
being brought on a representative basis, but argued that the class represented should<br />
be limited to policyholders who completed a form electing to opt into the proceedings.<br />
It was agreed that the proceedings would need to be heard in two stages. The first<br />
stage would deal with issues common to all members of the represented class. If the<br />
claimants succeeded at that stage in whole or in part, there would need to be a second<br />
stage, in which questions of relief were addressed. It was also agreed that, at the<br />
second stage, it would be necessary for all of the policyholders represented to take<br />
active steps - that is, to opt in - if they wished to establish their individual claims.<br />
<br />
<br />
<br />
66. The New Zealand Supreme Court affirmed the decision of the Court of Appeal<br />
that the claim should be allowed to continue on an opt out basis. In doing so, the<br />
Supreme Court rejected an argument that it should not develop an opt out regime in<br />
the absence of a statutory framework and gave guidance on various matters relating to<br />
supervision of opt out representative proceedings.<br />
<br />
<br />
<br />
(g) Principles governing use of the representative procedure<br />
<br />
<br />
67. Although the world has changed out of all recognition since the representative<br />
procedure was devised by the Court of Chancery, it has done so in ways which have<br />
made the problems to which the procedure provided a solution more common and<br />
often vastly bigger in scale. The mass production of goods and mass provision of<br />
services have had the result that, when legally culpable conduct occurs, a very large<br />
group of people, sometimes numbering in the millions, may be affected. As the<br />
present case illustrates, the development of digital technologies has added to the<br />
potential for mass harm for which legal redress may be sought. In such cases it is<br />
necessary to reconcile, on the one hand, the inconvenience or complete impracticality<br />
of litigating multiple individual claims with, on the other hand, the inconvenience or<br />
complete impracticality of making every prospective claimant (or defendant) a party to<br />
a single claim. The only practical way to “come at justice” is to combine the claims in a<br />
single proceeding and allow one or more persons to represent all others who share the<br />
same interest in the outcome. When trying all the individual claims is not feasible, the<br />
adages of Lord Eldon quoted by Lord Macnaghten in Ellis remain as pertinent as ever:<br />
that it is better to go as far as possible towards justice than to deny it altogether and<br />
that, if you cannot realistically make everybody interested a party, you should ensure<br />
that those who are parties will “fairly and honestly try the right”.<br />
<br />
<br />
68. I agree with the highest courts of Australia, Canada and New Zealand that, while<br />
a detailed legislative framework would be preferable, its absence (outside the field of<br />
competition law) in this country is no reason to decline to apply, or to interpret<br />
restrictively, the representative rule which has long existed (and has had a legislative<br />
basis since 1873). I also agree with the view expressed in Carnie that the very simplicity<br />
of the representative rule is in some respects a strength, allowing it to be treated as “a<br />
flexible tool of convenience in the administration of justice” and “applied to the<br />
exigencies of modern life as occasion requires”.<br />
<br />
<br />
(i) The “same interest” requirement<br />
<br />
<br />
<br />
69. In its current form in CPR rule 19.6 the rule imposes no limit (either as a<br />
minimum or maximum) on the number of people who may be represented. Only one<br />
condition must be satisfied before a representative claim may be begun or allowed to<br />
continue: that is, that the representative has “the same interest” in the claim as the<br />
person(s) represented.<br />
<br />
<br />
70. The phrase “the same interest” is capable of bearing a range of meanings and<br />
requires interpretation. In interpreting the phrase, reference has often been made to<br />
Lord Macnaghten’s statement in Ellis (quoted at para 38 above) that: “Given a<br />
common interest and a common grievance, a representative suit was in order if the<br />
relief sought was in its nature beneficial to all whom the plaintiff proposed to<br />
represent.” This statement has sometimes been treated as if it were a definition<br />
imposing a tripartite test: see eg Smith v Cardiff Corpn [1954] 1 QB 210. Such an<br />
approach seems to me misguided. It is clear from the context that Lord Macnaghten<br />
was not attempting to define “the same interest”, but to convey how limiting the rule<br />
to persons having a beneficial proprietary interest in the claim would be contrary to<br />
the old practice in the Court of Chancery. More profoundly, such a reading of Lord<br />
Macnaghten’s speech shows precisely the rigidity of approach to the application of the<br />
representative rule which he disparaged.<br />
<br />
<br />
<br />
71. The phrase “the same interest”, as it is used in the representative rule, needs to<br />
be interpreted purposively in light of the overriding objective of the civil procedure<br />
rules and the rationale for the representative procedure. The premise for a<br />
representative action is that claims are capable of being brought by (or against) a<br />
number of people which raise a common issue (or issues): hence the potential and<br />
motivation for a judgment which binds them all. The purpose of requiring the<br />
representative to have “the same interest” in the claim as the persons represented is<br />
to ensure that the representative can be relied on to conduct the litigation in a way<br />
which will effectively promote and protect the interests of all the members of the<br />
represented class. That plainly is not possible where there is a conflict of interest<br />
between class members, in that an argument which would advance the cause of some<br />
would prejudice the position of others. Markt and Emerald Supplies are both examples<br />
of cases where it was found that the proposed representative action, as formulated,<br />
could not be maintained for this reason.<br />
<br />
<br />
72. As Professor Adrian Zuckerman has observed in his valuable book on civil<br />
procedure, however, a distinction needs to be drawn between cases where there are<br />
conflicting interests between class members and cases where there are merely<br />
divergent interests, in that an issue arises or may well arise in relation to the claims of<br />
(or against) some class members but not others. So long as advancing the case of class<br />
members affected by the issue would not prejudice the position of others, there is no<br />
reason in principle why all should not be represented by the same person: see<br />
Zuckerman on Civil Procedure: Principles of Practice, 4th ed (2021), para 13.49. As<br />
Professor Zuckerman also points out, concerns which may once have existed about<br />
whether the representative party could be relied on to pursue vigorously lines of<br />
argument not directly applicable to their individual case are misplaced in the modern<br />
context, where the reality is that proceedings brought to seek collective redress are<br />
not normally conducted and controlled by the nominated representative, but rather<br />
are typically driven and funded by lawyers or commercial litigation funders with the<br />
representative party merely acting as a figurehead. In these circumstances, there is no<br />
reason why a representative party cannot properly represent the interests of all<br />
members of the class, provided there is no true conflict of interest between them.<br />
<br />
<br />
73. This purposive and pragmatic interpretation of the requirement is exemplified<br />
by The “Irish Rowan”, where Staughton LJ, at pp 227-228, noted that some of the<br />
insurers might wish to resist the claim on a ground that was not available to others. He<br />
rightly did not regard that circumstance as showing that all the insurers did not have<br />
“the same interest” in the action, or that it was not within the rule, and had “no<br />
qualms about a proceeding which allows that ground to be argued on their behalf by<br />
others”.<br />
<br />
<br />
74. Even if it were considered inconsistent with the “same interest” requirement, or<br />
otherwise inappropriate, for a single person to represent two groups of people in<br />
relation to whom different issues arise although there is no conflict of interest<br />
between them, any procedural objection could be overcome by bringing two (or more)<br />
representative claims, each with a separate representative claimant or defendant, and<br />
combining them in the same action.<br />
<br />
<br />
(ii) The court’s discretion<br />
<br />
<br />
<br />
75. Where the same interest requirement is satisfied, the court has a discretion<br />
whether to allow a claim to proceed as a representative action. As with any power<br />
given to it by the Civil Procedure Rules, the court must in exercising its discretion seek<br />
to give effect to the overriding objective of dealing with cases justly and at<br />
proportionate cost: see CPR rule 1.2(a). Many of the considerations specifically<br />
included in that objective (see CPR rule 1.1(2)) - such as ensuring that the parties are<br />
on an equal footing, saving expense, dealing with the case in ways which are<br />
proportionate to the amount of money involved, ensuring that the case is dealt with<br />
expeditiously and fairly, and allotting to it an appropriate share of the court’s<br />
resources while taking into account the need to allot resources to other cases - are<br />
likely to militate in favour of allowing a claim, where practicable, to be continued as a<br />
representative action rather than leaving members of the class to pursue claims<br />
individually.<br />
<br />
<br />
76. Four further features of the representative rule deserve mention.<br />
<br />
<br />
(iii) No requirement of consent<br />
<br />
<br />
<br />
77. First, as the ability to act as a representative under the rule does not depend on<br />
the consent of the persons represented but only on community of interest between<br />
them, there is ordinarily no need for a member of the represented class to take any<br />
positive step, or even to be aware of the existence of the action, in order to be bound<br />
by the result. The rule does not confer a right to opt out of the proceedings (though a<br />
person could, at least in theory, apply to the court for a direction under rule 19.6(3)<br />
that the named claimant (or defendant) may not represent them or under rule 19.6(4)<br />
that any judgment given will not be binding on them). It is, however, always open to<br />
the judge managing the case to impose a requirement to notify members of the class<br />
of the proceedings and establish a simple procedure for opting out of representation, if<br />
this is considered desirable. Equally, if there are circumstances which make it<br />
appropriate to limit the represented class to persons who have positively opted into<br />
the litigation, it is open to the judge to make this a condition of representation. The<br />
procedure is entirely flexible in these respects.<br />
<br />
<br />
<br />
(iv) The class definition<br />
<br />
<br />
78. Second, while it is plainly desirable that the class of persons represented should<br />
be clearly defined, the adequacy of the definition is a matter which goes to the court’s<br />
discretion in deciding whether it is just and convenient to allow the claim to be<br />
continued on a representative basis rather than being a precondition for the<br />
application of the rule. Emerald Supplies illustrates a general principle that<br />
membership of the class should not depend on the outcome of the litigation. Beyond<br />
that, whether or to what extent any practical difficulties in identifying the members of<br />
the class are material must depend on the nature and object of the proceedings. In<br />
Duke of Bedford v Ellis, for example, it did not matter that the number and identities of<br />
growers of fruit etc would have been difficult if not impossible to ascertain or that the<br />
class was a fluctuating one: given that the aim was to establish whether anyone who<br />
was a grower had preferential rights, all that mattered was that there would be no real<br />
difficulty in determining whether a particular person who claimed a preferential right<br />
to a vacant stand at Covent Garden was a grower or not: see [1901] AC 1 at 11. In<br />
some cases, however, for example where the viability of a claim for damages depends<br />
on demonstrating the size of the class or who its members are, such practical<br />
difficulties might well be significant.<br />
<br />
<br />
(v) Liability for costs<br />
<br />
<br />
79. Third, as persons represented by a representative claimant or defendant will<br />
not normally themselves have been joined as parties to the claim, they will not<br />
ordinarily be liable to pay any costs incurred by the representative in pursuing (or<br />
defending) the claim. That does not prevent the court, if it is in the interests of justice<br />
to do so, from making an order requiring a represented person to pay or contribute to<br />
costs and giving permission for the order to be enforced against that person pursuant<br />
to CPR rule 19.6(4)(b). Alternatively, such an order could be made pursuant to the<br />
general jurisdiction of the court to make costs orders against non-parties. It is difficult,<br />
however, to envisage circumstances in which it could be just to order a represented<br />
person to contribute to costs incurred by a claimant in bringing a representative claim<br />
which the represented person did not authorise. On the other hand, a commercial<br />
litigation funder who finances unsuccessful proceedings is likely to be ordered to pay<br />
the successful party’s costs at least to the extent of the funding: see Davey v Money<br />
[2020] EWCA Civ 246; [2020] 1 WLR 1751. That principle is no less applicable where the<br />
proceedings financed are a representative action.<br />
<br />
<br />
(vi) The scope for claiming damages<br />
<br />
<br />
<br />
80. Finally, as already discussed, it is not a bar to a representative claim that each<br />
represented person has in law a separate cause of action nor that the relief claimed<br />
consists of or includes damages or some other monetary relief. The potential for<br />
claiming damages in a representative action is, however, limited by the nature of the<br />
remedy of damages at common law. What limits the scope for claiming damages in<br />
representative proceedings is the compensatory principle on which damages for a civil<br />
wrong are awarded with the object of putting the claimant - as an individual - in the<br />
same position, as best money can do it, as if the wrong had not occurred. In the<br />
ordinary course, this necessitates an individualised assessment which raises no<br />
common issue and cannot fairly or effectively be carried out without the participation<br />
in the proceedings of the individuals concerned. A representative action is therefore<br />
not a suitable vehicle for such an exercise.<br />
<br />
<br />
<br />
81. In cases where damages would require individual assessment, there may<br />
nevertheless be advantages in terms of justice and efficiency in adopting a bifurcated<br />
process - as was done, for example, in the Prudential case - whereby common issues of<br />
law or fact are decided through a representative claim, leaving any issues which<br />
require individual determination - whether they relate to liability or the amount of<br />
damages - to be dealt with at a subsequent stage of the proceedings. In Prudential<br />
[1981] Ch 229, 255, Vinelott J expressed the view (obiter) that time would continue to<br />
run for the purpose of limitation until individual claims for damages were brought by<br />
the persons represented; see also the dicta of Fletcher Moulton LJ in Markt [1910] 2 KB<br />
<br />
1021, 1042, referred to at para 44 above. The court in Prudential did not have cited to<br />
it, however, the decision of the Court of Appeal in Moon v Atherton [1972] 2 QB 435. In<br />
that case a represented person applied to be substituted for the named claimant after<br />
the limitation period had expired when the claimant (and all the other represented<br />
persons) no longer wished to continue the action. The Court of Appeal, in allowing the<br />
<br />
substitution, held that the defendant was not thereby deprived of a limitation defence,<br />
as for the purpose of limitation the represented person was already a party to the<br />
action, albeit not a “full” party. It might be clearer to say that, although the<br />
represented person did not become a “party” until substituted as the claimant, an<br />
<br />
action was brought within the meaning of the statute of limitation by that person<br />
when the representative claim was initiated. Such an analysis has been adopted in<br />
Australia, including by the New South Wales Court of Appeal in Fostif Pty Ltd v<br />
Campbells Cash & Carry Pty Ltd [2005] NSWCA 83; (2005) 63 NSWLR 203, and by the<br />
New Zealand Supreme Court in Credit Suisse Private Equity v Houghton [2014] NZSC 37.<br />
<br />
<br />
<br />
82. There is no reason why damages or other monetary remedies cannot be<br />
claimed in a representative action if the entitlement can be calculated on a basis that is<br />
common to all the members of the class. Counsel for the claimant, Hugh Tomlinson<br />
QC, gave the example of a claim alleging that every member of the class was wrongly<br />
<br />
charged a fixed fee; another example might be a claim alleging that all the class<br />
members acquired the same product with the same defect which reduced its value by<br />
the same amount. In such cases the defendant’s monetary liability could be<br />
determined as a common issue and no individualised assessment would be needed.<br />
<br />
The same is true where loss suffered by the class as a whole can be calculated without<br />
reference to the losses suffered by individual class members - as in the cases<br />
mentioned at para 53 above. Such an assessment of loss on a global basis is sometimes<br />
described as a “top down” approach, in contrast to a “bottom up” approach of<br />
assessing a sum which each member of the class is individually entitled to recover.<br />
<br />
<br />
<br />
83. The recovery of money in a representative action on either basis may give rise<br />
to problems of distribution to the members of the class, about which the<br />
representative rule is silent. Although in Independiente Morritt V-C was untroubled by<br />
such problems, questions of considerable difficulty would arise if in the present case<br />
<br />
the claimant was awarded damages in a representative capacity with regard to how<br />
such damages should be distributed, including whether there would be any legal basis<br />
for paying part of the damages to the litigation funders without the consent of each<br />
individual entitled to them: see Mulheron R, “Creating and Distributing Common Funds<br />
under the English Representative Rule” (2021) King’s Law Journal 1-33. Google has not<br />
<br />
relied on such difficulties as a reason for disallowing a representative action, however,<br />
and as these matters were only touched on in argument, I will say no more about<br />
them.<br />
<br />
<br />
E. THE REPRESENTATIVE CLAIM IN THIS CASE<br />
<br />
<br />
<br />
84. In the present case I could see no legitimate objection to a representative claim<br />
brought to establish whether Google was in breach of the DPA 1998 and, if so, seeking<br />
a declaration that any member of the represented class who has suffered damage by<br />
reason of the breach is entitled to be paid compensation. The individual claims that<br />
could theoretically have been brought by each iPhone user who was affected by the<br />
<br />
Safari workaround clearly raise common issues; and it is not suggested that there is<br />
any conflict of interest among the members of the represented class. For the purpose<br />
of CPR rule 19.6(1), all would therefore have the same interest in such a claim as the<br />
representative claimant. There is no suggestion that Mr Lloyd is an unsuitable person<br />
<br />
to act in that capacity. Although Google has argued that there would be practical<br />
difficulties in identifying whether an individual falls within the class definition, even on<br />
Google’s evidence it is evident that the number of people affected by the Safari<br />
workaround was extremely large and it is unclear at this stage of the litigation how<br />
serious the difficulties of proof would actually be. Moreover, even if only a few<br />
<br />
individuals were ultimately able to obtain compensation on the basis of a declaratory<br />
judgment, I cannot see why that should provide a reason for refusing to allow a<br />
representative claim to proceed for the purpose of establishing liability.<br />
<br />
<br />
85. The claimant has not proposed such a bifurcated process, however. That is<br />
<br />
doubtless because success in the first, representative stage of such a process would<br />
not itself generate any financial return for the litigation funders or the persons<br />
represented. Funding the proceedings could therefore only be economic if pursuing<br />
separate damages claims on behalf of those individuals who opted into the second<br />
<br />
stage of the process would be economic. For the reasons discussed at paras 25-28<br />
above and emphasised in argument by counsel for the claimant, it clearly would not. In<br />
practice, therefore, as both courts below accepted, a representative action for<br />
damages is the only way in which the claims can be pursued.<br />
<br />
<br />
<br />
<br />
<br />
(1) The formulation of the claim for damages<br />
<br />
<br />
86. In formulating the claim made in this action, the claimant has not adopted the<br />
“top down” approach of claiming compensation for damage suffered by the class as a<br />
whole without reference to the entitlements of individual class members. The claim<br />
advanced is for damages calculated from the “bottom up”. The way in which the<br />
<br />
claimant seeks to obviate the need for individualised assessment is by claiming<br />
damages for each class member on what is described as a “uniform per capita basis”.<br />
<br />
<br />
87. The difficulty facing this approach is that the effect of the Safari workaround<br />
was obviously not uniform across the represented class. No challenge is or could<br />
<br />
reasonably be made to the judge’s findings, at [2018] EWHC 2599 (QB); [2019] 1 WLR<br />
1265, para 91, that:<br />
<br />
<br />
“… some affected individuals were ‘super users’- heavy<br />
internet users. They will have been ‘victims’ of multiple<br />
breaches, with considerable amounts of [browser generated<br />
<br />
information] taken and used throughout the Relevant Period.<br />
Others will have engaged in very little internet activity.<br />
Different individuals will have had different kinds of<br />
information taken and used. No fewer than 17 categories of<br />
<br />
personal data are identified in the claim documents. The<br />
specified categories of data vary in their sensitivity, some of<br />
them being ‘sensitive personal data’ within the meaning of<br />
the section 2 of the DPA (such as sexuality, or ethnicity). …<br />
But it is not credible that all the specified categories of data<br />
<br />
were obtained by Google from each represented claimant. …<br />
The results of the acquisition and use will also have varied<br />
according to the individual, and their attitudes towards the<br />
acquisition, disclosure and use of the information in<br />
<br />
question.”<br />
<br />
<br />
If liability is established, the ordinary application of the compensatory principle would<br />
therefore result in different awards of compensation to different individuals.<br />
Furthermore, the amount of any compensation recoverable by any member of the<br />
<br />
class would depend on a variety of circumstances particular to that individual.<br />
Individualised assessment of damages would therefore be required.<br />
<br />
<br />
88. The claimant seeks to overcome this difficulty in one or other of two ways. Both<br />
rely on the proposition that an individual is entitled to compensation for any<br />
(non-trivial) contravention of the DPA 1998 without the need to prove that the individual<br />
suffered any financial loss or distress. On that footing it is argued, first of all, that<br />
general damages can be awarded on a uniform per capita basis to each member of the<br />
represented class without the need to prove any facts particular to that individual. The<br />
draft particulars of claim plead that the uniform sum awarded should reflect “the<br />
<br />
serious nature of the breach, in particular (but non-exhaustively):<br />
<br />
<br />
“(a) The lack of consent or knowledge of the<br />
Representative Claimant and each member of the Claimant<br />
Class to the defendant’s collection and use of their personal<br />
<br />
data.<br />
<br />
<br />
(b) The fact that such collection and use was contrary to<br />
the defendant’s public statements.<br />
<br />
<br />
(c) The fact that such collection and use was greatly to<br />
the commercial benefit of the defendant.<br />
<br />
<br />
<br />
(d) The fact that the defendant knew or ought to have<br />
known of the operation of the Safari Workaround from a very<br />
early stage during the Relevant Period. …”<br />
<br />
<br />
I interpose that factor (c), although no doubt true in relation to the class as a whole,<br />
<br />
plainly could not in fact be established in relation to any individual class member<br />
without evidence of what use, if any, was actually made of personal data of that<br />
individual by Google. If there is to be no individualised assessment, this factor must<br />
therefore be left out of account.<br />
<br />
<br />
<br />
89. The alternative case pleaded is that each member of the class is entitled to<br />
damages assessed as an amount which they could reasonably have charged for<br />
releasing Google from the duties which it breached. Again, it is contended that such<br />
damages should be assessed on a uniform per capita basis, “reflecting the generalised<br />
standard terms (rather than individuated basis) on which [Google] does business”.<br />
<br />
<br />
<br />
(2) Section 13 of the DPA 1998<br />
<br />
<br />
90. The claim for compensation made in the present case is founded (exclusively)<br />
on section 13 of the DPA 1998. This provides:<br />
<br />
“(1) An individual who suffers damage by reason of any<br />
contravention by a data controller of any of the requirements<br />
of this Act is entitled to compensation from the data<br />
controller for that damage.<br />
<br />
<br />
(2) An individual who suffers distress by reason of any<br />
<br />
contravention by a data controller of any of the requirements<br />
of this Act is entitled to compensation from the data<br />
controller for that distress if -<br />
<br />
<br />
(a) the individual also suffers damage by reason of the<br />
<br />
contravention, or<br />
<br />
<br />
(b) the contravention relates to the processing of<br />
personal data for the special purposes.<br />
<br />
<br />
(3) In proceedings brought against a person by virtue of<br />
this section it is a defence to prove that he had taken such<br />
<br />
care as in all the circumstances was reasonably required to<br />
comply with the requirement concerned.”<br />
<br />
<br />
91. Section 13 was intended to implement article 23 of the Data Protection<br />
Directive. This stated:<br />
<br />
<br />
<br />
“1. Member states shall provide that any person who has<br />
suffered damage as a result of an unlawful processing<br />
operation or of any act incompatible with the national<br />
provisions adopted pursuant to this Directive is entitled to<br />
<br />
receive compensation from the controller for the damage<br />
suffered.<br />
<br />
<br />
2. The controller may be exempted from this liability, in<br />
whole or in part, if he proves that he is not responsible for<br />
the event giving rise to the damage.”<br />
<br />
<br />
<br />
92. Two initial points can be made about the wording and structure of section 13.<br />
First, to recover compensation under this provision it is not enough to prove a breach<br />
by a data controller of its statutory duty under section 4(4) of the Act: an individual is<br />
<br />
only entitled to compensation under section 13 where “damage” - or in some<br />
circumstances “distress” - is suffered as a consequence of such a breach of duty.<br />
Second, it is plain from subsection (2) that the term “damage” as it is used in section<br />
13 does not include “distress”. The term “material damage” is sometimes used to<br />
describe any financial loss or physical or psychological injury, but excluding distress (or<br />
<br />
other negative emotions not amounting to a recognised psychiatric illness): see eg<br />
Watkins v Secretary of State for the Home Department [2006] UKHL 17; [2006] 2 AC<br />
395, para 7. Adopting this terminology, on a straightforward interpretation the term<br />
“damage” in section 13 refers only to material damage and compensation can only be<br />
<br />
recovered for distress if either of the two conditions set out in subsection (2) is met.<br />
<br />
<br />
(3) Vidal-Hall v Google Inc<br />
<br />
<br />
93. The effect of section 13 was considered by the Court of Appeal in Vidal-Hall v<br />
Google Inc [2016] QB 1003 on facts which, in terms of the generic allegations made,<br />
were identical to those on which the present claim is based. The three claimants<br />
<br />
sought damages arising out of the Safari workaround on two alternative bases: (1) at<br />
common law for misuse of private information; and (2) under section 13 of the DPA<br />
1998. As in the present case, permission to serve the proceedings outside the<br />
jurisdiction was opposed by Google. The main issues raised were: (1) whether misuse<br />
<br />
of private information is a tort for the purpose of the rules providing for service out of<br />
the jurisdiction; and (2) whether compensation can be recovered for distress under<br />
section 13 of the DPA 1998 in the absence of financial loss. The judge decided both<br />
issues in the claimants’ favour and the Court of Appeal affirmed that decision, for<br />
reasons given in a judgment written by Lord Dyson MR and Sharp LJ, with which<br />
<br />
Macfarlane LJ agreed.<br />
<br />
<br />
94. On the second issue Google submitted that, as discussed above, the term<br />
“damage” in section 13 must mean material damage, which for practical purposes<br />
limits its scope to financial loss. Hence section 13(2) has the effect that an individual<br />
<br />
may only recover compensation for distress suffered by reason of a contravention by a<br />
data controller of a requirement of the Act if either (a) the contravention also causes<br />
the individual to suffer financial loss or (b) the contravention relates to the processing<br />
of personal data for “special purposes” - which are defined as journalistic, artistic or<br />
<br />
literary purposes (see section 3). It was not alleged that either of those conditions was<br />
satisfied in the Vidal-Hall case.<br />
<br />
<br />
95. The Court of Appeal accepted that section 13(2) does indeed have this meaning<br />
but held that this makes it incompatible with article 23 of the Data Protection<br />
Directive, which section 13 of the DPA 1998 was meant to implement. This is because<br />
<br />
the word “damage” in article 23 is to be interpreted as including distress, which is the<br />
primary form of damage likely to be caused by an invasion of data privacy; and article<br />
23 does not permit national laws to restrict the right to receive compensation for<br />
“damage” where it takes the form of distress. The Court of Appeal considered whether<br />
it is possible to interpret section 13 in a way which achieves the result sought by the<br />
Directive, but concluded that the words of section 13 are not capable of being<br />
<br />
interpreted in such a way and that the limits set by Parliament to the right to<br />
compensation for breaches of the DPA 1998 are a fundamental feature of the UK<br />
legislative scheme. In the words of Lord Dyson MR and Sharp LJ in their joint judgment,<br />
at para 93, if the court were to disapply the limits on the right to compensation for<br />
<br />
distress set out in section 13(2), “the court would, in effect, be legislating against the<br />
clearly expressed intention of Parliament on an issue that was central to the scheme as<br />
a whole”.<br />
<br />
<br />
96. The Court of Appeal nevertheless held that section 13(2) should be disapplied<br />
on the ground that it conflicts with articles 7 and 8 of the Charter of Fundamental<br />
<br />
Rights of the European Union (“the EU Charter”). Article 7 of the EU Charter is in<br />
materially similar terms to article 8 of the European Convention for the Protection of<br />
Human Rights and Fundamental Freedoms (“the Convention”) and provides that<br />
“[e]veryone has the right to respect for his or her private and family life, home and<br />
<br />
communications”. Article 8(1) provides that “[e]veryone has the right to the protection<br />
of personal data concerning him or her”. In addition, article 47 requires that<br />
“[e]veryone whose rights and freedoms guaranteed by the law of the Union are<br />
violated has the right to an effective remedy before a tribunal …”. The Court of Appeal<br />
decided that, in order to provide an effective remedy for the rights guaranteed by<br />
<br />
articles 7 and 8 of the EU Charter, it was necessary that national law should give effect<br />
to the obligation under article 23 of the Data Protection Directive to provide a right to<br />
receive compensation from the data controller for any damage, including distress,<br />
suffered as a result of an unlawful processing operation. That result could and should<br />
<br />
be achieved by disapplying section 13(2) of the DPA 1998, thus enabling section 13(1)<br />
to be interpreted compatibly with article 23: see [2016] QB 1003, para 105.<br />
<br />
<br />
(4) Misuse of private information<br />
<br />
<br />
97. The Court of Appeal in Vidal-Hall also held that the claims for damages for<br />
<br />
misuse of private information made by the claimants in that case were properly<br />
classified as claims in tort for the purpose of service out of the jurisdiction and had a<br />
real prospect of success. As described at paras 18-25 of the judgment, the tort of<br />
misuse of private information evolved out of the equitable action for breach of<br />
confidence, influenced by the protection of the right to respect for private life<br />
<br />
guaranteed by article 8 of the Convention. The critical step in its emergence as a<br />
distinct basis for a claim was the identification of privacy of information as worthy of<br />
<br />
protection in its own right, irrespective of whether the information was imparted in<br />
circumstances which give rise to a duty of confidence: see Campbell v MGN Ltd [2004]<br />
UKHL 22; [2004] 2 AC 457. As Lord Hoffmann put it in Campbell, at para 50:<br />
<br />
<br />
“What human rights law has done is to identify private<br />
information as something worth protecting as an aspect of<br />
<br />
human autonomy and dignity.”<br />
<br />
<br />
98. The complaint in Campbell was about the publication of private information.<br />
Lord Nicholls of Birkenhead described the “essence of the tort”, at para 14, as “misuse<br />
of private information”. He also noted, however, at para 15, that an individual’s privacy<br />
<br />
can be invaded in ways not involving publication of information, and subsequent cases<br />
have held that intrusion on privacy, without any misuse of information, is actionable:<br />
see PJS v News Group Newspapers Ltd [2016] UKSC 26; [2016] 2 AC 1081, paras 58-60.<br />
It is misuse of information, however, which is primarily relevant in this case, and I shall<br />
generally - as counsel did in argument - use the label for the tort of “misuse of private<br />
<br />
information”.<br />
<br />
<br />
99. To establish liability for misuse of private information (or other wrongful<br />
invasion of privacy), it is necessary to show that there was a reasonable expectation of<br />
privacy in the relevant matter. As the Court of Appeal (Sir Anthony Clarke MR, Laws<br />
<br />
and Thomas LJJ) explained in upholding a claim to restrain the publication of<br />
photographs taken in a public place of the child of the well-known author, JK Rowling,<br />
in Murray v Express Newspapers plc [2008] EWCA Civ 446; [2009] Ch 481, para 36:<br />
<br />
<br />
“… the question whether there is a reasonable expectation of<br />
privacy is a broad one, which takes account of all the<br />
<br />
circumstances of the case. They include the attributes of the<br />
claimant, the nature of the activity in which the claimant was<br />
engaged, the place at which it was happening, the nature and<br />
purpose of the intrusion, the absence of consent and<br />
<br />
whether it was known or could be inferred, the effect on the<br />
claimant and the circumstances in which and the purposes<br />
for which the information came into the hands of the<br />
publisher.”<br />
<br />
<br />
<br />
If this test is met, in cases where freedom of expression is involved the court must then<br />
undertake a “balancing exercise” to decide whether in all the circumstances the<br />
interests of the owner of the private information must yield to the right to freedom of<br />
<br />
<br />
expression conferred on the publisher by article 10 of the Convention: see eg<br />
McKennitt v Ash [2006] EWCA Civ 1714; [2008] QB 73, para 9.<br />
<br />
<br />
(5) Gulati v MGN Ltd<br />
<br />
<br />
100. The measure of damages for wrongful invasion of privacy was considered in<br />
depth in Gulati v MGN Ltd [2015] EWHC 1482 (Ch); [2016] FSR 12 and [2015] EWCA Civ<br />
<br />
1291; [2017] QB 149 by Mann J and by the Court of Appeal. The eight test claimants in<br />
that case were individuals in the public eye whose mobile phones were hacked by<br />
newspapers, leading in some instances to the publication of articles containing<br />
information obtained by this means. The newspapers admitted liability for breach of<br />
<br />
privacy but disputed the amount of damages. Their main argument of principle was<br />
that (in the absence of material damage) all that could be compensated for was<br />
distress caused by their unlawful activities: see [2016] FSR 12, para 108. The judge<br />
rejected that argument. He said, at para 111, that he did not see why “distress (or<br />
some similar emotion), which would admittedly be a likely consequence of an invasion<br />
<br />
of privacy, should be the only touchstone for damages”. In his view:<br />
<br />
<br />
“While the law is used to awarding damages for injured<br />
feelings, there is no reason in principle … why it should not<br />
also make an award to reflect infringements of the right<br />
<br />
itself, if the situation warrants it.”<br />
<br />
<br />
101. The judge referred to cases in which damages have been awarded to very young<br />
children (only ten months or one year old) for misuse of private information by<br />
publishing photographs of them even though, because of their age, they could not<br />
have suffered any distress: see AAA v Associated Newspapers Ltd [2012] EWHC 2103<br />
<br />
(QB); [2013] EMLR 2; and Weller v Associated Newspapers Ltd [2014] EWHC 1163 (QB);<br />
[2014] EMLR 24. He concluded, at para 144:<br />
<br />
<br />
“I shall therefore approach the consideration of quantum in<br />
this case on the footing that compensation can be given for<br />
<br />
things other than distress, and in particular can be given for<br />
the commission of the wrong itself so far as that commission<br />
impacts on the values protected by the right.”<br />
<br />
<br />
Later in the judgment, at para 168, the judge referred back to his finding that:<br />
<br />
<br />
<br />
<br />
“the damages should compensate not merely for distress …,<br />
but should also compensate (if appropriate) for the loss of<br />
privacy or autonomy as such arising out [of] the infringement<br />
by hacking (or other mechanism) as such.”<br />
<br />
<br />
102. The Court of Appeal affirmed this decision: [2015] EWCA Civ 1291; [2017] QB<br />
<br />
149. Arden LJ (with whom Rafferty and Kitchin LJJ agreed) held, at para 45, that:<br />
<br />
<br />
“the judge was correct to conclude that the power of the<br />
court to grant general damages was not limited to distress<br />
and could be exercised to compensate the claimants also for<br />
<br />
the misuse of their private information. The essential<br />
principle is that, by misusing their private information, MGN<br />
deprived the claimants of their right to control the use of<br />
private information.”<br />
<br />
<br />
Arden LJ justified this conclusion, at para 46, on the basis that:<br />
<br />
<br />
<br />
“Privacy is a fundamental right. The reasons for having the<br />
right are no doubt manifold. Lord Nicholls of Birkenhead put<br />
it very succinctly in Campbell v MGN Ltd [2004] 2 AC 457,<br />
para 12: ‘[Privacy] lies at the heart of liberty in a modern<br />
<br />
state. A proper degree of privacy is essential for the<br />
well-being and development of an individual.’”<br />
<br />
<br />
103. The Court of Appeal in Gulati rejected a submission, also rejected by the judge,<br />
that granting damages for the fact of intrusion into a person’s privacy independently of<br />
<br />
any distress caused is inconsistent with the holding of this court in R (WL (Congo)) v<br />
Secretary of State for the Home Department [2011] UKSC 12; [2012] 1 AC 245, paras<br />
97-100, that vindicatory damages are not available as a remedy for violation of a<br />
private right. As Arden LJ pointed out at para 48, no question arose of awarding<br />
vindicatory damages of the kind referred to in WL (Congo), which have been awarded<br />
<br />
in some constitutional cases appealed to the Privy Council “to reflect the sense of<br />
public outrage, emphasise the importance of the constitutional right and the gravity of<br />
the breach, and deter further breaches”: see WL (Congo), para 98; Attorney General of<br />
Trinidad and Tobago v Ramanoop [2005] UKPC 15; [2006] 1 AC 328, para 19. Rather,<br />
<br />
the purpose of the relevant part of the awards made in Gulati was “to compensate for<br />
the loss or diminution of a right to control formerly private information”.<br />
<br />
<br />
<br />
104. Mann J’s reference to “loss of privacy or autonomy” and the Court of Appeal’s<br />
explanation that the claimants could be compensated for misuse of their private<br />
information itself because they were deprived of “their right to control [its] use”<br />
convey the point that English common law now recognises as a fundamental aspect of<br />
personal autonomy a person’s freedom to choose and right to control whether and<br />
<br />
when others have access to his or her private affairs: see on this point the helpful<br />
discussion by NA Moreham, “Compensating for Loss of Dignity and Autonomy” in<br />
Varuhas J and Moreham N (eds), Remedies for Breach of Privacy (2018) ch 5.<br />
<br />
<br />
(6) How the present claim is framed<br />
<br />
<br />
<br />
105. On the basis of the decisions of the Court of Appeal in Vidal-Hall and Gulati,<br />
neither of which is challenged by either party on this appeal, it would be open to Mr<br />
Lloyd to claim, at least in his own right: (1) damages under section 13(1) of the DPA<br />
1998 for any distress suffered by reason of any contravention by Google of any of the<br />
requirements of the Act; and/or (2) damages for the misuse of private information<br />
<br />
without the need to show that it caused any material damage or distress.<br />
<br />
<br />
106. Neither of these claims, however, is made in this case. The reasons why no<br />
claim is made in tort for misuse of private information have not been explained; but<br />
the view may have been taken that, to establish a reasonable expectation of privacy, it<br />
<br />
would be necessary to adduce evidence of facts particular to each individual claimant.<br />
In Vidal-Hall, the claimants produced confidential schedules about their internet use,<br />
showing that the information tracked and collected by Google in their cases was, in the<br />
Court of Appeal’s words at [2016] QB 1003, para 137, “often of an extremely private<br />
nature”. As discussed earlier, the need to obtain evidence in relation to individual<br />
<br />
members of the represented class would be incompatible with the representative<br />
claim which Mr Lloyd is seeking to bring.<br />
<br />
<br />
107. Similarly, to recover damages for distress under section 13(1) of the DPA 1998<br />
would require evidence of such distress from each individual for whom such a claim<br />
<br />
was made. Again, this would be incompatible with claiming damages on a<br />
representative basis.<br />
<br />
<br />
108. Instead of making either of these potential claims, the claimant seeks to break<br />
new legal ground by arguing that the principles identified in Gulati as applicable to the<br />
<br />
assessment of damages for misuse of private information at common law also apply to<br />
the assessment of compensation under section 13(1) of the DPA 1998. The case<br />
advanced, which is also supported by the Information Commissioner, is that the word<br />
<br />
<br />
“damage” in section 13(1) not only extends beyond material damage to include<br />
distress, as decided in Vidal-Hall, but also includes “loss of control” over personal data.<br />
<br />
<br />
(7) “Loss of control” over personal data<br />
<br />
<br />
109. There is potential for confusion in the use of this description. “Loss of control” is<br />
not an expression used in the DPA 1998 and, as the third interveners (the Association<br />
<br />
of the British Pharmaceutical Industry and Association of British HealthTech Industries)<br />
pointed out in their helpful written submissions, none of the requirements of the Act is<br />
predicated on “control” over personal data by the data subject. Under the legislative<br />
scheme the relevant control is that of the data controller: the entity which<br />
<br />
“determines the purposes for which and the manner in which any personal data are, or<br />
are to be, processed.” The nearest analogue to control as regards the data subject is<br />
his or her “consent to the processing”, being the first condition in Schedule 2 (see para<br />
22 above). Such consent, however, is neither necessary nor sufficient to render the<br />
processing of personal data compliant with the Act.<br />
<br />
<br />
<br />
110. It was made clear in submissions, however, that, in describing the basis for the<br />
compensation claimed as “loss of control” of personal data, the claimant is not seeking<br />
to single out a particular category of breaches of the DPA 1998 by a data controller as<br />
breaches in respect of which the data subject is entitled to compensation without<br />
<br />
proof of material damage or distress. The claimant’s case, which was accepted by the<br />
Court of Appeal, is that an individual is entitled to recover compensation under section<br />
13 of the DPA 1998 without proof of material damage or distress whenever a data<br />
controller fails to comply with any of the requirements of the Act in relation to any<br />
personal data of which that individual is the subject, provided only that the<br />
<br />
contravention is not trivial or de minimis. Any such contravention, on the claimant’s<br />
case, ipso facto involves “loss of control” of data for which compensation is payable.<br />
Only where the individual claiming compensation is not the data subject is it necessary<br />
on the claimant’s case to show that the individual has suffered material damage or<br />
<br />
distress.<br />
<br />
<br />
(8) The common source argument<br />
<br />
<br />
111. The claimant’s core argument for this interpretation is that, as a matter of<br />
principle, the same approach to the damage for which compensation can be awarded<br />
<br />
should apply under the data protection legislation as where the claim is brought in tort<br />
for misuse of private information because the two claims, although not coterminous,<br />
have a common source. Both seek to protect the same fundamental right to privacy<br />
guaranteed by article 8 of the Convention. This objective is expressly referred to in<br />
recital (10) of the Data Protection Directive, which states:<br />
<br />
<br />
“Whereas the object of the national laws on the processing<br />
of personal data is to protect fundamental rights and<br />
freedoms, notably the right to privacy, which is recognized<br />
<br />
both in article 8 of the European Convention for the<br />
Protection of Human Rights and Fundamental Freedoms and<br />
in the general principles of [EU] law; whereas, for that<br />
reason, the approximation of those laws must not result in<br />
<br />
any lessening of the protection they afford but must, on the<br />
contrary, seek to ensure a high level of protection in the<br />
[EU];”<br />
<br />
<br />
The aim of protecting the right to privacy with regard to the processing of personal<br />
data is also articulated in recitals (2), (7), (8) and (11) of the Data Protection Directive,<br />
<br />
and is spelt out in article 1 which states:<br />
<br />
<br />
“Object of the Directive<br />
<br />
<br />
In accordance with this Directive, member states shall<br />
protect the fundamental rights and freedoms of natural<br />
<br />
persons, and in particular their right to privacy with respect<br />
to the processing of personal data.”<br />
<br />
<br />
Reliance is also placed on the recognition in article 8 of the EU Charter, quoted at para<br />
96 above, of the right to the protection of personal data as a fundamental right in EU<br />
<br />
law.<br />
<br />
<br />
112. The claimant argues that, given that the tort of misuse of private information<br />
and the data protection legislation are both rooted in the same fundamental right to<br />
privacy, it would be wrong in principle to adopt a different approach to the nature of<br />
the damage which can be compensated under the two regimes. The conclusion should<br />
<br />
therefore be drawn that, in each case, damages can be recovered for interference with<br />
the claimant’s right, without the need to prove that the interference resulted in any<br />
material damage or distress.<br />
<br />
<br />
113. I cannot accept this argument for two reasons. First, even if the suggested<br />
<br />
analogy between the privacy tort and the data protection regime were persuasive,<br />
section 13(1) of the DPA 1998 cannot, in my opinion, properly be interpreted as having<br />
the meaning for which the claimant contends. Second, the logic of the argument by<br />
analogy is in any event flawed.<br />
<br />
<br />
(a) The wording of the DPA 1998<br />
<br />
<br />
114. I do not accept a submission made by counsel for Google that the interpretation<br />
<br />
of section 13 of the DPA 1998 should be approached on the basis of a general rule that<br />
breaches of statutory duty are not actionable without proof of material damage. The<br />
question in Cullen v Chief Constable of the Royal Ulster Constabulary [2003] UKHL 39;<br />
[2003] 1 WLR 1763, relied on to support this submission, was whether a statute which<br />
<br />
did not expressly confer a right to compensation on a person affected by a breach of<br />
statutory duty nevertheless conferred such a right impliedly. That is not the question<br />
raised in this case, where there is an express entitlement to compensation provided by<br />
section 13 of the DPA 1998. The only question in this case is what the words of the<br />
relevant statutory provision mean.<br />
<br />
<br />
<br />
115. Those words, however, cannot reasonably be interpreted as giving an individual<br />
a right to compensation without proof of material damage or distress whenever a data<br />
controller commits a non-trivial breach of any requirement of the Act in relation to any<br />
personal data of which that individual is the subject. In the first place, as discussed<br />
<br />
above, the wording of section 13(1) draws a distinction between “damage” suffered by<br />
an individual and a “contravention” of a requirement of the Act by a data controller,<br />
and provides a right to compensation “for that damage” only if the “damage” occurs<br />
“by reason of” the contravention. This wording is inconsistent with an entitlement to<br />
compensation based solely on proof of the contravention. To say, as the claimant does<br />
<br />
in its written case, that what is “damaged” is the data subject’s right to have their data<br />
processed in accordance with the requirements of the Act does not meet this point, as<br />
it amounts to an acknowledgement that on the claimant’s case the damage and the<br />
contravention are one and the same.<br />
<br />
<br />
<br />
116. Nor is the claimant’s case assisted by section 14 of the DPA 1998, on which<br />
reliance is placed. Section 14(1) gives the court power, on the application of a data<br />
subject, to order a data controller to rectify, block, erase or destroy personal data if<br />
satisfied that the data are inaccurate. Section 14(4) states:<br />
<br />
<br />
<br />
“If a court is satisfied on the application of a data subject -<br />
<br />
<br />
<br />
<br />
(a) that he has suffered damage by reason of any<br />
contravention by a data controller of any of the<br />
requirements of this Act in respect of any personal<br />
data, in circumstances entitling him to compensation<br />
under section 13, and<br />
<br />
<br />
<br />
(b) that there is a substantial risk of further<br />
contravention in respect of those data in such<br />
circumstances,<br />
<br />
<br />
the court may order the rectification, blocking, erasure or<br />
<br />
destruction of any of those data.”<br />
<br />
<br />
117. Counsel for the claimant submitted that, if Google’s case on what is meant by<br />
“damage” is correct, a data subject who does not suffer material damage or distress as<br />
a result of a breach of duty by a data controller cannot claim rectification, blocking,<br />
erasure or destruction of data, unless those data are inaccurate, however egregious<br />
<br />
the breach. This is true, but I can see nothing unreasonable in such a result. Indeed,<br />
section 14 seems to me positively to confirm that “damage” means something distinct<br />
from a contravention of the Act itself. If a contravention by a data controller of the Act<br />
could by itself constitute “damage”, section 14(4)(a) would be otiose and there would<br />
<br />
be no material distinction in the remedies available in cases where the data are<br />
inaccurate and in cases where the data are accurate. The manifest intention behind<br />
section 14 is to limit the remedies of rectification, blocking, erasure or destruction of<br />
accurate data to cases where the contravention of the Act has caused the data subject<br />
some harm distinct from the contravention itself, whereas no such limitation is<br />
<br />
imposed where the contravention involves holding inaccurate personal data.<br />
<br />
<br />
118. The second reason why the claimant’s interpretation is impossible to reconcile<br />
with the language of section 13 is that, as the Court of Appeal recognised in Vidal-Hall,<br />
it is plain from the words enacted by Parliament the term “damage” was intended to<br />
<br />
be limited to material damage and not to extend to “distress”. The only basis on which<br />
the Court of Appeal in Vidal-Hall was able to interpret the term “damage” as<br />
encompassing distress was by disapplying section 13(2) as being incompatible with EU<br />
law. By the same token, if the term “damage” in section 13 is to be interpreted as<br />
<br />
having an even wider meaning and as encompassing an infringement of a data<br />
subject’s rights under the Act which causes no material damage nor even distress, that<br />
could only be because this result is required by EU law. On a purely domestic<br />
interpretation of the DPA 1998, such a reading is untenable.<br />
<br />
<br />
<br />
(b) The effect of EU law<br />
<br />
<br />
119. It is not suggested in the present case that section 13(1) should be disapplied:<br />
the claimant’s case is founded on it. No argument of the kind which succeeded in<br />
Vidal-Hall that words of the statute must be disapplied because they conflict with EU<br />
law is therefore available (or is advanced by the claimant). The question is whether the<br />
<br />
term “damage” in section 13(1) can and should be interpreted as having the meaning<br />
for which the claimant contends because such an interpretation is required in order to<br />
make the domestic legislation compatible with EU law. There are two aspects of this<br />
question: (i) what does the term “damage” mean in article 23 of the Data Protection<br />
<br />
Directive, which section 13 of the DPA 1998 was intended to implement; and (ii) if<br />
“damage” in article 23 includes contraventions of the national provisions adopted<br />
pursuant to the Directive which cause no material damage or distress, is it possible to<br />
interpret the term “damage” in section 13(1) of the DPA 1998 as having the same<br />
meaning?<br />
<br />
<br />
<br />
120. To take the second point first, it does not seem to me possible to interpret the<br />
term “damage” in section 13(1) of the DPA 1998 as having the meaning for which the<br />
claimant contends, even if such an interpretation were necessary to make the Act<br />
compatible with the Data Protection Directive. In Vidal-Hall the Court of Appeal held,<br />
<br />
rightly in my opinion, that section 13 of the DPA 1998 could not be construed as<br />
providing a general right to compensation for distress suffered by reason of a<br />
contravention of the Act “without contradicting the clearly expressed intention of<br />
Parliament on an issue that was central to the scheme” of the legislation (see para 95<br />
above). The same is equally, if not all the more, true of the contention that section 13<br />
<br />
of the DPA 1998 can be interpreted as providing a right to compensation for<br />
contraventions of the Act which have not caused any distress, let alone material<br />
damage. The distinction between “damage” suffered by an individual and a<br />
“contravention” of a requirement of the Act by a data controller which causes such<br />
<br />
damage is a fundamental feature of the remedial scheme provided by the Act which,<br />
as indicated above, permeates section 14 as well as section 13. If it were found that<br />
this feature makes the DPA 1998 incompatible with the Data Protection Directive, such<br />
incompatibility could, in my view, only be removed by amending the legislation. That<br />
<br />
could only be done by Parliament.<br />
<br />
<br />
121. No such incompatibility arises, however, as there is no reason to interpret the<br />
term “damage” in article 23 of the Data Protection Directive as extending beyond<br />
material damage and distress. The wording of article 23 draws exactly the same<br />
distinction as section 13(1) of the DPA 1998 between “damage” and an unlawful act of<br />
<br />
which the damage is “a result”. Again, this wording identifies the “damage” for which a<br />
person is entitled to receive compensation as distinct from the wrongful act which<br />
causes the damage. This is inconsistent with giving a right to compensation for the<br />
unlawful act itself on the basis that the act constitutes an interference with the<br />
claimant’s data protection rights. Nor has any authority been cited which suggests that<br />
the term “damage”, either generally in EU law or in the specific context of article 23 of<br />
the Data Protection Directive, is to be interpreted as including an infringement of a<br />
<br />
legal right which causes no material damage or distress.<br />
<br />
<br />
122. If there were evidence that at least some national laws on the processing of<br />
personal data which pre-dated the Data Protection Directive and are referred to in<br />
recital (10), quoted at para 111 above, provided a right to compensation for unlawful<br />
<br />
processing without proof of material damage or distress, that might arguably support<br />
an inference that the Directive was intended to ensure a similarly high level of<br />
protection across all member states. But it has not been asserted that any national<br />
laws did so. The Data Protection Act 1984, which was the applicable UK legislation<br />
when the Data Protection Directive was adopted, in sections 22 and 23 gave the data<br />
<br />
subject an entitlement to compensation in certain circumstances for damage or<br />
distress suffered by reason of the inaccuracy of data or the loss or unauthorised<br />
destruction or disclosure of data or unauthorised obtaining of access to data. By clear<br />
implication, UK national law gave no right to compensation for unlawful processing of<br />
<br />
personal data which did not result in material damage or distress. There is no evidence<br />
that the national law of any other member state at that time did so either.<br />
<br />
<br />
123. EU law therefore does not provide a basis for giving a wider meaning to the<br />
term “damage” in section 13 of the DPA 1998 than was given to that term by the Court<br />
of Appeal in Vidal-Hall.<br />
<br />
<br />
<br />
(c) Flaws in the common source argument<br />
<br />
<br />
124. I also reject the claimant’s argument that the decision in Gulati affords any<br />
assistance to its case on this issue. Leaving aside the fact that Gulati was decided many<br />
years after the Data Protection Directive was adopted, there is no reason on the face<br />
<br />
of it why the basis on which damages are awarded for an English domestic tort should<br />
be regarded as relevant to the proper interpretation of the term “damage” in a<br />
statutory provision intended to implement a European directive. The claimant relies on<br />
the fact that both derive from the right to respect for private life protected by article 8<br />
<br />
of the Convention (and incorporated in article 7 of the EU Charter when it was created<br />
in 2007). It does not follow, however, from the fact that two different legal regimes<br />
aim, at a general level, to provide protection for the same fundamental value that they<br />
must do so in the same way or to the same extent or by affording identical remedies.<br />
There are significant differences between the nature and scope of the common law<br />
<br />
privacy tort and the data protection legislation, to which I will draw attention in a<br />
moment. But the first point to note is that the decision in Gulati that damages can be<br />
awarded for misuse of private information itself was not compelled by article 8 of the<br />
Convention; nor did article 8 require the adoption of the particular legal framework<br />
governing the protection of personal data contained in the Data Protection Directive<br />
and the DPA 1998.<br />
<br />
<br />
<br />
125. The Convention imposes obligations on the states which are parties to it, but<br />
not on private individuals and bodies. In some cases the obligations on state parties<br />
extend beyond negative obligations not to act in ways which violate the Convention<br />
rights and include certain positive obligations on the state to ensure effective<br />
<br />
protection of those rights. That is so as regards the right to respect for private life<br />
guaranteed by article 8. The European Court of Human Rights has held that in certain<br />
circumstances the state’s positive obligations under article 8 are not adequately<br />
fulfilled unless the state secures respect for private life in the relations between<br />
individuals by setting up a legislative framework taking into consideration the various<br />
<br />
interests to be protected in a particular context. However, the court has emphasised<br />
that there are different ways of ensuring respect for private life and that “the choice of<br />
the means calculated to secure compliance with article 8 of the Convention in the<br />
sphere of the relations of individuals between themselves is in principle a matter that<br />
<br />
falls within the contracting states’ margin of appreciation”: see the judgment of the<br />
Grand Chamber in Bărbulescu v Romania [2017] ECHR 754; [2017] IRLR 1032, para 113.<br />
<br />
<br />
126. While the House of Lords in Campbell drew inspiration from article 8, it did not<br />
suggest that the Convention or the Human Rights Act 1998 required the recognition of<br />
a civil claim for damages for misuse of private information in English domestic law, let<br />
<br />
alone that damages should be recoverable in such claim where no material damage or<br />
distress has been caused. In Gulati the Court of Appeal rejected an argument that the<br />
approach to awarding damages for misuse of private information ought to follow the<br />
approach of the European Court of Human Rights in making awards of just satisfaction<br />
<br />
under article 41 of the Convention. As Arden LJ observed, at para 89, in awarding<br />
damages for misuse of private information, the court is not proceeding under section 8<br />
of the Human Rights Act 1998 or article 41 of the Convention, and the conditions of<br />
the tort are governed by English domestic law and not the Convention.<br />
<br />
<br />
<br />
127. For those reasons, I do not regard as relevant the decision of the European<br />
Court of Human Rights in Halford v United Kingdom (1997) 24 EHRR 523, relied on by<br />
counsel for the claimant. In Halford a senior police officer whose telephone calls had<br />
been intercepted by her employer in violation of article 8 was awarded £10,000 as just<br />
satisfaction. As Lord Sales pointed out in argument, on one reading of the judgment,<br />
<br />
which is far from clear, although it could not be shown that the interception of the<br />
applicant’s phone calls, as opposed to other conflicts with her employer, had caused<br />
stress for which she had required medical treatment, it was reasonably assumed that<br />
this invasion of privacy had caused her mental harm. Even if the award of just<br />
satisfaction is understood to have been for the invasion of the right to privacy itself<br />
rather than for any distress felt by the applicant, however, it does not follow that, in an<br />
action between private parties under national law for a similar invasion of privacy, the<br />
<br />
Convention requires the court to be able to award damages simply for the loss of<br />
privacy itself.<br />
<br />
<br />
128. Whilst it may be said that pursuant to the general principles of EU law<br />
embodied in articles 7 and 8 of the EU Charter the EU had a positive obligation to<br />
<br />
establish a legislative framework providing for protection of personal data, there was<br />
clearly a wide margin of choice as to the particular regime adopted; and the same<br />
applies to the positive obligation imposed directly on the UK by the Convention. It<br />
could not seriously be argued that the content of those positive obligations included a<br />
requirement to establish a right to receive compensation for any (non-trivial) breach of<br />
<br />
any requirement (in relation to any personal data of which the claimant is the subject)<br />
of whatever legislation the EU and UK chose to enact in this area without the need to<br />
prove that the claimant suffered any material damage or distress as a result of the<br />
breach.<br />
<br />
<br />
<br />
129. Accordingly, the fact that the common law privacy tort and the data protection<br />
legislation have a common source in article 8 of the Convention does not justify<br />
reading across the principles governing the award of damages from one regime to the<br />
other.<br />
<br />
<br />
(d) Material differences between the regimes<br />
<br />
<br />
<br />
130. There are further reasons why no such analogy can properly be drawn<br />
stemming from the differences between the two regimes. It is plain that the detailed<br />
scheme for regulating the processing of personal data established by the Data<br />
Protection Directive extended beyond the scope of article 8 and much more widely<br />
<br />
than the English domestic tort of misusing private information. An important<br />
difference is that the Directive (and the UK national legislation implementing it)<br />
applied to all “personal data” with no requirement that the data are of a confidential<br />
or private nature or that there is a reasonable expectation of privacy protection. By<br />
<br />
contrast, information is protected against misuse by the domestic tort only where<br />
there is a reasonable expectation of privacy. The reasonable expectation of privacy of<br />
the communications illicitly intercepted by the defendants in the phone hacking<br />
litigation was an essential element of the decision in Gulati that the claimants were<br />
entitled to compensation for the commission of the wrong itself. It cannot properly be<br />
inferred that the same entitlement should arise where a reasonable expectation of<br />
privacy is not a necessary element of the claim.<br />
<br />
<br />
131. This point goes to the heart of the approach adopted by the claimant in the<br />
present case. Stripped to its essentials, what the claimant is seeking to do is to claim<br />
for each member of the represented class a form of damages the rationale for which<br />
<br />
depends on there being a violation of privacy, while avoiding the need to show a<br />
violation of privacy in the case of any individual member of the class. This is a flawed<br />
endeavour.<br />
<br />
<br />
132. Another significant difference between the privacy tort and the data protection<br />
<br />
legislation is that a claimant is entitled to compensation for a contravention of the<br />
legislation only where the data controller has failed to exercise reasonable care. Some<br />
contraventions are inherently fault based. For example, the seventh data protection<br />
principle with which a data controller has a duty to comply pursuant to section 4(4) of<br />
the DPA 1998 (and article 17 of the Data Protection Directive) states:<br />
<br />
<br />
<br />
“Appropriate technical and organisational measures shall be<br />
taken against unauthorised or unlawful processing of<br />
personal data and against accidental loss or destruction of, or<br />
damage to, personal data.”<br />
<br />
<br />
<br />
A complaint that a data controller has failed to take such “appropriate technical and<br />
organisational measures” is similar to an allegation of negligence in that it is<br />
predicated on failure to meet an objective standard of care rather than on any<br />
intentional conduct. Even where a contravention of the legislation does not itself<br />
require fault, pursuant to section 13(3), quoted at para 90 above, there is no<br />
<br />
entitlement to compensation if the data controller proves that it took “such care as in<br />
all the circumstances was reasonably required to comply with the requirement<br />
concerned”.<br />
<br />
<br />
133. The privacy tort, like other torts for which damages may be awarded without<br />
<br />
proof of material damage or distress, is a tort involving strict liability for deliberate<br />
acts, not a tort based on a want of care. No inference can be drawn from the fact that<br />
compensation can be awarded for commission of the wrong itself where private<br />
information is misused that the same should be true where the wrong may consist only<br />
<br />
in a failure to take appropriate protective measures and where the right to<br />
compensation is expressly excluded if the defendant took reasonable care.<br />
<br />
<br />
<br />
134. Indeed, this feature of the data protection legislation seems to me to be a yet<br />
further reason to conclude that the “damage” for which an individual is entitled to<br />
compensation for a breach of any of its requirements does not include the commission<br />
of the wrong itself. It would be anomalous if failure to take reasonable care to protect<br />
personal data gave rise to a right to compensation without proof that the claimant<br />
<br />
suffered any material damage or distress when failure to take care to prevent personal<br />
injury or damage to tangible moveable property does not.<br />
<br />
<br />
135. Accordingly, I do not accept that the decision in Gulati is applicable by analogy<br />
to the DPA 1998. To the contrary, there are significant differences between the privacy<br />
<br />
tort and the data protection legislation which make such an analogy positively<br />
inappropriate.<br />
<br />
<br />
(e) Equivalence and effectiveness<br />
<br />
<br />
136. I add for completeness that the EU law principles of equivalence and<br />
effectiveness, on which the Court of Appeal placed some reliance, do not assist the<br />
<br />
claimant’s case. The principle of equivalence requires that procedural rules governing<br />
claims for breaches of EU law rights must not be less favourable than procedural rules<br />
governing equivalent domestic actions. As explained by Lord Briggs, giving the<br />
judgment of this court, in Totel Ltd v Revenue and Customs Comrs [2018] UKSC 44;<br />
<br />
[2018] 1 WLR 4053, para 7, the principle is “essentially comparative”. Thus:<br />
<br />
<br />
“The identification of one or more similar procedures for the<br />
enforcement of claims arising in domestic law is an essential<br />
prerequisite for its operation. If there is no true comparator,<br />
then the principle of equivalence can have no operation at<br />
<br />
all. The identification of one or more true comparators is<br />
therefore the essential first step in any examination of an<br />
assertion that the principle of equivalence has been<br />
infringed.” [citation omitted]<br />
<br />
<br />
<br />
For the reasons given, even if the measure of damages is regarded as a procedural<br />
rule, a claim for damages for misuse of private information at common law is not a<br />
true comparator of a claim under section 13 of the DPA 1998. The principle of<br />
equivalence can therefore have no operation.<br />
<br />
<br />
<br />
137. The principle of effectiveness invalidates a national procedure if it renders the<br />
enforcement of a right conferred by EU law either virtually impossible or excessively<br />
difficult: see again Totel Ltd at para 7. However, the absence of a right to<br />
compensation for a breach of data protection rights which causes no material damage<br />
or distress, even if regarded as a procedural limitation, does not render the<br />
enforcement of such rights virtually impossible or excessively difficult. The right to an<br />
effective remedy does not require awards of compensation for every (non-trivial)<br />
<br />
breach of statutory requirements even if no material damage or distress has been<br />
suffered.<br />
<br />
<br />
(f) Conclusion on the effect of section 13<br />
<br />
<br />
138. For all these reasons, I conclude that section 13 of the DPA 1998 cannot<br />
<br />
reasonably be interpreted as conferring on a data subject a right to compensation for<br />
any (non-trivial) contravention by a data controller of any of the requirements of the<br />
Act without the need to prove that the contravention has caused material damage or<br />
distress to the individual concerned.<br />
<br />
<br />
(9) The claim for user damages<br />
<br />
<br />
<br />
139. “User damages” is the name commonly given to a type of damages readily<br />
awarded in tort where use has wrongfully been made of someone else’s land or<br />
tangible moveable property although there has been no financial loss or physical<br />
damage to the property. The damages are assessed by estimating what a reasonable<br />
<br />
person would have paid for the right of user. Damages are also available on a similar<br />
basis for patent infringement and other breaches of intellectual property rights.<br />
Following the seminal decision of this court in OneStep (Support) Ltd v Morris-Garner<br />
[2018] UKSC 20; [2019] AC 649, it is now clear that user damages are compensatory in<br />
nature, their purpose being to compensate the claimant for interference with a right to<br />
<br />
control the use of property where the right is a commercially valuable asset. As Lord<br />
Reed explained in Morris-Garner, at para 95(1):<br />
<br />
<br />
“The rationale of such awards is that the person who makes<br />
wrongful use of property, where its use is commercially<br />
<br />
valuable, prevents the owner from exercising a valuable right<br />
to control its use, and should therefore compensate him for<br />
the loss of the value of the exercise of that right. He takes<br />
something for nothing, for which the owner was entitled to<br />
<br />
require payment.”<br />
<br />
<br />
<br />
<br />
140. Lord Reed, at paras 27 and 29, cited authorities which make it clear that the<br />
entitlement to user damages does not depend on whether the owner would in fact<br />
have exercised the right to control the use of the property, had it not been interfered<br />
with. The “loss” for which the claimant is entitled to compensation is not loss of this<br />
“conventional kind” (para 30); rather, it lies in the wrongful use of the claimant’s<br />
<br />
property itself, for which the economic value of the use provides an appropriate<br />
measure. This value can be assessed by postulating a hypothetical negotiation and<br />
estimating what fee would reasonably have been agreed for releasing the defendant<br />
from the duty which it breached. It is this method of assessment on which the claimant<br />
<br />
relies in the alternative formulation of the present claim.<br />
<br />
<br />
141. A claim in tort for misuse of private information based on the factual allegations<br />
made in this case, such as was made in Vidal-Hall, would naturally lend itself to an<br />
award of user damages. The decision in Gulati shows that damages may be awarded<br />
for the misuse of private information itself on the basis that, apart from any material<br />
<br />
damage or distress that it may cause, it prevents the claimant from exercising his or<br />
her right to control the use of the information. Nor can it be doubted that information<br />
about a person’s internet browsing history is a commercially valuable asset. What was<br />
described by the Chancellor in the Court of Appeal [2020] QB 747, para 46, as “the<br />
<br />
underlying reality of this case” is that Google was allegedly able to make a lot of money<br />
by tracking the browsing history of iPhone users without their consent and selling the<br />
information collected to advertisers.<br />
<br />
<br />
142. The view has sometimes been expressed that asserting privacy in information is<br />
inconsistent, or at least in tension, with treating such information as a commercial<br />
<br />
asset: see eg Douglas v Hello! Ltd (No 3) [2005] EWCA Civ 595; [2006] QB 125, para<br />
246; and on appeal sub nom OBG Ltd v Allan [2007] UKHL 21; [2008] AC 1, para 275<br />
(Lord Walker of Gestingthorpe). But once the basis of the right to privacy is understood<br />
to be the protection of a person’s freedom to choose and right to control whether and<br />
<br />
when others have access to his or her private affairs, I think that any tension largely<br />
disappears. It is common experience that some people are happy to exploit for<br />
commercial gain facets of their private lives which others would feel mortified at<br />
having exposed to public view. Save in the most extreme cases, this should be seen as<br />
<br />
a matter of personal choice on which it is not for the courts to pass judgments.<br />
Moreover, where the defendant’s very purpose in wrongfully obtaining and using<br />
private information is to exploit its commercial value, the law should not be prissy<br />
about awarding compensation based on the commercial value of the exercise of the<br />
right. As was confirmed in Morris-Garner, the fact that the claimant would not have<br />
<br />
chosen to exercise the right himself is no answer to a claim for user damages. It is<br />
enough that, as Lord Reed put it at paras 30 and 95(1) of his majority judgment, the<br />
defendant has taken something for nothing, for which the owner of the right was<br />
entitled to require payment.<br />
<br />
143. The point does not arise in the present case, however, because the claimant is<br />
not claiming damages for misuse of private information. As discussed, the only claim<br />
advanced is under the DPA 1998. Here it follows from the conclusion reached above<br />
about the meaning of section 13 that user damages are not available. This is because,<br />
for the reasons given, compensation can only be awarded under section 13 of the DPA<br />
<br />
1998 for material damage or distress caused by an infringement of a claimant’s right to<br />
have his or her personal data processed in accordance with the requirements of the<br />
Act, and not for the infringement itself. Although his reasoning was in part based on an<br />
understanding of user damages overtaken by this court’s decision in Morris-Garner, it<br />
<br />
follows that Patten J was right to hold in Murray v Express Newspapers Plc [2007]<br />
EWHC 1908 (Ch); [2007] EMLR 22, at para 92, that the principles on which user<br />
damages are awarded do not apply to a claim for compensation under the DPA 1998.<br />
<br />
<br />
F. THE NEED FOR INDIVIDUALISED EVIDENCE OF MISUSE<br />
<br />
<br />
144. There is a further reason why the claimant’s attempt to recover damages under<br />
<br />
section 13 of the DPA 1998 by means of a representative claim cannot succeed. Even if<br />
(contrary to my conclusion) it were unnecessary in order to recover compensation<br />
under this provision to show that an individual has suffered material damage or<br />
distress as a result of unlawful processing of his or her personal data, it would still be<br />
<br />
necessary for this purpose to establish the extent of the unlawful processing in his or<br />
her individual case. In deciding what amount of damages, if any, should be awarded,<br />
relevant factors would include: over what period of time did Google track the<br />
individual’s internet browsing history? What quantity of data was unlawfully<br />
processed? Was any of the information unlawfully processed of a sensitive or private<br />
<br />
nature? What use did Google make of the information and what commercial benefit, if<br />
any, did Google obtain from such use?<br />
<br />
<br />
(1) The claim for the “lowest common denominator”<br />
<br />
<br />
145. The claimant does not dispute that the amount of any compensation awarded<br />
<br />
must in principle depend on such matters. But he contends that it is possible to<br />
identify an “irreducible minimum harm” suffered by every member of the class whom<br />
he represents for which a “uniform sum” of damages can be awarded. This sum is<br />
claimed on the basis that it represents what the Chancellor in the Court of Appeal<br />
<br />
described as the “lowest common denominator” of all the individual claims: see [2020]<br />
QB 747, para 75.<br />
<br />
<br />
146. Google objects that Mr Lloyd, as the self-appointed representative of the class,<br />
has no authority from any individual class member to waive or abandon what may be<br />
the major part of their damages claim by disavowing reliance on any circumstances<br />
affecting that individual. Mr Lloyd’s answer, which the Court of Appeal accepted, is a<br />
pragmatic one. He points out that the limitation period for bringing any proceedings<br />
has now expired. For any represented individual there is therefore no longer any<br />
realistic possibility of recovering any compensation at all other than through the<br />
<br />
present action. Furthermore, to make this action viable, it is necessary to confine the<br />
amount of damages claimed for each class member to a uniform sum; and a uniform<br />
sum of damages, even if considerably smaller than an individualised award would be, is<br />
better than nothing.<br />
<br />
<br />
<br />
147. I do not think it necessary to enter into the merits of this issue. I am prepared to<br />
assume, without deciding, that as a matter of discretion the court could - if satisfied<br />
that the persons represented would not be prejudiced and with suitable arrangements<br />
in place enabling them to opt out of the proceedings if they chose - allow a<br />
representative claim to be pursued for only a part of the compensation that could<br />
<br />
potentially be claimed by any given individual. The fundamental problem is that, if no<br />
individual circumstances are taken into account, the facts alleged are insufficient to<br />
establish that any individual member of the represented class is entitled to damages.<br />
That is so even if it is unnecessary to prove that the alleged breaches caused any<br />
<br />
material damage or distress to the individual.<br />
<br />
<br />
(2) The facts common to each individual case<br />
<br />
<br />
148. The facts alleged against Google generically cannot establish that any given<br />
individual is entitled to compensation. To establish any such individual entitlement it<br />
must be shown, at least, that there was unlawful processing by Google of personal<br />
<br />
data of which that particular individual was the subject. In considering whether the<br />
facts alleged, if proved, are capable of establishing an entitlement to damages, it is<br />
therefore necessary to identify what unlawful processing by Google of personal data is<br />
alleged to have occurred in Mr Lloyd’s own case and also in the case of each other<br />
<br />
member of the represented class. What facts is the claimant proposing to prove to<br />
show that Google acted unlawfully in each individual case?<br />
<br />
<br />
149. The answer, on analysis, is: only those facts which are necessary to show that<br />
the individual falls within the definition of the “claimant class”. The premise of the<br />
<br />
claim is that Mr Lloyd and each person whom he represents is entitled to damages<br />
simply on proof that they are members of the class and without the need to prove any<br />
further facts to show that Google wrongfully collected and used their personal data.<br />
Any such further facts would inevitably vary from one individual member of the class<br />
to another and would require individual proof.<br />
<br />
<br />
150. To fall within the definition of the class, it must be shown, in substance, that the<br />
individual concerned had an iPhone of the appropriate model running a relevant<br />
version of the Apple Safari internet browser which, at any date during the relevant<br />
period whilst present in England and Wales, he or she used to access a website that<br />
was participating in Google’s DoubleClick advertising service. There are exclusions<br />
<br />
from the class definition for anyone who changed the default settings in the Safari<br />
browser, opted out of tracking and collation via Google’s “Ads Preference Manager” or<br />
obtained a DoubleClick Ad cookie via a “first party request” rather than as a “third<br />
party cookie”. The aim of the definition is to identify all those people who had a<br />
<br />
DoubleClick Ad cookie placed on their device unlawfully, through the Safari<br />
workaround, but not to include within the class anyone who did not receive a<br />
DoubleClick Ad cookie during the relevant period or who received the cookie by lawful<br />
means.<br />
<br />
<br />
151. It is sufficient to bring an individual within the class definition that he or she<br />
<br />
used the Safari browser to access a website participating in Google’s DoubleClick<br />
advertising service on a single occasion. The theory is that on that occasion the<br />
DoubleClick Ad cookie will have been placed on the user’s device unlawfully as a third<br />
party cookie. To qualify for membership of the class, it is not necessary to show that<br />
<br />
the individual ever visited a website participating in Google’s DoubleClick advertising<br />
service again during the relevant period. Nor is it alleged that any individual or<br />
individuals did visit such a website on more than one occasion. The “lowest common<br />
denominator” on which the claim is based is therefore someone whose internet usage<br />
- apart from one visit to a single website - was not illicitly tracked and collated and who<br />
<br />
received no targeted advertisements as a result of receiving a DoubleClick Ad cookie.<br />
This is because the claimant has deliberately chosen, in order to advance a claim in a<br />
representative capacity for damages assessed from the bottom up, not to rely on any<br />
facts about the internet activity of any individual iPhone user beyond those which<br />
<br />
bring them within the class of represented persons.<br />
<br />
<br />
152. For reasons given earlier, I am leaving aside the difficulties of proving<br />
membership of the class, significant as they would appear to be, and am assuming that<br />
such difficulties are not an impediment to the claim. But the question that must be<br />
<br />
asked is whether membership of the represented class is sufficient by itself to entitle<br />
an individual to compensation, without proof of any further facts particular to that<br />
individual.<br />
<br />
<br />
153. On the claimant’s own case there is a threshold of seriousness which must be<br />
crossed before a breach of the DPA 1998 will give rise to an entitlement to<br />
<br />
compensation under section 13. I cannot see that the facts which the claimant aims to<br />
prove in each individual case are sufficient to surmount this threshold. If (contrary to<br />
the conclusion I have reached) those facts disclose “damage” within the meaning of<br />
section 13 at all, I think it impossible to characterise such damage as more than trivial.<br />
What gives the appearance of substance to the claim is the allegation that Google<br />
secretly tracked the internet activity of millions of Apple iPhone users for several<br />
months and used the data obtained for commercial purposes. But on analysis the<br />
<br />
claimant is seeking to recover damages without attempting to prove that this<br />
allegation is true in the case of any individual for whom damages are claimed. Without<br />
proof of some unlawful processing of an individual’s personal data beyond the bare<br />
minimum required to bring them within the definition of the represented class, a claim<br />
<br />
on behalf of that individual has no prospect of meeting the threshold for an award of<br />
damages.<br />
<br />
<br />
(3) User damages on a lowest common denominator basis<br />
<br />
<br />
154. The claimant’s case is not improved by formulating the claim as one for user<br />
damages quantified by estimating what fee each member of the represented class<br />
<br />
could reasonably have charged - or which would reasonably have been agreed in a<br />
hypothetical negotiation - for releasing Google from the duties which it breached. I<br />
have already indicated why, in my opinion, user damages cannot be recovered for<br />
breaches of the DPA 1998. But even if (contrary to that conclusion) user damages<br />
<br />
could in principle be recovered, the inability or unwillingness to prove what, if any,<br />
wrongful use was made by Google of the personal data of any individual again means<br />
that any damages awarded would be nil.<br />
<br />
<br />
155. The claimant asserts, and I am content to assume, that if, instead of bypassing<br />
privacy settings through the Safari workaround, Google had offered to pay a fee to<br />
<br />
each affected Apple iPhone user for the right to place its DoubleClick Ad cookie on<br />
their device, the fee would have been a standard one, agreed in advance, rather than a<br />
fee which varied according to the quantity or commercial value to Google of the<br />
information which was subsequently collected as a result of the user’s acceptance of<br />
<br />
the cookie. However, imagining the negotiation of a fee in advance in this way is not<br />
the correct premise for the valuation.<br />
<br />
<br />
156. As explained in Morris-Garner, the object of an award of user damages is to<br />
compensate the claimant for use wrongfully made by the defendant of a valuable asset<br />
<br />
protected by the right infringed. The starting point for the valuation exercise is thus to<br />
identify what the extent of such wrongful use actually was: only then can an estimate<br />
be made of what sum of money could reasonably have been charged for that use or,<br />
put another way, for releasing the wrongdoer from the duties which it breached in the<br />
wrongful use that it made of the asset. Imagining a hypothetical negotiation, as Lord<br />
<br />
Reed explained at para 91 of Morris-Garner, is merely “a tool” for arriving at this<br />
estimated sum. As in any case where compensation is awarded, the aim is to place the<br />
claimant as nearly as possible in the same position as if the wrongdoing had not<br />
occurred. Accordingly, as Patten LJ put it in Eaton Mansions (Westminster) Ltd v Stinger<br />
Compania de Inversion SA [2013] EWCA Civ 1308; [2014] 1 P & CR 5, para 21:<br />
<br />
<br />
“The valuation construct is that the parties must be treated<br />
<br />
as having negotiated for a licence which covered the acts of<br />
trespass that actually occurred. The defendant is not required<br />
to pay damages for anything else.”<br />
<br />
<br />
See also Enfield London Borough Council v Outdoor Plus Ltd [2012] EWCA Civ 608, para<br />
<br />
47; and Marathon Asset Management LLP v Seddon [2017] EWHC 300 (Comm); [2017]<br />
ICR 791, paras 254-262.<br />
<br />
<br />
157. Applying that approach, the starting point would therefore need to be to<br />
establish what unlawful processing by Google of the claimant’s personal data actually<br />
occurred. Only when the wrongful use actually made by Google of such data is known<br />
<br />
is it possible to estimate its commercial value. As discussed, in order to avoid individual<br />
assessment, the only wrongful act which the claimant proposes to prove in the case of<br />
each represented person is that the DoubleClick Ad cookie was unlawfully placed on<br />
their device: no evidence is - or could without individual assessment - be adduced to<br />
<br />
show that, by means of this third party cookie, Google collected or used any personal<br />
data relating to that individual. The relevant valuation construct is therefore to ask<br />
what fee would hypothetically have been negotiated for a licence to place the<br />
DoubleClick Ad cookie on an individual user’s phone as a third party cookie, but<br />
without releasing Google from its obligations not to collect or use any information<br />
<br />
about that person’s internet browsing history. It is plain that such a licence would be<br />
valueless and that the fee which could reasonably be charged or negotiated for it<br />
would accordingly be nil.<br />
<br />
<br />
G. CONCLUSION<br />
<br />
<br />
<br />
158. The judge took the view that, even if the legal foundation for the claim made in<br />
this action were sound, he should exercise the discretion conferred by CPR rule 19.6(2)<br />
by refusing to allow the claim to be continued as a representative action. He<br />
characterised the claim as “officious litigation, embarked upon on behalf of individuals<br />
<br />
who have not authorised it” and in which the main beneficiaries of any award of<br />
damages would be the funders and the lawyers. He thought that the representative<br />
claimant “should not be permitted to consume substantial resources in the pursuit of<br />
litigation on behalf of others who have little to gain from it, and have not authorised<br />
the pursuit of the claim, nor indicated any concern about the matters to be litigated”:<br />
[2019] 1 WLR 1265, paras 102-104. The Court of Appeal formed a very different view<br />
of the merits of the representative claim. They regarded the fact that the members of<br />
the represented class had not authorised the claim as an irrelevant factor, which the<br />
judge had wrongly taken into account, and considered that it was open to them to<br />
<br />
exercise the discretion afresh. They saw this litigation as the only way of obtaining a<br />
civil compensatory remedy for what, if proved, was a “wholesale and deliberate<br />
misuse of personal data without consent, undertaken with a view to commercial<br />
profit”: see [2020] QB 747, para 86. In these circumstances the Court of Appeal took<br />
<br />
the view that, as a matter of discretion, the claim should be allowed to proceed.<br />
<br />
<br />
159. It is unnecessary to decide whether the Court of Appeal was entitled to<br />
interfere with the judge’s discretionary ruling or whether it would be desirable for a<br />
commercially funded class action to be available on the facts alleged in this case. This is<br />
because, regardless of what view of it is taken, the claim has no real prospect of<br />
<br />
success. That in turn is because, in the way the claim has been framed in order to try to<br />
bring it as a representative action, the claimant seeks damages under section 13 of the<br />
DPA 1998 for each individual member of the represented class without attempting to<br />
show that any wrongful use was made by Google of personal data relating to that<br />
<br />
individual or that the individual suffered any material damage or distress as a result of<br />
a breach of the requirements of the Act by Google. For the reasons explained in this<br />
judgment, without proof of these matters, a claim for damages cannot succeed.<br />
<br />
<br />
160. I would therefore allow the appeal and restore the order made by the judge<br />
refusing the claimant’s application for permission to serve the proceedings on Google<br />
<br />
outside the jurisdiction of the courts of England and Wales.<br />
<br />
</pre></div>Mariam-hwthhttps://gdprhub.eu/index.php?title=UKSC_-_Richard_Lloyd_v_Google_LLC_(2021)_UKSC_50&diff=21382UKSC - Richard Lloyd v Google LLC (2021) UKSC 502021-11-23T18:35:58Z<p>Mariam-hwth: /* Holding */</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=UKSC<br />
|Court_With_Country=UKSC (United Kingdom)<br />
<br />
|Case_Number_Name=Richard Lloyd v Google LLC (2021) UKSC 50<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=The Supreme Court of the United Kingdom<br />
|Original_Source_Link_1=https://www.supremecourt.uk/cases/docs/uksc-2019-0213-judgment.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Date_Decided=10.11.2021<br />
|Date_Published=10.11.2021<br />
|Year=2021<br />
<br />
<br />
|EU_Law_Name_1=Article 23 of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data<br />
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:31995L0046<br />
<br />
|National_Law_Name_1=Rule 19.6 of the Civil Procedure Rules<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=Section 13 of the Data Protection Act 1998<br />
|National_Law_Link_2=https://www.legislation.gov.uk/ukpga/1998/29/contents<br />
|National_Law_Name_3=Section 14 of the Data Protection Act 1998<br />
|National_Law_Link_3=https://www.legislation.gov.uk/ukpga/1998/29/contents<br />
|National_Law_Name_4=Section 4(4) of the Data Protection Act 1998<br />
|National_Law_Link_4=https://www.legislation.gov.uk/ukpga/1998/29/contents<br />
|National_Law_Name_5=Rule 19.11 of the Civil Procedure Rules<br />
|National_Law_Link_5=<br />
<br />
|Party_Name_1=Richard Lloyd<br />
|Party_Link_1=<br />
|Party_Name_2=Google LLC<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=England and Wales Court of Appeal (Civil Division)<br />
|Appeal_From_Case_Number_Name=Lloyd v Google LLC [2019] EWCA Civ 1599<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=https://www.bailii.org/ew/cases/EWCA/Civ/2019/1599.html<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=MH<br />
|<br />
}}<br />
<br />
The UK Supreme Court held that to claim compensation for an infringement of the Data Protection Act 1998, it was necessary to demonstrate material damage or distress suffered by each individual. A representative action was therefore not suitable. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Google secretly tracked Apple iPhone users between late 2011 and early 2012 and used the data collected in that way for commercial purposes. Google bypassed privacy settings on Apple iPhones and the default blocking of third party cookies on Safari with its “DoubleClick Ad” cookie by relying on an exception devised by Apple. Google placed this cookie without the user’s knowledge or consent. This cookie was enabled if users visited a website that included DoubleClick Ad content (advertising content). The cookie identified visits by a specific device to websites using this advertising content, including the date and time of the visit; the time spent by the user on the website; which advertisement was viewed and for how long; and, using the IP address, the user’s geographical location. <br />
<br />
As a result, Google could infer the user’s internet surfing habits, location, as well as interests, race or ethnicity, social class, political or religious beliefs, health, sexual interests, age, gender and financial situation. Google then used this aggregated information to give users labels (eg “football lovers”) and eventually offered these group labels to advertising organisations looking to target specific groups when using Google’s DoubleClick service. <br />
<br />
The same allegation was brought in the US, where Google paid $22.5 million to settle a charge with the US Federal Trade Commission and $17 million to settle consumer-based actions. <br />
<br />
Three individuals in the UK sued Google in 2013 over the same allegation and their claim was settled by Google (Vidal-Hall v Google Inc). <br />
<br />
Lloyd filed a claim before the UK courts on behalf of everyone who resided in England and Wales and owned an Apple iPhone at the time of the secret tracking. Lloyd filed this class action with the intention of recovering damages for more than 4 million people affected. He claimed that compensation (£750 suggested) should be awarded under the Data Protection Act 1998 for loss of control of personal data without having to demonstrate that the claimant suffered financial loss or mental distress as a result of the infringement.<br />
<br />
=== Holding ===<br />
<br />
==== Legal framework: ====<br />
Section 4(4) of the Data Protection Act 1998 (DPA 1998) imposes a duty on data controllers to comply with data protection principles. These are laid out in Schedule 1 of the DPA 1998.<br />
<br />
Section 13 of the DPA 1998 gives individuals a right to compensation from the controller if they suffer damage as a result of a contravention of the Act by that controller.<br />
<br />
Individuals bringing claims which give rise to a common issue of fact or law can apply for a Group Litigation Order to be made under Rule 19.11 of the Civil Procedure Rules. This is an “opt-in” regime where claimants must take steps to join the group. <br />
<br />
They can also bring a representative action, reflected in Rule 19.6 of the Civil Procedure Rules (CPR). However, as a detailed legislative framework is missing, the representative action rules within common law have been considered by the Supreme Court. The following principles are relevant:<br />
<br />
* “same interest” requirement where the representative must have the same interest or common issues as the persons they represent (within Rule 19.6 CPR)<br />
* “court’s discretion” as to whether to allow the claim to proceed as a representative action. This is an objective assessment as to whether the case can be dealt with justly and at a proportionate cost (within Rules 1.1 and 1.2 CPR)<br />
* “no requirement of consent” or awareness required from the people represented<br />
* “class definition” requirement where the class of people represented must be clearly defined <br />
* “liability for costs” requirement where the persons represented will not have to pay costs of being represented incurred by the representative<br />
* “scope for claiming damages” where claiming damages is limited by the nature of the remedy of damages at common law, or by the fact that damages may require an individual assessment<br />
<br />
==== Holding: ====<br />
The UK Supreme Court did not object to a representative claim brought to establish whether Google was in breach of DPA 1998 as individual claims could theoretically be brought. The Supreme Court also determined that the individuals had similar interests or common issues caused by tracking of their behaviour without consent. <br />
<br />
According to the Court, there was no uniform effect caused by Google’s actions across the represented class. Instead, the effect and the amount recoverable by each individual would depend on the circumstances particular to the individuals (eg how often they used Safari or websites with DoubleClick Ad content). Contrary to Lloyd’s claim, the Court held that DPA 1998 cannot be read to mean that individuals are entitled to compensation for any contravention of the DPA 1998 without needing to prove financial loss or distress. According to the leading judgement, under Section 13 DPA 1998, it is not enough to prove an infringement by a data controller as “damage” (interpreted as only meaning material damages) or “distress” must be suffered as a result. <br />
<br />
Following an analysis of Vidal-Hall v Google Inc (discussing Section 13 DPA 1998) and Gulati v MGN Ltd (discussing tort for misuse of private information) the court outlined that it would be possible for Lloyd to claim (1) damages under Section 13(1) DPA 1998 for distress suffered due to Google’s infringement of the Act; and/or (2) damages for the misuse of private information without the need to show material damage or distress. However, the court outlined that the case was not made for either (a claim for the tort of misuse of private information not having been made). Again, the Court reiterated that to recover damages for distress under Section 13(1) DPA 1998, it would be necessary to provide evidence of this distress for each individual represented – making this incompatible with the nature of representative action.<br />
<br />
The UK Supreme Court rejected the argument that an infringement of the DPA 1998 should be dealt with in the same way as the tort of misuse of private information and that therefore damages can be recovered for interference by an organisation without the need to demonstrate material damage or distress. The UK Supreme Court relied on the fact that Section 13(1) DPA 1998 cannot be interpreted using that analogy, as highlighted above. The wording of the DPA 1998 and its interpretation in caselaw cannot be detached from the fact that material damage or distress must be demonstrated. <br />
<br />
''"…the wording of section 13(1) draws a distinction between “damage” suffered by an individual and a “contravention” of a requirement of the Act by a data controller, and provides a right to compensation “for that damage” only if the “damage” occurs “by reason of” the contravention."'' <br />
<br />
Section 14 DPA 1998 also supports the interpretation that damage, and not purely an infringement of the legislation, must be demonstrated. The Court also relied on the interpretation by the Court of Appeal in Vidal-Hall v Google Inc, which distinguished damage or distress suffered and contravention of a requirement in the DPA 1998. The Court also did not consider that it was possible to rely on an analogy between the tort of misuse of information and Section 13 DPA 1998 simply because they are both founded in the common root of “right to privacy” embodied in Article 8 European Convention on Human Rights. <br />
<br />
Additionally, the Court held that it would be, in any case, necessary to identify damage or distress suffered by each individual for the purpose of awarding compensation (even if it was not necessary to show individual damage or distress as a result of the infringement). Factors like the extent of Google’s tracking; the quantity of data processed; the nature of the data processed (whether it was sensitive); and the use of that information and benefit from it by Google would all need to be assessed for individual cases. Without such individualised assessment, the “lowest common denominator” on which Lloyd’s claim is based (proof that the individual is part of the class by having an iPhone at the time) would not be sufficient to amount to something more than trivial (as required under Section 13 DPA 1998). Therefore, compensation could not be quantified beyond 0. <br />
<br />
The UK Supreme Court concluded and decided unanimously that: <br />
<br />
“''In order to recover compensation under the DPA 1998 for any given individual, it would be necessary to show both that Google made some unlawful use of personal data relating to that individual and that the individual suffered some damage as a result.''”<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
Michaelmas Term<br />
[2021] UKSC 50<br />
On appeal from: [2019] EWCA Civ 1599<br />
<br />
<br />
<br />
JUDGMENT<br />
<br />
<br />
Lloyd (Respondent) v Google LLC (Appellant)<br />
<br />
before<br />
<br />
<br />
Lord Reed, President<br />
Lady Arden<br />
Lord Sales<br />
<br />
Lord Leggatt<br />
Lord Burrows<br />
<br />
<br />
JUDGMENT GIVEN ON<br />
10 November 2021<br />
<br />
<br />
Heard on 28 and 29 April 2021<br />
<br />
<br />
Appellant<br />
Antony White QC<br />
Edward Craven<br />
<br />
(Instructed by Pinsent Masons LLP (London))<br />
<br />
<br />
Respondent<br />
Hugh Tomlinson QC<br />
Oliver Campbell QC<br />
<br />
Victoria Wakefield QC<br />
(Instructed by Milberg London LLP)<br />
<br />
<br />
1st Intervener (Information Commissioner)<br />
Gerry Facenna QC<br />
<br />
Nikolaus Grubeck<br />
(Instructed by Information Commissioner’s Office)<br />
<br />
<br />
2nd Intervener (Open Rights Group)<br />
(written submissions only)<br />
<br />
Robert Palmer QC<br />
Julianne Kerr Morrison<br />
(Instructed by AWO)<br />
<br />
<br />
<br />
3rd Intervener (Association of the British Pharmaceutical Industry and Association of British<br />
HealthTech Industries (ABPI and ABHI))<br />
(written submissions only)<br />
Lord Anderson of Ipswich KBE QC<br />
Robin Hopkins<br />
<br />
Rupert Paines<br />
(Instructed by CMS Cameron McKenna Nabarro Olswang LLP (London))<br />
<br />
<br />
4th Intervener (Liberty, Coram Children’s Legal Centre and Inclusion London)<br />
(written submissions only)<br />
<br />
Dan Squires QC<br />
Aidan Wills<br />
Tim James-Matthews<br />
(Instructed by Liberty, Coram Children’s Legal Centre and Deighton Pierce Glynn)<br />
<br />
<br />
<br />
5th Intervener (Internet Association)<br />
(written submissions only)<br />
Christopher Knight<br />
(Instructed by Linklaters LLP (London))<br />
<br />
<br />
6th Intervener (TECHUK Ltd (trading as techUK))<br />
(written submissions only)<br />
Catrin Evans QC<br />
<br />
Ian Helme<br />
(Instructed by RPC LLP (London))<br />
<br />
<br />
LORD LEGGATT: (with whom Lord Reed, Lady Arden, Lord Sales and Lord Burrows<br />
agree)<br />
<br />
<br />
A. INTRODUCTION<br />
<br />
<br />
1. Mr Richard Lloyd - with financial backing from Therium Litigation Funding IC, a<br />
commercial litigation funder - has issued a claim against Google LLC, alleging breach of<br />
<br />
its duties as a data controller under section 4(4) of the Data Protection Act 1998 (“the<br />
DPA 1998”). The claim alleges that, for several months in late 2011 and early 2012,<br />
Google secretly tracked the internet activity of millions of Apple iPhone users and used<br />
the data collected in this way for commercial purposes without the users’ knowledge<br />
<br />
or consent.<br />
<br />
<br />
2. The factual allegation is not new. In August 2012, Google agreed to pay a civil<br />
penalty of US$22.5m to settle charges brought by the United States Federal Trade<br />
Commission based upon the allegation. In November 2013, Google agreed to pay<br />
US$17m to settle consumer-based actions brought against it in the United States. In<br />
<br />
England and Wales, three individuals sued Google in June 2013 making the same<br />
allegation and claiming compensation under the DPA 1998 and at common law for<br />
misuse of private information: see Vidal-Hall v Google Inc (Information Comr<br />
intervening) [2015] EWCA Civ 311; [2016] QB 1003. Following a dispute over<br />
<br />
jurisdiction, their claims were settled before Google had served a defence. What is<br />
new about the present action is that Mr Lloyd is not just claiming damages in his own<br />
right, as the three claimants did in Vidal-Hall. He claims to represent everyone resident<br />
in England and Wales who owned an Apple iPhone at the relevant time and whose<br />
data were obtained by Google without their consent, and to be entitled to recover<br />
<br />
damages on behalf of all these people. It is estimated that they number more than 4m.<br />
<br />
<br />
3. Class actions, in which a single person is permitted to bring a claim and obtain<br />
redress on behalf of a class of people who have been affected in a similar way by<br />
alleged wrongdoing, have long been possible in the United States and, more recently,<br />
<br />
in Canada and Australia. Whether legislation to establish a class action regime should<br />
be enacted in the UK has been much discussed. In 2009, the Government rejected a<br />
recommendation from the Civil Justice Council to introduce a generic class action<br />
regime applicable to all types of claim, preferring a “sector based approach”. This was<br />
<br />
for two reasons:<br />
<br />
<br />
“Firstly, there are potential structural differences between<br />
the sectors which will require different consideration. …<br />
Secondly, it will be necessary to undertake a full assessment<br />
of the likely economic and other impacts before<br />
implementing any reform.”<br />
<br />
<br />
See the Government’s Response to the Civil Justice Council’s Report: “Improving<br />
Access to Justice through Collective Actions” (2008), paras 12-13.<br />
<br />
<br />
4. Since then, the only sector for which such a regime has so far been enacted is<br />
<br />
that of competition law. Parliament has not legislated to establish a class action regime<br />
in the field of data protection.<br />
<br />
<br />
5. Mr Lloyd has sought to overcome this difficulty by what the Court of Appeal in<br />
this case described as “an unusual and innovative use of the representative procedure”<br />
<br />
in rule 19.6 of the Civil Procedure Rules: see [2019] EWCA Civ 1599; [2020] QB 747,<br />
para 7. This is a procedure of very long standing in England and Wales whereby a claim<br />
can be brought by (or against) one or more persons as representatives of others who<br />
have “the same interest” in the claim. Mr Lloyd accepts that he could not use this<br />
procedure to claim compensation on behalf of other iPhone users if the compensation<br />
<br />
recoverable by each user would have to be individually assessed. But he contends that<br />
such individual assessment is unnecessary. He argues that, as a matter of law,<br />
compensation can be awarded under the DPA 1998 for “loss of control” of personal<br />
data without the need to prove that the claimant suffered any financial loss or mental<br />
<br />
distress as a result of the breach. Mr Lloyd further argues that a “uniform sum” of<br />
damages can properly be awarded in relation to each person whose data protection<br />
rights have been infringed without the need to investigate any circumstances<br />
particular to their individual case. The amount of damages recoverable per person<br />
would be a matter for argument, but a figure of £750 was advanced in a letter of claim.<br />
<br />
Multiplied by the number of people whom Mr Lloyd claims to represent, this would<br />
produce an award of damages of the order of £3 billion.<br />
<br />
<br />
6. Because Google is a Delaware corporation, the claimant needs the court’s<br />
permission to serve the claim form on Google outside the jurisdiction. The application<br />
<br />
for permission has been contested by Google on the grounds that the claim has no real<br />
prospect of success as: (1) damages cannot be awarded under the DPA 1998 for “loss<br />
of control” of data without proof that it caused financial damage or distress; and (2)<br />
the claim in any event is not suitable to proceed as a representative action. In the High<br />
<br />
Court Warby J decided both issues in Google’s favour and therefore refused permission<br />
to serve the proceedings on Google: see [2018] EWHC 2599 (QB); [2019] 1 WLR 1265.<br />
The Court of Appeal reversed that decision, for reasons given in a judgment of the<br />
Chancellor, Sir Geoffrey Vos, with which Davis LJ and Dame Victoria Sharp agreed:<br />
[2019] EWCA Civ 1599; [2020] QB 747.<br />
<br />
<br />
7. On this further appeal, because of the potential ramifications of the issues<br />
raised, as well as hearing the claimant and Google, the court has received written and<br />
oral submissions from the Information Commissioner and written submissions from<br />
five further interested parties.<br />
<br />
<br />
8. In this judgment I will first summarise the facts alleged and the relevant legal<br />
<br />
framework for data protection before considering the different methods currently<br />
available in English procedural law for claiming collective redress and, in particular, the<br />
representative procedure which the claimant is seeking to use. Whether that<br />
procedure is capable of being used in this case critically depends, as the claimant<br />
<br />
accepts, on whether compensation for the alleged breaches of data protection law<br />
would need to be individually assessed. I will then consider the claimant’s arguments<br />
that individual assessment is unnecessary. For the reasons given in detail below, those<br />
arguments cannot in my view withstand scrutiny. In order to recover compensation<br />
under the DPA 1998 for any given individual, it would be necessary to show both that<br />
<br />
Google made some unlawful use of personal data relating to that individual and that<br />
the individual suffered some damage as a result. The claimant’s attempt to recover<br />
compensation under the Act without proving either matter in any individual case is<br />
therefore doomed to fail.<br />
<br />
<br />
<br />
B. FACTUAL BACKGROUND<br />
<br />
<br />
9. The relevant events took place between 9 August 2011 and 15 February 2012<br />
and involved the alleged use by Google of what has been called the “Safari<br />
workaround” to bypass privacy settings on Apple iPhones.<br />
<br />
<br />
10. Safari is an internet browser developed by Apple and installed on its iPhones. At<br />
<br />
the relevant time, unlike most other internet browsers, all relevant versions of Safari<br />
were set by default to block third party cookies. A “cookie” is a small block of data that<br />
is placed on a device when the user visits a website. A “third party cookie” is a cookie<br />
placed on the device not by the website visited by the user but by a third party whose<br />
<br />
content is included on that website. Third party cookies are often used to gather<br />
information about internet use, and in particular web pages visited over time, to<br />
enable the delivery to the user of advertisements tailored to interests inferred from<br />
the user’s browsing history.<br />
<br />
<br />
<br />
11. Google had a cookie known as the “DoubleClick Ad cookie” which could operate<br />
as a third party cookie. It would be placed on a device if the user visited a website that<br />
included DoubleClick Ad content. The DoubleClick Ad cookie enabled Google to<br />
identify visits by the device to any website displaying an advertisement from its vast<br />
<br />
advertising network and to collect considerable amounts of information. It could tell<br />
the date and time of any visit to a given website, how long the user spent there, which<br />
pages were visited for how long, and what advertisements were viewed for how long.<br />
In some cases, by means of the IP address of the browser, the user’s approximate<br />
geographical location could be identified.<br />
<br />
<br />
<br />
12. Although the default settings for Safari blocked all third party cookies, a blanket<br />
application of these settings would have prevented the use of certain popular web<br />
functions; so Apple devised some exceptions to them. These exceptions were in place<br />
until March 2012, when the system was changed. But in the meantime the exceptions<br />
<br />
made it possible for Google to devise and implement the Safari workaround. Its effect<br />
was to place the DoubleClick Ad cookie on an Apple device, without the user’s<br />
knowledge or consent, immediately, whenever the user visited a website that<br />
contained DoubleClick Ad content.<br />
<br />
<br />
13. It is alleged that, in this way, Google was able to collect or infer information<br />
<br />
relating not only to users’ internet surfing habits and location, but also about such<br />
diverse factors as their interests and pastimes, race or ethnicity, social class, political or<br />
religious beliefs or affiliations, health, sexual interests, age, gender and financial<br />
situation.<br />
<br />
<br />
<br />
14. Further, it is said that Google aggregated browser generated information from<br />
users displaying similar patterns, creating groups with labels such as “football lovers”,<br />
or “current affairs enthusiasts”. Google’s DoubleClick service then offered these group<br />
labels to subscribing advertisers to choose from when selecting the type of people at<br />
whom they wanted to target their advertisements.<br />
<br />
<br />
<br />
C. THE LEGAL FRAMEWORK<br />
<br />
<br />
15. The DPA 1998 was enacted to implement Parliament and Council Directive<br />
95/46/EC of 24 October 1995 “on the protection of individuals with regard to the<br />
processing of personal data and on the free movement of such data” (OJ 1995 L281, p<br />
<br />
31) (the “Data Protection Directive”). The Data Protection Directive has been<br />
superseded by the General Data Protection Regulation, which became law in the UK in<br />
May 2018, supplemented by the Data Protection Act 2018 (“the DPA 2018”). The DPA<br />
2018 repealed and replaced the DPA 1998 except in relation to acts or omissions which<br />
<br />
occurred before it came into force.<br />
<br />
<br />
<br />
<br />
16. Because the acts and omissions giving rise to the present claim occurred in 2011<br />
and 2012, the claim is governed by the old law contained in the DPA 1998 and the Data<br />
Protection Directive. The parties and interveners in their submissions on this appeal<br />
nevertheless made frequent references to provisions of the General Data Protection<br />
Regulation and the DPA 2018. In principle, the meaning and effect of the DPA 1998 and<br />
<br />
the Data Protection Directive cannot be affected by legislation which has been enacted<br />
subsequently. The later legislation therefore cannot help to resolve the issues raised<br />
on this appeal, and I shall leave it to one side.<br />
<br />
<br />
(1) The scheme of the DPA 1998<br />
<br />
<br />
<br />
17. Section 4(4) of the DPA 1998 imposed a duty on a data controller to comply<br />
with “the data protection principles” set out in Schedule 1 “in relation to all personal<br />
data with respect to which he is the data controller”. As defined in section 1(1) of the<br />
Act, “personal data” are, in effect, all recorded information which relate to an<br />
identifiable individual. An individual who is the subject of personal data is referred to<br />
<br />
as the “data subject”. A “data controller” is a person who (either alone or with others)<br />
“determines the purposes for which and the manner in which any personal data are, or<br />
are to be, processed.” The term “processing” is defined very broadly to mean<br />
“obtaining, recording or holding the information or data or carrying out any operation<br />
<br />
or set of operations on the information or data …”. Section 2 of the Act establishes a<br />
category of “sensitive personal data” consisting of information about certain specified<br />
matters, which include the racial or ethnic origin, political opinions, religious beliefs,<br />
physical or mental health or sexual life of the data subject.<br />
<br />
<br />
18. The first of the eight “data protection principles” set out in Schedule 1 is that:<br />
<br />
<br />
<br />
“Personal data shall be processed fairly and lawfully and, in<br />
particular, shall not be processed unless -<br />
<br />
<br />
(a) at least one of the conditions in Schedule 2 is met,<br />
and<br />
<br />
<br />
<br />
(b) in the case of sensitive personal data, at least one<br />
of the conditions in Schedule 3 is also met.”<br />
<br />
<br />
The other seven data protection principles, in summary, require personal data: (2) to<br />
be obtained and processed only for specified and lawful purposes; (3) to be “adequate,<br />
<br />
relevant, and not excessive” in relation to those purposes; (4) to be accurate and,<br />
where necessary, kept up to date; (5) not to be kept for longer than is necessary for<br />
those purposes; (6) to be processed in accordance with the rights of data subjects<br />
under the Act; (7) to be protected by appropriate technical and organisational security<br />
measures against unauthorised or unlawful processing and against accidental loss or<br />
destruction or damage; and (8) not to be transferred outside the European Economic<br />
<br />
Area unless the destination country or territory provides an adequate level of<br />
protection for data subjects in relation to the processing of personal data.<br />
<br />
<br />
19. As discussed in more detail below, section 13 of the DPA 1998 gives an<br />
individual who suffers damage “by reason of any contravention by a data controller of<br />
<br />
any of the requirements of this Act” a right to compensation from the data controller<br />
for that damage.<br />
<br />
<br />
(2) The allegations of breach of duty<br />
<br />
<br />
20. The claimant, Mr Lloyd, contends that Google processed personal data of each<br />
member of the represented class in breach of the first, second and seventh data<br />
<br />
protection principles. The represented class consists in essence of everyone in England<br />
and Wales who at the relevant time had an Apple iPhone on which Google’s<br />
DoubleClick Ad cookie was placed through the Safari workaround. (The precise<br />
definition of the class is set out at para 19 of Warby J’s judgment.) Two principal<br />
<br />
allegations made are that, in breach of the first data protection principle, (i) the data<br />
obtained by placing the DoubleClick Ad cookie on each class member’s device were not<br />
processed fairly and (ii) none of the conditions in Schedule 2 (or 3) was met.<br />
<br />
<br />
21. Schedule 1, Part II, paragraph 2, provides, in substance, that personal data<br />
obtained from the data subject are not to be treated as processed fairly unless the<br />
<br />
data controller informs the data subject of the purpose for which the data are<br />
intended to be processed - a requirement with which it is said that Google failed to<br />
comply in this case.<br />
<br />
<br />
22. Schedule 2 contains a list of conditions capable of justifying the processing of<br />
<br />
data. To comply with the first data protection principle, at least one of these<br />
conditions must be satisfied. The first condition in Schedule 2 is that “the data subject<br />
has given his consent to the processing”. Other conditions are that the processing is<br />
necessary for (amongst other things): the performance of a contract to which the data<br />
<br />
subject is a party; or compliance with a legal obligation (other than a contractual<br />
obligation) of the data controller; or to protect the vital interests of the data subject;<br />
or for the exercise of any functions of a public nature exercised in the public interest<br />
by any person. The claimant asserts that the members of the represented class whose<br />
<br />
personal data Google processed had not given their consent to the processing, nor was<br />
any of the other conditions capable of justifying the processing met. Hence for this<br />
reason too Google was in breach of the first data protection principle.<br />
<br />
<br />
23. There is no doubt that the claimant is entitled to advance a claim against Google<br />
on this basis in his own right which has a real prospect of success. The issue is whether<br />
<br />
he can also do so on behalf of all other iPhone users who fall within the represented<br />
class. This depends on the scope of the representative procedure available under the<br />
Civil Procedure Rules (“CPR”). Before I come to that procedure, I will mention in order<br />
to compare them the two other methods of claiming collective redress currently<br />
<br />
available in English procedural law.<br />
<br />
<br />
D. COLLECTIVE REDRESS IN ENGLISH LAW<br />
<br />
<br />
(1) Group Actions<br />
<br />
<br />
24. A group of people who wish to bring claims which give rise to common or<br />
related issues of fact or law can apply to the court for a Group Litigation Order to be<br />
<br />
made under CPR rule 19.11, providing for the claims to be managed together, usually<br />
by a single designated judge. The Group Litigation Order will establish a register of the<br />
claims included in the group, which is maintained by the claimants’ lead solicitor. The<br />
order may also make provision for how the litigation costs are to be shared among the<br />
<br />
claimants. How the claims are managed is a matter for the designated judge, but<br />
procedures typically used are to select one or more claims to be tried as test claims<br />
while the remaining claims are stayed and to decide as preliminary issues common<br />
issues of law or fact which are potentially dispositive of the litigation. Unless the court<br />
orders otherwise, a judgment given or order made in the litigation is binding on all the<br />
<br />
claimants included in the group register: see CPR rule 19.12(1)(a).<br />
<br />
<br />
25. Where the individual claims are of sufficiently high value, group actions can be<br />
an effective way of enabling what are typically several hundred or thousands of claims<br />
to be litigated and managed together, avoiding duplication of the court’s resources<br />
<br />
and allowing the claimants to benefit from sharing costs and litigation risk and by<br />
obtaining a single judgment which is binding in relation to all their claims. However,<br />
the group action procedure suffers from the drawback that it is an “opt-in” regime: in<br />
other words, claimants must take active steps to join the group. This has an<br />
<br />
administrative cost, as a solicitor conducting the litigation has to obtain sufficient<br />
information from a potential claimant to determine whether he or she is eligible to be<br />
added to the group register, give appropriate advice and enter into a retainer with the<br />
client. For claims which individually are only worth a few hundred pounds, this process<br />
<br />
is not economic as the initial costs alone may easily exceed the potential value of the<br />
claim.<br />
<br />
<br />
26. Another limitation of opt-in proceedings is that experience has shown that only<br />
a relatively small proportion of those eligible to join the group are likely to do so,<br />
particularly if the number of people affected is large and the value of each individual<br />
<br />
claim relatively small. For example, a group action was recently brought against the<br />
Morrisons supermarket chain for compensation for breach of the DPA 1998 arising<br />
from the disclosure on the internet by a Morrisons’ employee of personal data relating<br />
to other employees. Of around 100,000 affected employees, fewer than 10,000 opted<br />
<br />
to join the group action: see Various Claimants v Wm Morrisons Supermarkets plc<br />
[2017] EWHC 3113 (QB); [2019] QB 772 (reversed on the issue of vicarious liability by<br />
the Supreme Court: [2020] UKSC 12; [2020] AC 989). During the period of more than 12<br />
years in which collective proceedings under the Competition Act 1998 (discussed<br />
below) could be brought only on an opt-in basis just one action was commenced,<br />
<br />
based on a finding of price fixing in the sale of replica football shirts. Although around<br />
1.2 – 1.5m people were affected, despite widespread publicity only 130 people opted<br />
into the proceedings: see The Consumers' Association v JJB Sports Plc [2009] CAT 2,<br />
para 5; Civil Justice Council Report “Improving Access to Justice through Collective<br />
<br />
Actions” (2008), Part 6, para 22; and Grave D, McIntosh M and Rowan G (eds), Class<br />
Actions in England and Wales, 1st ed (2018), para 1-068.<br />
<br />
<br />
27. Likely explanations for the low participation rates typically experienced in opt-in<br />
regimes include lack of awareness of the opportunity to join the litigation and the<br />
natural human tendency to do nothing when faced with a choice which requires<br />
<br />
positive action - particularly if there is no immediate benefit to be gained and the<br />
consequences are uncertain and not easy to understand: see eg Thaler R and Sunstein<br />
C, Nudge: The Final Edition (2021), pp 36-38; Samuelson W and Zeckhauser R, “Status<br />
Quo Bias in Decision Making” (1988) 1 Journal of Risk and Uncertainty 7-59. As the<br />
<br />
New Zealand Court of Appeal has recently said of opt-in class actions:<br />
<br />
<br />
“Whichever approach is adopted, many class members are<br />
likely to fail to take any positive action for a range of reasons<br />
that have nothing at all to do with an assessment of whether<br />
<br />
or not it is in their interests to participate in the proceedings.<br />
Some class members will not receive the relevant notice.<br />
Others will not understand the notice, or will have difficulty<br />
understanding what action they are required to take and<br />
completing any relevant form, or will be unsure or hesitant<br />
<br />
about what to do and will do nothing. Even where a class<br />
member considers that it is in their interests to participate in<br />
<br />
the proceedings, the significance of inertia in human affairs<br />
should not be underestimated.”<br />
<br />
<br />
Ross v Southern Response Earthquake Services Ltd [2019] NZCA 431, para 98; approved<br />
by the New Zealand Supreme Court at [2020] NZSC 126, para 40.<br />
<br />
<br />
28. A further factor which makes group litigation impractical in cases where the loss<br />
<br />
suffered by each individual is small, even if in aggregate it may amount to a very large<br />
sum of money, is the need to prove the quantum of loss in each individual case. Not<br />
only are eligible individuals less likely to opt into the proceedings where the potential<br />
gain to them is small, but the costs of obtaining evidence from each individual to<br />
<br />
support their claim is again likely to make group litigation uneconomic in such cases.<br />
<br />
<br />
(2) Collective Proceedings<br />
<br />
<br />
29. Compared to group actions, the method of collective redress which is now<br />
available in the field of competition law offers significant advantages for claimants,<br />
particularly where many people have been affected by the defendant’s conduct but<br />
<br />
the value of each individual claim is small. Section 47B of the Competition Act 1998<br />
(added by the Enterprise Act 2002 and as amended by the Consumer Rights Act 2015)<br />
makes provision for bringing “collective proceedings” in the Competition Appeal<br />
Tribunal (“CAT”) combining two or more claims to which section 47A applies<br />
<br />
(essentially, claims in respect of an infringement or alleged infringement of<br />
competition law). Such proceedings must be commenced by a person who proposes to<br />
be the representative of a specified class of persons, and the proceedings may only be<br />
continued if they are certified by the CAT as satisfying criteria set out in section 47B<br />
<br />
and in the CAT Rules. Two features of this regime may be noted.<br />
<br />
<br />
30. First, unlike group litigation, collective proceedings may be brought on either an<br />
“opt-in” or “opt-out” basis. “Opt-out” collective proceedings are proceedings brought<br />
on behalf of each class member except any member who opts out by notifying the<br />
class representative that their claim should not be included in the proceedings: see<br />
<br />
section 47B(11). Where “opt-out” collective proceedings are permitted, a person may<br />
therefore have a claim brought on their behalf without taking any affirmative step and,<br />
potentially, without even knowing of the existence of the proceedings and the fact that<br />
he or she is represented in them.<br />
<br />
<br />
<br />
31. A second significant feature of the collective proceedings regime is that it<br />
enables liability to be established and damages recovered without the need to prove<br />
<br />
that members of the class have individually suffered loss: it is sufficient to show that<br />
loss has been suffered by the class viewed as a whole. This is the effect of section<br />
47C(2) of the Competition Act, which provides:<br />
<br />
<br />
“The tribunal may make an award of damages in collective<br />
proceedings without undertaking an assessment of the<br />
<br />
amount of damages recoverable in respect of the claim of<br />
each represented person.”<br />
<br />
<br />
Such an award of damages is referred to in the CAT Rules as “an aggregate award of<br />
damages”: see rule 73(2).<br />
<br />
<br />
<br />
32. As Lord Briggs explained in Merricks v Mastercard [2020] UKSC 51; [2021] Bus LR<br />
25, at para 76, section 47C(2) of the Competition Act “radically alters the established<br />
common law compensatory principle by removing the requirement to assess individual<br />
loss”. This is so for the purposes both of making and of paying out an aggregate award<br />
of damages. How an aggregate award of damages is distributed among the members<br />
<br />
of the class is subject to the control of the CAT and, as this court held in Merricks v<br />
Mastercard, the only requirement is that the distribution should be just: see paras 76-<br />
77, 149. No doubt in many cases a just method of distribution will be one which divides<br />
up an aggregate award of damages in a way which takes account of individual loss. But<br />
<br />
particularly where the size of the class is large and the amount of damages awarded<br />
small considered on a per capita basis, it may be impractical or disproportionate to<br />
adopt such a method. In such cases some other method of distribution, such as an<br />
equal division among all the members of the class, may be justified.<br />
<br />
<br />
<br />
(3) Representative Actions<br />
<br />
<br />
33. Collective proceedings are a recent phenomenon in English law. By contrast, the<br />
representative procedure which the claimant is seeking to use in this case has existed<br />
for several hundred years. The current version of the representative rule is CPR rule<br />
19.6, which states:<br />
<br />
<br />
<br />
“(1) Where more than one person has the same interest in<br />
a claim -<br />
<br />
<br />
(a) the claim may be begun; or<br />
<br />
<br />
<br />
(b) the court may order that the claim be continued,<br />
<br />
<br />
by or against one or more of the persons who have the same<br />
interest as representatives of any other persons who have<br />
that interest.<br />
<br />
<br />
(2) The court may direct that a person may not act as a<br />
<br />
representative.<br />
<br />
<br />
(3) Any party may apply to the court for an order under<br />
paragraph (2).<br />
<br />
<br />
(4) Unless the court otherwise directs any judgment or<br />
<br />
order given in a claim in which a party is acting as a<br />
representative under this rule -<br />
<br />
<br />
(a) is binding on all persons represented in the claim;<br />
but<br />
<br />
<br />
(b) may only be enforced by or against a person who is<br />
<br />
not a party to the claim with the permission of the<br />
court.”<br />
<br />
<br />
(a) Origins of the rule<br />
<br />
<br />
34. This rule has its origins in the procedure of the Court of Chancery before the<br />
<br />
Judicature Act of 1873. The general rule was that all persons materially interested in<br />
the subject-matter of a suit should be made parties to it, either as claimants or<br />
defendants, so as to ensure that the rights of all persons interested were settled by a<br />
single judgment of the court: see eg Adair v New River Co (1805) 11 Ves Jr 429; 32 ER<br />
<br />
1153; Cockburn v Thompson (1809) 16 Ves Jr 321; 33 ER 1005. However, to join all<br />
interested persons as parties was not always practically convenient - particularly if they<br />
were very numerous. The solution devised was not to abandon the aim of settling the<br />
rights of all interested persons in a single proceeding; rather, it was to relax the<br />
“complete joinder rule” by allowing one or more claimants or defendants to represent<br />
<br />
all others who had the same interest as them: see Sorabji J, “The hidden class action in<br />
English civil procedure” (2009) 28 CJQ 498. All persons represented in this way, as well<br />
as the parties actually before the court, were bound by the court’s decision.<br />
<br />
35. In the very early cases in the 16th and 17th centuries in which this procedure<br />
was adopted, the persons represented were invariably a cohesive communal group,<br />
such as parishioners or manorial tenants, whose members had agreed to be<br />
represented; and the representatives were often required to show proof of their<br />
authority to represent the group. But as the nature of society changed and new, more<br />
<br />
impersonal institutions such as friendly societies and joint stock companies with<br />
multiple investors emerged, this requirement was dropped. The court allowed persons<br />
to be represented whether or not they had consented to such representation or even<br />
knew of the action, relying on community of interest among the members of the group<br />
<br />
to ensure that the interests of all were adequately protected: see Yeazell, “From Group<br />
Litigation to Class Action, Part I: The Industrialization of Group Litigation” (1980) 27<br />
UCLA Law Review 514.<br />
<br />
<br />
36. Many of the formative cases involved joint stock companies at a time (before<br />
the Joint Stock Companies Acts 1844 to 1858) when such companies were not yet<br />
<br />
recognised as separate legal entities which could sue or be sued. An action had<br />
therefore to be brought by (or against) the members themselves. In Chancey v May<br />
(1722) Precedents in Chancery 592; 24 ER 265, the treasurer and manager of a brass-<br />
works brought an action on behalf of themselves and all other proprietors of the<br />
<br />
undertaking, of whom there were 800 in total, except for the defendants, who were its<br />
former managers, to call the defendants to account for alleged mismanagement and<br />
embezzlement. The defendants objected that the claim should not be allowed to<br />
proceed as the rest of the proprietors had not been made parties. The court dismissed<br />
that objection on the grounds that, first, the action had been brought on behalf of all<br />
<br />
the other proprietors, so that “all the rest were in effect parties”, and secondly:<br />
<br />
<br />
“Because it would be impracticable to make them all parties<br />
by name, and there would be continual abatements by death<br />
and otherwise, and no coming at justice, if all were to be<br />
<br />
made parties.”<br />
<br />
<br />
37. Another notable case involving a joint stock company was Meux v Maltby (1818)<br />
2 Swanston 277; 36 ER 621. In this case the treasurer and directors of the company<br />
were sued as representative defendants on a contract made on behalf of all the<br />
<br />
members of the company to grant a lease. In rejecting an argument that the claim was<br />
defective because not all the proprietors were before the court, Plumer MR explained,<br />
at pp 281-282:<br />
<br />
<br />
“The general rule, which requires the plaintiff to bring before<br />
the court all the parties interested in the subject in question,<br />
<br />
admits of exceptions. The liberality of this court has long held<br />
that there is of necessity an exception to the general rule,<br />
when a failure of justice would ensue from its enforcement.”<br />
<br />
<br />
After citing numerous authorities, he concluded, at p 284:<br />
<br />
<br />
“Here is a current of authority, adopting more or less a<br />
general principle of exception, by which the rule, that all<br />
<br />
persons interested must be parties, yields when justice<br />
requires it, in the instance either of plaintiffs or defendants.<br />
… It is quite clear that the present suit has sufficient parties,<br />
and that the defendants may be considered as representing<br />
<br />
the company.”<br />
<br />
<br />
38. In Duke of Bedford v Ellis [1901] AC 1, 8, Lord Macnaghten summarised the<br />
practice of the Court of Chancery in this way:<br />
<br />
<br />
“The old rule in the Court of Chancery was very simple and<br />
perfectly well understood. Under the old practice the Court<br />
<br />
required the presence of all parties interested in the matter<br />
in suit, in order that a final end might be made of the<br />
controversy. But when the parties were so numerous that<br />
you never could ‘come at justice’, to use an expression in one<br />
<br />
of the older cases, if everybody interested was made a party,<br />
the rule was not allowed to stand in the way. It was originally<br />
a rule of convenience: for the sake of convenience it was<br />
relaxed. Given a common interest and a common grievance,<br />
a representative suit was in order if the relief sought was in<br />
<br />
its nature beneficial to all whom the plaintiff proposed to<br />
represent.”<br />
<br />
<br />
(b) Effect of the Judicature Act<br />
<br />
<br />
39. By the Supreme Court of Judicature Act 1873, all the jurisdiction previously<br />
<br />
exercised by the Court of Chancery and the courts of common law was transferred to<br />
and vested in the new High Court of Justice. Rules of procedure for the High Court<br />
were scheduled to the Act, which included as rule 10:<br />
<br />
<br />
“Where there are numerous parties having the same interest<br />
<br />
in one action, one or more of such parties may sue or be<br />
sued, or may be authorised by the court to defend in such<br />
action, on behalf or for the benefit of all parties so<br />
interested.”<br />
<br />
<br />
This rule became Order 16, rule 9 of the Rules of the Supreme Court and has remained<br />
in force in the same or similar form ever since. Save that the requirement for<br />
<br />
“numerous parties” has been reduced to “more than one”, there is no significant<br />
difference in the current version of the rule, quoted at para 33 above.<br />
<br />
<br />
40. At first after the enactment of the Judicature Act the courts construed the new<br />
rule narrowly. In Temperton v Russell [1893] 1 QB 435, 438, Lindley LJ, who gave the<br />
<br />
judgment of the Court of Appeal, expressed the view that the rule only applied to<br />
“persons who have or claim some beneficial proprietary right” which they are asserting<br />
or defending in an action that would have come within the jurisdiction of the old Court<br />
of Chancery; hence the rule did not apply to a claim for damages in tort. That view,<br />
however, was repudiated by the House of Lords in Duke of Bedford v Ellis [1901] AC 1.<br />
<br />
Six individuals sued the Duke of Bedford, who owned Covent Garden Market, on behalf<br />
of themselves and all other growers of fruit, flowers, vegetables, roots and herbs, to<br />
enforce certain preferential rights claimed under the Covent Garden Market Act 1828<br />
to stands in the market. They sought declarations of the rights of the growers and an<br />
<br />
injunction to restrain the Duke from acting inconsistently with those rights. They also<br />
claimed - though only for themselves and not on behalf of other growers - an account<br />
and repayment of sums charged to them for selling at the market in excess of what<br />
they would have paid if afforded their alleged preferential rights. The Duke applied to<br />
have the action stayed either on the ground that the claimants had no beneficial<br />
<br />
proprietary right, or on the ground that the joinder in one action of parties claiming<br />
separate and different rights under the Act, both personally and as representing a<br />
class, would embarrass or delay the trial. The House of Lords rejected both grounds<br />
(the first unanimously and the second by a majority of 3 to 2) and held that the action<br />
<br />
could be maintained.<br />
<br />
<br />
41. Lord Macnaghten, who gave the leading speech, expressly disapproved the<br />
restrictive view of the representative rule expressed in Temperton v Russell and<br />
confirmed that its purpose was simply to apply the practice of the Court of Chancery to<br />
<br />
all divisions of the High Court. The only change was therefore that the rule was now<br />
applicable in actions which, before the Judicature Act, could only have been brought in<br />
a court of common law. He said, at pp 10-11, that:<br />
<br />
<br />
“… in all other respects I think the rule as to representative<br />
suits remains very much as it was a hundred years ago. From<br />
<br />
the time it was first established it has been recognised as a<br />
simple rule resting merely upon convenience. It is impossible,<br />
I think, to read such judgments as those delivered by Lord<br />
Eldon in Adair v New River Co, in 1805, and in Cockburn v<br />
Thompson, in 1809, without seeing that Lord Eldon took as<br />
broad and liberal a view on this subject as anybody could<br />
<br />
desire. ‘The strict rule’, he said, ‘was that all persons<br />
materially interested in the subject of the suit, however<br />
numerous, ought to be parties … but that being a general rule<br />
established for the convenient administration of justice must<br />
<br />
not be adhered to in cases to which consistently with<br />
practical convenience it is incapable of application’. ‘It was<br />
better’, he added, ‘to go as far as possible towards justice<br />
than to deny it altogether’. He laid out of consideration the<br />
case of persons suing on behalf of themselves and all others,<br />
<br />
‘for in a sense’, he said, ‘they are before the Court’. As<br />
regards defendants, if you cannot make everybody interested<br />
a party, you must bring so many that it can be said they will<br />
fairly and honestly try the right. I do not think, my Lords, that<br />
<br />
we have advanced much beyond that in the last hundred<br />
years …”<br />
<br />
<br />
As Megarry J commented in John v Rees [1970] Ch 345, 370, this explanation made it<br />
plain that the representative rule is to be treated as being “not a rigid matter of<br />
principle but a flexible tool of convenience in the administration of justice”.<br />
<br />
<br />
<br />
42. In Taff Vale Railway Co v Amalgamated Society of Railway Servants [1901] AC<br />
426, 443, Lord Lindley (as he had become) went out of his way to endorse this view<br />
and to retract his earlier observations in Temperton v Russell, stating:<br />
<br />
<br />
“The principle on which the rule is based forbids its<br />
<br />
restriction to cases for which an exact precedent can be<br />
found in the reports. The principle is as applicable to new<br />
cases as to old, and ought to be applied to the exigencies of<br />
modern life as occasion requires. The rule itself has been<br />
<br />
embodied and made applicable to the various Divisions of the<br />
High Court by the Judicature Act, 1873, sections 16 and 23-<br />
25, and Order XVI, rule 9; and the unfortunate observations<br />
made on that rule in Temperton v Russell have been happily<br />
corrected in this House in the Duke of Bedford v Ellis and in<br />
<br />
the course of the argument in the present case.”<br />
<br />
<br />
(c) Markt and declarations of rights<br />
<br />
<br />
43. The subsequent decision of the Court of Appeal in Markt & Co Ltd v Knight<br />
Steamship Co Ltd [1910] 2 KB 1021 has sometimes been seen as undermining the<br />
broad and flexible view of the representative rule adumbrated by the House of Lords in<br />
these two cases by imposing significant constraints on its use: see eg Esanda Finance<br />
<br />
Corpn Ltd v Carnie (1992) 29 NSWLR 382, 395; Mulheron R, The Class Action in<br />
Common Law Legal Systems (2004) pp 78-82; Sorabji J, “The hidden class action in<br />
English civil procedure” (2009) 28 CJQ 498. I do not think, however, that the decision<br />
should be understood in this way. Markt was heard together with another action also<br />
<br />
brought against the owners of a cargo vessel which was intercepted by a Russian<br />
cruiser on a voyage to Japan during the Russo-Japanese war, on suspicion of carrying<br />
contraband of war, and sunk. Just before the limitation period expired, two cargo-<br />
owners issued writs “on behalf of themselves and others owners of cargo lately laden<br />
on board” the vessel, claiming “damages for breach of contract and duty in and about<br />
<br />
the carriage of goods by sea”. No further particulars of the claims were given.<br />
<br />
<br />
44. All three members of the Court of Appeal agreed that the claims as formulated<br />
could not be pursued as representative actions as there was no basis for asserting that<br />
all the cargo owners had the same interest in the actions. That was so if only because a<br />
<br />
claim that the shipowners were in breach of duty in carrying contraband goods plainly<br />
could not be maintained on behalf of any cargo-owners who had themselves shipped<br />
such goods; furthermore, each cargo owner would need to prove their individual loss.<br />
Buckley LJ would have allowed the claimants to amend their writs and continue the<br />
proceedings on behalf of themselves and all cargo-owners who were not shippers of<br />
<br />
contraband goods, claiming a declaration that the defendants were in breach of<br />
contract and duty in shipping contraband of war. The other judges, however, did not<br />
agree to this course. Vaughan Williams LJ, at p 1032, rejected it on the grounds that<br />
the proposed amendment had not been brought before the court in a way which gave<br />
<br />
a proper opportunity for argument and doubted anyway whether the amendment<br />
could be so framed as to disclose a common purpose of the shippers or any class of the<br />
shippers. Fletcher Moulton LJ, at p 1042, considered that making a declaration of the<br />
type suggested would be contrary to the practice of the courts and that subsequent<br />
<br />
claims by individual cargo-owners relying on such a declaration to recover damages<br />
would constitute new claims which would be time-barred, as the limitation period had<br />
now expired.<br />
<br />
<br />
45. The readiness of English courts to give judgments declaring legal rights where it<br />
would serve a useful purpose has much increased since 1910. An important step was<br />
<br />
the decision of the Court of Appeal in Guaranty Trust Co of New York v Hannay & Co<br />
[1915] 2 KB 536, which held that a declaration can be granted at the instance of a<br />
claimant even if the claimant has no cause of action against the defendant. Two cases<br />
decided together by the Court of Appeal in 1921 showed that there is no reason in<br />
principle why a claim for a declaration of the kind suggested by Buckley LJ in Markt<br />
cannot be brought as a representative action. In David Jones v Cory Bros & Co Ltd<br />
(1921) 56 LJ 302; 152 LT Jo 70, five individuals sued on their own behalf and on behalf<br />
<br />
of all other underground and surface workmen employed at the defendant’s colliery<br />
on three specified days in September 1919. They alleged that on those three days the<br />
safety lamps in use at the colliery were not in accordance with statutory requirements,<br />
were insufficient in number and were not properly examined; and that in consequence<br />
<br />
the workmen justifiably refused to go to work and lost the wages they would<br />
otherwise have earned and were entitled to damages. In Thomas v Great Mountain<br />
Collieries Co, which was heard at the same time, two claimants sued the owner of<br />
another colliery for loss of wages, alleging breach of statutory duty in not having a<br />
weighing machine to weigh coal as near the pit mouth as was reasonably practicable.<br />
<br />
The workmen were divided into two classes - one comprising all workmen whose<br />
wages depended on the amount of coal gotten and the other comprising all other<br />
underground and surface workmen. The claimants sued on their own behalf and on<br />
behalf of the class they respectively represented.<br />
<br />
<br />
<br />
46. In each action the claims were divisible under three heads: (1) claims for<br />
declarations upon matters in which the classes represented were alleged to have a<br />
common interest; (2) claims for damages by the individual named claimants; and (3)<br />
claims for damages by the individual members of the classes represented.<br />
Unfortunately, only a bare summary of the judgments is reported. But this records that<br />
<br />
the Court of Appeal by a majority (Bankes and Atkin LJJ, with Scrutton LJ dissenting)<br />
held that the claimants were entitled to sue in a representative capacity as regards<br />
claims that came within (1) and (2), but not as regards claims for damages by the<br />
individual members of the classes represented.<br />
<br />
<br />
<br />
47. In Prudential Assurance Co Ltd v Newman Industries Ltd [1981] Ch 229 the<br />
claimant brought a derivative action as a minority shareholder of the first defendant<br />
company claiming damages on behalf of the company against two of its directors for<br />
breach of duty and conspiracy. At the start of the hearing the claimant applied to<br />
<br />
amend its statement of claim to add a personal claim against the directors and the<br />
company, brought in a representative capacity on behalf of all the shareholders. The<br />
relief sought was a declaration that those shareholders who had suffered loss as a<br />
result of the alleged conspiracy were entitled to damages. The judge (Vinelott J)<br />
allowed the amendment. He distinguished Markt and followed David Jones v Cory Bros<br />
<br />
in holding that a representative claim for a declaration could be pursued<br />
notwithstanding that each member of the class of persons represented had a separate<br />
cause of action. Although the personal claim was later held by the Court of Appeal in<br />
Prudential Assurance Co Ltd v Newman Industries Ltd (No 2) [1981] Ch 204 at 222 to be<br />
misconceived as a matter of substantive law, the Court of Appeal cast no doubt on the<br />
use of the representative procedure.<br />
<br />
<br />
48. This decision was important in demonstrating the potential for a bifurcated<br />
process whereby issues common to the claims of a class of persons may be decided in<br />
a representative action which, if successful, can then form a basis for individual claims<br />
<br />
for redress. More generally, the Prudential case marked a welcome revival of the spirit<br />
of flexibility which characterised the old case law.<br />
<br />
<br />
(d) Claims for damages<br />
<br />
<br />
49. In the cases so far mentioned where claims were held to come within the scope<br />
<br />
of the representative rule, the relief claimed on behalf of the represented class was<br />
limited to a declaration of legal rights. It was accepted or held that the named<br />
claimants could only claim damages or other monetary relief in their personal capacity.<br />
In Markt Fletcher Moulton LJ expressed the view, at pp 1035 and 1040-1041, that<br />
damages are “a personal relief” and that:<br />
<br />
<br />
<br />
“no representative action can lie where the sole relief sought<br />
is damages, because they have to be proved separately in the<br />
case of each plaintiff, and therefore the possibility of<br />
representation ceases.”<br />
<br />
<br />
<br />
50. In many cases, of which Markt was one, it is clearly correct that the assessment<br />
of damages depends on circumstances personal to each individual claimant. In such<br />
cases it is unlikely to be practical or fair to assess damages on a common basis and<br />
without each individual claimant’s participation in the proceedings. However, this is<br />
<br />
not always so, and representative actions for damages have sometimes been allowed.<br />
For example, in the case of insurance underwritten by Lloyd’s syndicates, which are<br />
not separate legal entities, it is standard practice for a single member of the syndicate<br />
(usually the leading underwriter) to be named as a representative claimant or<br />
defendant suing, or being sued, for themselves and all the other members. There is no<br />
<br />
difficulty in awarding damages for or against the representative in such proceedings, as<br />
the calculation of any damages which the members of the syndicate are collectively<br />
entitled to recover or liable to pay does not depend on how the risk is divided among<br />
the members of the syndicate.<br />
<br />
<br />
<br />
51. In Pan Atlantic Insurance Co Ltd v Pine Top Insurance Co Ltd [1989] 1 Lloyd’s Rep<br />
568 the claimant companies sued on behalf of themselves and members of a syndicate<br />
which had reinsured on a quota share basis a proportion of the risks they had<br />
underwritten, claiming under contracts which provided excess of loss reinsurance<br />
cover for the claimants and their quota share reinsurers. The Court of Appeal rejected<br />
an argument that the claimants were not entitled to sue in a representative capacity. It<br />
made no difference that there was a dispute between one of the claimants and some<br />
<br />
members of the syndicate about the validity of the quota share reinsurance, since as<br />
Lloyd LJ said, at p 571: “the question is whether the parties have the same interest as<br />
against the defendants; not whether they have the same interest as between<br />
themselves”.<br />
<br />
<br />
<br />
52. In Irish Shipping Ltd v Commercial Union Assurance Co plc (The “Irish Rowan”)<br />
[1991] 2 QB 206 numerous insurers had subscribed in various proportions to a policy of<br />
marine insurance. The Court of Appeal accepted that, as a matter of law, each<br />
subscription constituted a separate contract of insurance (of which there were said to<br />
be 77 in all). Claims for losses allegedly covered by the policy were made by suing two<br />
<br />
of the insurers as representative defendants. The Court of Appeal rejected an<br />
argument that claims for debt or damages could not be included in a representative<br />
action, merely because they are made by numerous claimants individually or resisted<br />
by numerous defendants individually, and held that the action could continue as a<br />
<br />
representative action. While the policy terms contained a broadly worded leading<br />
underwriter clause, the presence of this clause was not essential to the decision: see<br />
Bank of America National Trust and Savings Association v Taylor (The Kyriaki) [1992] 1<br />
Lloyd’s Rep 484, 493-494; National Bank of Greece SA v Outhwaite [2001] CLC 591,<br />
para 31.<br />
<br />
<br />
<br />
53. In EMI Records Ltd v Riley [1981] 1 WLR 923, and in Independiente Ltd v Music<br />
Trading On-Line (HK) Ltd [2003] EWHC 470 (Ch), the claimants sued in a representative<br />
capacity on behalf of all members of the British Phonographic Industry Ltd (“BPI”), a<br />
trade association for the recorded music industry (and also in the latter case on behalf<br />
<br />
of Phonographic Performance Ltd), claiming damages for breach of copyright in selling<br />
pirated sound recordings. In each case the claims were allowed to proceed as<br />
representative actions. Because it was accepted or could safely be assumed that the<br />
owner of the copyright in any pirated recording was a member of the represented<br />
<br />
class, this procedure enabled breach of copyright to be proved and damages to be<br />
awarded without the need to prove which particular pirated recordings had been sold<br />
in what quantities. Again, what mattered was that the members of the class had a<br />
community of interest in suing the defendant.<br />
<br />
<br />
54. In EMI Records it was asserted, and not disputed by the defendants, that the<br />
<br />
members of the BPI had consented to all sums recovered in actions for breach of<br />
copyright being paid to the BPI: see [1981] 1 WLR 923, 925. In Independiente, however,<br />
this assertion was disputed and Morritt V-C found that there was no binding<br />
agreement that any money recovered should go to the BPI: see [2003] EWHC 470 (Ch),<br />
paras 16 and 28. He nevertheless held, at paras 28 and 39, that the claim was properly<br />
brought as a representative action, observing that what the claimants did with any<br />
damages recovered was a matter for them or between them, the BPI and the class<br />
<br />
members, and not between them and the defendants.<br />
<br />
<br />
55. Although not cited in these cases, the same point had been made long before in<br />
Warrick v Queen’s College Oxford (No 4) (1871) LR 6 Ch App 716, 726, where Lord<br />
Hatherley LC gave an example of:<br />
<br />
<br />
<br />
“classes of shareholders in a railway company who have<br />
different rights inter se, but they may all have a common<br />
enemy in the shape of a fraudulent director, and they may all<br />
join, of course, in one common suit against that director,<br />
although after the common right is established they may<br />
<br />
have a considerable litigation among themselves as to who<br />
are the persons entitled to the gains obtained through that<br />
suit.”<br />
<br />
<br />
While the right enforced in such a common suit would in modern company law be seen<br />
<br />
as a right belonging to the company itself, rather than its shareholders, it is clear from<br />
the context that Lord Hatherley had in mind a representative action brought on behalf<br />
of shareholders, as he gave this analogy to explain how in that case a representative<br />
claim could be brought on behalf of all the freehold tenants of a manor to establish<br />
common rights against the lord of the manor even though different tenants or classes<br />
<br />
of tenant had different rights as between themselves.<br />
<br />
<br />
(e) Emerald Supplies<br />
<br />
<br />
56. In giving the Court of Appeal’s judgment in the present case, the Chancellor, at<br />
[2020] QB 747, para 73, focused on Emerald Supplies Ltd v British Airways plc [2010]<br />
<br />
EWCA Civ 1284; [2011] Ch 345 as providing the latest authoritative interpretation of<br />
the representative rule. The decision in that case turned, however, on the particular<br />
way in which the class of represented persons had been defined. The claimants alleged<br />
that the defendant airline was a party to agreements or concerted practices with other<br />
<br />
airlines to fix prices for air freight charged for importing cut flowers into the UK. They<br />
claimed on behalf of all “direct or indirect purchasers of air freight services, the prices<br />
for which were inflated by the agreements or concerted practices”, a declaration that<br />
damages were recoverable in principle from the defendant by those purchasers. The<br />
Court of Appeal upheld a decision to strike out the representative claim on the basis<br />
that, in the way the class had been defined, the issue of liability would have to be<br />
decided before it could be known whether or not a person was a member of the<br />
represented class and therefore bound by the judgment: see paras 62-63 and 65. Such<br />
an approach would not be just, not least because, if the claim failed, no purchasers of<br />
<br />
air freight services apart from the named claimants would be bound by the result.<br />
<br />
<br />
57. The Court of Appeal in Emerald Supplies also considered that a second difficulty<br />
with the class definition was that the members of the represented class did not all<br />
have the same interest in the claim, as there was a conflict of interest between direct<br />
<br />
and indirect purchasers of air freight services: see paras 28-29 and 64. If it was shown<br />
that prices had been inflated by agreements or concerted practices to which the<br />
defendant was a party, it would be in the interests of direct purchasers to seek to<br />
prove that they had absorbed the higher prices in order to avoid a potential defence<br />
that they had suffered no loss because the higher prices had been passed on to<br />
<br />
“indirect purchasers” (understood to include sub-purchasers). On the other hand, it<br />
would be in the interests of such indirect purchasers to seek to prove that the higher<br />
prices had indeed been passed on to them.<br />
<br />
<br />
58. It seems to me that this second difficulty might have been avoided either by<br />
<br />
altering the class definition to exclude sub-purchasers or by following the approach<br />
adopted in Prudential of claiming a declaration that those members of the class who<br />
had suffered damage as a result of the alleged price fixing were entitled to damages.<br />
However, those possibilities do not appear to have been considered. I think that the<br />
judge in Rendlesham Estates plc v Barr Ltd [2014] EWHC 3968 (TCC); [2015] 1 WLR<br />
<br />
3663 - a case relied on by Google on this appeal - was therefore wrong to conclude<br />
from Emerald Supplies, at para 90, that “if damage is an ingredient of the cause of<br />
action a representative claim could not be maintained”. The Court of Appeal in<br />
Emerald Supplies did not doubt the correctness of the Prudential decision, where a<br />
<br />
representative claim was allowed to proceed although damage was an ingredient of<br />
the cause of action. As Professor Rachael Mulheron, a leading expert in this field, has<br />
persuasively argued, it should likewise have been possible in Emerald Supplies to adopt<br />
a bifurcated process in which the questions whether prices had been inflated by<br />
<br />
agreements or concerted practices and whether passing on was in principle available<br />
as a defence were decided in a representative action. If successful, this action could<br />
then have formed the basis for further proceedings to prove the fact and amount of<br />
damage in individual cases: see Mulheron R, “Emerald Supplies Ltd v British Airways<br />
plc; A Century Later, The Ghost of Markt Lives On” [2009] Comp Law 159, 171.<br />
<br />
<br />
<br />
<br />
<br />
<br />
(f) Commonwealth cases<br />
<br />
<br />
59. The highest courts of Australia, Canada and New Zealand have all adopted a<br />
broad and flexible approach in interpreting representative rules derived from the<br />
English rule.<br />
<br />
<br />
(i) Australia<br />
<br />
<br />
<br />
60. In Carnie v Esanda Finance Corpn Ltd (1994) 127 ALR 76 the High Court of<br />
Australia held that the fact that the claims arose under separate contracts did not<br />
prevent the named claimants and the persons represented from having “the same<br />
interest” in proceedings. It was enough to satisfy this requirement that there was a<br />
<br />
community of interest in the determination of a substantial question of law or fact that<br />
arose in the proceedings. Commenting on an argument that the representative rule<br />
was an inadequate basis for a “class action”, which required a comprehensive<br />
legislative regime, Toohey and Gaudron JJ (with whom Mason CJ, Deane and Dawson JJ<br />
generally agreed) said, at p 91:<br />
<br />
<br />
<br />
“... it is true that rule 13 lacks the detail of some other rules<br />
of court. But there is no reason to think that the Supreme<br />
Court of New South Wales lacks the authority to give<br />
directions as to such matters as service, notice and the<br />
<br />
conduct of proceedings which would enable it to monitor and<br />
finally to determine the action with justice to all concerned.<br />
The simplicity of the rule is also one of its strengths, allowing<br />
it to be treated as a flexible rule of convenience in the<br />
administration of justice and applied ‘to the exigencies of<br />
<br />
modern life as occasion requires’. The court retains the<br />
power to reshape proceedings at a later stage if they become<br />
impossibly complex or the defendant is prejudiced.”<br />
<br />
<br />
(ii) Canada<br />
<br />
<br />
<br />
61. In Western Canadian Shopping Centres Inc v Dutton [2001] 2 SCR 534, paras 38-<br />
48, the Supreme Court of Canada held that representative actions should be allowed<br />
to proceed where the following conditions are met: (1) the class is capable of clear<br />
definition; (2) there are issues of fact or law common to all class members; (3) success<br />
<br />
for one class member means success for all (although not necessarily to the same<br />
extent); and (4) the proposed representative adequately represents the interests of<br />
<br />
the class. If these conditions are met the court must also be satisfied, in the exercise of<br />
its discretion, that there are no countervailing considerations that outweigh the<br />
benefits of allowing the representative action to proceed. The Supreme Court held that<br />
the conditions were met by the claimants in Dutton, who sued as representatives of a<br />
group of investors complaining that the defendant had breached fiduciary duties to the<br />
<br />
investors by mismanaging their funds.<br />
<br />
<br />
62. Giving the judgment of the court, McLachlin CJ, at para 47, distinguished its<br />
earlier decision in General Motors of Canada Ltd v Naken [1983] 1 SCR 72, where a<br />
representative action had been disallowed. In Naken the action was brought on behalf<br />
<br />
of purchasers of new Firenza motor vehicles against the manufacturer, complaining<br />
that the quality of the vehicles had been misrepresented or was not as warranted in<br />
advertisements, other published materials and contracts which were partly oral and<br />
partly written. Damages were claimed limited to $1,000 per person. The claims were<br />
held to be unsuitable for resolution through a representative action, principally<br />
<br />
because determining both liability and damages would have required particularised<br />
evidence and fact-finding in relation to each individual purchaser.<br />
<br />
<br />
63. McLachlin CJ also commented, at para 46, that over the period since Naken was<br />
decided the benefits of class actions had become manifest. She identified, at paras 27-<br />
<br />
29, three important advantages which such actions offer over a multiplicity of<br />
individual suits: (1) avoiding unnecessary duplication in fact-finding and legal analysis;<br />
(2) making economical the prosecution of claims that would otherwise be too costly to<br />
prosecute individually; and (3) serving efficiency and justice by ensuring that actual<br />
and potential wrongdoers who cause widespread but individually minimal harm take<br />
<br />
into account the full costs of their conduct.<br />
<br />
<br />
64. McLachlin CJ further observed, at para 34, that, while it would clearly be<br />
advantageous if there existed a comprehensive legislative framework regulating class<br />
actions, in its absence “the courts must fill the void”.<br />
<br />
<br />
<br />
(iii) New Zealand<br />
<br />
<br />
65. The Supreme Court of New Zealand has recently considered the use of the<br />
representative procedure in Southern Response Earthquake Services Ltd v Ross [2020]<br />
NZSC 126. This was a representative action brought on behalf of some 3,000<br />
<br />
policyholders who had settled insurance claims for damage to their homes caused by<br />
earthquakes in the Canterbury region of New Zealand. The claimants alleged that the<br />
policyholders had been misled by the insurers about the cost of remedying the<br />
damage, with the result that they had settled their claims on a less favourable basis<br />
<br />
than otherwise would have been the case. The insurers did not oppose the action<br />
being brought on a representative basis, but argued that the class represented should<br />
be limited to policyholders who completed a form electing to opt into the proceedings.<br />
It was agreed that the proceedings would need to be heard in two stages. The first<br />
stage would deal with issues common to all members of the represented class. If the<br />
<br />
claimants succeeded at that stage in whole or in part, there would need to be a second<br />
stage, in which questions of relief were addressed. It was also agreed that, at the<br />
second stage, it would be necessary for all of the policyholders represented to take<br />
active steps - that is, to opt in - if they wished to establish their individual claims.<br />
<br />
<br />
<br />
66. The New Zealand Supreme Court affirmed the decision of the Court of Appeal<br />
that the claim should be allowed to continue on an opt out basis. In doing so, the<br />
Supreme Court rejected an argument that it should not develop an opt out regime in<br />
the absence of a statutory framework and gave guidance on various matters relating to<br />
supervision of opt out representative proceedings.<br />
<br />
<br />
<br />
(g) Principles governing use of the representative procedure<br />
<br />
<br />
67. Although the world has changed out of all recognition since the representative<br />
procedure was devised by the Court of Chancery, it has done so in ways which have<br />
made the problems to which the procedure provided a solution more common and<br />
<br />
often vastly bigger in scale. The mass production of goods and mass provision of<br />
services have had the result that, when legally culpable conduct occurs, a very large<br />
group of people, sometimes numbering in the millions, may be affected. As the<br />
present case illustrates, the development of digital technologies has added to the<br />
potential for mass harm for which legal redress may be sought. In such cases it is<br />
<br />
necessary to reconcile, on the one hand, the inconvenience or complete impracticality<br />
of litigating multiple individual claims with, on the other hand, the inconvenience or<br />
complete impracticality of making every prospective claimant (or defendant) a party to<br />
a single claim. The only practical way to “come at justice” is to combine the claims in a<br />
<br />
single proceeding and allow one or more persons to represent all others who share the<br />
same interest in the outcome. When trying all the individual claims is not feasible, the<br />
adages of Lord Eldon quoted by Lord Macnaghten in Ellis remain as pertinent as ever:<br />
that it is better to go as far as possible towards justice than to deny it altogether and<br />
<br />
that, if you cannot realistically make everybody interested a party, you should ensure<br />
that those who are parties will “fairly and honestly try the right”.<br />
<br />
<br />
68. I agree with the highest courts of Australia, Canada and New Zealand that, while<br />
a detailed legislative framework would be preferable, its absence (outside the field of<br />
competition law) in this country is no reason to decline to apply, or to interpret<br />
<br />
restrictively, the representative rule which has long existed (and has had a legislative<br />
basis since 1873). I also agree with the view expressed in Carnie that the very simplicity<br />
of the representative rule is in some respects a strength, allowing it to be treated as “a<br />
flexible tool of convenience in the administration of justice” and “applied to the<br />
exigencies of modern life as occasion requires”.<br />
<br />
<br />
(i) The “same interest” requirement<br />
<br />
<br />
<br />
69. In its current form in CPR rule 19.6 the rule imposes no limit (either as a<br />
minimum or maximum) on the number of people who may be represented. Only one<br />
condition must be satisfied before a representative claim may be begun or allowed to<br />
continue: that is, that the representative has “the same interest” in the claim as the<br />
<br />
person(s) represented.<br />
<br />
<br />
70. The phrase “the same interest” is capable of bearing a range of meanings and<br />
requires interpretation. In interpreting the phrase, reference has often been made to<br />
Lord Macnaghten’s statement in Ellis (quoted at para 38 above) that: “Given a<br />
common interest and a common grievance, a representative suit was in order if the<br />
<br />
relief sought was in its nature beneficial to all whom the plaintiff proposed to<br />
represent.” This statement has sometimes been treated as if it were a definition<br />
imposing a tripartite test: see eg Smith v Cardiff Corpn [1954] 1 QB 210. Such an<br />
approach seems to me misguided. It is clear from the context that Lord Macnaghten<br />
<br />
was not attempting to define “the same interest”, but to convey how limiting the rule<br />
to persons having a beneficial proprietary interest in the claim would be contrary to<br />
the old practice in the Court of Chancery. More profoundly, such a reading of Lord<br />
Macnaghten’s speech shows precisely the rigidity of approach to the application of the<br />
representative rule which he disparaged.<br />
<br />
<br />
<br />
71. The phrase “the same interest”, as it is used in the representative rule, needs to<br />
be interpreted purposively in light of the overriding objective of the civil procedure<br />
rules and the rationale for the representative procedure. The premise for a<br />
representative action is that claims are capable of being brought by (or against) a<br />
<br />
number of people which raise a common issue (or issues): hence the potential and<br />
motivation for a judgment which binds them all. The purpose of requiring the<br />
representative to have “the same interest” in the claim as the persons represented is<br />
to ensure that the representative can be relied on to conduct the litigation in a way<br />
<br />
which will effectively promote and protect the interests of all the members of the<br />
represented class. That plainly is not possible where there is a conflict of interest<br />
between class members, in that an argument which would advance the cause of some<br />
would prejudice the position of others. Markt and Emerald Supplies are both examples<br />
of cases where it was found that the proposed representative action, as formulated,<br />
<br />
could not be maintained for this reason.<br />
<br />
<br />
72. As Professor Adrian Zuckerman has observed in his valuable book on civil<br />
procedure, however, a distinction needs to be drawn between cases where there are<br />
conflicting interests between class members and cases where there are merely<br />
divergent interests, in that an issue arises or may well arise in relation to the claims of<br />
(or against) some class members but not others. So long as advancing the case of class<br />
<br />
members affected by the issue would not prejudice the position of others, there is no<br />
reason in principle why all should not be represented by the same person: see<br />
Zuckerman on Civil Procedure: Principles of Practice, 4th ed (2021), para 13.49. As<br />
Professor Zuckerman also points out, concerns which may once have existed about<br />
<br />
whether the representative party could be relied on to pursue vigorously lines of<br />
argument not directly applicable to their individual case are misplaced in the modern<br />
context, where the reality is that proceedings brought to seek collective redress are<br />
not normally conducted and controlled by the nominated representative, but rather<br />
are typically driven and funded by lawyers or commercial litigation funders with the<br />
<br />
representative party merely acting as a figurehead. In these circumstances, there is no<br />
reason why a representative party cannot properly represent the interests of all<br />
members of the class, provided there is no true conflict of interest between them.<br />
<br />
<br />
73. This purposive and pragmatic interpretation of the requirement is exemplified<br />
<br />
by The “Irish Rowan”, where Staughton LJ, at pp 227-228, noted that some of the<br />
insurers might wish to resist the claim on a ground that was not available to others. He<br />
rightly did not regard that circumstance as showing that all the insurers did not have<br />
“the same interest” in the action, or that it was not within the rule, and had “no<br />
qualms about a proceeding which allows that ground to be argued on their behalf by<br />
<br />
others”.<br />
<br />
<br />
74. Even if it were considered inconsistent with the “same interest” requirement, or<br />
otherwise inappropriate, for a single person to represent two groups of people in<br />
relation to whom different issues arise although there is no conflict of interest<br />
<br />
between them, any procedural objection could be overcome by bringing two (or more)<br />
representative claims, each with a separate representative claimant or defendant, and<br />
combining them in the same action.<br />
<br />
<br />
(ii) The court’s discretion<br />
<br />
<br />
<br />
75. Where the same interest requirement is satisfied, the court has a discretion<br />
whether to allow a claim to proceed as a representative action. As with any power<br />
given to it by the Civil Procedure Rules, the court must in exercising its discretion seek<br />
to give effect to the overriding objective of dealing with cases justly and at<br />
proportionate cost: see CPR rule 1.2(a). Many of the considerations specifically<br />
<br />
included in that objective (see CPR rule 1.1(2)) - such as ensuring that the parties are<br />
on an equal footing, saving expense, dealing with the case in ways which are<br />
proportionate to the amount of money involved, ensuring that the case is dealt with<br />
expeditiously and fairly, and allotting to it an appropriate share of the court’s<br />
resources while taking into account the need to allot resources to other cases - are<br />
likely to militate in favour of allowing a claim, where practicable, to be continued as a<br />
<br />
representative action rather than leaving members of the class to pursue claims<br />
individually.<br />
<br />
<br />
76. Four further features of the representative rule deserve mention.<br />
<br />
<br />
(iii) No requirement of consent<br />
<br />
<br />
<br />
77. First, as the ability to act as a representative under the rule does not depend on<br />
the consent of the persons represented but only on community of interest between<br />
them, there is ordinarily no need for a member of the represented class to take any<br />
positive step, or even to be aware of the existence of the action, in order to be bound<br />
by the result. The rule does not confer a right to opt out of the proceedings (though a<br />
<br />
person could, at least in theory, apply to the court for a direction under rule 19.6(3)<br />
that the named claimant (or defendant) may not represent them or under rule 19.6(4)<br />
that any judgment given will not be binding on them). It is, however, always open to<br />
the judge managing the case to impose a requirement to notify members of the class<br />
<br />
of the proceedings and establish a simple procedure for opting out of representation, if<br />
this is considered desirable. Equally, if there are circumstances which make it<br />
appropriate to limit the represented class to persons who have positively opted into<br />
the litigation, it is open to the judge to make this a condition of representation. The<br />
procedure is entirely flexible in these respects.<br />
<br />
<br />
<br />
(iv) The class definition<br />
<br />
<br />
78. Second, while it is plainly desirable that the class of persons represented should<br />
be clearly defined, the adequacy of the definition is a matter which goes to the court’s<br />
discretion in deciding whether it is just and convenient to allow the claim to be<br />
<br />
continued on a representative basis rather than being a precondition for the<br />
application of the rule. Emerald Supplies illustrates a general principle that<br />
membership of the class should not depend on the outcome of the litigation. Beyond<br />
that, whether or to what extent any practical difficulties in identifying the members of<br />
<br />
the class are material must depend on the nature and object of the proceedings. In<br />
Duke of Bedford v Ellis, for example, it did not matter that the number and identities of<br />
growers of fruit etc would have been difficult if not impossible to ascertain or that the<br />
class was a fluctuating one: given that the aim was to establish whether anyone who<br />
<br />
was a grower had preferential rights, all that mattered was that there would be no real<br />
difficulty in determining whether a particular person who claimed a preferential right<br />
to a vacant stand at Covent Garden was a grower or not: see [1901] AC 1 at 11. In<br />
some cases, however, for example where the viability of a claim for damages depends<br />
on demonstrating the size of the class or who its members are, such practical<br />
<br />
difficulties might well be significant.<br />
<br />
<br />
(v) Liability for costs<br />
<br />
<br />
79. Third, as persons represented by a representative claimant or defendant will<br />
not normally themselves have been joined as parties to the claim, they will not<br />
<br />
ordinarily be liable to pay any costs incurred by the representative in pursuing (or<br />
defending) the claim. That does not prevent the court, if it is in the interests of justice<br />
to do so, from making an order requiring a represented person to pay or contribute to<br />
costs and giving permission for the order to be enforced against that person pursuant<br />
to CPR rule 19.6(4)(b). Alternatively, such an order could be made pursuant to the<br />
<br />
general jurisdiction of the court to make costs orders against non-parties. It is difficult,<br />
however, to envisage circumstances in which it could be just to order a represented<br />
person to contribute to costs incurred by a claimant in bringing a representative claim<br />
which the represented person did not authorise. On the other hand, a commercial<br />
<br />
litigation funder who finances unsuccessful proceedings is likely to be ordered to pay<br />
the successful party’s costs at least to the extent of the funding: see Davey v Money<br />
[2020] EWCA Civ 246; [2020] 1 WLR 1751. That principle is no less applicable where the<br />
proceedings financed are a representative action.<br />
<br />
<br />
(vi) The scope for claiming damages<br />
<br />
<br />
<br />
80. Finally, as already discussed, it is not a bar to a representative claim that each<br />
represented person has in law a separate cause of action nor that the relief claimed<br />
consists of or includes damages or some other monetary relief. The potential for<br />
claiming damages in a representative action is, however, limited by the nature of the<br />
<br />
remedy of damages at common law. What limits the scope for claiming damages in<br />
representative proceedings is the compensatory principle on which damages for a civil<br />
wrong are awarded with the object of putting the claimant - as an individual - in the<br />
same position, as best money can do it, as if the wrong had not occurred. In the<br />
<br />
ordinary course, this necessitates an individualised assessment which raises no<br />
common issue and cannot fairly or effectively be carried out without the participation<br />
in the proceedings of the individuals concerned. A representative action is therefore<br />
not a suitable vehicle for such an exercise.<br />
<br />
<br />
<br />
81. In cases where damages would require individual assessment, there may<br />
nevertheless be advantages in terms of justice and efficiency in adopting a bifurcated<br />
process - as was done, for example, in the Prudential case - whereby common issues of<br />
law or fact are decided through a representative claim, leaving any issues which<br />
require individual determination - whether they relate to liability or the amount of<br />
<br />
damages - to be dealt with at a subsequent stage of the proceedings. In Prudential<br />
[1981] Ch 229, 255, Vinelott J expressed the view (obiter) that time would continue to<br />
run for the purpose of limitation until individual claims for damages were brought by<br />
the persons represented; see also the dicta of Fletcher Moulton LJ in Markt [1910] 2 KB<br />
<br />
1021, 1042, referred to at para 44 above. The court in Prudential did not have cited to<br />
it, however, the decision of the Court of Appeal in Moon v Atherton [1972] 2 QB 435. In<br />
that case a represented person applied to be substituted for the named claimant after<br />
the limitation period had expired when the claimant (and all the other represented<br />
persons) no longer wished to continue the action. The Court of Appeal, in allowing the<br />
<br />
substitution, held that the defendant was not thereby deprived of a limitation defence,<br />
as for the purpose of limitation the represented person was already a party to the<br />
action, albeit not a “full” party. It might be clearer to say that, although the<br />
represented person did not become a “party” until substituted as the claimant, an<br />
<br />
action was brought within the meaning of the statute of limitation by that person<br />
when the representative claim was initiated. Such an analysis has been adopted in<br />
Australia, including by the New South Wales Court of Appeal in Fostif Pty Ltd v<br />
Campbells Cash & Carry Pty Ltd [2005] NSWCA 83; (2005) 63 NSWLR 203, and by the<br />
New Zealand Supreme Court in Credit Suisse Private Equity v Houghton [2014] NZSC 37.<br />
<br />
<br />
<br />
82. There is no reason why damages or other monetary remedies cannot be<br />
claimed in a representative action if the entitlement can be calculated on a basis that is<br />
common to all the members of the class. Counsel for the claimant, Hugh Tomlinson<br />
QC, gave the example of a claim alleging that every member of the class was wrongly<br />
<br />
charged a fixed fee; another example might be a claim alleging that all the class<br />
members acquired the same product with the same defect which reduced its value by<br />
the same amount. In such cases the defendant’s monetary liability could be<br />
determined as a common issue and no individualised assessment would be needed.<br />
<br />
The same is true where loss suffered by the class as a whole can be calculated without<br />
reference to the losses suffered by individual class members - as in the cases<br />
mentioned at para 53 above. Such an assessment of loss on a global basis is sometimes<br />
described as a “top down” approach, in contrast to a “bottom up” approach of<br />
assessing a sum which each member of the class is individually entitled to recover.<br />
<br />
<br />
<br />
83. The recovery of money in a representative action on either basis may give rise<br />
to problems of distribution to the members of the class, about which the<br />
representative rule is silent. Although in Independiente Morritt V-C was untroubled by<br />
such problems, questions of considerable difficulty would arise if in the present case<br />
<br />
the claimant was awarded damages in a representative capacity with regard to how<br />
such damages should be distributed, including whether there would be any legal basis<br />
for paying part of the damages to the litigation funders without the consent of each<br />
individual entitled to them: see Mulheron R, “Creating and Distributing Common Funds<br />
under the English Representative Rule” (2021) King’s Law Journal 1-33. Google has not<br />
<br />
relied on such difficulties as a reason for disallowing a representative action, however,<br />
and as these matters were only touched on in argument, I will say no more about<br />
them.<br />
<br />
<br />
E. THE REPRESENTATIVE CLAIM IN THIS CASE<br />
<br />
<br />
<br />
84. In the present case I could see no legitimate objection to a representative claim<br />
brought to establish whether Google was in breach of the DPA 1998 and, if so, seeking<br />
a declaration that any member of the represented class who has suffered damage by<br />
reason of the breach is entitled to be paid compensation. The individual claims that<br />
could theoretically have been brought by each iPhone user who was affected by the<br />
<br />
Safari workaround clearly raise common issues; and it is not suggested that there is<br />
any conflict of interest among the members of the represented class. For the purpose<br />
of CPR rule 19.6(1), all would therefore have the same interest in such a claim as the<br />
representative claimant. There is no suggestion that Mr Lloyd is an unsuitable person<br />
<br />
to act in that capacity. Although Google has argued that there would be practical<br />
difficulties in identifying whether an individual falls within the class definition, even on<br />
Google’s evidence it is evident that the number of people affected by the Safari<br />
workaround was extremely large and it is unclear at this stage of the litigation how<br />
serious the difficulties of proof would actually be. Moreover, even if only a few<br />
<br />
individuals were ultimately able to obtain compensation on the basis of a declaratory<br />
judgment, I cannot see why that should provide a reason for refusing to allow a<br />
representative claim to proceed for the purpose of establishing liability.<br />
<br />
<br />
85. The claimant has not proposed such a bifurcated process, however. That is<br />
<br />
doubtless because success in the first, representative stage of such a process would<br />
not itself generate any financial return for the litigation funders or the persons<br />
represented. Funding the proceedings could therefore only be economic if pursuing<br />
separate damages claims on behalf of those individuals who opted into the second<br />
<br />
stage of the process would be economic. For the reasons discussed at paras 25-28<br />
above and emphasised in argument by counsel for the claimant, it clearly would not. In<br />
practice, therefore, as both courts below accepted, a representative action for<br />
damages is the only way in which the claims can be pursued.<br />
<br />
<br />
<br />
<br />
<br />
(1) The formulation of the claim for damages<br />
<br />
<br />
86. In formulating the claim made in this action, the claimant has not adopted the<br />
“top down” approach of claiming compensation for damage suffered by the class as a<br />
whole without reference to the entitlements of individual class members. The claim<br />
advanced is for damages calculated from the “bottom up”. The way in which the<br />
<br />
claimant seeks to obviate the need for individualised assessment is by claiming<br />
damages for each class member on what is described as a “uniform per capita basis”.<br />
<br />
<br />
87. The difficulty facing this approach is that the effect of the Safari workaround<br />
was obviously not uniform across the represented class. No challenge is or could<br />
<br />
reasonably be made to the judge’s findings, at [2018] EWHC 2599 (QB); [2019] 1 WLR<br />
1265, para 91, that:<br />
<br />
<br />
“… some affected individuals were ‘super users’ - heavy<br />
internet users. They will have been ‘victims’ of multiple<br />
breaches, with considerable amounts of [browser generated<br />
<br />
information] taken and used throughout the Relevant Period.<br />
Others will have engaged in very little internet activity.<br />
Different individuals will have had different kinds of<br />
information taken and used. No fewer than 17 categories of<br />
<br />
personal data are identified in the claim documents. The<br />
specified categories of data vary in their sensitivity, some of<br />
them being ‘sensitive personal data’ within the meaning of<br />
the section 2 of the DPA (such as sexuality, or ethnicity). …<br />
But it is not credible that all the specified categories of data<br />
<br />
were obtained by Google from each represented claimant. …<br />
The results of the acquisition and use will also have varied<br />
according to the individual, and their attitudes towards the<br />
acquisition, disclosure and use of the information in<br />
<br />
question.”<br />
<br />
<br />
If liability is established, the ordinary application of the compensatory principle would<br />
therefore result in different awards of compensation to different individuals.<br />
Furthermore, the amount of any compensation recoverable by any member of the<br />
<br />
class would depend on a variety of circumstances particular to that individual.<br />
Individualised assessment of damages would therefore be required.<br />
<br />
<br />
88. The claimant seeks to overcome this difficulty in one or other of two ways. Both<br />
rely on the proposition that an individual is entitled to compensation for any<br />
(non-trivial) contravention of the DPA 1998 without the need to prove that the individual<br />
suffered any financial loss or distress. On that footing it is argued, first of all, that<br />
general damages can be awarded on a uniform per capita basis to each member of the<br />
represented class without the need to prove any facts particular to that individual. The<br />
draft particulars of claim plead that the uniform sum awarded should reflect “the<br />
<br />
serious nature of the breach, in particular (but non-exhaustively):<br />
<br />
<br />
“(a) The lack of consent or knowledge of the<br />
Representative Claimant and each member of the Claimant<br />
Class to the defendant’s collection and use of their personal<br />
<br />
data.<br />
<br />
<br />
(b) The fact that such collection and use was contrary to<br />
the defendant’s public statements.<br />
<br />
<br />
(c) The fact that such collection and use was greatly to<br />
the commercial benefit of the defendant.<br />
<br />
<br />
<br />
(d) The fact that the defendant knew or ought to have<br />
known of the operation of the Safari Workaround from a very<br />
early stage during the Relevant Period. …”<br />
<br />
<br />
I interpose that factor (c), although no doubt true in relation to the class as a whole,<br />
<br />
plainly could not in fact be established in relation to any individual class member<br />
without evidence of what use, if any, was actually made of personal data of that<br />
individual by Google. If there is to be no individualised assessment, this factor must<br />
therefore be left out of account.<br />
<br />
<br />
<br />
89. The alternative case pleaded is that each member of the class is entitled to<br />
damages assessed as an amount which they could reasonably have charged for<br />
releasing Google from the duties which it breached. Again, it is contended that such<br />
damages should be assessed on a uniform per capita basis, “reflecting the generalised<br />
standard terms (rather than individuated basis) on which [Google] does business”.<br />
<br />
<br />
<br />
(2) Section 13 of the DPA 1998<br />
<br />
<br />
90. The claim for compensation made in the present case is founded (exclusively)<br />
on section 13 of the DPA 1998. This provides:<br />
<br />
“(1) An individual who suffers damage by reason of any<br />
contravention by a data controller of any of the requirements<br />
of this Act is entitled to compensation from the data<br />
controller for that damage.<br />
<br />
<br />
(2) An individual who suffers distress by reason of any<br />
<br />
contravention by a data controller of any of the requirements<br />
of this Act is entitled to compensation from the data<br />
controller for that distress if -<br />
<br />
<br />
(a) the individual also suffers damage by reason of the<br />
<br />
contravention, or<br />
<br />
<br />
(b) the contravention relates to the processing of<br />
personal data for the special purposes.<br />
<br />
<br />
(3) In proceedings brought against a person by virtue of<br />
this section it is a defence to prove that he had taken such<br />
<br />
care as in all the circumstances was reasonably required to<br />
comply with the requirement concerned.”<br />
<br />
<br />
91. Section 13 was intended to implement article 23 of the Data Protection<br />
Directive. This stated:<br />
<br />
<br />
<br />
“1. Member states shall provide that any person who has<br />
suffered damage as a result of an unlawful processing<br />
operation or of any act incompatible with the national<br />
provisions adopted pursuant to this Directive is entitled to<br />
<br />
receive compensation from the controller for the damage<br />
suffered.<br />
<br />
<br />
2. The controller may be exempted from this liability, in<br />
whole or in part, if he proves that he is not responsible for<br />
the event giving rise to the damage.”<br />
<br />
<br />
<br />
92. Two initial points can be made about the wording and structure of section 13.<br />
First, to recover compensation under this provision it is not enough to prove a breach<br />
by a data controller of its statutory duty under section 4(4) of the Act: an individual is<br />
<br />
only entitled to compensation under section 13 where “damage” - or in some<br />
circumstances “distress” - is suffered as a consequence of such a breach of duty.<br />
Second, it is plain from subsection (2) that the term “damage” as it is used in section<br />
13 does not include “distress”. The term “material damage” is sometimes used to<br />
describe any financial loss or physical or psychological injury, but excluding distress (or<br />
<br />
other negative emotions not amounting to a recognised psychiatric illness): see eg<br />
Watkins v Secretary of State for the Home Department [2006] UKHL 17; [2006] 2 AC<br />
395, para 7. Adopting this terminology, on a straightforward interpretation the term<br />
“damage” in section 13 refers only to material damage and compensation can only be<br />
<br />
recovered for distress if either of the two conditions set out in subsection (2) is met.<br />
<br />
<br />
(3) Vidal-Hall v Google Inc<br />
<br />
<br />
93. The effect of section 13 was considered by the Court of Appeal in Vidal-Hall v<br />
Google Inc [2016] QB 1003 on facts which, in terms of the generic allegations made,<br />
were identical to those on which the present claim is based. The three claimants<br />
<br />
sought damages arising out of the Safari workaround on two alternative bases: (1) at<br />
common law for misuse of private information; and (2) under section 13 of the DPA<br />
1998. As in the present case, permission to serve the proceedings outside the<br />
jurisdiction was opposed by Google. The main issues raised were: (1) whether misuse<br />
<br />
of private information is a tort for the purpose of the rules providing for service out of<br />
the jurisdiction; and (2) whether compensation can be recovered for distress under<br />
section 13 of the DPA 1998 in the absence of financial loss. The judge decided both<br />
issues in the claimants’ favour and the Court of Appeal affirmed that decision, for<br />
reasons given in a judgment written by Lord Dyson MR and Sharp LJ, with which<br />
<br />
Macfarlane LJ agreed.<br />
<br />
<br />
94. On the second issue Google submitted that, as discussed above, the term<br />
“damage” in section 13 must mean material damage, which for practical purposes<br />
limits its scope to financial loss. Hence section 13(2) has the effect that an individual<br />
<br />
may only recover compensation for distress suffered by reason of a contravention by a<br />
data controller of a requirement of the Act if either (a) the contravention also causes<br />
the individual to suffer financial loss or (b) the contravention relates to the processing<br />
of personal data for “special purposes” - which are defined as journalistic, artistic or<br />
<br />
literary purposes (see section 3). It was not alleged that either of those conditions was<br />
satisfied in the Vidal-Hall case.<br />
<br />
<br />
95. The Court of Appeal accepted that section 13(2) does indeed have this meaning<br />
but held that this makes it incompatible with article 23 of the Data Protection<br />
Directive, which section 13 of the DPA 1998 was meant to implement. This is because<br />
<br />
the word “damage” in article 23 is to be interpreted as including distress, which is the<br />
primary form of damage likely to be caused by an invasion of data privacy; and article<br />
23 does not permit national laws to restrict the right to receive compensation for<br />
“damage” where it takes the form of distress. The Court of Appeal considered whether<br />
it is possible to interpret section 13 in a way which achieves the result sought by the<br />
Directive, but concluded that the words of section 13 are not capable of being<br />
<br />
interpreted in such a way and that the limits set by Parliament to the right to<br />
compensation for breaches of the DPA 1998 are a fundamental feature of the UK<br />
legislative scheme. In the words of Lord Dyson MR and Sharp LJ in their joint judgment,<br />
at para 93, if the court were to disapply the limits on the right to compensation for<br />
<br />
distress set out in section 13(2), “the court would, in effect, be legislating against the<br />
clearly expressed intention of Parliament on an issue that was central to the scheme as<br />
a whole”.<br />
<br />
<br />
96. The Court of Appeal nevertheless held that section 13(2) should be disapplied<br />
on the ground that it conflicts with articles 7 and 8 of the Charter of Fundamental<br />
<br />
Rights of the European Union (“the EU Charter”). Article 7 of the EU Charter is in<br />
materially similar terms to article 8 of the European Convention for the Protection of<br />
Human Rights and Fundamental Freedoms (“the Convention”) and provides that<br />
“[e]veryone has the right to respect for his or her private and family life, home and<br />
<br />
communications”. Article 8(1) provides that “[e]veryone has the right to the protection<br />
of personal data concerning him or her”. In addition, article 47 requires that<br />
“[e]veryone whose rights and freedoms guaranteed by the law of the Union are<br />
violated has the right to an effective remedy before a tribunal …”. The Court of Appeal<br />
decided that, in order to provide an effective remedy for the rights guaranteed by<br />
<br />
articles 7 and 8 of the EU Charter, it was necessary that national law should give effect<br />
to the obligation under article 23 of the Data Protection Directive to provide a right to<br />
receive compensation from the data controller for any damage, including distress,<br />
suffered as a result of an unlawful processing operation. That result could and should<br />
<br />
be achieved by disapplying section 13(2) of the DPA 1998, thus enabling section 13(1)<br />
to be interpreted compatibly with article 23: see [2016] QB 1003, para 105.<br />
<br />
<br />
(4) Misuse of private information<br />
<br />
<br />
97. The Court of Appeal in Vidal-Hall also held that the claims for damages for<br />
<br />
misuse of private information made by the claimants in that case were properly<br />
classified as claims in tort for the purpose of service out of the jurisdiction and had a<br />
real prospect of success. As described at paras 18-25 of the judgment, the tort of<br />
misuse of private information evolved out of the equitable action for breach of<br />
confidence, influenced by the protection of the right to respect for private life<br />
<br />
guaranteed by article 8 of the Convention. The critical step in its emergence as a<br />
distinct basis for a claim was the identification of privacy of information as worthy of<br />
<br />
protection in its own right, irrespective of whether the information was imparted in<br />
circumstances which give rise to a duty of confidence: see Campbell v MGN Ltd [2004]<br />
UKHL 22; [2004] 2 AC 457. As Lord Hoffmann put it in Campbell, at para 50:<br />
<br />
<br />
“What human rights law has done is to identify private<br />
information as something worth protecting as an aspect of<br />
<br />
human autonomy and dignity.”<br />
<br />
<br />
98. The complaint in Campbell was about the publication of private information.<br />
Lord Nicholls of Birkenhead described the “essence of the tort”, at para 14, as “misuse<br />
of private information”. He also noted, however, at para 15, that an individual’s privacy<br />
<br />
can be invaded in ways not involving publication of information, and subsequent cases<br />
have held that intrusion on privacy, without any misuse of information, is actionable:<br />
see PJS v News Group Newspapers Ltd [2016] UKSC 26; [2016] 2 AC 1081, paras 58-60.<br />
It is misuse of information, however, which is primarily relevant in this case, and I shall<br />
generally - as counsel did in argument - use the label for the tort of “misuse of private<br />
<br />
information”.<br />
<br />
<br />
99. To establish liability for misuse of private information (or other wrongful<br />
invasion of privacy), it is necessary to show that there was a reasonable expectation of<br />
privacy in the relevant matter. As the Court of Appeal (Sir Anthony Clarke MR, Laws<br />
<br />
and Thomas LJJ) explained in upholding a claim to restrain the publication of<br />
photographs taken in a public place of the child of the well-known author, JK Rowling,<br />
in Murray v Express Newspapers plc [2008] EWCA Civ 446; [2009] Ch 481, para 36:<br />
<br />
<br />
“… the question whether there is a reasonable expectation of<br />
privacy is a broad one, which takes account of all the<br />
<br />
circumstances of the case. They include the attributes of the<br />
claimant, the nature of the activity in which the claimant was<br />
engaged, the place at which it was happening, the nature and<br />
purpose of the intrusion, the absence of consent and<br />
<br />
whether it was known or could be inferred, the effect on the<br />
claimant and the circumstances in which and the purposes<br />
for which the information came into the hands of the<br />
publisher.”<br />
<br />
<br />
<br />
If this test is met, in cases where freedom of expression is involved the court must then<br />
undertake a “balancing exercise” to decide whether in all the circumstances the<br />
interests of the owner of the private information must yield to the right to freedom of<br />
<br />
<br />
expression conferred on the publisher by article 10 of the Convention: see eg<br />
McKennitt v Ash [2006] EWCA Civ 1714; [2008] QB 73, para 9.<br />
<br />
<br />
(5) Gulati v MGN Ltd<br />
<br />
<br />
100. The measure of damages for wrongful invasion of privacy was considered in<br />
depth in Gulati v MGN Ltd [2015] EWHC 1482 (Ch); [2016] FSR 12 and [2015] EWCA Civ<br />
<br />
1291; [2017] QB 149 by Mann J and by the Court of Appeal. The eight test claimants in<br />
that case were individuals in the public eye whose mobile phones were hacked by<br />
newspapers, leading in some instances to the publication of articles containing<br />
information obtained by this means. The newspapers admitted liability for breach of<br />
<br />
privacy but disputed the amount of damages. Their main argument of principle was<br />
that (in the absence of material damage) all that could be compensated for was<br />
distress caused by their unlawful activities: see [2016] FSR 12, para 108. The judge<br />
rejected that argument. He said, at para 111, that he did not see why “distress (or<br />
some similar emotion), which would admittedly be a likely consequence of an invasion<br />
<br />
of privacy, should be the only touchstone for damages”. In his view:<br />
<br />
<br />
“While the law is used to awarding damages for injured<br />
feelings, there is no reason in principle … why it should not<br />
also make an award to reflect infringements of the right<br />
<br />
itself, if the situation warrants it.”<br />
<br />
<br />
101. The judge referred to cases in which damages have been awarded to very young<br />
children (only ten months or one year old) for misuse of private information by<br />
publishing photographs of them even though, because of their age, they could not<br />
have suffered any distress: see AAA v Associated Newspapers Ltd [2012] EWHC 2103<br />
<br />
(QB); [2013] EMLR 2; and Weller v Associated Newspapers Ltd [2014] EWHC 1163 (QB);<br />
[2014] EMLR 24. He concluded, at para 144:<br />
<br />
<br />
“I shall therefore approach the consideration of quantum in<br />
this case on the footing that compensation can be given for<br />
<br />
things other than distress, and in particular can be given for<br />
the commission of the wrong itself so far as that commission<br />
impacts on the values protected by the right.”<br />
<br />
<br />
Later in the judgment, at para 168, the judge referred back to his finding that:<br />
<br />
<br />
<br />
<br />
“the damages should compensate not merely for distress …,<br />
but should also compensate (if appropriate) for the loss of<br />
privacy or autonomy as such arising out [of] the infringement<br />
by hacking (or other mechanism) as such.”<br />
<br />
<br />
102. The Court of Appeal affirmed this decision: [2015] EWCA Civ 1291; [2017] QB<br />
<br />
149. Arden LJ (with whom Rafferty and Kitchin LJJ agreed) held, at para 45, that:<br />
<br />
<br />
“the judge was correct to conclude that the power of the<br />
court to grant general damages was not limited to distress<br />
and could be exercised to compensate the claimants also for<br />
<br />
the misuse of their private information. The essential<br />
principle is that, by misusing their private information, MGN<br />
deprived the claimants of their right to control the use of<br />
private information.”<br />
<br />
<br />
Arden LJ justified this conclusion, at para 46, on the basis that:<br />
<br />
<br />
<br />
“Privacy is a fundamental right. The reasons for having the<br />
right are no doubt manifold. Lord Nicholls of Birkenhead put<br />
it very succinctly in Campbell v MGN Ltd [2004] 2 AC 457,<br />
para 12: ‘[Privacy] lies at the heart of liberty in a modern<br />
<br />
state. A proper degree of privacy is essential for the<br />
well-being and development of an individual.’”<br />
<br />
<br />
103. The Court of Appeal in Gulati rejected a submission, also rejected by the judge,<br />
that granting damages for the fact of intrusion into a person’s privacy independently of<br />
<br />
any distress caused is inconsistent with the holding of this court in R (WL (Congo)) v<br />
Secretary of State for the Home Department [2011] UKSC 12; [2012] 1 AC 245, paras<br />
97-100, that vindicatory damages are not available as a remedy for violation of a<br />
private right. As Arden LJ pointed out at para 48, no question arose of awarding<br />
vindicatory damages of the kind referred to in WL (Congo), which have been awarded<br />
<br />
in some constitutional cases appealed to the Privy Council “to reflect the sense of<br />
public outrage, emphasise the importance of the constitutional right and the gravity of<br />
the breach, and deter further breaches”: see WL (Congo), para 98; Attorney General of<br />
Trinidad and Tobago v Ramanoop [2005] UKPC 15; [2006] 1 AC 328, para 19. Rather,<br />
<br />
the purpose of the relevant part of the awards made in Gulati was “to compensate for<br />
the loss or diminution of a right to control formerly private information”.<br />
<br />
<br />
<br />
104. Mann J’s reference to “loss of privacy or autonomy” and the Court of Appeal’s<br />
explanation that the claimants could be compensated for misuse of their private<br />
information itself because they were deprived of “their right to control [its] use”<br />
convey the point that English common law now recognises as a fundamental aspect of<br />
personal autonomy a person’s freedom to choose and right to control whether and<br />
<br />
when others have access to his or her private affairs: see on this point the helpful<br />
discussion by NA Moreham, “Compensating for Loss of Dignity and Autonomy” in<br />
Varuhas J and Moreham N (eds), Remedies for Breach of Privacy (2018) ch 5.<br />
<br />
<br />
(6) How the present claim is framed<br />
<br />
<br />
<br />
105. On the basis of the decisions of the Court of Appeal in Vidal-Hall and Gulati,<br />
neither of which is challenged by either party on this appeal, it would be open to Mr<br />
Lloyd to claim, at least in his own right: (1) damages under section 13(1) of the DPA<br />
1998 for any distress suffered by reason of any contravention by Google of any of the<br />
requirements of the Act; and/or (2) damages for the misuse of private information<br />
<br />
without the need to show that it caused any material damage or distress.<br />
<br />
<br />
106. Neither of these claims, however, is made in this case. The reasons why no<br />
claim is made in tort for misuse of private information have not been explained; but<br />
the view may have been taken that, to establish a reasonable expectation of privacy, it<br />
<br />
would be necessary to adduce evidence of facts particular to each individual claimant.<br />
In Vidal-Hall, the claimants produced confidential schedules about their internet use,<br />
showing that the information tracked and collected by Google in their cases was, in the<br />
Court of Appeal’s words at [2016] QB 1003, para 137, “often of an extremely private<br />
nature”. As discussed earlier, the need to obtain evidence in relation to individual<br />
<br />
members of the represented class would be incompatible with the representative<br />
claim which Mr Lloyd is seeking to bring.<br />
<br />
<br />
107. Similarly, to recover damages for distress under section 13(1) of the DPA 1998<br />
would require evidence of such distress from each individual for whom such a claim<br />
<br />
was made. Again, this would be incompatible with claiming damages on a<br />
representative basis.<br />
<br />
<br />
108. Instead of making either of these potential claims, the claimant seeks to break<br />
new legal ground by arguing that the principles identified in Gulati as applicable to the<br />
<br />
assessment of damages for misuse of private information at common law also apply to<br />
the assessment of compensation under section 13(1) of the DPA 1998. The case<br />
advanced, which is also supported by the Information Commissioner, is that the word<br />
<br />
<br />
“damage” in section 13(1) not only extends beyond material damage to include<br />
distress, as decided in Vidal-Hall, but also includes “loss of control” over personal data.<br />
<br />
<br />
(7) “Loss of control” over personal data<br />
<br />
<br />
109. There is potential for confusion in the use of this description. “Loss of control” is<br />
not an expression used in the DPA 1998 and, as the third interveners (the Association<br />
<br />
of the British Pharmaceutical Industry and Association of British HealthTech Industries)<br />
pointed out in their helpful written submissions, none of the requirements of the Act is<br />
predicated on “control” over personal data by the data subject. Under the legislative<br />
scheme the relevant control is that of the data controller: the entity which<br />
<br />
“determines the purposes for which and the manner in which any personal data are, or<br />
are to be, processed.” The nearest analogue to control as regards the data subject is<br />
his or her “consent to the processing”, being the first condition in Schedule 2 (see para<br />
22 above). Such consent, however, is neither necessary nor sufficient to render the<br />
processing of personal data compliant with the Act.<br />
<br />
<br />
<br />
110. It was made clear in submissions, however, that, in describing the basis for the<br />
compensation claimed as “loss of control” of personal data, the claimant is not seeking<br />
to single out a particular category of breaches of the DPA 1998 by a data controller as<br />
breaches in respect of which the data subject is entitled to compensation without<br />
<br />
proof of material damage or distress. The claimant’s case, which was accepted by the<br />
Court of Appeal, is that an individual is entitled to recover compensation under section<br />
13 of the DPA 1998 without proof of material damage or distress whenever a data<br />
controller fails to comply with any of the requirements of the Act in relation to any<br />
personal data of which that individual is the subject, provided only that the<br />
<br />
contravention is not trivial or de minimis. Any such contravention, on the claimant’s<br />
case, ipso facto involves “loss of control” of data for which compensation is payable.<br />
Only where the individual claiming compensation is not the data subject is it necessary<br />
on the claimant’s case to show that the individual has suffered material damage or<br />
<br />
distress.<br />
<br />
<br />
(8) The common source argument<br />
<br />
<br />
111. The claimant’s core argument for this interpretation is that, as a matter of<br />
principle, the same approach to the damage for which compensation can be awarded<br />
<br />
should apply under the data protection legislation as where the claim is brought in tort<br />
for misuse of private information because the two claims, although not coterminous,<br />
have a common source. Both seek to protect the same fundamental right to privacy<br />
<br />
<br />
guaranteed by article 8 of the Convention. This objective is expressly referred to in<br />
recital (10) of the Data Protection Directive, which states:<br />
<br />
<br />
“Whereas the object of the national laws on the processing<br />
of personal data is to protect fundamental rights and<br />
freedoms, notably the right to privacy, which is recognized<br />
<br />
both in article 8 of the European Convention for the<br />
Protection of Human Rights and Fundamental Freedoms and<br />
in the general principles of [EU] law; whereas, for that<br />
reason, the approximation of those laws must not result in<br />
<br />
any lessening of the protection they afford but must, on the<br />
contrary, seek to ensure a high level of protection in the<br />
[EU];”<br />
<br />
<br />
The aim of protecting the right to privacy with regard to the processing of personal<br />
data is also articulated in recitals (2), (7), (8) and (11) of the Data Protection Directive,<br />
<br />
and is spelt out in article 1 which states:<br />
<br />
<br />
“Object of the Directive<br />
<br />
<br />
In accordance with this Directive, member states shall<br />
protect the fundamental rights and freedoms of natural<br />
<br />
persons, and in particular their right to privacy with respect<br />
to the processing of personal data.”<br />
<br />
<br />
Reliance is also placed on the recognition in article 8 of the EU Charter, quoted at para<br />
96 above, of the right to the protection of personal data as a fundamental right in EU<br />
<br />
law.<br />
<br />
<br />
112. The claimant argues that, given that the tort of misuse of private information<br />
and the data protection legislation are both rooted in the same fundamental right to<br />
privacy, it would be wrong in principle to adopt a different approach to the nature of<br />
the damage which can be compensated under the two regimes. The conclusion should<br />
<br />
therefore be drawn that, in each case, damages can be recovered for interference with<br />
the claimant’s right, without the need to prove that the interference resulted in any<br />
material damage or distress.<br />
<br />
<br />
113. I cannot accept this argument for two reasons. First, even if the suggested<br />
<br />
analogy between the privacy tort and the data protection regime were persuasive,<br />
section 13(1) of the DPA 1998 cannot, in my opinion, properly be interpreted as having<br />
the meaning for which the claimant contends. Second, the logic of the argument by<br />
analogy is in any event flawed.<br />
<br />
<br />
(a) The wording of the DPA 1998<br />
<br />
<br />
114. I do not accept a submission made by counsel for Google that the interpretation<br />
<br />
of section 13 of the DPA 1998 should be approached on the basis of a general rule that<br />
breaches of statutory duty are not actionable without proof of material damage. The<br />
question in Cullen v Chief Constable of the Royal Ulster Constabulary [2003] UKHL 39;<br />
[2003] 1 WLR 1763, relied on to support this submission, was whether a statute which<br />
<br />
did not expressly confer a right to compensation on a person affected by a breach of<br />
statutory duty nevertheless conferred such a right impliedly. That is not the question<br />
raised in this case, where there is an express entitlement to compensation provided by<br />
section 13 of the DPA 1998. The only question in this case is what the words of the<br />
relevant statutory provision mean.<br />
<br />
<br />
<br />
115. Those words, however, cannot reasonably be interpreted as giving an individual<br />
a right to compensation without proof of material damage or distress whenever a data<br />
controller commits a non-trivial breach of any requirement of the Act in relation to any<br />
personal data of which that individual is the subject. In the first place, as discussed<br />
<br />
above, the wording of section 13(1) draws a distinction between “damage” suffered by<br />
an individual and a “contravention” of a requirement of the Act by a data controller,<br />
and provides a right to compensation “for that damage” only if the “damage” occurs<br />
“by reason of” the contravention. This wording is inconsistent with an entitlement to<br />
compensation based solely on proof of the contravention. To say, as the claimant does<br />
<br />
in its written case, that what is “damaged” is the data subject’s right to have their data<br />
processed in accordance with the requirements of the Act does not meet this point, as<br />
it amounts to an acknowledgement that on the claimant’s case the damage and the<br />
contravention are one and the same.<br />
<br />
<br />
<br />
116. Nor is the claimant’s case assisted by section 14 of the DPA 1998, on which<br />
reliance is placed. Section 14(1) gives the court power, on the application of a data<br />
subject, to order a data controller to rectify, block, erase or destroy personal data if<br />
satisfied that the data are inaccurate. Section 14(4) states:<br />
<br />
<br />
<br />
“If a court is satisfied on the application of a data subject -<br />
<br />
<br />
<br />
<br />
(a) that he has suffered damage by reason of any<br />
contravention by a data controller of any of the<br />
requirements of this Act in respect of any personal<br />
data, in circumstances entitling him to compensation<br />
under section 13, and<br />
<br />
<br />
<br />
(b) that there is a substantial risk of further<br />
contravention in respect of those data in such<br />
circumstances,<br />
<br />
<br />
the court may order the rectification, blocking, erasure or<br />
<br />
destruction of any of those data.”<br />
<br />
<br />
117. Counsel for the claimant submitted that, if Google’s case on what is meant by<br />
“damage” is correct, a data subject who does not suffer material damage or distress as<br />
a result of a breach of duty by a data controller cannot claim rectification, blocking,<br />
erasure or destruction of data, unless those data are inaccurate, however egregious<br />
<br />
the breach. This is true, but I can see nothing unreasonable in such a result. Indeed,<br />
section 14 seems to me positively to confirm that “damage” means something distinct<br />
from a contravention of the Act itself. If a contravention by a data controller of the Act<br />
could by itself constitute “damage”, section 14(4)(a) would be otiose and there would<br />
<br />
be no material distinction in the remedies available in cases where the data are<br />
inaccurate and in cases where the data are accurate. The manifest intention behind<br />
section 14 is to limit the remedies of rectification, blocking, erasure or destruction of<br />
accurate data to cases where the contravention of the Act has caused the data subject<br />
some harm distinct from the contravention itself, whereas no such limitation is<br />
<br />
imposed where the contravention involves holding inaccurate personal data.<br />
<br />
<br />
118. The second reason why the claimant’s interpretation is impossible to reconcile<br />
with the language of section 13 is that, as the Court of Appeal recognised in Vidal-Hall,<br />
it is plain from the words enacted by Parliament that the term “damage” was intended to<br />
<br />
be limited to material damage and not to extend to “distress”. The only basis on which<br />
the Court of Appeal in Vidal-Hall was able to interpret the term “damage” as<br />
encompassing distress was by disapplying section 13(2) as being incompatible with EU<br />
law. By the same token, if the term “damage” in section 13 is to be interpreted as<br />
<br />
having an even wider meaning and as encompassing an infringement of a data<br />
subject’s rights under the Act which causes no material damage nor even distress, that<br />
could only be because this result is required by EU law. On a purely domestic<br />
interpretation of the DPA 1998, such a reading is untenable.<br />
<br />
<br />
<br />
(b) The effect of EU law<br />
<br />
<br />
119. It is not suggested in the present case that section 13(1) should be disapplied:<br />
the claimant’s case is founded on it. No argument of the kind which succeeded in<br />
Vidal-Hall that words of the statute must be disapplied because they conflict with EU<br />
law is therefore available (or is advanced by the claimant). The question is whether the<br />
<br />
term “damage” in section 13(1) can and should be interpreted as having the meaning<br />
for which the claimant contends because such an interpretation is required in order to<br />
make the domestic legislation compatible with EU law. There are two aspects of this<br />
question: (i) what does the term “damage” mean in article 23 of the Data Protection<br />
<br />
Directive, which section 13 of the DPA 1998 was intended to implement; and (ii) if<br />
“damage” in article 23 includes contraventions of the national provisions adopted<br />
pursuant to the Directive which cause no material damage or distress, is it possible to<br />
interpret the term “damage” in section 13(1) of the DPA 1998 as having the same<br />
meaning?<br />
<br />
<br />
<br />
120. To take the second point first, it does not seem to me possible to interpret the<br />
term “damage” in section 13(1) of the DPA 1998 as having the meaning for which the<br />
claimant contends, even if such an interpretation were necessary to make the Act<br />
compatible with the Data Protection Directive. In Vidal-Hall the Court of Appeal held,<br />
<br />
rightly in my opinion, that section 13 of the DPA 1998 could not be construed as<br />
providing a general right to compensation for distress suffered by reason of a<br />
contravention of the Act “without contradicting the clearly expressed intention of<br />
Parliament on an issue that was central to the scheme” of the legislation (see para 95<br />
above). The same is equally, if not all the more, true of the contention that section 13<br />
<br />
of the DPA 1998 can be interpreted as providing a right to compensation for<br />
contraventions of the Act which have not caused any distress, let alone material<br />
damage. The distinction between “damage” suffered by an individual and a<br />
“contravention” of a requirement of the Act by a data controller which causes such<br />
<br />
damage is a fundamental feature of the remedial scheme provided by the Act which,<br />
as indicated above, permeates section 14 as well as section 13. If it were found that<br />
this feature makes the DPA 1998 incompatible with the Data Protection Directive, such<br />
incompatibility could, in my view, only be removed by amending the legislation. That<br />
<br />
could only be done by Parliament.<br />
<br />
<br />
121. No such incompatibility arises, however, as there is no reason to interpret the<br />
term “damage” in article 23 of the Data Protection Directive as extending beyond<br />
material damage and distress. The wording of article 23 draws exactly the same<br />
distinction as section 13(1) of the DPA 1998 between “damage” and an unlawful act of<br />
<br />
which the damage is “a result”. Again, this wording identifies the “damage” for which a<br />
person is entitled to receive compensation as distinct from the wrongful act which<br />
<br />
causes the damage. This is inconsistent with giving a right to compensation for the<br />
unlawful act itself on the basis that the act constitutes an interference with the<br />
claimant’s data protection rights. Nor has any authority been cited which suggests that<br />
the term “damage”, either generally in EU law or in the specific context of article 23 of<br />
the Data Protection Directive, is to be interpreted as including an infringement of a<br />
<br />
legal right which causes no material damage or distress.<br />
<br />
<br />
122. If there were evidence that at least some national laws on the processing of<br />
personal data which pre-dated the Data Protection Directive and are referred to in<br />
recital (10), quoted at para 111 above, provided a right to compensation for unlawful<br />
<br />
processing without proof of material damage or distress, that might arguably support<br />
an inference that the Directive was intended to ensure a similarly high level of<br />
protection across all member states. But it has not been asserted that any national<br />
laws did so. The Data Protection Act 1984, which was the applicable UK legislation<br />
when the Data Protection Directive was adopted, in sections 22 and 23 gave the data<br />
<br />
subject an entitlement to compensation in certain circumstances for damage or<br />
distress suffered by reason of the inaccuracy of data or the loss or unauthorised<br />
destruction or disclosure of data or unauthorised obtaining of access to data. By clear<br />
implication, UK national law gave no right to compensation for unlawful processing of<br />
<br />
personal data which did not result in material damage or distress. There is no evidence<br />
that the national law of any other member state at that time did so either.<br />
<br />
<br />
123. EU law therefore does not provide a basis for giving a wider meaning to the<br />
term “damage” in section 13 of the DPA 1998 than was given to that term by the Court<br />
of Appeal in Vidal-Hall.<br />
<br />
<br />
<br />
(c) Flaws in the common source argument<br />
<br />
<br />
124. I also reject the claimant’s argument that the decision in Gulati affords any<br />
assistance to its case on this issue. Leaving aside the fact that Gulati was decided many<br />
years after the Data Protection Directive was adopted, there is no reason on the face<br />
<br />
of it why the basis on which damages are awarded for an English domestic tort should<br />
be regarded as relevant to the proper interpretation of the term “damage” in a<br />
statutory provision intended to implement a European directive. The claimant relies on<br />
the fact that both derive from the right to respect for private life protected by article 8<br />
<br />
of the Convention (and incorporated in article 7 of the EU Charter when it was created<br />
in 2007). It does not follow, however, from the fact that two different legal regimes<br />
aim, at a general level, to provide protection for the same fundamental value that they<br />
must do so in the same way or to the same extent or by affording identical remedies.<br />
There are significant differences between the nature and scope of the common law<br />
<br />
privacy tort and the data protection legislation, to which I will draw attention in a<br />
moment. But the first point to note is that the decision in Gulati that damages can be<br />
awarded for misuse of private information itself was not compelled by article 8 of the<br />
Convention; nor did article 8 require the adoption of the particular legal framework<br />
governing the protection of personal data contained in the Data Protection Directive<br />
and the DPA 1998.<br />
<br />
<br />
<br />
125. The Convention imposes obligations on the states which are parties to it, but<br />
not on private individuals and bodies. In some cases the obligations on state parties<br />
extend beyond negative obligations not to act in ways which violate the Convention<br />
rights and include certain positive obligations on the state to ensure effective<br />
<br />
protection of those rights. That is so as regards the right to respect for private life<br />
guaranteed by article 8. The European Court of Human Rights has held that in certain<br />
circumstances the state’s positive obligations under article 8 are not adequately<br />
fulfilled unless the state secures respect for private life in the relations between<br />
individuals by setting up a legislative framework taking into consideration the various<br />
<br />
interests to be protected in a particular context. However, the court has emphasised<br />
that there are different ways of ensuring respect for private life and that “the choice of<br />
the means calculated to secure compliance with article 8 of the Convention in the<br />
sphere of the relations of individuals between themselves is in principle a matter that<br />
<br />
falls within the contracting states’ margin of appreciation”: see the judgment of the<br />
Grand Chamber in Bărbulescu v Romania [2017] ECHR 754; [2017] IRLR 1032, para 113.<br />
<br />
<br />
126. While the House of Lords in Campbell drew inspiration from article 8, it did not<br />
suggest that the Convention or the Human Rights Act 1998 required the recognition of<br />
a civil claim for damages for misuse of private information in English domestic law, let<br />
<br />
alone that damages should be recoverable in such claim where no material damage or<br />
distress has been caused. In Gulati the Court of Appeal rejected an argument that the<br />
approach to awarding damages for misuse of private information ought to follow the<br />
approach of the European Court of Human Rights in making awards of just satisfaction<br />
<br />
under article 41 of the Convention. As Arden LJ observed, at para 89, in awarding<br />
damages for misuse of private information, the court is not proceeding under section 8<br />
of the Human Rights Act 1998 or article 41 of the Convention, and the conditions of<br />
the tort are governed by English domestic law and not the Convention.<br />
<br />
<br />
<br />
127. For those reasons, I do not regard as relevant the decision of the European<br />
Court of Human Rights in Halford v United Kingdom (1997) 24 EHRR 523, relied on by<br />
counsel for the claimant. In Halford a senior police officer whose telephone calls had<br />
been intercepted by her employer in violation of article 8 was awarded £10,000 as just<br />
satisfaction. As Lord Sales pointed out in argument, on one reading of the judgment,<br />
<br />
which is far from clear, although it could not be shown that the interception of the<br />
applicant’s phone calls, as opposed to other conflicts with her employer, had caused<br />
<br />
stress for which she had required medical treatment, it was reasonably assumed that<br />
this invasion of privacy had caused her mental harm. Even if the award of just<br />
satisfaction is understood to have been for the invasion of the right to privacy itself<br />
rather than for any distress felt by the applicant, however, it does not follow that, in an<br />
action between private parties under national law for a similar invasion of privacy, the<br />
<br />
Convention requires the court to be able to award damages simply for the loss of<br />
privacy itself.<br />
<br />
<br />
128. Whilst it may be said that pursuant to the general principles of EU law<br />
embodied in articles 7 and 8 of the EU Charter the EU had a positive obligation to<br />
<br />
establish a legislative framework providing for protection of personal data, there was<br />
clearly a wide margin of choice as to the particular regime adopted; and the same<br />
applies to the positive obligation imposed directly on the UK by the Convention. It<br />
could not seriously be argued that the content of those positive obligations included a<br />
requirement to establish a right to receive compensation for any (non-trivial) breach of<br />
<br />
any requirement (in relation to any personal data of which the claimant is the subject)<br />
of whatever legislation the EU and UK chose to enact in this area without the need to<br />
prove that the claimant suffered any material damage or distress as a result of the<br />
breach.<br />
<br />
<br />
<br />
129. Accordingly, the fact that the common law privacy tort and the data protection<br />
legislation have a common source in article 8 of the Convention does not justify<br />
reading across the principles governing the award of damages from one regime to the<br />
other.<br />
<br />
<br />
(d) Material differences between the regimes<br />
<br />
<br />
<br />
130. There are further reasons why no such analogy can properly be drawn<br />
stemming from the differences between the two regimes. It is plain that the detailed<br />
scheme for regulating the processing of personal data established by the Data<br />
Protection Directive extended beyond the scope of article 8 and much more widely<br />
<br />
than the English domestic tort of misusing private information. An important<br />
difference is that the Directive (and the UK national legislation implementing it)<br />
applied to all “personal data” with no requirement that the data are of a confidential<br />
or private nature or that there is a reasonable expectation of privacy protection. By<br />
<br />
contrast, information is protected against misuse by the domestic tort only where<br />
there is a reasonable expectation of privacy. The reasonable expectation of privacy of<br />
the communications illicitly intercepted by the defendants in the phone hacking<br />
litigation was an essential element of the decision in Gulati that the claimants were<br />
entitled to compensation for the commission of the wrong itself. It cannot properly be<br />
<br />
<br />
inferred that the same entitlement should arise where a reasonable expectation of<br />
privacy is not a necessary element of the claim.<br />
<br />
<br />
131. This point goes to the heart of the approach adopted by the claimant in the<br />
present case. Stripped to its essentials, what the claimant is seeking to do is to claim<br />
for each member of the represented class a form of damages the rationale for which<br />
<br />
depends on there being a violation of privacy, while avoiding the need to show a<br />
violation of privacy in the case of any individual member of the class. This is a flawed<br />
endeavour.<br />
<br />
<br />
132. Another significant difference between the privacy tort and the data protection<br />
<br />
legislation is that a claimant is entitled to compensation for a contravention of the<br />
legislation only where the data controller has failed to exercise reasonable care. Some<br />
contraventions are inherently fault based. For example, the seventh data protection<br />
principle with which a data controller has a duty to comply pursuant to section 4(4) of<br />
the DPA 1998 (and article 17 of the Data Protection Directive) states:<br />
<br />
<br />
<br />
“Appropriate technical and organisational measures shall be<br />
taken against unauthorised or unlawful processing of<br />
personal data and against accidental loss or destruction of, or<br />
damage to, personal data.”<br />
<br />
<br />
<br />
A complaint that a data controller has failed to take such “appropriate technical and<br />
organisational measures” is similar to an allegation of negligence in that it is<br />
predicated on failure to meet an objective standard of care rather than on any<br />
intentional conduct. Even where a contravention of the legislation does not itself<br />
require fault, pursuant to section 13(3), quoted at para 90 above, there is no<br />
<br />
entitlement to compensation if the data controller proves that it took “such care as in<br />
all the circumstances was reasonably required to comply with the requirement<br />
concerned”.<br />
<br />
<br />
133. The privacy tort, like other torts for which damages may be awarded without<br />
<br />
proof of material damage or distress, is a tort involving strict liability for deliberate<br />
acts, not a tort based on a want of care. No inference can be drawn from the fact that<br />
compensation can be awarded for commission of the wrong itself where private<br />
information is misused that the same should be true where the wrong may consist only<br />
<br />
in a failure to take appropriate protective measures and where the right to<br />
compensation is expressly excluded if the defendant took reasonable care.<br />
<br />
<br />
<br />
134. Indeed, this feature of the data protection legislation seems to me to be a yet<br />
further reason to conclude that the “damage” for which an individual is entitled to<br />
compensation for a breach of any of its requirements does not include the commission<br />
of the wrong itself. It would be anomalous if failure to take reasonable care to protect<br />
personal data gave rise to a right to compensation without proof that the claimant<br />
<br />
suffered any material damage or distress when failure to take care to prevent personal<br />
injury or damage to tangible moveable property does not.<br />
<br />
<br />
135. Accordingly, I do not accept that the decision in Gulati is applicable by analogy<br />
to the DPA 1998. To the contrary, there are significant differences between the privacy<br />
<br />
tort and the data protection legislation which make such an analogy positively<br />
inappropriate.<br />
<br />
<br />
(e) Equivalence and effectiveness<br />
<br />
<br />
136. I add for completeness that the EU law principles of equivalence and<br />
effectiveness, on which the Court of Appeal placed some reliance, do not assist the<br />
<br />
claimant’s case. The principle of equivalence requires that procedural rules governing<br />
claims for breaches of EU law rights must not be less favourable than procedural rules<br />
governing equivalent domestic actions. As explained by Lord Briggs, giving the<br />
judgment of this court, in Totel Ltd v Revenue and Customs Comrs [2018] UKSC 44;<br />
<br />
[2018] 1 WLR 4053, para 7, the principle is “essentially comparative”. Thus:<br />
<br />
<br />
“The identification of one or more similar procedures for the<br />
enforcement of claims arising in domestic law is an essential<br />
prerequisite for its operation. If there is no true comparator,<br />
then the principle of equivalence can have no operation at<br />
<br />
all. The identification of one or more true comparators is<br />
therefore the essential first step in any examination of an<br />
assertion that the principle of equivalence has been<br />
infringed.” [citation omitted]<br />
<br />
<br />
<br />
For the reasons given, even if the measure of damages is regarded as a procedural<br />
rule, a claim for damages for misuse of private information at common law is not a<br />
true comparator of a claim under section 13 of the DPA 1998. The principle of<br />
equivalence can therefore have no operation.<br />
<br />
<br />
<br />
137. The principle of effectiveness invalidates a national procedure if it renders the<br />
enforcement of a right conferred by EU law either virtually impossible or excessively<br />
<br />
difficult: see again Totel Ltd at para 7. However, the absence of a right to<br />
compensation for a breach of data protection rights which causes no material damage<br />
or distress, even if regarded as a procedural limitation, does not render the<br />
enforcement of such rights virtually impossible or excessively difficult. The right to an<br />
effective remedy does not require awards of compensation for every (non-trivial)<br />
<br />
breach of statutory requirements even if no material damage or distress has been<br />
suffered.<br />
<br />
<br />
(f) Conclusion on the effect of section 13<br />
<br />
<br />
138. For all these reasons, I conclude that section 13 of the DPA 1998 cannot<br />
<br />
reasonably be interpreted as conferring on a data subject a right to compensation for<br />
any (non-trivial) contravention by a data controller of any of the requirements of the<br />
Act without the need to prove that the contravention has caused material damage or<br />
distress to the individual concerned.<br />
<br />
<br />
(9) The claim for user damages<br />
<br />
<br />
<br />
139. “User damages” is the name commonly given to a type of damages readily<br />
awarded in tort where use has wrongfully been made of someone else’s land or<br />
tangible moveable property although there has been no financial loss or physical<br />
damage to the property. The damages are assessed by estimating what a reasonable<br />
<br />
person would have paid for the right of user. Damages are also available on a similar<br />
basis for patent infringement and other breaches of intellectual property rights.<br />
Following the seminal decision of this court in OneStep (Support) Ltd v Morris-Garner<br />
[2018] UKSC 20; [2019] AC 649, it is now clear that user damages are compensatory in<br />
nature, their purpose being to compensate the claimant for interference with a right to<br />
<br />
control the use of property where the right is a commercially valuable asset. As Lord<br />
Reed explained in Morris-Garner, at para 95(1):<br />
<br />
<br />
“The rationale of such awards is that the person who makes<br />
wrongful use of property, where its use is commercially<br />
<br />
valuable, prevents the owner from exercising a valuable right<br />
to control its use, and should therefore compensate him for<br />
the loss of the value of the exercise of that right. He takes<br />
something for nothing, for which the owner was entitled to<br />
<br />
require payment.”<br />
<br />
<br />
<br />
<br />
140. Lord Reed, at paras 27 and 29, cited authorities which make it clear that the<br />
entitlement to user damages does not depend on whether the owner would in fact<br />
have exercised the right to control the use of the property, had it not been interfered<br />
with. The “loss” for which the claimant is entitled to compensation is not loss of this<br />
“conventional kind” (para 30); rather, it lies in the wrongful use of the claimant’s<br />
<br />
property itself, for which the economic value of the use provides an appropriate<br />
measure. This value can be assessed by postulating a hypothetical negotiation and<br />
estimating what fee would reasonably have been agreed for releasing the defendant<br />
from the duty which it breached. It is this method of assessment on which the claimant<br />
<br />
relies in the alternative formulation of the present claim.<br />
<br />
<br />
141. A claim in tort for misuse of private information based on the factual allegations<br />
made in this case, such as was made in Vidal-Hall, would naturally lend itself to an<br />
award of user damages. The decision in Gulati shows that damages may be awarded<br />
for the misuse of private information itself on the basis that, apart from any material<br />
<br />
damage or distress that it may cause, it prevents the claimant from exercising his or<br />
her right to control the use of the information. Nor can it be doubted that information<br />
about a person’s internet browsing history is a commercially valuable asset. What was<br />
described by the Chancellor in the Court of Appeal [2020] QB 747, para 46, as “the<br />
<br />
underlying reality of this case” is that Google was allegedly able to make a lot of money<br />
by tracking the browsing history of iPhone users without their consent and selling the<br />
information collected to advertisers.<br />
<br />
<br />
142. The view has sometimes been expressed that asserting privacy in information is<br />
inconsistent, or at least in tension, with treating such information as a commercial<br />
<br />
asset: see eg Douglas v Hello! Ltd (No 3) [2005] EWCA Civ 595; [2006] QB 125, para<br />
246; and on appeal sub nom OBG Ltd v Allan [2007] UKHL 21; [2008] AC 1, para 275<br />
(Lord Walker of Gestingthorpe). But once the basis of the right to privacy is understood<br />
to be the protection of a person’s freedom to choose and right to control whether and<br />
<br />
when others have access to his or her private affairs, I think that any tension largely<br />
disappears. It is common experience that some people are happy to exploit for<br />
commercial gain facets of their private lives which others would feel mortified at<br />
having exposed to public view. Save in the most extreme cases, this should be seen as<br />
<br />
a matter of personal choice on which it is not for the courts to pass judgments.<br />
Moreover, where the defendant’s very purpose in wrongfully obtaining and using<br />
private information is to exploit its commercial value, the law should not be prissy<br />
about awarding compensation based on the commercial value of the exercise of the<br />
right. As was confirmed in Morris-Garner, the fact that the claimant would not have<br />
<br />
chosen to exercise the right himself is no answer to a claim for user damages. It is<br />
enough that, as Lord Reed put it at paras 30 and 95(1) of his majority judgment, the<br />
defendant has taken something for nothing, for which the owner of the right was<br />
entitled to require payment.<br />
<br />
143. The point does not arise in the present case, however, because the claimant is<br />
not claiming damages for misuse of private information. As discussed, the only claim<br />
advanced is under the DPA 1998. Here it follows from the conclusion reached above<br />
about the meaning of section 13 that user damages are not available. This is because,<br />
for the reasons given, compensation can only be awarded under section 13 of the DPA<br />
<br />
1998 for material damage or distress caused by an infringement of a claimant’s right to<br />
have his or her personal data processed in accordance with the requirements of the<br />
Act, and not for the infringement itself. Although his reasoning was in part based on an<br />
understanding of user damages overtaken by this court’s decision in Morris-Garner, it<br />
<br />
follows that Patten J was right to hold in Murray v Express Newspapers Plc [2007]<br />
EWHC 1908 (Ch); [2007] EMLR 22, at para 92, that the principles on which user<br />
damages are awarded do not apply to a claim for compensation under the DPA 1998.<br />
<br />
<br />
F. THE NEED FOR INDIVIDUALISED EVIDENCE OF MISUSE<br />
<br />
<br />
144. There is a further reason why the claimant’s attempt to recover damages under<br />
<br />
section 13 of the DPA 1998 by means of a representative claim cannot succeed. Even if<br />
(contrary to my conclusion) it were unnecessary in order to recover compensation<br />
under this provision to show that an individual has suffered material damage or<br />
distress as a result of unlawful processing of his or her personal data, it would still be<br />
<br />
necessary for this purpose to establish the extent of the unlawful processing in his or<br />
her individual case. In deciding what amount of damages, if any, should be awarded,<br />
relevant factors would include: over what period of time did Google track the<br />
individual’s internet browsing history? What quantity of data was unlawfully<br />
processed? Was any of the information unlawfully processed of a sensitive or private<br />
<br />
nature? What use did Google make of the information and what commercial benefit, if<br />
any, did Google obtain from such use?<br />
<br />
<br />
(1) The claim for the “lowest common denominator”<br />
<br />
<br />
145. The claimant does not dispute that the amount of any compensation awarded<br />
<br />
must in principle depend on such matters. But he contends that it is possible to<br />
identify an “irreducible minimum harm” suffered by every member of the class whom<br />
he represents for which a “uniform sum” of damages can be awarded. This sum is<br />
claimed on the basis that it represents what the Chancellor in the Court of Appeal<br />
<br />
described as the “lowest common denominator” of all the individual claims: see [2020]<br />
QB 747, para 75.<br />
<br />
<br />
146. Google objects that Mr Lloyd, as the self-appointed representative of the class,<br />
has no authority from any individual class member to waive or abandon what may be<br />
<br />
the major part of their damages claim by disavowing reliance on any circumstances<br />
affecting that individual. Mr Lloyd’s answer, which the Court of Appeal accepted, is a<br />
pragmatic one. He points out that the limitation period for bringing any proceedings<br />
has now expired. For any represented individual there is therefore no longer any<br />
realistic possibility of recovering any compensation at all other than through the<br />
<br />
present action. Furthermore, to make this action viable, it is necessary to confine the<br />
amount of damages claimed for each class member to a uniform sum; and a uniform<br />
sum of damages, even if considerably smaller than an individualised award would be, is<br />
better than nothing.<br />
<br />
<br />
<br />
147. I do not think it necessary to enter into the merits of this issue. I am prepared to<br />
assume, without deciding, that as a matter of discretion the court could - if satisfied<br />
that the persons represented would not be prejudiced and with suitable arrangements<br />
in place enabling them to opt out of the proceedings if they chose - allow a<br />
representative claim to be pursued for only a part of the compensation that could<br />
<br />
potentially be claimed by any given individual. The fundamental problem is that, if no<br />
individual circumstances are taken into account, the facts alleged are insufficient to<br />
establish that any individual member of the represented class is entitled to damages.<br />
That is so even if it is unnecessary to prove that the alleged breaches caused any<br />
<br />
material damage or distress to the individual.<br />
<br />
<br />
(2) The facts common to each individual case<br />
<br />
<br />
148. The facts alleged against Google generically cannot establish that any given<br />
individual is entitled to compensation. To establish any such individual entitlement it<br />
must be shown, at least, that there was unlawful processing by Google of personal<br />
<br />
data of which that particular individual was the subject. In considering whether the<br />
facts alleged, if proved, are capable of establishing an entitlement to damages, it is<br />
therefore necessary to identify what unlawful processing by Google of personal data is<br />
alleged to have occurred in Mr Lloyd’s own case and also in the case of each other<br />
<br />
member of the represented class. What facts is the claimant proposing to prove to<br />
show that Google acted unlawfully in each individual case?<br />
<br />
<br />
149. The answer, on analysis, is: only those facts which are necessary to show that<br />
the individual falls within the definition of the “claimant class”. The premise of the<br />
<br />
claim is that Mr Lloyd and each person whom he represents is entitled to damages<br />
simply on proof that they are members of the class and without the need to prove any<br />
further facts to show that Google wrongfully collected and used their personal data.<br />
Any such further facts would inevitably vary from one individual member of the class<br />
to another and would require individual proof.<br />
<br />
<br />
150. To fall within the definition of the class, it must be shown, in substance, that the<br />
individual concerned had an iPhone of the appropriate model running a relevant<br />
version of the Apple Safari internet browser which, at any date during the relevant<br />
period whilst present in England and Wales, he or she used to access a website that<br />
was participating in Google’s DoubleClick advertising service. There are exclusions<br />
<br />
from the class definition for anyone who changed the default settings in the Safari<br />
browser, opted out of tracking and collation via Google’s “Ads Preference Manager” or<br />
obtained a DoubleClick Ad cookie via a “first party request” rather than as a “third<br />
party cookie”. The aim of the definition is to identify all those people who had a<br />
<br />
DoubleClick Ad cookie placed on their device unlawfully, through the Safari<br />
workaround, but not to include within the class anyone who did not receive a<br />
DoubleClick Ad cookie during the relevant period or who received the cookie by lawful<br />
means.<br />
<br />
<br />
151. It is sufficient to bring an individual within the class definition that he or she<br />
<br />
used the Safari browser to access a website participating in Google’s DoubleClick<br />
advertising service on a single occasion. The theory is that on that occasion the<br />
DoubleClick Ad cookie will have been placed on the user’s device unlawfully as a third<br />
party cookie. To qualify for membership of the class, it is not necessary to show that<br />
<br />
the individual ever visited a website participating in Google’s DoubleClick advertising<br />
service again during the relevant period. Nor is it alleged that any individual or<br />
individuals did visit such a website on more than one occasion. The “lowest common<br />
denominator” on which the claim is based is therefore someone whose internet usage<br />
- apart from one visit to a single website - was not illicitly tracked and collated and who<br />
<br />
received no targeted advertisements as a result of receiving a DoubleClick Ad cookie.<br />
This is because the claimant has deliberately chosen, in order to advance a claim in a<br />
representative capacity for damages assessed from the bottom up, not to rely on any<br />
facts about the internet activity of any individual iPhone user beyond those which<br />
<br />
bring them within the class of represented persons.<br />
<br />
<br />
152. For reasons given earlier, I am leaving aside the difficulties of proving<br />
membership of the class, significant as they would appear to be, and am assuming that<br />
such difficulties are not an impediment to the claim. But the question that must be<br />
<br />
asked is whether membership of the represented class is sufficient by itself to entitle<br />
an individual to compensation, without proof of any further facts particular to that<br />
individual.<br />
<br />
<br />
153. On the claimant’s own case there is a threshold of seriousness which must be<br />
crossed before a breach of the DPA 1998 will give rise to an entitlement to<br />
<br />
compensation under section 13. I cannot see that the facts which the claimant aims to<br />
prove in each individual case are sufficient to surmount this threshold. If (contrary to<br />
<br />
the conclusion I have reached) those facts disclose “damage” within the meaning of<br />
section 13 at all, I think it impossible to characterise such damage as more than trivial.<br />
What gives the appearance of substance to the claim is the allegation that Google<br />
secretly tracked the internet activity of millions of Apple iPhone users for several<br />
months and used the data obtained for commercial purposes. But on analysis the<br />
<br />
claimant is seeking to recover damages without attempting to prove that this<br />
allegation is true in the case of any individual for whom damages are claimed. Without<br />
proof of some unlawful processing of an individual’s personal data beyond the bare<br />
minimum required to bring them within the definition of the represented class, a claim<br />
<br />
on behalf of that individual has no prospect of meeting the threshold for an award of<br />
damages.<br />
<br />
<br />
(3) User damages on a lowest common denominator basis<br />
<br />
<br />
154. The claimant’s case is not improved by formulating the claim as one for user<br />
damages quantified by estimating what fee each member of the represented class<br />
<br />
could reasonably have charged - or which would reasonably have been agreed in a<br />
hypothetical negotiation - for releasing Google from the duties which it breached. I<br />
have already indicated why, in my opinion, user damages cannot be recovered for<br />
breaches of the DPA 1998. But even if (contrary to that conclusion) user damages<br />
<br />
could in principle be recovered, the inability or unwillingness to prove what, if any,<br />
wrongful use was made by Google of the personal data of any individual again means<br />
that any damages awarded would be nil.<br />
<br />
<br />
155. The claimant asserts, and I am content to assume, that if, instead of bypassing<br />
privacy settings through the Safari workaround, Google had offered to pay a fee to<br />
<br />
each affected Apple iPhone user for the right to place its DoubleClick Ad cookie on<br />
their device, the fee would have been a standard one, agreed in advance, rather than a<br />
fee which varied according to the quantity or commercial value to Google of the<br />
information which was subsequently collected as a result of the user’s acceptance of<br />
<br />
the cookie. However, imagining the negotiation of a fee in advance in this way is not<br />
the correct premise for the valuation.<br />
<br />
<br />
156. As explained in Morris-Garner, the object of an award of user damages is to<br />
compensate the claimant for use wrongfully made by the defendant of a valuable asset<br />
<br />
protected by the right infringed. The starting point for the valuation exercise is thus to<br />
identify what the extent of such wrongful use actually was: only then can an estimate<br />
be made of what sum of money could reasonably have been charged for that use or,<br />
put another way, for releasing the wrongdoer from the duties which it breached in the<br />
wrongful use that it made of the asset. Imagining a hypothetical negotiation, as Lord<br />
<br />
Reed explained at para 91 of Morris-Garner, is merely “a tool” for arriving at this<br />
estimated sum. As in any case where compensation is awarded, the aim is to place the<br />
claimant as nearly as possible in the same position as if the wrongdoing had not<br />
occurred. Accordingly, as Patten LJ put it in Eaton Mansions (Westminster) Ltd v Stinger<br />
Compania de Inversion SA [2013] EWCA Civ 1308; [2014] 1 P & CR 5, para 21:<br />
<br />
<br />
“The valuation construct is that the parties must be treated<br />
<br />
as having negotiated for a licence which covered the acts of<br />
trespass that actually occurred. The defendant is not required<br />
to pay damages for anything else.”<br />
<br />
<br />
See also Enfield London Borough Council v Outdoor Plus Ltd [2012] EWCA Civ 608, para<br />
<br />
47; and Marathon Asset Management LLP v Seddon [2017] EWHC 300 (Comm); [2017]<br />
ICR 791, paras 254-262.<br />
<br />
<br />
157. Applying that approach, the starting point would therefore need to be to<br />
establish what unlawful processing by Google of the claimant’s personal data actually<br />
occurred. Only when the wrongful use actually made by Google of such data is known<br />
<br />
is it possible to estimate its commercial value. As discussed, in order to avoid individual<br />
assessment, the only wrongful act which the claimant proposes to prove in the case of<br />
each represented person is that the DoubleClick Ad cookie was unlawfully placed on<br />
their device: no evidence is - or could without individual assessment - be adduced to<br />
<br />
show that, by means of this third party cookie, Google collected or used any personal<br />
data relating to that individual. The relevant valuation construct is therefore to ask<br />
what fee would hypothetically have been negotiated for a licence to place the<br />
DoubleClick Ad cookie on an individual user’s phone as a third party cookie, but<br />
without releasing Google from its obligations not to collect or use any information<br />
<br />
about that person’s internet browsing history. It is plain that such a licence would be<br />
valueless and that the fee which could reasonably be charged or negotiated for it<br />
would accordingly be nil.<br />
<br />
<br />
G. CONCLUSION<br />
<br />
<br />
<br />
158. The judge took the view that, even if the legal foundation for the claim made in<br />
this action were sound, he should exercise the discretion conferred by CPR rule 19.6(2)<br />
by refusing to allow the claim to be continued as a representative action. He<br />
characterised the claim as “officious litigation, embarked upon on behalf of individuals<br />
<br />
who have not authorised it” and in which the main beneficiaries of any award of<br />
damages would be the funders and the lawyers. He thought that the representative<br />
claimant “should not be permitted to consume substantial resources in the pursuit of<br />
litigation on behalf of others who have little to gain from it, and have not authorised<br />
<br />
the pursuit of the claim, nor indicated any concern about the matters to be litigated”:<br />
[2019] 1 WLR 1265, paras 102-104. The Court of Appeal formed a very different view<br />
of the merits of the representative claim. They regarded the fact that the members of<br />
the represented class had not authorised the claim as an irrelevant factor, which the<br />
judge had wrongly taken into account, and considered that it was open to them to<br />
<br />
exercise the discretion afresh. They saw this litigation as the only way of obtaining a<br />
civil compensatory remedy for what, if proved, was a “wholesale and deliberate<br />
misuse of personal data without consent, undertaken with a view to commercial<br />
profit”: see [2020] QB 747, para 86. In these circumstances the Court of Appeal took<br />
<br />
the view that, as a matter of discretion, the claim should be allowed to proceed.<br />
<br />
<br />
159. It is unnecessary to decide whether the Court of Appeal was entitled to<br />
interfere with the judge’s discretionary ruling or whether it would be desirable for a<br />
commercially funded class action to be available on the facts alleged in this case. This is<br />
because, regardless of what view of it is taken, the claim has no real prospect of<br />
<br />
success. That in turn is because, in the way the claim has been framed in order to try to<br />
bring it as a representative action, the claimant seeks damages under section 13 of the<br />
DPA 1998 for each individual member of the represented class without attempting to<br />
show that any wrongful use was made by Google of personal data relating to that<br />
<br />
individual or that the individual suffered any material damage or distress as a result of<br />
a breach of the requirements of the Act by Google. For the reasons explained in this<br />
judgment, without proof of these matters, a claim for damages cannot succeed.<br />
<br />
<br />
160. I would therefore allow the appeal and restore the order made by the judge<br />
refusing the claimant’s application for permission to serve the proceedings on Google<br />
<br />
outside the jurisdiction of the courts of England and Wales.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
</pre></div>Mariam-hwthhttps://gdprhub.eu/index.php?title=UKSC_-_Richard_Lloyd_v_Google_LLC_(2021)_UKSC_50&diff=21381UKSC - Richard Lloyd v Google LLC (2021) UKSC 502021-11-23T18:33:18Z<p>Mariam-hwth: Created page with "{{COURTdecisionBOX |Jurisdiction=United Kingdom |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=UKSC |Court_With_Country=UKSC (United Kingdom) |Case_Number_N..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=UKSC<br />
|Court_With_Country=UKSC (United Kingdom)<br />
<br />
|Case_Number_Name=Richard Lloyd v Google LLC (2021) UKSC 50<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=The Supreme Court of the United Kingdom<br />
|Original_Source_Link_1=https://www.supremecourt.uk/cases/docs/uksc-2019-0213-judgment.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Date_Decided=10.11.2021<br />
|Date_Published=10.11.2021<br />
|Year=2021<br />
<br />
<br />
|EU_Law_Name_1=Article 23 of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data<br />
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:31995L0046<br />
<br />
|National_Law_Name_1=Rule 19.6 of the Civil Procedure Rules<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=Section 13 of the Data Protection Act 1998<br />
|National_Law_Link_2=https://www.legislation.gov.uk/ukpga/1998/29/contents<br />
|National_Law_Name_3=Section 14 of the Data Protection Act 1998<br />
|National_Law_Link_3=https://www.legislation.gov.uk/ukpga/1998/29/contents<br />
|National_Law_Name_4=Section 4(4) of the Data Protection Act 1998<br />
|National_Law_Link_4=https://www.legislation.gov.uk/ukpga/1998/29/contents<br />
|National_Law_Name_5=Rule 19.11 of the Civil Procedure Rules<br />
|National_Law_Link_5=<br />
<br />
|Party_Name_1=Richard Lloyd<br />
|Party_Link_1=<br />
|Party_Name_2=Google LLC<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=England and Wales Court of Appeal (Civil Division)<br />
|Appeal_From_Case_Number_Name=Lloyd v Google LLC [2019] EWCA Civ 1599<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=https://www.bailii.org/ew/cases/EWCA/Civ/2019/1599.html<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=MH<br />
|<br />
}}<br />
<br />
The UK Supreme Court held that to claim compensation for an infringement of the Data Protection Act 1998, it was necessary to demonstrate material damage or distress suffered by each individual. A representative action was therefore not suitable. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Google secretly tracked Apple iPhone users between late 2011 and early 2012 and used the data collected in that way for commercial purposes. Google bypassed privacy settings on Apple iPhones and the default blocking of third party cookies on Safari with its “DoubleClick Ad” cookie by relying on an exception devised by Apple. Google placed this cookie without the user’s knowledge or consent. This cookie was enabled if users visited a website that included DoubleClick Ad content (advertising content). The cookie identified visits by a specific device to websites using this advertising content, including the date and time of the visit; the time spent by the user on the website; which advertisement was viewed and for how long; and, using the IP address, the user’s geographical location. <br />
<br />
As a result, Google could infer the user’s internet surfing habits, location, as well as interests, race or ethnicity, social class, political or religious beliefs, health, sexual interests, age, gender and financial situation. Google then used this aggregated information to give users group labels (eg “football lovers”) and eventually offered these group labels to advertising organisations looking to target specific groups when using Google’s DoubleClick service. <br />
<br />
This allegation was brought in the US, where Google paid $22.5 million to settle charges brought by the US Federal Trade Commission and $17 million to settle consumer-based actions. <br />
<br />
Three individuals in the UK sued Google in 2013 for the same allegation and their claim was settled by Google (Vidal-Hall v Google Inc). <br />
<br />
Lloyd filed a claim before the UK courts on behalf of everyone who resided in England and Wales and owned an Apple iPhone at the time of the secret tracking. Lloyd filed this class action with the intention of recovering damages for more than 4 million people affected. He claimed that compensation (£750 suggested) should be awarded under the Data Protection Act 1998 for loss of control of personal data without having to demonstrate that the claimant suffered financial loss or mental distress as a result of the infringement.<br />
<br />
=== Holding ===<br />
Legal framework:<br />
<br />
Section 4(4) of the Data Protection Act 1998 (DPA 1998) imposes a duty on data controllers to comply with the data protection principles. These are laid out in Schedule 1 of the DPA 1998 and require personal data to be 1) processed fairly and lawfully; 2) processed only for specified and lawful purposes; 3) adequate, relevant, and not excessive; 4) accurate and kept up to date; 5) not kept for longer than is necessary for those purposes; 6) processed in accordance with the rights of data subjects; 7) protected by appropriate technical and organisational security measures; and 8) not transferred outside the European Economic Area unless the destination country provides an adequate level of protection.<br />
<br />
Section 13 of the DPA 1998 gives individuals a right to compensation from the controller if they suffer damage as a result of a contravention of the Act by that controller.<br />
<br />
Individuals whose claims give rise to a common issue of fact or law can apply for a Group Litigation Order to be made under Rule 19.11 of the Civil Procedure Rules. This is an “opt-in” regime where claimants must take steps to join the group. <br />
<br />
They can also do so under a representative action, reflected in Rule 19.6 of the Civil Procedure Rules (CPR). However, as a detailed legislative framework is missing, the representative action rules within common law have been considered by the Supreme Court. The following principles are relevant:<br />
- “same interest” requirement where the representative must have the same interest or common issues as the persons they represent (within Rule 19.6 CPR)<br />
- “court’s discretion” as to whether to allow the claim to proceed as a representative action. This is an objective assessment as to whether the case can be dealt with justly and at a proportionate cost (within Rules 1.1 and 1.2 CPR)<br />
- “no requirement of consent” or awareness required from the people represented<br />
- “class definition” requirement where the class of people represented must be clearly defined <br />
- “liability for costs” requirement where the persons represented will not have to pay costs of being represented incurred by the representative<br />
- “scope for claiming damages” where claiming damages is limited by the nature of the remedy of damages at common law, or by the fact that damages may require an individual assessment<br />
<br />
Holding:<br />
<br />
The UK Supreme Court did not object to a representative claim brought to establish whether Google was in breach of DPA 1998 as individual claims could theoretically be brought. The Supreme Court also determined that the individuals had similar interests or common issues caused by tracking of their behaviour without consent. <br />
<br />
According to the Court, there was no uniform effect caused by Google’s actions across the represented class. Instead, the effect and the amount recoverable by each individual would depend on the circumstances particular to the individuals (eg how often they used Safari or websites with DoubleClick Ad content). Contrary to Lloyd’s claim, the Court held that DPA 1998 cannot be read to mean that individuals are entitled to compensation for any contravention of the DPA 1998 without needing to prove financial loss or distress. According to the leading judgment, under Section 13 DPA 1998, it is not enough to prove an infringement by a data controller, as “damage” (interpreted as only meaning material damage) or “distress” must be suffered as a result. <br />
<br />
Following an analysis of Vidal-Hall v Google Inc (discussing Section 13 DPA 1998) and Gulati v MGN Ltd (discussing the tort of misuse of private information), the court outlined that it would be possible for Lloyd to claim (1) damages under Section 13(1) DPA 1998 for distress suffered due to Google’s infringement of the Act; and/or (2) damages for the misuse of private information without the need to show material damage or distress. However, the court outlined that the case was not made for either (a claim for the tort of misuse of private information not having been made). Again, the Court reiterated that to recover damages for distress under Section 13(1) DPA 1998, it would be necessary to provide evidence of this distress for each individual represented – making this incompatible with the nature of representative action.<br />
<br />
The UK Supreme Court rejected the argument that an infringement of the DPA 1998 should be dealt with in the same way as the tort of misuse of private information and that therefore damages can be recovered for interference by an organisation without the need to demonstrate material damage or distress. The UK Supreme Court relied on the fact that Section 13(1) DPA 1998 cannot be interpreted using that analogy, as highlighted above. The wording of the DPA 1998 and its interpretation in caselaw cannot be detached from the fact that material damage or distress must be demonstrated.<br />
“…the wording of section 13(1) draws a distinction between “damage” suffered by an individual and a “contravention” of a requirement of the Act by a data controller, and provides a right to compensation “for that damage” only if the “damage” occurs “by reason of” the contravention.”<br />
Section 14 DPA 1998 also supports the interpretation that damage, and not purely an infringement of the legislation, must be demonstrated. The Court also relied on the interpretation by the Court of Appeal in Vidal-Hall v Google Inc, which distinguished damage or distress suffered from contravention of a requirement in the DPA 1998. The Court also did not consider that it was possible to rely on an analogy between the tort of misuse of private information and Section 13 DPA 1998 simply because they are both founded in the common root of the “right to privacy” embodied in Article 8 European Convention on Human Rights. <br />
<br />
The Court also commented on the meaning of “loss”, in “loss of control”. It highlighted that past caselaw refers to loss in the sense of a proprietary loss (linked to economic value). It considered that the right to privacy is not linked to proprietary control in the same way, as different people have different perspectives on it (eg some are happy to exploit their private life for commercial gains whilst others are not). Therefore, according to the Supreme Court, it is not something courts can pass judgment on. <br />
<br />
Additionally, the Court held that it would be, in any case, necessary to identify damage or distress suffered by each individual for the purpose of awarding compensation (even if it was not necessary to show individual damage or distress as a result of the infringement). Factors like the extent of Google’s tracking; the quantity of data processed; the nature of the data processed (sensitive nature?); and the use of that information and benefit from it by Google would all need to be assessed for individual cases. Without such individualised assessment, the “lowest common denominator” on which Lloyd’s claim is based (proof that the individual is part of the class by having an iPhone at the time) would not be sufficient to amount to something more than trivial (as required under Section 13 DPA 1998). Therefore, compensation could not be quantified beyond 0. <br />
<br />
The UK Supreme Court concluded and decided unanimously that “In order to recover compensation under the DPA 1998 for any given individual, it would be necessary to show both that Google made some unlawful use of personal data relating to that individual and that the individual suffered some damage as a result.”<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
Michaelmas Term<br />
[2021] UKSC 50<br />
On appeal from: [2019] EWCA Civ 1599<br />
<br />
<br />
<br />
JUDGMENT<br />
<br />
<br />
Lloyd (Respondent) v Google LLC (Appellant)<br />
<br />
before<br />
<br />
<br />
Lord Reed, President<br />
Lady Arden<br />
Lord Sales<br />
<br />
Lord Leggatt<br />
Lord Burrows<br />
<br />
<br />
JUDGMENT GIVEN ON<br />
10 November 2021<br />
<br />
<br />
Heard on 28 and 29 April 2021<br />
<br />
Appellant<br />
Antony White QC<br />
Edward Craven<br />
<br />
(Instructed by Pinsent Masons LLP (London))<br />
<br />
<br />
Respondent<br />
Hugh Tomlinson QC<br />
Oliver Campbell QC<br />
<br />
Victoria Wakefield QC<br />
(Instructed by Milberg London LLP)<br />
<br />
<br />
1st Intervener (Information Commissioner)<br />
Gerry Facenna QC<br />
<br />
Nikolaus Grubeck<br />
(Instructed by Information Commissioner’s Office)<br />
<br />
<br />
2nd Intervener (Open Rights Group)<br />
(written submissions only)<br />
<br />
Robert Palmer QC<br />
Julianne Kerr Morrison<br />
(Instructed by AWO)<br />
<br />
<br />
<br />
3rd Intervener (Association of the British Pharmaceutical Industry and Association of British<br />
HealthTech Industries (ABPI and ABHI))<br />
(written submissions only)<br />
Lord Anderson of Ipswich KBE QC<br />
Robin Hopkins<br />
<br />
Rupert Paines<br />
(Instructed by CMS Cameron McKenna Nabarro Olswang LLP (London))<br />
<br />
<br />
4th Intervener (Liberty, Coram Children’s Legal Centre and Inclusion London)<br />
(written submissions only)<br />
<br />
Dan Squires QC<br />
Aidan Wills<br />
Tim James-Matthews<br />
(Instructed by Liberty, Coram Children’s Legal Centre and Deighton Pierce Glynn)<br />
<br />
<br />
<br />
5th Intervener (Internet Association)<br />
(written submissions only)<br />
Christopher Knight<br />
(Instructed by Linklaters LLP (London))<br />
<br />
6th Intervener (TECHUK Ltd (trading as techUK))<br />
(written submissions only)<br />
Catrin Evans QC<br />
<br />
Ian Helme<br />
(Instructed by RPC LLP (London))<br />
<br />
LORD LEGGATT: (with whom Lord Reed, Lady Arden, Lord Sales and Lord Burrows<br />
agree)<br />
<br />
<br />
A. INTRODUCTION<br />
<br />
<br />
1. Mr Richard Lloyd - with financial backing from Therium Litigation Funding IC, a<br />
commercial litigation funder - has issued a claim against Google LLC, alleging breach of<br />
<br />
its duties as a data controller under section 4(4) of the Data Protection Act 1998 (“the<br />
DPA 1998”). The claim alleges that, for several months in late 2011 and early 2012,<br />
Google secretly tracked the internet activity of millions of Apple iPhone users and used<br />
the data collected in this way for commercial purposes without the users’ knowledge<br />
<br />
or consent.<br />
<br />
<br />
2. The factual allegation is not new. In August 2012, Google agreed to pay a civil<br />
penalty of US$22.5m to settle charges brought by the United States Federal Trade<br />
Commission based upon the allegation. In November 2013, Google agreed to pay<br />
US$17m to settle consumer-based actions brought against it in the United States. In<br />
<br />
England and Wales, three individuals sued Google in June 2013 making the same<br />
allegation and claiming compensation under the DPA 1998 and at common law for<br />
misuse of private information: see Vidal-Hall v Google Inc (Information Comr<br />
intervening) [2015] EWCA Civ 311; [2016] QB 1003. Following a dispute over<br />
<br />
jurisdiction, their claims were settled before Google had served a defence. What is<br />
new about the present action is that Mr Lloyd is not just claiming damages in his own<br />
right, as the three claimants did in Vidal-Hall. He claims to represent everyone resident<br />
in England and Wales who owned an Apple iPhone at the relevant time and whose<br />
data were obtained by Google without their consent, and to be entitled to recover<br />
<br />
damages on behalf of all these people. It is estimated that they number more than 4m.<br />
<br />
<br />
3. Class actions, in which a single person is permitted to bring a claim and obtain<br />
redress on behalf of a class of people who have been affected in a similar way by<br />
alleged wrongdoing, have long been possible in the United States and, more recently,<br />
<br />
in Canada and Australia. Whether legislation to establish a class action regime should<br />
be enacted in the UK has been much discussed. In 2009, the Government rejected a<br />
recommendation from the Civil Justice Council to introduce a generic class action<br />
regime applicable to all types of claim, preferring a “sector based approach”. This was<br />
<br />
for two reasons:<br />
<br />
<br />
“Firstly, there are potential structural differences between<br />
the sectors which will require different consideration. …<br />
Secondly, it will be necessary to undertake a full assessment<br />
<br />
of the likely economic and other impacts before<br />
implementing any reform.”<br />
<br />
<br />
See the Government’s Response to the Civil Justice Council’s Report: “Improving<br />
Access to Justice through Collective Actions” (2008), paras 12-13.<br />
<br />
<br />
4. Since then, the only sector for which such a regime has so far been enacted is<br />
<br />
that of competition law. Parliament has not legislated to establish a class action regime<br />
in the field of data protection.<br />
<br />
<br />
5. Mr Lloyd has sought to overcome this difficulty by what the Court of Appeal in<br />
this case described as “an unusual and innovative use of the representative procedure”<br />
<br />
in rule 19.6 of the Civil Procedure Rules: see [2019] EWCA Civ 1599; [2020] QB 747,<br />
para 7. This is a procedure of very long standing in England and Wales whereby a claim<br />
can be brought by (or against) one or more persons as representatives of others who<br />
have “the same interest” in the claim. Mr Lloyd accepts that he could not use this<br />
procedure to claim compensation on behalf of other iPhone users if the compensation<br />
<br />
recoverable by each user would have to be individually assessed. But he contends that<br />
such individual assessment is unnecessary. He argues that, as a matter of law,<br />
compensation can be awarded under the DPA 1998 for “loss of control” of personal<br />
data without the need to prove that the claimant suffered any financial loss or mental<br />
<br />
distress as a result of the breach. Mr Lloyd further argues that a “uniform sum” of<br />
damages can properly be awarded in relation to each person whose data protection<br />
rights have been infringed without the need to investigate any circumstances<br />
particular to their individual case. The amount of damages recoverable per person<br />
would be a matter for argument, but a figure of £750 was advanced in a letter of claim.<br />
<br />
Multiplied by the number of people whom Mr Lloyd claims to represent, this would<br />
produce an award of damages of the order of £3 billion.<br />
<br />
<br />
6. Because Google is a Delaware corporation, the claimant needs the court’s<br />
permission to serve the claim form on Google outside the jurisdiction. The application<br />
<br />
for permission has been contested by Google on the grounds that the claim has no real<br />
prospect of success as: (1) damages cannot be awarded under the DPA 1998 for “loss<br />
of control” of data without proof that it caused financial damage or distress; and (2)<br />
the claim in any event is not suitable to proceed as a representative action. In the High<br />
<br />
Court Warby J decided both issues in Google’s favour and therefore refused permission<br />
to serve the proceedings on Google: see [2018] EWHC 2599 (QB); [2019] 1 WLR 1265.<br />
The Court of Appeal reversed that decision, for reasons given in a judgment of the<br />
Chancellor, Sir Geoffrey Vos, with which Davis LJ and Dame Victoria Sharp agreed:<br />
[2019] EWCA Civ 1599; [2020] QB 747.<br />
<br />
<br />
7. On this further appeal, because of the potential ramifications of the issues<br />
raised, as well as hearing the claimant and Google, the court has received written and<br />
oral submissions from the Information Commissioner and written submissions from<br />
five further interested parties.<br />
<br />
<br />
8. In this judgment I will first summarise the facts alleged and the relevant legal<br />
<br />
framework for data protection before considering the different methods currently<br />
available in English procedural law for claiming collective redress and, in particular, the<br />
representative procedure which the claimant is seeking to use. Whether that<br />
procedure is capable of being used in this case critically depends, as the claimant<br />
<br />
accepts, on whether compensation for the alleged breaches of data protection law<br />
would need to be individually assessed. I will then consider the claimant’s arguments<br />
that individual assessment is unnecessary. For the reasons given in detail below, those<br />
arguments cannot in my view withstand scrutiny. In order to recover compensation<br />
under the DPA 1998 for any given individual, it would be necessary to show both that<br />
<br />
Google made some unlawful use of personal data relating to that individual and that<br />
the individual suffered some damage as a result. The claimant’s attempt to recover<br />
compensation under the Act without proving either matter in any individual case is<br />
therefore doomed to fail.<br />
<br />
<br />
<br />
B. FACTUAL BACKGROUND<br />
<br />
<br />
9. The relevant events took place between 9 August 2011 and 15 February 2012<br />
and involved the alleged use by Google of what has been called the “Safari<br />
workaround” to bypass privacy settings on Apple iPhones.<br />
<br />
<br />
10. Safari is an internet browser developed by Apple and installed on its iPhones. At<br />
<br />
the relevant time, unlike most other internet browsers, all relevant versions of Safari<br />
were set by default to block third party cookies. A “cookie” is a small block of data that<br />
is placed on a device when the user visits a website. A “third party cookie” is a cookie<br />
placed on the device not by the website visited by the user but by a third party whose<br />
<br />
content is included on that website. Third party cookies are often used to gather<br />
information about internet use, and in particular web pages visited over time, to<br />
enable the delivery to the user of advertisements tailored to interests inferred from<br />
the user’s browsing history.<br />
<br />
<br />
<br />
11. Google had a cookie known as the “DoubleClick Ad cookie” which could operate<br />
as a third party cookie. It would be placed on a device if the user visited a website that<br />
included DoubleClick Ad content. The DoubleClick Ad cookie enabled Google to<br />
identify visits by the device to any website displaying an advertisement from its vast<br />
<br />
advertising network and to collect considerable amounts of information. It could tell<br />
the date and time of any visit to a given website, how long the user spent there, which<br />
pages were visited for how long, and what advertisements were viewed for how long.<br />
In some cases, by means of the IP address of the browser, the user’s approximate<br />
geographical location could be identified.<br />
<br />
<br />
<br />
12. Although the default settings for Safari blocked all third party cookies, a blanket<br />
application of these settings would have prevented the use of certain popular web<br />
functions; so Apple devised some exceptions to them. These exceptions were in place<br />
until March 2012, when the system was changed. But in the meantime the exceptions<br />
<br />
made it possible for Google to devise and implement the Safari workaround. Its effect<br />
was to place the DoubleClick Ad cookie on an Apple device, without the user’s<br />
knowledge or consent, immediately, whenever the user visited a website that<br />
contained DoubleClick Ad content.<br />
<br />
<br />
13. It is alleged that, in this way, Google was able to collect or infer information<br />
<br />
relating not only to users’ internet surfing habits and location, but also about such<br />
diverse factors as their interests and pastimes, race or ethnicity, social class, political or<br />
religious beliefs or affiliations, health, sexual interests, age, gender and financial<br />
situation.<br />
<br />
<br />
<br />
14. Further, it is said that Google aggregated browser generated information from<br />
users displaying similar patterns, creating groups with labels such as “football lovers”,<br />
or “current affairs enthusiasts”. Google’s DoubleClick service then offered these group<br />
labels to subscribing advertisers to choose from when selecting the type of people at<br />
whom they wanted to target their advertisements.<br />
<br />
<br />
<br />
C. THE LEGAL FRAMEWORK<br />
<br />
<br />
15. The DPA 1998 was enacted to implement Parliament and Council Directive<br />
95/46/EC of 24 October 1995 “on the protection of individuals with regard to the<br />
processing of personal data and on the free movement of such data” (OJ 1995 L281, p<br />
<br />
31) (the “Data Protection Directive”). The Data Protection Directive has been<br />
superseded by the General Data Protection Regulation, which became law in the UK in<br />
May 2018, supplemented by the Data Protection Act 2018 (“the DPA 2018”). The DPA<br />
2018 repealed and replaced the DPA 1998 except in relation to acts or omissions which<br />
<br />
occurred before it came into force.<br />
<br />
<br />
<br />
<br />
16. Because the acts and omissions giving rise to the present claim occurred in 2011<br />
and 2012, the claim is governed by the old law contained in the DPA 1998 and the Data<br />
Protection Directive. The parties and interveners in their submissions on this appeal<br />
nevertheless made frequent references to provisions of the General Data Protection<br />
Regulation and the DPA 2018. In principle, the meaning and effect of the DPA 1998 and<br />
<br />
the Data Protection Directive cannot be affected by legislation which has been enacted<br />
subsequently. The later legislation therefore cannot help to resolve the issues raised<br />
on this appeal, and I shall leave it to one side.<br />
<br />
<br />
(1) The scheme of the DPA 1998<br />
<br />
<br />
<br />
17. Section 4(4) of the DPA 1998 imposed a duty on a data controller to comply<br />
with “the data protection principles” set out in Schedule 1 “in relation to all personal<br />
data with respect to which he is the data controller”. As defined in section 1(1) of the<br />
Act, “personal data” are, in effect, all recorded information which relate to an<br />
identifiable individual. An individual who is the subject of personal data is referred to<br />
<br />
as the “data subject”. A “data controller” is a person who (either alone or with others)<br />
“determines the purposes for which and the manner in which any personal data are, or<br />
are to be, processed.” The term “processing” is defined very broadly to mean<br />
“obtaining, recording or holding the information or data or carrying out any operation<br />
<br />
or set of operations on the information or data …”. Section 2 of the Act establishes a<br />
category of “sensitive personal data” consisting of information about certain specified<br />
matters, which include the racial or ethnic origin, political opinions, religious beliefs,<br />
physical or mental health or sexual life of the data subject.<br />
<br />
<br />
18. The first of the eight “data protection principles” set out in Schedule 1 is that:<br />
<br />
<br />
<br />
“Personal data shall be processed fairly and lawfully and, in<br />
particular, shall not be processed unless -<br />
<br />
<br />
(a) at least one of the conditions in Schedule 2 is met,<br />
and<br />
<br />
<br />
<br />
(b) in the case of sensitive personal data, at least one<br />
of the conditions in Schedule 3 is also met.”<br />
<br />
<br />
The other seven data protection principles, in summary, require personal data: (2) to<br />
be obtained and processed only for specified and lawful purposes; (3) to be “adequate,<br />
<br />
relevant, and not excessive” in relation to those purposes; (4) to be accurate and,<br />
where necessary, kept up to date; (5) not to be kept for longer than is necessary for<br />
those purposes; (6) to be processed in accordance with the rights of data subjects<br />
under the Act; (7) to be protected by appropriate technical and organisational security<br />
measures against unauthorised or unlawful processing and against accidental loss or<br />
destruction or damage; and (8) not to be transferred outside the European Economic<br />
<br />
Area unless the destination country or territory provides an adequate level of<br />
protection for data subjects in relation to the processing of personal data.<br />
<br />
<br />
19. As discussed in more detail below, section 13 of the DPA 1998 gives an<br />
individual who suffers damage “by reason of any contravention by a data controller of<br />
<br />
any of the requirements of this Act” a right to compensation from the data controller<br />
for that damage.<br />
<br />
<br />
(2) The allegations of breach of duty<br />
<br />
<br />
20. The claimant, Mr Lloyd, contends that Google processed personal data of each<br />
member of the represented class in breach of the first, second and seventh data<br />
<br />
protection principles. The represented class consists in essence of everyone in England<br />
and Wales who at the relevant time had an Apple iPhone on which Google’s<br />
DoubleClick Ad cookie was placed through the Safari workaround. (The precise<br />
definition of the class is set out at para 19 of Warby J’s judgment.) Two principal<br />
<br />
allegations made are that, in breach of the first data protection principle, (i) the data<br />
obtained by placing the DoubleClick Ad cookie on each class member’s device were not<br />
processed fairly and (ii) none of the conditions in Schedule 2 (or 3) was met.<br />
<br />
<br />
21. Schedule 1, Part II, paragraph 2, provides, in substance, that personal data<br />
obtained from the data subject are not to be treated as processed fairly unless the<br />
<br />
data controller informs the data subject of the purpose for which the data are<br />
intended to be processed - a requirement with which it is said that Google failed to<br />
comply in this case.<br />
<br />
<br />
22. Schedule 2 contains a list of conditions capable of justifying the processing of<br />
<br />
data. To comply with the first data protection principle, at least one of these<br />
conditions must be satisfied. The first condition in Schedule 2 is that “the data subject<br />
has given his consent to the processing”. Other conditions are that the processing is<br />
necessary for (amongst other things): the performance of a contract to which the data<br />
<br />
subject is a party; or compliance with a legal obligation (other than a contractual<br />
obligation) of the data controller; or to protect the vital interests of the data subject;<br />
or for the exercise of any functions of a public nature exercised in the public interest<br />
by any person. The claimant asserts that the members of the represented class whose<br />
<br />
personal data Google processed had not given their consent to the processing, nor was<br />
any of the other conditions capable of justifying the processing met. Hence for this<br />
reason too Google was in breach of the first data protection principle.<br />
<br />
<br />
23. There is no doubt that the claimant is entitled to advance a claim against Google<br />
on this basis in his own right which has a real prospect of success. The issue is whether<br />
<br />
he can also do so on behalf of all other iPhone users who fall within the represented<br />
class. This depends on the scope of the representative procedure available under the<br />
Civil Procedure Rules (“CPR”). Before I come to that procedure, I will mention in order<br />
to compare them the two other methods of claiming collective redress currently<br />
<br />
available in English procedural law.<br />
<br />
<br />
D. COLLECTIVE REDRESS IN ENGLISH LAW<br />
<br />
<br />
(1) Group Actions<br />
<br />
<br />
24. A group of people who wish to bring claims which give rise to common or<br />
related issues of fact or law can apply to the court for a Group Litigation Order to be<br />
<br />
made under CPR rule 19.11, providing for the claims to be managed together, usually<br />
by a single designated judge. The Group Litigation Order will establish a register of the<br />
claims included in the group, which is maintained by the claimants’ lead solicitor. The<br />
order may also make provision for how the litigation costs are to be shared among the<br />
<br />
claimants. How the claims are managed is a matter for the designated judge, but<br />
procedures typically used are to select one or more claims to be tried as test claims<br />
while the remaining claims are stayed and to decide as preliminary issues common<br />
issues of law or fact which are potentially dispositive of the litigation. Unless the court<br />
orders otherwise, a judgment given or order made in the litigation is binding on all the<br />
<br />
claimants included in the group register: see CPR rule 19.12(1)(a).<br />
<br />
<br />
25. Where the individual claims are of sufficiently high value, group actions can be<br />
an effective way of enabling what are typically several hundred or thousands of claims<br />
to be litigated and managed together, avoiding duplication of the court’s resources<br />
<br />
and allowing the claimants to benefit from sharing costs and litigation risk and by<br />
obtaining a single judgment which is binding in relation to all their claims. However,<br />
the group action procedure suffers from the drawback that it is an “opt-in” regime: in<br />
other words, claimants must take active steps to join the group. This has an<br />
<br />
administrative cost, as a solicitor conducting the litigation has to obtain sufficient<br />
information from a potential claimant to determine whether he or she is eligible to be<br />
added to the group register, give appropriate advice and enter into a retainer with the<br />
client. For claims which individually are only worth a few hundred pounds, this process<br />
<br />
is not economic as the initial costs alone may easily exceed the potential value of the<br />
claim.<br />
<br />
<br />
26. Another limitation of opt-in proceedings is that experience has shown that only<br />
a relatively small proportion of those eligible to join the group are likely to do so,<br />
particularly if the number of people affected is large and the value of each individual<br />
<br />
claim relatively small. For example, a group action was recently brought against the<br />
Morrisons supermarket chain for compensation for breach of the DPA 1998 arising<br />
from the disclosure on the internet by a Morrisons’ employee of personal data relating<br />
to other employees. Of around 100,000 affected employees, fewer than 10,000 opted<br />
<br />
to join the group action: see Various Claimants v Wm Morrisons Supermarkets plc<br />
[2017] EWHC 3113 (QB); [2019] QB 772 (reversed on the issue of vicarious liability by<br />
the Supreme Court: [2020] UKSC 12; [2020] AC 989). During the period of more than 12<br />
years in which collective proceedings under the Competition Act 1998 (discussed<br />
below) could be brought only on an opt-in basis just one action was commenced,<br />
<br />
based on a finding of price fixing in the sale of replica football shirts. Although around<br />
1.2 – 1.5m people were affected, despite widespread publicity only 130 people opted<br />
into the proceedings: see The Consumers' Association v JJB Sports Plc [2009] CAT 2,<br />
para 5; Civil Justice Council Report “Improving Access to Justice through Collective<br />
<br />
Actions” (2008), Part 6, para 22; and Grave D, McIntosh M and Rowan G (eds), Class<br />
Actions in England and Wales, 1st ed (2018), para 1-068.<br />
<br />
<br />
27. Likely explanations for the low participation rates typically experienced in opt-in<br />
regimes include lack of awareness of the opportunity to join the litigation and the<br />
natural human tendency to do nothing when faced with a choice which requires<br />
<br />
positive action - particularly if there is no immediate benefit to be gained and the<br />
consequences are uncertain and not easy to understand: see eg Thaler R and Sunstein<br />
C, Nudge: The Final Edition (2021), pp 36-38; Samuelson W and Zeckhauser R, “Status<br />
Quo Bias in Decision Making” (1988) 1 Journal of Risk and Uncertainty 7-59. As the<br />
<br />
New Zealand Court of Appeal has recently said of opt-in class actions:<br />
<br />
<br />
“Whichever approach is adopted, many class members are<br />
likely to fail to take any positive action for a range of reasons<br />
that have nothing at all to do with an assessment of whether<br />
<br />
or not it is in their interests to participate in the proceedings.<br />
Some class members will not receive the relevant notice.<br />
Others will not understand the notice, or will have difficulty<br />
understanding what action they are required to take and<br />
completing any relevant form, or will be unsure or hesitant<br />
<br />
about what to do and will do nothing. Even where a class<br />
member considers that it is in their interests to participate in<br />
<br />
the proceedings, the significance of inertia in human affairs<br />
should not be underestimated.”<br />
<br />
<br />
Ross v Southern Response Earthquake Services Ltd [2019] NZCA 431, para 98; approved<br />
by the New Zealand Supreme Court at [2020] NZSC 126, para 40.<br />
<br />
<br />
28. A further factor which makes group litigation impractical in cases where the loss<br />
<br />
suffered by each individual is small, even if in aggregate it may amount to a very large<br />
sum of money, is the need to prove the quantum of loss in each individual case. Not<br />
only are eligible individuals less likely to opt into the proceedings where the potential<br />
gain to them is small, but the costs of obtaining evidence from each individual to<br />
<br />
support their claim is again likely to make group litigation uneconomic in such cases.<br />
<br />
<br />
(2) Collective Proceedings<br />
<br />
<br />
29. Compared to group actions, the method of collective redress which is now<br />
available in the field of competition law offers significant advantages for claimants,<br />
particularly where many people have been affected by the defendant’s conduct but<br />
<br />
the value of each individual claim is small. Section 47B of the Competition Act 1998<br />
(added by the Enterprise Act 2002 and as amended by the Consumer Rights Act 2015)<br />
makes provision for bringing “collective proceedings” in the Competition Appeal<br />
Tribunal (“CAT”) combining two or more claims to which section 47A applies<br />
<br />
(essentially, claims in respect of an infringement or alleged infringement of<br />
competition law). Such proceedings must be commenced by a person who proposes to<br />
be the representative of a specified class of persons, and the proceedings may only be<br />
continued if they are certified by the CAT as satisfying criteria set out in section 47B<br />
<br />
and in the CAT Rules. Two features of this regime may be noted.<br />
<br />
<br />
30. First, unlike group litigation, collective proceedings may be brought on either an<br />
“opt-in” or “opt-out” basis. “Opt-out” collective proceedings are proceedings brought<br />
on behalf of each class member except any member who opts out by notifying the<br />
class representative that their claim should not be included in the proceedings: see<br />
<br />
section 47B(11). Where “opt-out” collective proceedings are permitted, a person may<br />
therefore have a claim brought on their behalf without taking any affirmative step and,<br />
potentially, without even knowing of the existence of the proceedings and the fact that<br />
he or she is represented in them.<br />
<br />
<br />
<br />
31. A second significant feature of the collective proceedings regime is that it<br />
enables liability to be established and damages recovered without the need to prove<br />
<br />
that members of the class have individually suffered loss: it is sufficient to show that<br />
loss has been suffered by the class viewed as a whole. This is the effect of section<br />
47C(2) of the Competition Act, which provides:<br />
<br />
<br />
“The tribunal may make an award of damages in collective<br />
proceedings without undertaking an assessment of the<br />
<br />
amount of damages recoverable in respect of the claim of<br />
each represented person.”<br />
<br />
<br />
Such an award of damages is referred to in the CAT Rules as “an aggregate award of<br />
damages”: see rule 73(2).<br />
<br />
<br />
<br />
32. As Lord Briggs explained in Merricks v Mastercard [2020] UKSC 51; [2021] Bus LR<br />
25, at para 76, section 47C(2) of the Competition Act “radically alters the established<br />
common law compensatory principle by removing the requirement to assess individual<br />
loss”. This is so for the purposes both of making and of paying out an aggregate award<br />
of damages. How an aggregate award of damages is distributed among the members<br />
<br />
of the class is subject to the control of the CAT and, as this court held in Merricks v<br />
Mastercard, the only requirement is that the distribution should be just: see paras 76-<br />
77, 149. No doubt in many cases a just method of distribution will be one which divides<br />
up an aggregate award of damages in a way which takes account of individual loss. But<br />
<br />
particularly where the size of the class is large and the amount of damages awarded<br />
small considered on a per capita basis, it may be impractical or disproportionate to<br />
adopt such a method. In such cases some other method of distribution, such as an<br />
equal division among all the members of the class, may be justified.<br />
<br />
<br />
<br />
(3) Representative Actions<br />
<br />
<br />
33. Collective proceedings are a recent phenomenon in English law. By contrast, the<br />
representative procedure which the claimant is seeking to use in this case has existed<br />
for several hundred years. The current version of the representative rule is CPR rule<br />
19.6, which states:<br />
<br />
<br />
<br />
“(1) Where more than one person has the same interest in<br />
a claim -<br />
<br />
<br />
(a) the claim may be begun; or<br />
<br />
<br />
<br />
(b) the court may order that the claim be continued,<br />
<br />
<br />
by or against one or more of the persons who have the same<br />
interest as representatives of any other persons who have<br />
that interest.<br />
<br />
<br />
(2) The court may direct that a person may not act as a<br />
<br />
representative.<br />
<br />
<br />
(3) Any party may apply to the court for an order under<br />
paragraph (2).<br />
<br />
<br />
(4) Unless the court otherwise directs any judgment or<br />
<br />
order given in a claim in which a party is acting as a<br />
representative under this rule -<br />
<br />
<br />
(a) is binding on all persons represented in the claim;<br />
but<br />
<br />
<br />
(b) may only be enforced by or against a person who is<br />
<br />
not a party to the claim with the permission of the<br />
court.”<br />
<br />
<br />
(a) Origins of the rule<br />
<br />
<br />
34. This rule has its origins in the procedure of the Court of Chancery before the<br />
<br />
Judicature Act of 1873. The general rule was that all persons materially interested in<br />
the subject-matter of a suit should be made parties to it, either as claimants or<br />
defendants, so as to ensure that the rights of all persons interested were settled by a<br />
single judgment of the court: see eg Adair v New River Co (1805) 11 Ves Jr 429; 32 ER<br />
<br />
1153; Cockburn v Thompson (1809) 16 Ves Jr 321; 33 ER 1005. However, to join all<br />
interested persons as parties was not always practically convenient - particularly if they<br />
were very numerous. The solution devised was not to abandon the aim of settling the<br />
rights of all interested persons in a single proceeding; rather, it was to relax the<br />
“complete joinder rule” by allowing one or more claimants or defendants to represent<br />
<br />
all others who had the same interest as them: see Sorabji J, “The hidden class action in<br />
English civil procedure” (2009) 28 CJQ 498. All persons represented in this way, as well<br />
as the parties actually before the court, were bound by the court’s decision.<br />
<br />
35. In the very early cases in the 16th and 17th centuries in which this procedure<br />
was adopted, the persons represented were invariably a cohesive communal group,<br />
such as parishioners or manorial tenants, whose members had agreed to be<br />
represented; and the representatives were often required to show proof of their<br />
authority to represent the group. But as the nature of society changed and new, more<br />
<br />
impersonal institutions such as friendly societies and joint stock companies with<br />
multiple investors emerged, this requirement was dropped. The court allowed persons<br />
to be represented whether or not they had consented to such representation or even<br />
knew of the action, relying on community of interest among the members of the group<br />
<br />
to ensure that the interests of all were adequately protected: see Yeazell, “From Group<br />
Litigation to Class Action, Part I: The Industrialization of Group Litigation” (1980) 27<br />
UCLA Law Review 514.<br />
<br />
<br />
36. Many of the formative cases involved joint stock companies at a time (before<br />
the Joint Stock Companies Acts 1844 to 1858) when such companies were not yet<br />
<br />
recognised as separate legal entities which could sue or be sued. An action had<br />
therefore to be brought by (or against) the members themselves. In Chancey v May<br />
(1722) Precedents in Chancery 592; 24 ER 265, the treasurer and manager of a brass-<br />
works brought an action on behalf of themselves and all other proprietors of the<br />
<br />
undertaking, of whom there were 800 in total, except for the defendants, who were its<br />
former managers, to call the defendants to account for alleged mismanagement and<br />
embezzlement. The defendants objected that the claim should not be allowed to<br />
proceed as the rest of the proprietors had not been made parties. The court dismissed<br />
that objection on the grounds that, first, the action had been brought on behalf of all<br />
<br />
the other proprietors, so that “all the rest were in effect parties”, and secondly:<br />
<br />
<br />
“Because it would be impracticable to make them all parties<br />
by name, and there would be continual abatements by death<br />
and otherwise, and no coming at justice, if all were to be<br />
<br />
made parties.”<br />
<br />
<br />
37. Another notable case involving a joint stock company was Meux v Maltby (1818)<br />
2 Swanston 277; 36 ER 621. In this case the treasurer and directors of the company<br />
were sued as representative defendants on a contract made on behalf of all the<br />
<br />
members of the company to grant a lease. In rejecting an argument that the claim was<br />
defective because not all the proprietors were before the court, Plumer MR explained,<br />
at pp 281-282:<br />
<br />
<br />
“The general rule, which requires the plaintiff to bring before<br />
the court all the parties interested in the subject in question,<br />
<br />
admits of exceptions. The liberality of this court has long held<br />
that there is of necessity an exception to the general rule,<br />
when a failure of justice would ensue from its enforcement.”<br />
<br />
<br />
After citing numerous authorities, he concluded, at p 284:<br />
<br />
<br />
“Here is a current of authority, adopting more or less a<br />
general principle of exception, by which the rule, that all<br />
<br />
persons interested must be parties, yields when justice<br />
requires it, in the instance either of plaintiffs or defendants.<br />
… It is quite clear that the present suit has sufficient parties,<br />
and that the defendants may be considered as representing<br />
<br />
the company.”<br />
<br />
<br />
38. In Duke of Bedford v Ellis [1901] AC 1, 8, Lord Macnaghten summarised the<br />
practice of the Court of Chancery in this way:<br />
<br />
<br />
“The old rule in the Court of Chancery was very simple and<br />
perfectly well understood. Under the old practice the Court<br />
<br />
required the presence of all parties interested in the matter<br />
in suit, in order that a final end might be made of the<br />
controversy. But when the parties were so numerous that<br />
you never could ‘come at justice’, to use an expression in one<br />
<br />
of the older cases, if everybody interested was made a party,<br />
the rule was not allowed to stand in the way. It was originally<br />
a rule of convenience: for the sake of convenience it was<br />
relaxed. Given a common interest and a common grievance,<br />
a representative suit was in order if the relief sought was in<br />
<br />
its nature beneficial to all whom the plaintiff proposed to<br />
represent.”<br />
<br />
<br />
(b) Effect of the Judicature Act<br />
<br />
<br />
39. By the Supreme Court of Judicature Act 1873, all the jurisdiction previously<br />
<br />
exercised by the Court of Chancery and the courts of common law was transferred to<br />
and vested in the new High Court of Justice. Rules of procedure for the High Court<br />
were scheduled to the Act, which included as rule 10:<br />
<br />
<br />
“Where there are numerous parties having the same interest<br />
<br />
in one action, one or more of such parties may sue or be<br />
sued, or may be authorised by the court to defend in such<br />
action, on behalf or for the benefit of all parties so<br />
interested.”<br />
<br />
<br />
This rule became Order 16, rule 9 of the Rules of the Supreme Court and has remained<br />
in force in the same or similar form ever since. Save that the requirement for<br />
<br />
“numerous parties” has been reduced to “more than one”, there is no significant<br />
difference in the current version of the rule, quoted at para 33 above.<br />
<br />
<br />
40. At first after the enactment of the Judicature Act the courts construed the new<br />
rule narrowly. In Temperton v Russell [1893] 1 QB 435, 438, Lindley LJ, who gave the<br />
<br />
judgment of the Court of Appeal, expressed the view that the rule only applied to<br />
“persons who have or claim some beneficial proprietary right” which they are asserting<br />
or defending in an action that would have come within the jurisdiction of the old Court<br />
of Chancery; hence the rule did not apply to a claim for damages in tort. That view,<br />
however, was repudiated by the House of Lords in Duke of Bedford v Ellis [1901] AC 1.<br />
<br />
Six individuals sued the Duke of Bedford, who owned Covent Garden Market, on behalf<br />
of themselves and all other growers of fruit, flowers, vegetables, roots and herbs, to<br />
enforce certain preferential rights claimed under the Covent Garden Market Act 1828<br />
to stands in the market. They sought declarations of the rights of the growers and an<br />
<br />
injunction to restrain the Duke from acting inconsistently with those rights. They also<br />
claimed - though only for themselves and not on behalf of other growers - an account<br />
and repayment of sums charged to them for selling at the market in excess of what<br />
they would have paid if afforded their alleged preferential rights. The Duke applied to<br />
have the action stayed either on the ground that the claimants had no beneficial<br />
<br />
proprietary right, or on the ground that the joinder in one action of parties claiming<br />
separate and different rights under the Act, both personally and as representing a<br />
class, would embarrass or delay the trial. The House of Lords rejected both grounds<br />
(the first unanimously and the second by a majority of 3 to 2) and held that the action<br />
<br />
could be maintained.<br />
<br />
<br />
41. Lord Macnaghten, who gave the leading speech, expressly disapproved the<br />
restrictive view of the representative rule expressed in Temperton v Russell and<br />
confirmed that its purpose was simply to apply the practice of the Court of Chancery to<br />
<br />
all divisions of the High Court. The only change was therefore that the rule was now<br />
applicable in actions which, before the Judicature Act, could only have been brought in<br />
a court of common law. He said, at pp 10-11, that:<br />
<br />
<br />
“… in all other respects I think the rule as to representative<br />
suits remains very much as it was a hundred years ago. From<br />
<br />
the time it was first established it has been recognised as a<br />
simple rule resting merely upon convenience. It is impossible,<br />
I think, to read such judgments as those delivered by Lord<br />
Eldon in Adair v New River Co, in 1805, and in Cockburn v<br />
Thompson, in 1809, without seeing that Lord Eldon took as<br />
broad and liberal a view on this subject as anybody could<br />
<br />
desire. ‘The strict rule’, he said, ‘was that all persons<br />
materially interested in the subject of the suit, however<br />
numerous, ought to be parties … but that being a general rule<br />
established for the convenient administration of justice must<br />
<br />
not be adhered to in cases to which consistently with<br />
practical convenience it is incapable of application’. ‘It was<br />
better’, he added, ‘to go as far as possible towards justice<br />
than to deny it altogether’. He laid out of consideration the<br />
case of persons suing on behalf of themselves and all others,<br />
<br />
‘for in a sense’, he said, ‘they are before the Court’. As<br />
regards defendants, if you cannot make everybody interested<br />
a party, you must bring so many that it can be said they will<br />
fairly and honestly try the right. I do not think, my Lords, that<br />
<br />
we have advanced much beyond that in the last hundred<br />
years …”<br />
<br />
<br />
As Megarry J commented in John v Rees [1970] Ch 345, 370, this explanation made it<br />
plain that the representative rule is to be treated as being “not a rigid matter of<br />
principle but a flexible tool of convenience in the administration of justice”.<br />
<br />
<br />
<br />
42. In Taff Vale Railway Co v Amalgamated Society of Railway Servants [1901] AC<br />
426, 443, Lord Lindley (as he had become) went out of his way to endorse this view<br />
and to retract his earlier observations in Temperton v Russell, stating:<br />
<br />
<br />
“The principle on which the rule is based forbids its<br />
<br />
restriction to cases for which an exact precedent can be<br />
found in the reports. The principle is as applicable to new<br />
cases as to old, and ought to be applied to the exigencies of<br />
modern life as occasion requires. The rule itself has been<br />
<br />
embodied and made applicable to the various Divisions of the<br />
High Court by the Judicature Act, 1873, sections 16 and 23-<br />
25, and Order XVI, rule 9; and the unfortunate observations<br />
made on that rule in Temperton v Russell have been happily<br />
corrected in this House in the Duke of Bedford v Ellis and in<br />
<br />
the course of the argument in the present case.”<br />
<br />
<br />
(c) Markt and declarations of rights<br />
<br />
<br />
43. The subsequent decision of the Court of Appeal in Markt & Co Ltd v Knight<br />
Steamship Co Ltd [1910] 2 KB 1021 has sometimes been seen as undermining the<br />
broad and flexible view of the representative rule adumbrated by the House of Lords in<br />
these two cases by imposing significant constraints on its use: see eg Esanda Finance<br />
<br />
Corpn Ltd v Carnie (1992) 29 NSWLR 382, 395; Mulheron R, The Class Action in<br />
Common Law Legal Systems (2004) pp 78-82; Sorabji J, “The hidden class action in<br />
English civil procedure” (2009) 28 CJQ 498. I do not think, however, that the decision<br />
should be understood in this way. Markt was heard together with another action also<br />
<br />
brought against the owners of a cargo vessel which was intercepted by a Russian<br />
cruiser on a voyage to Japan during the Russo-Japanese war, on suspicion of carrying<br />
contraband of war, and sunk. Just before the limitation period expired, two cargo-<br />
owners issued writs “on behalf of themselves and others owners of cargo lately laden<br />
on board” the vessel, claiming “damages for breach of contract and duty in and about<br />
<br />
the carriage of goods by sea”. No further particulars of the claims were given.<br />
<br />
<br />
44. All three members of the Court of Appeal agreed that the claims as formulated<br />
could not be pursued as representative actions as there was no basis for asserting that<br />
all the cargo owners had the same interest in the actions. That was so if only because a<br />
<br />
claim that the shipowners were in breach of duty in carrying contraband goods plainly<br />
could not be maintained on behalf of any cargo-owners who had themselves shipped<br />
such goods; furthermore, each cargo owner would need to prove their individual loss.<br />
Buckley LJ would have allowed the claimants to amend their writs and continue the<br />
proceedings on behalf of themselves and all cargo-owners who were not shippers of<br />
<br />
contraband goods, claiming a declaration that the defendants were in breach of<br />
contract and duty in shipping contraband of war. The other judges, however, did not<br />
agree to this course. Vaughan Williams LJ, at p 1032, rejected it on the grounds that<br />
the proposed amendment had not been brought before the court in a way which gave<br />
<br />
a proper opportunity for argument and doubted anyway whether the amendment<br />
could be so framed as to disclose a common purpose of the shippers or any class of the<br />
shippers. Fletcher Moulton LJ, at p 1042, considered that making a declaration of the<br />
type suggested would be contrary to the practice of the courts and that subsequent<br />
<br />
claims by individual cargo-owners relying on such a declaration to recover damages<br />
would constitute new claims which would be time-barred, as the limitation period had<br />
now expired.<br />
<br />
<br />
45. The readiness of English courts to give judgments declaring legal rights where it<br />
would serve a useful purpose has much increased since 1910. An important step was<br />
<br />
the decision of the Court of Appeal in Guaranty Trust Co of New York v Hannay & Co<br />
[1915] 2 KB 536, which held that a declaration can be granted at the instance of a<br />
<br />
claimant even if the claimant has no cause of action against the defendant. Two cases<br />
decided together by the Court of Appeal in 1921 showed that there is no reason in<br />
principle why a claim for a declaration of the kind suggested by Buckley LJ in Markt<br />
cannot be brought as a representative action. In David Jones v Cory Bros & Co Ltd<br />
(1921) 56 LJ 302; 152 LT Jo 70, five individuals sued on their own behalf and on behalf<br />
<br />
of all other underground and surface workmen employed at the defendant’s colliery<br />
on three specified days in September 1919. They alleged that on those three days the<br />
safety lamps in use at the colliery were not in accordance with statutory requirements,<br />
were insufficient in number and were not properly examined; and that in consequence<br />
<br />
the workmen justifiably refused to go to work and lost the wages they would<br />
otherwise have earned and were entitled to damages. In Thomas v Great Mountain<br />
Collieries Co, which was heard at the same time, two claimants sued the owner of<br />
another colliery for loss of wages, alleging breach of statutory duty in not having a<br />
weighing machine to weigh coal as near the pit mouth as was reasonably practicable.<br />
<br />
The workmen were divided into two classes - one comprising all workmen whose<br />
wages depended on the amount of coal gotten and the other comprising all other<br />
underground and surface workmen. The claimants sued on their own behalf and on<br />
behalf of the class they respectively represented.<br />
<br />
<br />
<br />
46. In each action the claims were divisible under three heads: (1) claims for<br />
declarations upon matters in which the classes represented were alleged to have a<br />
common interest; (2) claims for damages by the individual named claimants; and (3)<br />
claims for damages by the individual members of the classes represented.<br />
Unfortunately, only a bare summary of the judgments is reported. But this records that<br />
<br />
the Court of Appeal by a majority (Bankes and Atkin LJJ, with Scrutton LJ dissenting)<br />
held that the claimants were entitled to sue in a representative capacity as regards<br />
claims that came within (1) and (2), but not as regards claims for damages by the<br />
individual members of the classes represented.<br />
<br />
<br />
<br />
47. In Prudential Assurance Co Ltd v Newman Industries Ltd [1981] Ch 229 the<br />
claimant brought a derivative action as a minority shareholder of the first defendant<br />
company claiming damages on behalf of the company against two of its directors for<br />
breach of duty and conspiracy. At the start of the hearing the claimant applied to<br />
<br />
amend its statement of claim to add a personal claim against the directors and the<br />
company, brought in a representative capacity on behalf of all the shareholders. The<br />
relief sought was a declaration that those shareholders who had suffered loss as a<br />
result of the alleged conspiracy were entitled to damages. The judge (Vinelott J)<br />
allowed the amendment. He distinguished Markt and followed David Jones v Cory Bros<br />
<br />
in holding that a representative claim for a declaration could be pursued<br />
notwithstanding that each member of the class of persons represented had a separate<br />
cause of action. Although the personal claim was later held by the Court of Appeal in<br />
Prudential Assurance Co Ltd v Newman Industries Ltd (No 2) [1981] Ch 204 at 222 to be<br />
<br />
misconceived as a matter of substantive law, the Court of Appeal cast no doubt on the<br />
use of the representative procedure.<br />
<br />
<br />
48. This decision was important in demonstrating the potential for a bifurcated<br />
process whereby issues common to the claims of a class of persons may be decided in<br />
a representative action which, if successful, can then form a basis for individual claims<br />
<br />
for redress. More generally, the Prudential case marked a welcome revival of the spirit<br />
of flexibility which characterised the old case law.<br />
<br />
<br />
(d) Claims for damages<br />
<br />
<br />
49. In the cases so far mentioned where claims were held to come within the scope<br />
<br />
of the representative rule, the relief claimed on behalf of the represented class was<br />
limited to a declaration of legal rights. It was accepted or held that the named<br />
claimants could only claim damages or other monetary relief in their personal capacity.<br />
In Markt Fletcher Moulton LJ expressed the view, at pp 1035 and 1040-1041, that<br />
damages are “a personal relief” and that:<br />
<br />
<br />
<br />
“no representative action can lie where the sole relief sought<br />
is damages, because they have to be proved separately in the<br />
case of each plaintiff, and therefore the possibility of<br />
representation ceases.”<br />
<br />
<br />
<br />
50. In many cases, of which Markt was one, it is clearly correct that the assessment<br />
of damages depends on circumstances personal to each individual claimant. In such<br />
cases it is unlikely to be practical or fair to assess damages on a common basis and<br />
without each individual claimant’s participation in the proceedings. However, this is<br />
<br />
not always so, and representative actions for damages have sometimes been allowed.<br />
For example, in the case of insurance underwritten by Lloyd’s syndicates, which are<br />
not separate legal entities, it is standard practice for a single member of the syndicate<br />
(usually the leading underwriter) to be named as a representative claimant or<br />
defendant suing, or being sued, for themselves and all the other members. There is no<br />
<br />
difficulty in awarding damages for or against the representative in such proceedings, as<br />
the calculation of any damages which the members of the syndicate are collectively<br />
entitled to recover or liable to pay does not depend on how the risk is divided among<br />
the members of the syndicate.<br />
<br />
<br />
<br />
51. In Pan Atlantic Insurance Co Ltd v Pine Top Insurance Co Ltd [1989] 1 Lloyd’s Rep<br />
568 the claimant companies sued on behalf of themselves and members of a syndicate<br />
<br />
which had reinsured on a quota share basis a proportion of the risks they had<br />
underwritten, claiming under contracts which provided excess of loss reinsurance<br />
cover for the claimants and their quota share reinsurers. The Court of Appeal rejected<br />
an argument that the claimants were not entitled to sue in a representative capacity. It<br />
made no difference that there was a dispute between one of the claimants and some<br />
<br />
members of the syndicate about the validity of the quota share reinsurance, since as<br />
Lloyd LJ said, at p 571: “the question is whether the parties have the same interest as<br />
against the defendants; not whether they have the same interest as between<br />
themselves”.<br />
<br />
<br />
<br />
52. In Irish Shipping Ltd v Commercial Union Assurance Co plc (The “Irish Rowan”)<br />
[1991] 2 QB 206 numerous insurers had subscribed in various proportions to a policy of<br />
marine insurance. The Court of Appeal accepted that, as a matter of law, each<br />
subscription constituted a separate contract of insurance (of which there were said to<br />
be 77 in all). Claims for losses allegedly covered by the policy were made by suing two<br />
<br />
of the insurers as representative defendants. The Court of Appeal rejected an<br />
argument that claims for debt or damages could not be included in a representative<br />
action, merely because they are made by numerous claimants individually or resisted<br />
by numerous defendants individually, and held that the action could continue as a<br />
<br />
representative action. While the policy terms contained a broadly worded leading<br />
underwriter clause, the presence of this clause was not essential to the decision: see<br />
Bank of America National Trust and Savings Association v Taylor (The Kyriaki) [1992] 1<br />
Lloyd’s Rep 484, 493-494; National Bank of Greece SA v Outhwaite [2001] CLC 591,<br />
para 31.<br />
<br />
<br />
<br />
53. In EMI Records Ltd v Riley [1981] 1 WLR 923, and in Independiente Ltd v Music<br />
Trading On-Line (HK) Ltd [2003] EWHC 470 (Ch), the claimants sued in a representative<br />
capacity on behalf of all members of the British Phonographic Industry Ltd (“BPI”), a<br />
trade association for the recorded music industry (and also in the latter case on behalf<br />
<br />
of Phonographic Performance Ltd), claiming damages for breach of copyright in selling<br />
pirated sound recordings. In each case the claims were allowed to proceed as<br />
representative actions. Because it was accepted or could safely be assumed that the<br />
owner of the copyright in any pirated recording was a member of the represented<br />
<br />
class, this procedure enabled breach of copyright to be proved and damages to be<br />
awarded without the need to prove which particular pirated recordings had been sold<br />
in what quantities. Again, what mattered was that the members of the class had a<br />
community of interest in suing the defendant.<br />
<br />
<br />
54. In EMI Records it was asserted, and not disputed by the defendants, that the<br />
<br />
members of the BPI had consented to all sums recovered in actions for breach of<br />
copyright being paid to the BPI: see [1981] 1 WLR 923, 925. In Independiente, however,<br />
<br />
this assertion was disputed and Morritt V-C found that there was no binding<br />
agreement that any money recovered should go to the BPI: see [2003] EWHC 470 (Ch),<br />
paras 16 and 28. He nevertheless held, at paras 28 and 39, that the claim was properly<br />
brought as a representative action, observing that what the claimants did with any<br />
damages recovered was a matter for them or between them, the BPI and the class<br />
<br />
members, and not between them and the defendants.<br />
<br />
<br />
55. Although not cited in these cases, the same point had been made long before in<br />
Warrick v Queen’s College Oxford (No 4) (1871) LR 6 Ch App 716, 726, where Lord<br />
Hatherley LC gave an example of:<br />
<br />
<br />
<br />
“classes of shareholders in a railway company who have<br />
different rights inter se, but they may all have a common<br />
enemy in the shape of a fraudulent director, and they may all<br />
join, of course, in one common suit against that director,<br />
although after the common right is established they may<br />
<br />
have a considerable litigation among themselves as to who<br />
are the persons entitled to the gains obtained through that<br />
suit.”<br />
<br />
<br />
While the right enforced in such a common suit would in modern company law be seen<br />
<br />
as a right belonging to the company itself, rather than its shareholders, it is clear from<br />
the context that Lord Hatherley had in mind a representative action brought on behalf<br />
of shareholders, as he gave this analogy to explain how in that case a representative<br />
claim could be brought on behalf of all the freehold tenants of a manor to establish<br />
common rights against the lord of the manor even though different tenants or classes<br />
<br />
of tenant had different rights as between themselves.<br />
<br />
<br />
(e) Emerald Supplies<br />
<br />
<br />
56. In giving the Court of Appeal’s judgment in the present case, the Chancellor, at<br />
[2020] QB 747, para 73, focused on Emerald Supplies Ltd v British Airways plc [2010]<br />
<br />
EWCA Civ 1284; [2011] Ch 345 as providing the latest authoritative interpretation of<br />
the representative rule. The decision in that case turned, however, on the particular<br />
way in which the class of represented persons had been defined. The claimants alleged<br />
that the defendant airline was a party to agreements or concerted practices with other<br />
<br />
airlines to fix prices for air freight charged for importing cut flowers into the UK. They<br />
claimed on behalf of all “direct or indirect purchasers of air freight services, the prices<br />
for which were inflated by the agreements or concerted practices”, a declaration that<br />
damages were recoverable in principle from the defendant by those purchasers. The<br />
<br />
Court of Appeal upheld a decision to strike out the representative claim on the basis<br />
that, in the way the class had been defined, the issue of liability would have to be<br />
decided before it could be known whether or not a person was a member of the<br />
represented class and therefore bound by the judgment: see paras 62-63 and 65. Such<br />
an approach would not be just, not least because, if the claim failed, no purchasers of<br />
<br />
air freight services apart from the named claimants would be bound by the result.<br />
<br />
<br />
57. The Court of Appeal in Emerald Supplies also considered that a second difficulty<br />
with the class definition was that the members of the represented class did not all<br />
have the same interest in the claim, as there was a conflict of interest between direct<br />
<br />
and indirect purchasers of air freight services: see paras 28-29 and 64. If it was shown<br />
that prices had been inflated by agreements or concerted practices to which the<br />
defendant was a party, it would be in the interests of direct purchasers to seek to<br />
prove that they had absorbed the higher prices in order to avoid a potential defence<br />
that they had suffered no loss because the higher prices had been passed on to<br />
<br />
“indirect purchasers” (understood to include sub-purchasers). On the other hand, it<br />
would be in the interests of such indirect purchasers to seek to prove that the higher<br />
prices had indeed been passed on to them.<br />
<br />
<br />
58. It seems to me that this second difficulty might have been avoided either by<br />
<br />
altering the class definition to exclude sub-purchasers or by following the approach<br />
adopted in Prudential of claiming a declaration that those members of the class who<br />
had suffered damage as a result of the alleged price fixing were entitled to damages.<br />
However, those possibilities do not appear to have been considered. I think that the<br />
judge in Rendlesham Estates plc v Barr Ltd [2014] EWHC 3968 (TCC); [2015] 1 WLR<br />
<br />
3663 - a case relied on by Google on this appeal - was therefore wrong to conclude<br />
from Emerald Supplies, at para 90, that “if damage is an ingredient of the cause of<br />
action a representative claim could not be maintained”. The Court of Appeal in<br />
Emerald Supplies did not doubt the correctness of the Prudential decision, where a<br />
<br />
representative claim was allowed to proceed although damage was an ingredient of<br />
the cause of action. As Professor Rachael Mulheron, a leading expert in this field, has<br />
persuasively argued, it should likewise have been possible in Emerald Supplies to adopt<br />
a bifurcated process in which the questions whether prices had been inflated by<br />
<br />
agreements or concerted practices and whether passing on was in principle available<br />
as a defence were decided in a representative action. If successful, this action could<br />
then have formed the basis for further proceedings to prove the fact and amount of<br />
damage in individual cases: see Mulheron R, “Emerald Supplies Ltd v British Airways<br />
plc; A Century Later, The Ghost of Markt Lives On” [2009] Comp Law 159, 171.<br />
<br />
<br />
<br />
<br />
<br />
<br />
(f) Commonwealth cases<br />
<br />
<br />
59. The highest courts of Australia, Canada and New Zealand have all adopted a<br />
broad and flexible approach in interpreting representative rules derived from the<br />
English rule.<br />
<br />
<br />
(i) Australia<br />
<br />
<br />
<br />
60. In Carnie v Esanda Finance Corpn Ltd (1994) 127 ALR 76 the High Court of<br />
Australia held that the fact that the claims arose under separate contracts did not<br />
prevent the named claimants and the persons represented from having “the same<br />
interest” in proceedings. It was enough to satisfy this requirement that there was a<br />
<br />
community of interest in the determination of a substantial question of law or fact that<br />
arose in the proceedings. Commenting on an argument that the representative rule<br />
was an inadequate basis for a “class action”, which required a comprehensive<br />
legislative regime, Toohey and Gaudron JJ (with whom Mason CJ, Deane and Dawson JJ<br />
generally agreed) said, at p 91:<br />
<br />
<br />
<br />
“... it is true that rule 13 lacks the detail of some other rules<br />
of court. But there is no reason to think that the Supreme<br />
Court of New South Wales lacks the authority to give<br />
directions as to such matters as service, notice and the<br />
<br />
conduct of proceedings which would enable it to monitor and<br />
finally to determine the action with justice to all concerned.<br />
The simplicity of the rule is also one of its strengths, allowing<br />
it to be treated as a flexible rule of convenience in the<br />
administration of justice and applied ‘to the exigencies of<br />
<br />
modern life as occasion requires’. The court retains the<br />
power to reshape proceedings at a later stage if they become<br />
impossibly complex or the defendant is prejudiced.”<br />
<br />
<br />
(ii) Canada<br />
<br />
<br />
<br />
61. In Western Canadian Shopping Centres Inc v Dutton [2001] 2 SCR 534, paras 38-<br />
48, the Supreme Court of Canada held that representative actions should be allowed<br />
to proceed where the following conditions are met: (1) the class is capable of clear<br />
definition; (2) there are issues of fact or law common to all class members; (3) success<br />
<br />
for one class member means success for all (although not necessarily to the same<br />
extent); and (4) the proposed representative adequately represents the interests of<br />
<br />
the class. If these conditions are met the court must also be satisfied, in the exercise of<br />
its discretion, that there are no countervailing considerations that outweigh the<br />
benefits of allowing the representative action to proceed. The Supreme Court held that<br />
the conditions were met by the claimants in Dutton, who sued as representatives of a<br />
group of investors complaining that the defendant had breached fiduciary duties to the<br />
<br />
investors by mismanaging their funds.<br />
<br />
<br />
62. Giving the judgment of the court, McLachlin CJ, at para 47, distinguished its<br />
earlier decision in General Motors of Canada Ltd v Naken [1983] 1 SCR 72, where a<br />
representative action had been disallowed. In Naken the action was brought on behalf<br />
<br />
of purchasers of new Firenza motor vehicles against the manufacturer, complaining<br />
that the quality of the vehicles had been misrepresented or was not as warranted in<br />
advertisements, other published materials and contracts which were partly oral and<br />
partly written. Damages were claimed limited to $1,000 per person. The claims were<br />
held to be unsuitable for resolution through a representative action, principally<br />
<br />
because determining both liability and damages would have required particularised<br />
evidence and fact-finding in relation to each individual purchaser.<br />
<br />
<br />
63. McLachlin CJ also commented, at para 46, that over the period since Naken was<br />
decided the benefits of class actions had become manifest. She identified, at paras 27-<br />
<br />
29, three important advantages which such actions offer over a multiplicity of<br />
individual suits: (1) avoiding unnecessary duplication in fact-finding and legal analysis;<br />
(2) making economical the prosecution of claims that would otherwise be too costly to<br />
prosecute individually; and (3) serving efficiency and justice by ensuring that actual<br />
and potential wrongdoers who cause widespread but individually minimal harm take<br />
<br />
into account the full costs of their conduct.<br />
<br />
<br />
64. McLachlin CJ further observed, at para 34, that, while it would clearly be<br />
advantageous if there existed a comprehensive legislative framework regulating class<br />
actions, in its absence “the courts must fill the void”.<br />
<br />
<br />
<br />
(iii) New Zealand<br />
<br />
<br />
65. The Supreme Court of New Zealand has recently considered the use of the<br />
representative procedure in Southern Response Earthquake Services Ltd v Ross [2020]<br />
NZSC 126. This was a representative action brought on behalf of some 3,000<br />
<br />
policyholders who had settled insurance claims for damage to their homes caused by<br />
earthquakes in the Canterbury region of New Zealand. The claimants alleged that the<br />
policyholders had been misled by the insurers about the cost of remedying the<br />
damage, with the result that they had settled their claims on a less favourable basis<br />
<br />
than otherwise would have been the case. The insurers did not oppose the action<br />
being brought on a representative basis, but argued that the class represented should<br />
be limited to policyholders who completed a form electing to opt into the proceedings.<br />
It was agreed that the proceedings would need to be heard in two stages. The first<br />
stage would deal with issues common to all members of the represented class. If the<br />
<br />
claimants succeeded at that stage in whole or in part, there would need to be a second<br />
stage, in which questions of relief were addressed. It was also agreed that, at the<br />
second stage, it would be necessary for all of the policyholders represented to take<br />
active steps - that is, to opt in - if they wished to establish their individual claims.<br />
<br />
<br />
<br />
66. The New Zealand Supreme Court affirmed the decision of the Court of Appeal<br />
that the claim should be allowed to continue on an opt out basis. In doing so, the<br />
Supreme Court rejected an argument that it should not develop an opt out regime in<br />
the absence of a statutory framework and gave guidance on various matters relating to<br />
supervision of opt out representative proceedings.<br />
<br />
<br />
<br />
(g) Principles governing use of the representative procedure<br />
<br />
<br />
67. Although the world has changed out of all recognition since the representative<br />
procedure was devised by the Court of Chancery, it has done so in ways which have<br />
made the problems to which the procedure provided a solution more common and<br />
<br />
often vastly bigger in scale. The mass production of goods and mass provision of<br />
services have had the result that, when legally culpable conduct occurs, a very large<br />
group of people, sometimes numbering in the millions, may be affected. As the<br />
present case illustrates, the development of digital technologies has added to the<br />
potential for mass harm for which legal redress may be sought. In such cases it is<br />
<br />
necessary to reconcile, on the one hand, the inconvenience or complete impracticality<br />
of litigating multiple individual claims with, on the other hand, the inconvenience or<br />
complete impracticality of making every prospective claimant (or defendant) a party to<br />
a single claim. The only practical way to “come at justice” is to combine the claims in a<br />
<br />
single proceeding and allow one or more persons to represent all others who share the<br />
same interest in the outcome. When trying all the individual claims is not feasible, the<br />
adages of Lord Eldon quoted by Lord Macnaghten in Ellis remain as pertinent as ever:<br />
that it is better to go as far as possible towards justice than to deny it altogether and<br />
<br />
that, if you cannot realistically make everybody interested a party, you should ensure<br />
that those who are parties will “fairly and honestly try the right”.<br />
<br />
<br />
68. I agree with the highest courts of Australia, Canada and New Zealand that, while<br />
a detailed legislative framework would be preferable, its absence (outside the field of<br />
competition law) in this country is no reason to decline to apply, or to interpret<br />
<br />
restrictively, the representative rule which has long existed (and has had a legislative<br />
basis since 1873). I also agree with the view expressed in Carnie that the very simplicity<br />
of the representative rule is in some respects a strength, allowing it to be treated as “a<br />
flexible tool of convenience in the administration of justice” and “applied to the<br />
exigencies of modern life as occasion requires”.<br />
<br />
<br />
(i) The “same interest” requirement<br />
<br />
<br />
<br />
69. In its current form in CPR rule 19.6 the rule imposes no limit (either as a<br />
minimum or maximum) on the number of people who may be represented. Only one<br />
condition must be satisfied before a representative claim may be begun or allowed to<br />
continue: that is, that the representative has “the same interest” in the claim as the<br />
<br />
person(s) represented.<br />
<br />
<br />
70. The phrase “the same interest” is capable of bearing a range of meanings and<br />
requires interpretation. In interpreting the phrase, reference has often been made to<br />
Lord Macnaghten’s statement in Ellis (quoted at para 38 above) that: “Given a<br />
common interest and a common grievance, a representative suit was in order if the<br />
<br />
relief sought was in its nature beneficial to all whom the plaintiff proposed to<br />
represent.” This statement has sometimes been treated as if it were a definition<br />
imposing a tripartite test: see eg Smith v Cardiff Corpn [1954] 1 QB 210. Such an<br />
approach seems to me misguided. It is clear from the context that Lord Macnaghten<br />
<br />
was not attempting to define “the same interest”, but to convey how limiting the rule<br />
to persons having a beneficial proprietary interest in the claim would be contrary to<br />
the old practice in the Court of Chancery. More profoundly, such a reading of Lord<br />
Macnaghten’s speech shows precisely the rigidity of approach to the application of the<br />
representative rule which he disparaged.<br />
<br />
<br />
<br />
71. The phrase “the same interest”, as it is used in the representative rule, needs to<br />
be interpreted purposively in light of the overriding objective of the civil procedure<br />
rules and the rationale for the representative procedure. The premise for a<br />
representative action is that claims are capable of being brought by (or against) a<br />
<br />
number of people which raise a common issue (or issues): hence the potential and<br />
motivation for a judgment which binds them all. The purpose of requiring the<br />
representative to have “the same interest” in the claim as the persons represented is<br />
to ensure that the representative can be relied on to conduct the litigation in a way<br />
<br />
which will effectively promote and protect the interests of all the members of the<br />
represented class. That plainly is not possible where there is a conflict of interest<br />
between class members, in that an argument which would advance the cause of some<br />
would prejudice the position of others. Markt and Emerald Supplies are both examples<br />
of cases where it was found that the proposed representative action, as formulated,<br />
<br />
could not be maintained for this reason.<br />
<br />
72. As Professor Adrian Zuckerman has observed in his valuable book on civil<br />
procedure, however, a distinction needs to be drawn between cases where there are<br />
conflicting interests between class members and cases where there are merely<br />
divergent interests, in that an issue arises or may well arise in relation to the claims of<br />
(or against) some class members but not others. So long as advancing the case of class<br />
<br />
members affected by the issue would not prejudice the position of others, there is no<br />
reason in principle why all should not be represented by the same person: see<br />
Zuckerman on Civil Procedure: Principles of Practice, 4th ed (2021), para 13.49. As<br />
Professor Zuckerman also points out, concerns which may once have existed about<br />
<br />
whether the representative party could be relied on to pursue vigorously lines of<br />
argument not directly applicable to their individual case are misplaced in the modern<br />
context, where the reality is that proceedings brought to seek collective redress are<br />
not normally conducted and controlled by the nominated representative, but rather<br />
are typically driven and funded by lawyers or commercial litigation funders with the<br />
<br />
representative party merely acting as a figurehead. In these circumstances, there is no<br />
reason why a representative party cannot properly represent the interests of all<br />
members of the class, provided there is no true conflict of interest between them.<br />
<br />
<br />
73. This purposive and pragmatic interpretation of the requirement is exemplified<br />
<br />
by The “Irish Rowan”, where Staughton LJ, at pp 227-228, noted that some of the<br />
insurers might wish to resist the claim on a ground that was not available to others. He<br />
rightly did not regard that circumstance as showing that all the insurers did not have<br />
“the same interest” in the action, or that it was not within the rule, and had “no<br />
qualms about a proceeding which allows that ground to be argued on their behalf by<br />
<br />
others”.<br />
<br />
<br />
74. Even if it were considered inconsistent with the “same interest” requirement, or<br />
otherwise inappropriate, for a single person to represent two groups of people in<br />
relation to whom different issues arise although there is no conflict of interest<br />
<br />
between them, any procedural objection could be overcome by bringing two (or more)<br />
representative claims, each with a separate representative claimant or defendant, and<br />
combining them in the same action.<br />
<br />
<br />
(ii) The court’s discretion<br />
<br />
<br />
<br />
75. Where the same interest requirement is satisfied, the court has a discretion<br />
whether to allow a claim to proceed as a representative action. As with any power<br />
given to it by the Civil Procedure Rules, the court must in exercising its discretion seek<br />
to give effect to the overriding objective of dealing with cases justly and at<br />
proportionate cost: see CPR rule 1.2(a). Many of the considerations specifically<br />
<br />
included in that objective (see CPR rule 1.1(2)) - such as ensuring that the parties are<br />
on an equal footing, saving expense, dealing with the case in ways which are<br />
proportionate to the amount of money involved, ensuring that the case is dealt with<br />
expeditiously and fairly, and allotting to it an appropriate share of the court’s<br />
resources while taking into account the need to allot resources to other cases - are<br />
likely to militate in favour of allowing a claim, where practicable, to be continued as a<br />
<br />
representative action rather than leaving members of the class to pursue claims<br />
individually.<br />
<br />
<br />
76. Four further features of the representative rule deserve mention.<br />
<br />
<br />
(iii) No requirement of consent<br />
<br />
<br />
<br />
77. First, as the ability to act as a representative under the rule does not depend on<br />
the consent of the persons represented but only on community of interest between<br />
them, there is ordinarily no need for a member of the represented class to take any<br />
positive step, or even to be aware of the existence of the action, in order to be bound<br />
by the result. The rule does not confer a right to opt out of the proceedings (though a<br />
<br />
person could, at least in theory, apply to the court for a direction under rule 19.6(3)<br />
that the named claimant (or defendant) may not represent them or under rule 19.6(4)<br />
that any judgment given will not be binding on them). It is, however, always open to<br />
the judge managing the case to impose a requirement to notify members of the class<br />
<br />
of the proceedings and establish a simple procedure for opting out of representation, if<br />
this is considered desirable. Equally, if there are circumstances which make it<br />
appropriate to limit the represented class to persons who have positively opted into<br />
the litigation, it is open to the judge to make this a condition of representation. The<br />
procedure is entirely flexible in these respects.<br />
<br />
<br />
<br />
(iv) The class definition<br />
<br />
<br />
78. Second, while it is plainly desirable that the class of persons represented should<br />
be clearly defined, the adequacy of the definition is a matter which goes to the court’s<br />
discretion in deciding whether it is just and convenient to allow the claim to be<br />
<br />
continued on a representative basis rather than being a precondition for the<br />
application of the rule. Emerald Supplies illustrates a general principle that<br />
membership of the class should not depend on the outcome of the litigation. Beyond<br />
that, whether or to what extent any practical difficulties in identifying the members of<br />
<br />
the class are material must depend on the nature and object of the proceedings. In<br />
Duke of Bedford v Ellis, for example, it did not matter that the number and identities of<br />
growers of fruit etc would have been difficult if not impossible to ascertain or that the<br />
class was a fluctuating one: given that the aim was to establish whether anyone who<br />
<br />
was a grower had preferential rights, all that mattered was that there would be no real<br />
difficulty in determining whether a particular person who claimed a preferential right<br />
to a vacant stand at Covent Garden was a grower or not: see [1901] AC 1 at 11. In<br />
some cases, however, for example where the viability of a claim for damages depends<br />
on demonstrating the size of the class or who its members are, such practical<br />
<br />
difficulties might well be significant.<br />
<br />
<br />
(v) Liability for costs<br />
<br />
<br />
79. Third, as persons represented by a representative claimant or defendant will<br />
not normally themselves have been joined as parties to the claim, they will not<br />
<br />
ordinarily be liable to pay any costs incurred by the representative in pursuing (or<br />
defending) the claim. That does not prevent the court, if it is in the interests of justice<br />
to do so, from making an order requiring a represented person to pay or contribute to<br />
costs and giving permission for the order to be enforced against that person pursuant<br />
to CPR rule 19.6(4)(b). Alternatively, such an order could be made pursuant to the<br />
<br />
general jurisdiction of the court to make costs orders against non-parties. It is difficult,<br />
however, to envisage circumstances in which it could be just to order a represented<br />
person to contribute to costs incurred by a claimant in bringing a representative claim<br />
which the represented person did not authorise. On the other hand, a commercial<br />
<br />
litigation funder who finances unsuccessful proceedings is likely to be ordered to pay<br />
the successful party’s costs at least to the extent of the funding: see Davey v Money<br />
[2020] EWCA Civ 246; [2020] 1 WLR 1751. That principle is no less applicable where the<br />
proceedings financed are a representative action.<br />
<br />
<br />
(vi) The scope for claiming damages<br />
<br />
<br />
<br />
80. Finally, as already discussed, it is not a bar to a representative claim that each<br />
represented person has in law a separate cause of action nor that the relief claimed<br />
consists of or includes damages or some other monetary relief. The potential for<br />
claiming damages in a representative action is, however, limited by the nature of the<br />
<br />
remedy of damages at common law. What limits the scope for claiming damages in<br />
representative proceedings is the compensatory principle on which damages for a civil<br />
wrong are awarded with the object of putting the claimant - as an individual - in the<br />
same position, as best money can do it, as if the wrong had not occurred. In the<br />
<br />
ordinary course, this necessitates an individualised assessment which raises no<br />
common issue and cannot fairly or effectively be carried out without the participation<br />
in the proceedings of the individuals concerned. A representative action is therefore<br />
not a suitable vehicle for such an exercise.<br />
<br />
<br />
<br />
81. In cases where damages would require individual assessment, there may<br />
nevertheless be advantages in terms of justice and efficiency in adopting a bifurcated<br />
process - as was done, for example, in the Prudential case - whereby common issues of<br />
law or fact are decided through a representative claim, leaving any issues which<br />
require individual determination - whether they relate to liability or the amount of<br />
<br />
damages - to be dealt with at a subsequent stage of the proceedings. In Prudential<br />
[1981] Ch 229, 255, Vinelott J expressed the view (obiter) that time would continue to<br />
run for the purpose of limitation until individual claims for damages were brought by<br />
the persons represented; see also the dicta of Fletcher Moulton LJ in Markt [1910] 2 KB<br />
<br />
1021, 1042, referred to at para 44 above. The court in Prudential did not have cited to<br />
it, however, the decision of the Court of Appeal in Moon v Atherton [1972] 2 QB 435. In<br />
that case a represented person applied to be substituted for the named claimant after<br />
the limitation period had expired when the claimant (and all the other represented<br />
persons) no longer wished to continue the action. The Court of Appeal, in allowing the<br />
<br />
substitution, held that the defendant was not thereby deprived of a limitation defence,<br />
as for the purpose of limitation the represented person was already a party to the<br />
action, albeit not a “full” party. It might be clearer to say that, although the<br />
represented person did not become a “party” until substituted as the claimant, an<br />
<br />
action was brought within the meaning of the statute of limitation by that person<br />
when the representative claim was initiated. Such an analysis has been adopted in<br />
Australia, including by the New South Wales Court of Appeal in Fostif Pty Ltd v<br />
Campbells Cash & Carry Pty Ltd [2005] NSWCA 83; (2005) 63 NSWLR 203, and by the<br />
New Zealand Supreme Court in Credit Suisse Private Equity v Houghton [2014] NZSC 37.<br />
<br />
<br />
<br />
82. There is no reason why damages or other monetary remedies cannot be<br />
claimed in a representative action if the entitlement can be calculated on a basis that is<br />
common to all the members of the class. Counsel for the claimant, Hugh Tomlinson<br />
QC, gave the example of a claim alleging that every member of the class was wrongly<br />
<br />
charged a fixed fee; another example might be a claim alleging that all the class<br />
members acquired the same product with the same defect which reduced its value by<br />
the same amount. In such cases the defendant’s monetary liability could be<br />
determined as a common issue and no individualised assessment would be needed.<br />
<br />
The same is true where loss suffered by the class as a whole can be calculated without<br />
reference to the losses suffered by individual class members - as in the cases<br />
mentioned at para 53 above. Such an assessment of loss on a global basis is sometimes<br />
described as a “top down” approach, in contrast to a “bottom up” approach of<br />
assessing a sum which each member of the class is individually entitled to recover.<br />
<br />
<br />
<br />
83. The recovery of money in a representative action on either basis may give rise<br />
to problems of distribution to the members of the class, about which the<br />
representative rule is silent. Although in Independiente Morritt V-C was untroubled by<br />
such problems, questions of considerable difficulty would arise if in the present case<br />
<br />
the claimant was awarded damages in a representative capacity with regard to how<br />
such damages should be distributed, including whether there would be any legal basis<br />
for paying part of the damages to the litigation funders without the consent of each<br />
individual entitled to them: see Mulheron R, “Creating and Distributing Common Funds<br />
under the English Representative Rule” (2021) King’s Law Journal 1-33. Google has not<br />
<br />
relied on such difficulties as a reason for disallowing a representative action, however,<br />
and as these matters were only touched on in argument, I will say no more about<br />
them.<br />
<br />
<br />
E. THE REPRESENTATIVE CLAIM IN THIS CASE<br />
<br />
<br />
<br />
84. In the present case I could see no legitimate objection to a representative claim<br />
brought to establish whether Google was in breach of the DPA 1998 and, if so, seeking<br />
a declaration that any member of the represented class who has suffered damage by<br />
reason of the breach is entitled to be paid compensation. The individual claims that<br />
could theoretically have been brought by each iPhone user who was affected by the<br />
<br />
Safari workaround clearly raise common issues; and it is not suggested that there is<br />
any conflict of interest among the members of the represented class. For the purpose<br />
of CPR rule 19.6(1), all would therefore have the same interest in such a claim as the<br />
representative claimant. There is no suggestion that Mr Lloyd is an unsuitable person<br />
<br />
to act in that capacity. Although Google has argued that there would be practical<br />
difficulties in identifying whether an individual falls within the class definition, even on<br />
Google’s evidence it is evident that the number of people affected by the Safari<br />
workaround was extremely large and it is unclear at this stage of the litigation how<br />
serious the difficulties of proof would actually be. Moreover, even if only a few<br />
<br />
individuals were ultimately able to obtain compensation on the basis of a declaratory<br />
judgment, I cannot see why that should provide a reason for refusing to allow a<br />
representative claim to proceed for the purpose of establishing liability.<br />
<br />
<br />
85. The claimant has not proposed such a bifurcated process, however. That is<br />
<br />
doubtless because success in the first, representative stage of such a process would<br />
not itself generate any financial return for the litigation funders or the persons<br />
represented. Funding the proceedings could therefore only be economic if pursuing<br />
separate damages claims on behalf of those individuals who opted into the second<br />
<br />
stage of the process would be economic. For the reasons discussed at paras 25-28<br />
above and emphasised in argument by counsel for the claimant, it clearly would not. In<br />
practice, therefore, as both courts below accepted, a representative action for<br />
damages is the only way in which the claims can be pursued.<br />
<br />
<br />
<br />
<br />
<br />
(1) The formulation of the claim for damages<br />
<br />
<br />
86. In formulating the claim made in this action, the claimant has not adopted the<br />
“top down” approach of claiming compensation for damage suffered by the class as a<br />
whole without reference to the entitlements of individual class members. The claim<br />
advanced is for damages calculated from the “bottom up”. The way in which the<br />
<br />
claimant seeks to obviate the need for individualised assessment is by claiming<br />
damages for each class member on what is described as a “uniform per capita basis”.<br />
<br />
<br />
87. The difficulty facing this approach is that the effect of the Safari workaround<br />
was obviously not uniform across the represented class. No challenge is or could<br />
<br />
reasonably be made to the judge’s findings, at [2018] EWHC 2599 (QB); [2019] 1 WLR<br />
1265, para 91, that:<br />
<br />
<br />
“… some affected individuals were ‘super users’ - heavy<br />
internet users. They will have been ‘victims’ of multiple<br />
breaches, with considerable amounts of [browser generated<br />
<br />
information] taken and used throughout the Relevant Period.<br />
Others will have engaged in very little internet activity.<br />
Different individuals will have had different kinds of<br />
information taken and used. No fewer than 17 categories of<br />
<br />
personal data are identified in the claim documents. The<br />
specified categories of data vary in their sensitivity, some of<br />
them being ‘sensitive personal data’ within the meaning of<br />
the section 2 of the DPA (such as sexuality, or ethnicity). …<br />
But it is not credible that all the specified categories of data<br />
<br />
were obtained by Google from each represented claimant. …<br />
The results of the acquisition and use will also have varied<br />
according to the individual, and their attitudes towards the<br />
acquisition, disclosure and use of the information in<br />
<br />
question.”<br />
<br />
<br />
If liability is established, the ordinary application of the compensatory principle would<br />
therefore result in different awards of compensation to different individuals.<br />
Furthermore, the amount of any compensation recoverable by any member of the<br />
<br />
class would depend on a variety of circumstances particular to that individual.<br />
Individualised assessment of damages would therefore be required.<br />
<br />
<br />
88. The claimant seeks to overcome this difficulty in one or other of two ways. Both<br />
rely on the proposition that an individual is entitled to compensation for any<br />
(non-trivial) contravention of the DPA 1998 without the need to prove that the individual<br />
suffered any financial loss or distress. On that footing it is argued, first of all, that<br />
general damages can be awarded on a uniform per capita basis to each member of the<br />
represented class without the need to prove any facts particular to that individual. The<br />
draft particulars of claim plead that the uniform sum awarded should reflect “the<br />
<br />
serious nature of the breach, in particular (but non-exhaustively):<br />
<br />
<br />
“(a) The lack of consent or knowledge of the<br />
Representative Claimant and each member of the Claimant<br />
Class to the defendant’s collection and use of their personal<br />
<br />
data.<br />
<br />
<br />
(b) The fact that such collection and use was contrary to<br />
the defendant’s public statements.<br />
<br />
<br />
(c) The fact that such collection and use was greatly to<br />
the commercial benefit of the defendant.<br />
<br />
<br />
<br />
(d) The fact that the defendant knew or ought to have<br />
known of the operation of the Safari Workaround from a very<br />
early stage during the Relevant Period. …”<br />
<br />
<br />
I interpose that factor (c), although no doubt true in relation to the class as a whole,<br />
<br />
plainly could not in fact be established in relation to any individual class member<br />
without evidence of what use, if any, was actually made of personal data of that<br />
individual by Google. If there is to be no individualised assessment, this factor must<br />
therefore be left out of account.<br />
<br />
<br />
<br />
89. The alternative case pleaded is that each member of the class is entitled to<br />
damages assessed as an amount which they could reasonably have charged for<br />
releasing Google from the duties which it breached. Again, it is contended that such<br />
damages should be assessed on a uniform per capita basis, “reflecting the generalised<br />
standard terms (rather than individuated basis) on which [Google] does business”.<br />
<br />
<br />
<br />
(2) Section 13 of the DPA 1998<br />
<br />
<br />
90. The claim for compensation made in the present case is founded (exclusively)<br />
on section 13 of the DPA 1998. This provides:<br />
<br />
“(1) An individual who suffers damage by reason of any<br />
contravention by a data controller of any of the requirements<br />
of this Act is entitled to compensation from the data<br />
controller for that damage.<br />
<br />
<br />
(2) An individual who suffers distress by reason of any<br />
<br />
contravention by a data controller of any of the requirements<br />
of this Act is entitled to compensation from the data<br />
controller for that distress if -<br />
<br />
<br />
(a) the individual also suffers damage by reason of the<br />
<br />
contravention, or<br />
<br />
<br />
(b) the contravention relates to the processing of<br />
personal data for the special purposes.<br />
<br />
<br />
(3) In proceedings brought against a person by virtue of<br />
this section it is a defence to prove that he had taken such<br />
<br />
care as in all the circumstances was reasonably required to<br />
comply with the requirement concerned.”<br />
<br />
<br />
91. Section 13 was intended to implement article 23 of the Data Protection<br />
Directive. This stated:<br />
<br />
<br />
<br />
“1. Member states shall provide that any person who has<br />
suffered damage as a result of an unlawful processing<br />
operation or of any act incompatible with the national<br />
provisions adopted pursuant to this Directive is entitled to<br />
<br />
receive compensation from the controller for the damage<br />
suffered.<br />
<br />
<br />
2. The controller may be exempted from this liability, in<br />
whole or in part, if he proves that he is not responsible for<br />
the event giving rise to the damage.”<br />
<br />
<br />
<br />
92. Two initial points can be made about the wording and structure of section 13.<br />
First, to recover compensation under this provision it is not enough to prove a breach<br />
by a data controller of its statutory duty under section 4(4) of the Act: an individual is<br />
<br />
only entitled to compensation under section 13 where “damage” - or in some<br />
circumstances “distress” - is suffered as a consequence of such a breach of duty.<br />
Second, it is plain from subsection (2) that the term “damage” as it is used in section<br />
13 does not include “distress”. The term “material damage” is sometimes used to<br />
describe any financial loss or physical or psychological injury, but excluding distress (or<br />
<br />
other negative emotions not amounting to a recognised psychiatric illness): see eg<br />
Watkins v Secretary of State for the Home Department [2006] UKHL 17; [2006] 2 AC<br />
395, para 7. Adopting this terminology, on a straightforward interpretation the term<br />
“damage” in section 13 refers only to material damage and compensation can only be<br />
<br />
recovered for distress if either of the two conditions set out in subsection (2) is met.<br />
<br />
<br />
(3) Vidal-Hall v Google Inc<br />
<br />
<br />
93. The effect of section 13 was considered by the Court of Appeal in Vidal-Hall v<br />
Google Inc [2016] QB 1003 on facts which, in terms of the generic allegations made,<br />
were identical to those on which the present claim is based. The three claimants<br />
<br />
sought damages arising out of the Safari workaround on two alternative bases: (1) at<br />
common law for misuse of private information; and (2) under section 13 of the DPA<br />
1998. As in the present case, permission to serve the proceedings outside the<br />
jurisdiction was opposed by Google. The main issues raised were: (1) whether misuse<br />
<br />
of private information is a tort for the purpose of the rules providing for service out of<br />
the jurisdiction; and (2) whether compensation can be recovered for distress under<br />
section 13 of the DPA 1998 in the absence of financial loss. The judge decided both<br />
issues in the claimants’ favour and the Court of Appeal affirmed that decision, for<br />
reasons given in a judgment written by Lord Dyson MR and Sharp LJ, with which<br />
<br />
Macfarlane LJ agreed.<br />
<br />
<br />
94. On the second issue Google submitted that, as discussed above, the term<br />
“damage” in section 13 must mean material damage, which for practical purposes<br />
limits its scope to financial loss. Hence section 13(2) has the effect that an individual<br />
<br />
may only recover compensation for distress suffered by reason of a contravention by a<br />
data controller of a requirement of the Act if either (a) the contravention also causes<br />
the individual to suffer financial loss or (b) the contravention relates to the processing<br />
of personal data for “special purposes” - which are defined as journalistic, artistic or<br />
<br />
literary purposes (see section 3). It was not alleged that either of those conditions was<br />
satisfied in the Vidal-Hall case.<br />
<br />
<br />
95. The Court of Appeal accepted that section 13(2) does indeed have this meaning<br />
but held that this makes it incompatible with article 23 of the Data Protection<br />
Directive, which section 13 of the DPA 1998 was meant to implement. This is because<br />
<br />
the word “damage” in article 23 is to be interpreted as including distress, which is the<br />
primary form of damage likely to be caused by an invasion of data privacy; and article<br />
23 does not permit national laws to restrict the right to receive compensation for<br />
“damage” where it takes the form of distress. The Court of Appeal considered whether<br />
it is possible to interpret section 13 in a way which achieves the result sought by the<br />
Directive, but concluded that the words of section 13 are not capable of being<br />
<br />
interpreted in such a way and that the limits set by Parliament to the right to<br />
compensation for breaches of the DPA 1998 are a fundamental feature of the UK<br />
legislative scheme. In the words of Lord Dyson MR and Sharp LJ in their joint judgment,<br />
at para 93, if the court were to disapply the limits on the right to compensation for<br />
<br />
distress set out in section 13(2), “the court would, in effect, be legislating against the<br />
clearly expressed intention of Parliament on an issue that was central to the scheme as<br />
a whole”.<br />
<br />
<br />
96. The Court of Appeal nevertheless held that section 13(2) should be disapplied<br />
on the ground that it conflicts with articles 7 and 8 of the Charter of Fundamental<br />
<br />
Rights of the European Union (“the EU Charter”). Article 7 of the EU Charter is in<br />
materially similar terms to article 8 of the European Convention for the Protection of<br />
Human Rights and Fundamental Freedoms (“the Convention”) and provides that<br />
“[e]veryone has the right to respect for his or her private and family life, home and<br />
<br />
communications”. Article 8(1) provides that “[e]veryone has the right to the protection<br />
of personal data concerning him or her”. In addition, article 47 requires that<br />
“[e]veryone whose rights and freedoms guaranteed by the law of the Union are<br />
violated has the right to an effective remedy before a tribunal …”. The Court of Appeal<br />
decided that, in order to provide an effective remedy for the rights guaranteed by<br />
<br />
articles 7 and 8 of the EU Charter, it was necessary that national law should give effect<br />
to the obligation under article 23 of the Data Protection Directive to provide a right to<br />
receive compensation from the data controller for any damage, including distress,<br />
suffered as a result of an unlawful processing operation. That result could and should<br />
<br />
be achieved by disapplying section 13(2) of the DPA 1998, thus enabling section 13(1)<br />
to be interpreted compatibly with article 23: see [2016] QB 1003, para 105.<br />
<br />
<br />
(4) Misuse of private information<br />
<br />
<br />
97. The Court of Appeal in Vidal-Hall also held that the claims for damages for<br />
<br />
misuse of private information made by the claimants in that case were properly<br />
classified as claims in tort for the purpose of service out of the jurisdiction and had a<br />
real prospect of success. As described at paras 18-25 of the judgment, the tort of<br />
misuse of private information evolved out of the equitable action for breach of<br />
confidence, influenced by the protection of the right to respect for private life<br />
<br />
guaranteed by article 8 of the Convention. The critical step in its emergence as a<br />
distinct basis for a claim was the identification of privacy of information as worthy of<br />
protection in its own right, irrespective of whether the information was imparted in<br />
circumstances which give rise to a duty of confidence: see Campbell v MGN Ltd [2004]<br />
UKHL 22; [2004] 2 AC 457. As Lord Hoffmann put it in Campbell, at para 50:<br />
<br />
<br />
“What human rights law has done is to identify private<br />
information as something worth protecting as an aspect of<br />
<br />
human autonomy and dignity.”<br />
<br />
<br />
98. The complaint in Campbell was about the publication of private information.<br />
Lord Nicholls of Birkenhead described the “essence of the tort”, at para 14, as “misuse<br />
of private information”. He also noted, however, at para 15, that an individual’s privacy<br />
<br />
can be invaded in ways not involving publication of information, and subsequent cases<br />
have held that intrusion on privacy, without any misuse of information, is actionable:<br />
see PJS v News Group Newspapers Ltd [2016] UKSC 26; [2016] 2 AC 1081, paras 58-60.<br />
It is misuse of information, however, which is primarily relevant in this case, and I shall<br />
generally - as counsel did in argument - use the label for the tort of “misuse of private<br />
<br />
information”.<br />
<br />
<br />
99. To establish liability for misuse of private information (or other wrongful<br />
invasion of privacy), it is necessary to show that there was a reasonable expectation of<br />
privacy in the relevant matter. As the Court of Appeal (Sir Anthony Clarke MR, Laws<br />
<br />
and Thomas LJJ) explained in upholding a claim to restrain the publication of<br />
photographs taken in a public place of the child of the well-known author, JK Rowling,<br />
in Murray v Express Newspapers plc [2008] EWCA Civ 446; [2009] Ch 481, para 36:<br />
<br />
<br />
“… the question whether there is a reasonable expectation of<br />
privacy is a broad one, which takes account of all the<br />
<br />
circumstances of the case. They include the attributes of the<br />
claimant, the nature of the activity in which the claimant was<br />
engaged, the place at which it was happening, the nature and<br />
purpose of the intrusion, the absence of consent and<br />
<br />
whether it was known or could be inferred, the effect on the<br />
claimant and the circumstances in which and the purposes<br />
for which the information came into the hands of the<br />
publisher.”<br />
<br />
<br />
<br />
If this test is met, in cases where freedom of expression is involved the court must then<br />
undertake a “balancing exercise” to decide whether in all the circumstances the<br />
interests of the owner of the private information must yield to the right to freedom of<br />
expression conferred on the publisher by article 10 of the Convention: see eg<br />
McKennitt v Ash [2006] EWCA Civ 1714; [2008] QB 73, para 9.<br />
<br />
<br />
(5) Gulati v MGN Ltd<br />
<br />
<br />
100. The measure of damages for wrongful invasion of privacy was considered in<br />
depth in Gulati v MGN Ltd [2015] EWHC 1482 (Ch); [2016] FSR 12 and [2015] EWCA Civ<br />
<br />
1291; [2017] QB 149 by Mann J and by the Court of Appeal. The eight test claimants in<br />
that case were individuals in the public eye whose mobile phones were hacked by<br />
newspapers, leading in some instances to the publication of articles containing<br />
information obtained by this means. The newspapers admitted liability for breach of<br />
<br />
privacy but disputed the amount of damages. Their main argument of principle was<br />
that (in the absence of material damage) all that could be compensated for was<br />
distress caused by their unlawful activities: see [2016] FSR 12, para 108. The judge<br />
rejected that argument. He said, at para 111, that he did not see why “distress (or<br />
some similar emotion), which would admittedly be a likely consequence of an invasion<br />
<br />
of privacy, should be the only touchstone for damages”. In his view:<br />
<br />
<br />
“While the law is used to awarding damages for injured<br />
feelings, there is no reason in principle … why it should not<br />
also make an award to reflect infringements of the right<br />
<br />
itself, if the situation warrants it.”<br />
<br />
<br />
101. The judge referred to cases in which damages have been awarded to very young<br />
children (only ten months or one year old) for misuse of private information by<br />
publishing photographs of them even though, because of their age, they could not<br />
have suffered any distress: see AAA v Associated Newspapers Ltd [2012] EWHC 2103<br />
<br />
(QB); [2013] EMLR 2; and Weller v Associated Newspapers Ltd [2014] EWHC 1163 (QB);<br />
[2014] EMLR 24. He concluded, at para 144:<br />
<br />
<br />
“I shall therefore approach the consideration of quantum in<br />
this case on the footing that compensation can be given for<br />
<br />
things other than distress, and in particular can be given for<br />
the commission of the wrong itself so far as that commission<br />
impacts on the values protected by the right.”<br />
<br />
<br />
Later in the judgment, at para 168, the judge referred back to his finding that:<br />
<br />
<br />
“the damages should compensate not merely for distress …,<br />
but should also compensate (if appropriate) for the loss of<br />
privacy or autonomy as such arising out [of] the infringement<br />
by hacking (or other mechanism) as such.”<br />
<br />
<br />
102. The Court of Appeal affirmed this decision: [2015] EWCA Civ 1291; [2017] QB<br />
<br />
149. Arden LJ (with whom Rafferty and Kitchin LJJ agreed) held, at para 45, that:<br />
<br />
<br />
“the judge was correct to conclude that the power of the<br />
court to grant general damages was not limited to distress<br />
and could be exercised to compensate the claimants also for<br />
<br />
the misuse of their private information. The essential<br />
principle is that, by misusing their private information, MGN<br />
deprived the claimants of their right to control the use of<br />
private information.”<br />
<br />
<br />
Arden LJ justified this conclusion, at para 46, on the basis that:<br />
<br />
<br />
<br />
“Privacy is a fundamental right. The reasons for having the<br />
right are no doubt manifold. Lord Nicholls of Birkenhead put<br />
it very succinctly in Campbell v MGN Ltd [2004] 2 AC 457,<br />
para 12: ‘[Privacy] lies at the heart of liberty in a modern<br />
<br />
state. A proper degree of privacy is essential for the well-<br />
being and development of an individual.’”<br />
<br />
<br />
103. The Court of Appeal in Gulati rejected a submission, also rejected by the judge,<br />
that granting damages for the fact of intrusion into a person’s privacy independently of<br />
<br />
any distress caused is inconsistent with the holding of this court in R (WL (Congo)) v<br />
Secretary of State for the Home Department [2011] UKSC 12; [2012] 1 AC 245, paras<br />
97-100, that vindicatory damages are not available as a remedy for violation of a<br />
private right. As Arden LJ pointed out at para 48, no question arose of awarding<br />
vindicatory damages of the kind referred to in WL (Congo), which have been awarded<br />
<br />
in some constitutional cases appealed to the Privy Council “to reflect the sense of<br />
public outrage, emphasise the importance of the constitutional right and the gravity of<br />
the breach, and deter further breaches”: see WL (Congo), para 98; Attorney General of<br />
Trinidad and Tobago v Ramanoop [2005] UKPC 15; [2006] 1 AC 328, para 19. Rather,<br />
<br />
the purpose of the relevant part of the awards made in Gulati was “to compensate for<br />
the loss or diminution of a right to control formerly private information”.<br />
<br />
<br />
104. Mann J’s reference to “loss of privacy or autonomy” and the Court of Appeal’s<br />
explanation that the claimants could be compensated for misuse of their private<br />
information itself because they were deprived of “their right to control [its] use”<br />
convey the point that English common law now recognises as a fundamental aspect of<br />
personal autonomy a person’s freedom to choose and right to control whether and<br />
<br />
when others have access to his or her private affairs: see on this point the helpful<br />
discussion by NA Moreham, “Compensating for Loss of Dignity and Autonomy” in<br />
Varuhas J and Moreham N (eds), Remedies for Breach of Privacy (2018) ch 5.<br />
<br />
<br />
(6) How the present claim is framed<br />
<br />
<br />
<br />
105. On the basis of the decisions of the Court of Appeal in Vidal-Hall and Gulati,<br />
neither of which is challenged by either party on this appeal, it would be open to Mr<br />
Lloyd to claim, at least in his own right: (1) damages under section 13(1) of the DPA<br />
1998 for any distress suffered by reason of any contravention by Google of any of the<br />
requirements of the Act; and/or (2) damages for the misuse of private information<br />
<br />
without the need to show that it caused any material damage or distress.<br />
<br />
<br />
106. Neither of these claims, however, is made in this case. The reasons why no<br />
claim is made in tort for misuse of private information have not been explained; but<br />
the view may have been taken that, to establish a reasonable expectation of privacy, it<br />
<br />
would be necessary to adduce evidence of facts particular to each individual claimant.<br />
In Vidal-Hall, the claimants produced confidential schedules about their internet use,<br />
showing that the information tracked and collected by Google in their cases was, in the<br />
Court of Appeal’s words at [2016] QB 1003, para 137, “often of an extremely private<br />
nature”. As discussed earlier, the need to obtain evidence in relation to individual<br />
<br />
members of the represented class would be incompatible with the representative<br />
claim which Mr Lloyd is seeking to bring.<br />
<br />
<br />
107. Similarly, to recover damages for distress under section 13(1) of the DPA 1998<br />
would require evidence of such distress from each individual for whom such a claim<br />
<br />
was made. Again, this would be incompatible with claiming damages on a<br />
representative basis.<br />
<br />
<br />
108. Instead of making either of these potential claims, the claimant seeks to break<br />
new legal ground by arguing that the principles identified in Gulati as applicable to the<br />
<br />
assessment of damages for misuse of private information at common law also apply to<br />
the assessment of compensation under section 13(1) of the DPA 1998. The case<br />
advanced, which is also supported by the Information Commissioner, is that the word<br />
“damage” in section 13(1) not only extends beyond material damage to include<br />
distress, as decided in Vidal-Hall, but also includes “loss of control” over personal data.<br />
<br />
<br />
(7) “Loss of control” over personal data<br />
<br />
<br />
109. There is potential for confusion in the use of this description. “Loss of control” is<br />
not an expression used in the DPA 1998 and, as the third interveners (the Association<br />
<br />
of the British Pharmaceutical Industry and Association of British HealthTech Industries)<br />
pointed out in their helpful written submissions, none of the requirements of the Act is<br />
predicated on “control” over personal data by the data subject. Under the legislative<br />
scheme the relevant control is that of the data controller: the entity which<br />
<br />
“determines the purposes for which and the manner in which any personal data are, or<br />
are to be, processed.” The nearest analogue to control as regards the data subject is<br />
his or her “consent to the processing”, being the first condition in Schedule 2 (see para<br />
22 above). Such consent, however, is neither necessary nor sufficient to render the<br />
processing of personal data compliant with the Act.<br />
<br />
<br />
<br />
110. It was made clear in submissions, however, that, in describing the basis for the<br />
compensation claimed as “loss of control” of personal data, the claimant is not seeking<br />
to single out a particular category of breaches of the DPA 1998 by a data controller as<br />
breaches in respect of which the data subject is entitled to compensation without<br />
<br />
proof of material damage or distress. The claimant’s case, which was accepted by the<br />
Court of Appeal, is that an individual is entitled to recover compensation under section<br />
13 of the DPA 1998 without proof of material damage or distress whenever a data<br />
controller fails to comply with any of the requirements of the Act in relation to any<br />
personal data of which that individual is the subject, provided only that the<br />
<br />
contravention is not trivial or de minimis. Any such contravention, on the claimant’s<br />
case, ipso facto involves “loss of control” of data for which compensation is payable.<br />
Only where the individual claiming compensation is not the data subject is it necessary<br />
on the claimant’s case to show that the individual has suffered material damage or<br />
<br />
distress.<br />
<br />
<br />
(8) The common source argument<br />
<br />
<br />
111. The claimant’s core argument for this interpretation is that, as a matter of<br />
principle, the same approach to the damage for which compensation can be awarded<br />
<br />
should apply under the data protection legislation as where the claim is brought in tort<br />
for misuse of private information because the two claims, although not coterminous,<br />
have a common source. Both seek to protect the same fundamental right to privacy<br />
guaranteed by article 8 of the Convention. This objective is expressly referred to in<br />
recital (10) of the Data Protection Directive, which states:<br />
<br />
<br />
“Whereas the object of the national laws on the processing<br />
of personal data is to protect fundamental rights and<br />
freedoms, notably the right to privacy, which is recognized<br />
<br />
both in article 8 of the European Convention for the<br />
Protection of Human Rights and Fundamental Freedoms and<br />
in the general principles of [EU] law; whereas, for that<br />
reason, the approximation of those laws must not result in<br />
<br />
any lessening of the protection they afford but must, on the<br />
contrary, seek to ensure a high level of protection in the<br />
[EU];”<br />
<br />
<br />
The aim of protecting the right to privacy with regard to the processing of personal<br />
data is also articulated in recitals (2), (7), (8) and (11) of the Data Protection Directive,<br />
<br />
and is spelt out in article 1 which states:<br />
<br />
<br />
“Object of the Directive<br />
<br />
<br />
In accordance with this Directive, member states shall<br />
protect the fundamental rights and freedoms of natural<br />
<br />
persons, and in particular their right to privacy with respect<br />
to the processing of personal data.”<br />
<br />
<br />
Reliance is also placed on the recognition in article 8 of the EU Charter, quoted at para<br />
96 above, of the right to the protection of personal data as a fundamental right in EU<br />
<br />
law.<br />
<br />
<br />
112. The claimant argues that, given that the tort of misuse of private information<br />
and the data protection legislation are both rooted in the same fundamental right to<br />
privacy, it would be wrong in principle to adopt a different approach to the nature of<br />
the damage which can be compensated under the two regimes. The conclusion should<br />
<br />
therefore be drawn that, in each case, damages can be recovered for interference with<br />
the claimant’s right, without the need to prove that the interference resulted in any<br />
material damage or distress.<br />
<br />
<br />
113. I cannot accept this argument for two reasons. First, even if the suggested<br />
<br />
analogy between the privacy tort and the data protection regime were persuasive,<br />
section 13(1) of the DPA 1998 cannot, in my opinion, properly be interpreted as having<br />
the meaning for which the claimant contends. Second, the logic of the argument by<br />
analogy is in any event flawed.<br />
<br />
<br />
(a) The wording of the DPA 1998<br />
<br />
<br />
114. I do not accept a submission made by counsel for Google that the interpretation<br />
<br />
of section 13 of the DPA 1998 should be approached on the basis of a general rule that<br />
breaches of statutory duty are not actionable without proof of material damage. The<br />
question in Cullen v Chief Constable of the Royal Ulster Constabulary [2003] UKHL 39;<br />
[2003] 1 WLR 1763, relied on to support this submission, was whether a statute which<br />
<br />
did not expressly confer a right to compensation on a person affected by a breach of<br />
statutory duty nevertheless conferred such a right impliedly. That is not the question<br />
raised in this case, where there is an express entitlement to compensation provided by<br />
section 13 of the DPA 1998. The only question in this case is what the words of the<br />
relevant statutory provision mean.<br />
<br />
<br />
<br />
115. Those words, however, cannot reasonably be interpreted as giving an individual<br />
a right to compensation without proof of material damage or distress whenever a data<br />
controller commits a non-trivial breach of any requirement of the Act in relation to any<br />
personal data of which that individual is the subject. In the first place, as discussed<br />
<br />
above, the wording of section 13(1) draws a distinction between “damage” suffered by<br />
an individual and a “contravention” of a requirement of the Act by a data controller,<br />
and provides a right to compensation “for that damage” only if the “damage” occurs<br />
“by reason of” the contravention. This wording is inconsistent with an entitlement to<br />
compensation based solely on proof of the contravention. To say, as the claimant does<br />
<br />
in its written case, that what is “damaged” is the data subject’s right to have their data<br />
processed in accordance with the requirements of the Act does not meet this point, as<br />
it amounts to an acknowledgement that on the claimant’s case the damage and the<br />
contravention are one and the same.<br />
<br />
<br />
<br />
116. Nor is the claimant’s case assisted by section 14 of the DPA 1998, on which<br />
reliance is placed. Section 14(1) gives the court power, on the application of a data<br />
subject, to order a data controller to rectify, block, erase or destroy personal data if<br />
satisfied that the data are inaccurate. Section 14(4) states:<br />
<br />
<br />
<br />
“If a court is satisfied on the application of a data subject -<br />
<br />
<br />
(a) that he has suffered damage by reason of any<br />
contravention by a data controller of any of the<br />
requirements of this Act in respect of any personal<br />
data, in circumstances entitling him to compensation<br />
under section 13, and<br />
<br />
<br />
<br />
(b) that there is a substantial risk of further<br />
contravention in respect of those data in such<br />
circumstances,<br />
<br />
<br />
the court may order the rectification, blocking, erasure or<br />
<br />
destruction of any of those data.”<br />
<br />
<br />
117. Counsel for the claimant submitted that, if Google’s case on what is meant by<br />
“damage” is correct, a data subject who does not suffer material damage or distress as<br />
a result of a breach of duty by a data controller cannot claim rectification, blocking,<br />
erasure or destruction of data, unless those data are inaccurate, however egregious<br />
<br />
the breach. This is true, but I can see nothing unreasonable in such a result. Indeed,<br />
section 14 seems to me positively to confirm that “damage” means something distinct<br />
from a contravention of the Act itself. If a contravention by a data controller of the Act<br />
could by itself constitute “damage”, section 14(4)(a) would be otiose and there would<br />
<br />
be no material distinction in the remedies available in cases where the data are<br />
inaccurate and in cases where the data are accurate. The manifest intention behind<br />
section 14 is to limit the remedies of rectification, blocking, erasure or destruction of<br />
accurate data to cases where the contravention of the Act has caused the data subject<br />
some harm distinct from the contravention itself, whereas no such limitation is<br />
<br />
imposed where the contravention involves holding inaccurate personal data.<br />
<br />
<br />
118. The second reason why the claimant’s interpretation is impossible to reconcile<br />
with the language of section 13 is that, as the Court of Appeal recognised in Vidal-Hall,<br />
it is plain from the words enacted by Parliament that the term “damage” was intended to<br />
<br />
be limited to material damage and not to extend to “distress”. The only basis on which<br />
the Court of Appeal in Vidal-Hall was able to interpret the term “damage” as<br />
encompassing distress was by disapplying section 13(2) as being incompatible with EU<br />
law. By the same token, if the term “damage” in section 13 is to be interpreted as<br />
<br />
having an even wider meaning and as encompassing an infringement of a data<br />
subject’s rights under the Act which causes no material damage nor even distress, that<br />
could only be because this result is required by EU law. On a purely domestic<br />
interpretation of the DPA 1998, such a reading is untenable.<br />
<br />
<br />
(b) The effect of EU law<br />
<br />
<br />
119. It is not suggested in the present case that section 13(1) should be disapplied:<br />
the claimant’s case is founded on it. No argument of the kind which succeeded in<br />
Vidal-Hall that words of the statute must be disapplied because they conflict with EU<br />
law is therefore available (or is advanced by the claimant). The question is whether the<br />
<br />
term “damage” in section 13(1) can and should be interpreted as having the meaning<br />
for which the claimant contends because such an interpretation is required in order to<br />
make the domestic legislation compatible with EU law. There are two aspects of this<br />
question: (i) what does the term “damage” mean in article 23 of the Data Protection<br />
<br />
Directive, which section 13 of the DPA 1998 was intended to implement; and (ii) if<br />
“damage” in article 23 includes contraventions of the national provisions adopted<br />
pursuant to the Directive which cause no material damage or distress, is it possible to<br />
interpret the term “damage” in section 13(1) of the DPA 1998 as having the same<br />
meaning?<br />
<br />
<br />
<br />
120. To take the second point first, it does not seem to me possible to interpret the<br />
term “damage” in section 13(1) of the DPA 1998 as having the meaning for which the<br />
claimant contends, even if such an interpretation were necessary to make the Act<br />
compatible with the Data Protection Directive. In Vidal-Hall the Court of Appeal held,<br />
<br />
rightly in my opinion, that section 13 of the DPA 1998 could not be construed as<br />
providing a general right to compensation for distress suffered by reason of a<br />
contravention of the Act “without contradicting the clearly expressed intention of<br />
Parliament on an issue that was central to the scheme” of the legislation (see para 95<br />
above). The same is equally, if not all the more, true of the contention that section 13<br />
<br />
of the DPA 1998 can be interpreted as providing a right to compensation for<br />
contraventions of the Act which have not caused any distress, let alone material<br />
damage. The distinction between “damage” suffered by an individual and a<br />
“contravention” of a requirement of the Act by a data controller which causes such<br />
<br />
damage is a fundamental feature of the remedial scheme provided by the Act which,<br />
as indicated above, permeates section 14 as well as section 13. If it were found that<br />
this feature makes the DPA 1998 incompatible with the Data Protection Directive, such<br />
incompatibility could, in my view, only be removed by amending the legislation. That<br />
<br />
could only be done by Parliament.<br />
<br />
<br />
121. No such incompatibility arises, however, as there is no reason to interpret the<br />
term “damage” in article 23 of the Data Protection Directive as extending beyond<br />
material damage and distress. The wording of article 23 draws exactly the same<br />
distinction as section 13(1) of the DPA 1998 between “damage” and an unlawful act of<br />
<br />
which the damage is “a result”. Again, this wording identifies the “damage” for which a<br />
person is entitled to receive compensation as distinct from the wrongful act which<br />
causes the damage. This is inconsistent with giving a right to compensation for the<br />
unlawful act itself on the basis that the act constitutes an interference with the<br />
claimant’s data protection rights. Nor has any authority been cited which suggests that<br />
the term “damage”, either generally in EU law or in the specific context of article 23 of<br />
the Data Protection Directive, is to be interpreted as including an infringement of a<br />
<br />
legal right which causes no material damage or distress.<br />
<br />
<br />
122. If there were evidence that at least some national laws on the processing of<br />
personal data which pre-dated the Data Protection Directive and are referred to in<br />
recital (10), quoted at para 111 above, provided a right to compensation for unlawful<br />
<br />
processing without proof of material damage or distress, that might arguably support<br />
an inference that the Directive was intended to ensure a similarly high level of<br />
protection across all member states. But it has not been asserted that any national<br />
laws did so. The Data Protection Act 1984, which was the applicable UK legislation<br />
when the Data Protection Directive was adopted, in sections 22 and 23 gave the data<br />
<br />
subject an entitlement to compensation in certain circumstances for damage or<br />
distress suffered by reason of the inaccuracy of data or the loss or unauthorised<br />
destruction or disclosure of data or unauthorised obtaining of access to data. By clear<br />
implication, UK national law gave no right to compensation for unlawful processing of<br />
<br />
personal data which did not result in material damage or distress. There is no evidence<br />
that the national law of any other member state at that time did so either.<br />
<br />
<br />
123. EU law therefore does not provide a basis for giving a wider meaning to the<br />
term “damage” in section 13 of the DPA 1998 than was given to that term by the Court<br />
of Appeal in Vidal-Hall.<br />
<br />
<br />
<br />
(c) Flaws in the common source argument<br />
<br />
<br />
124. I also reject the claimant’s argument that the decision in Gulati affords any<br />
assistance to its case on this issue. Leaving aside the fact that Gulati was decided many<br />
years after the Data Protection Directive was adopted, there is no reason on the face<br />
<br />
of it why the basis on which damages are awarded for an English domestic tort should<br />
be regarded as relevant to the proper interpretation of the term “damage” in a<br />
statutory provision intended to implement a European directive. The claimant relies on<br />
the fact that both derive from the right to respect for private life protected by article 8<br />
<br />
of the Convention (and incorporated in article 7 of the EU Charter when it was created<br />
in 2007). It does not follow, however, from the fact that two different legal regimes<br />
aim, at a general level, to provide protection for the same fundamental value that they<br />
must do so in the same way or to the same extent or by affording identical remedies.<br />
There are significant differences between the nature and scope of the common law<br />
<br />
privacy tort and the data protection legislation, to which I will draw attention in a<br />
moment. But the first point to note is that the decision in Gulati that damages can be<br />
awarded for misuse of private information itself was not compelled by article 8 of the<br />
Convention; nor did article 8 require the adoption of the particular legal framework<br />
governing the protection of personal data contained in the Data Protection Directive<br />
and the DPA 1998.<br />
<br />
<br />
<br />
125. The Convention imposes obligations on the states which are parties to it, but<br />
not on private individuals and bodies. In some cases the obligations on state parties<br />
extend beyond negative obligations not to act in ways which violate the Convention<br />
rights and include certain positive obligations on the state to ensure effective<br />
<br />
protection of those rights. That is so as regards the right to respect for private life<br />
guaranteed by article 8. The European Court of Human Rights has held that in certain<br />
circumstances the state’s positive obligations under article 8 are not adequately<br />
fulfilled unless the state secures respect for private life in the relations between<br />
individuals by setting up a legislative framework taking into consideration the various<br />
<br />
interests to be protected in a particular context. However, the court has emphasised<br />
that there are different ways of ensuring respect for private life and that “the choice of<br />
the means calculated to secure compliance with article 8 of the Convention in the<br />
sphere of the relations of individuals between themselves is in principle a matter that<br />
<br />
falls within the contracting states’ margin of appreciation”: see the judgment of the<br />
Grand Chamber in Bărbulescu v Romania [2017] ECHR 754; [2017] IRLR 1032, para 113.<br />
<br />
<br />
126. While the House of Lords in Campbell drew inspiration from article 8, it did not<br />
suggest that the Convention or the Human Rights Act 1998 required the recognition of<br />
a civil claim for damages for misuse of private information in English domestic law, let<br />
<br />
alone that damages should be recoverable in such claim where no material damage or<br />
distress has been caused. In Gulati the Court of Appeal rejected an argument that the<br />
approach to awarding damages for misuse of private information ought to follow the<br />
approach of the European Court of Human Rights in making awards of just satisfaction<br />
<br />
under article 41 of the Convention. As Arden LJ observed, at para 89, in awarding<br />
damages for misuse of private information, the court is not proceeding under section 8<br />
of the Human Rights Act 1998 or article 41 of the Convention, and the conditions of<br />
the tort are governed by English domestic law and not the Convention.<br />
<br />
<br />
<br />
127. For those reasons, I do not regard as relevant the decision of the European<br />
Court of Human Rights in Halford v United Kingdom (1997) 24 EHRR 523, relied on by<br />
counsel for the claimant. In Halford a senior police officer whose telephone calls had<br />
been intercepted by her employer in violation of article 8 was awarded £10,000 as just<br />
satisfaction. As Lord Sales pointed out in argument, on one reading of the judgment,<br />
<br />
which is far from clear, although it could not be shown that the interception of the<br />
applicant’s phone calls, as opposed to other conflicts with her employer, had caused<br />
<br />
stress for which she had required medical treatment, it was reasonably assumed that<br />
this invasion of privacy had caused her mental harm. Even if the award of just<br />
satisfaction is understood to have been for the invasion of the right to privacy itself<br />
rather than for any distress felt by the applicant, however, it does not follow that, in an<br />
action between private parties under national law for a similar invasion of privacy, the<br />
<br />
Convention requires the court to be able to award damages simply for the loss of<br />
privacy itself.<br />
<br />
<br />
128. Whilst it may be said that pursuant to the general principles of EU law<br />
embodied in articles 7 and 8 of the EU Charter the EU had a positive obligation to<br />
<br />
establish a legislative framework providing for protection of personal data, there was<br />
clearly a wide margin of choice as to the particular regime adopted; and the same<br />
applies to the positive obligation imposed directly on the UK by the Convention. It<br />
could not seriously be argued that the content of those positive obligations included a<br />
requirement to establish a right to receive compensation for any (non-trivial) breach of<br />
<br />
any requirement (in relation to any personal data of which the claimant is the subject)<br />
of whatever legislation the EU and UK chose to enact in this area without the need to<br />
prove that the claimant suffered any material damage or distress as a result of the<br />
breach.<br />
<br />
<br />
<br />
129. Accordingly, the fact that the common law privacy tort and the data protection<br />
legislation have a common source in article 8 of the Convention does not justify<br />
reading across the principles governing the award of damages from one regime to the<br />
other.<br />
<br />
<br />
(d) Material differences between the regimes<br />
<br />
<br />
<br />
130. There are further reasons why no such analogy can properly be drawn<br />
stemming from the differences between the two regimes. It is plain that the detailed<br />
scheme for regulating the processing of personal data established by the Data<br />
Protection Directive extended beyond the scope of article 8 and much more widely<br />
<br />
than the English domestic tort of misusing private information. An important<br />
difference is that the Directive (and the UK national legislation implementing it)<br />
applied to all “personal data” with no requirement that the data are of a confidential<br />
or private nature or that there is a reasonable expectation of privacy protection. By<br />
<br />
contrast, information is protected against misuse by the domestic tort only where<br />
there is a reasonable expectation of privacy. The reasonable expectation of privacy of<br />
the communications illicitly intercepted by the defendants in the phone hacking<br />
litigation was an essential element of the decision in Gulati that the claimants were<br />
entitled to compensation for the commission of the wrong itself. It cannot properly be<br />
<br />
<br />
inferred that the same entitlement should arise where a reasonable expectation of<br />
privacy is not a necessary element of the claim.<br />
<br />
<br />
131. This point goes to the heart of the approach adopted by the claimant in the<br />
present case. Stripped to its essentials, what the claimant is seeking to do is to claim<br />
for each member of the represented class a form of damages the rationale for which<br />
<br />
depends on there being a violation of privacy, while avoiding the need to show a<br />
violation of privacy in the case of any individual member of the class. This is a flawed<br />
endeavour.<br />
<br />
<br />
132. Another significant difference between the privacy tort and the data protection<br />
<br />
legislation is that a claimant is entitled to compensation for a contravention of the<br />
legislation only where the data controller has failed to exercise reasonable care. Some<br />
contraventions are inherently fault based. For example, the seventh data protection<br />
principle with which a data controller has a duty to comply pursuant to section 4(4) of<br />
the DPA 1998 (and article 17 of the Data Protection Directive) states:<br />
<br />
<br />
<br />
“Appropriate technical and organisational measures shall be<br />
taken against unauthorised or unlawful processing of<br />
personal data and against accidental loss or destruction of, or<br />
damage to, personal data.”<br />
<br />
<br />
<br />
A complaint that a data controller has failed to take such “appropriate technical and<br />
organisational measures” is similar to an allegation of negligence in that it is<br />
predicated on failure to meet an objective standard of care rather than on any<br />
intentional conduct. Even where a contravention of the legislation does not itself<br />
require fault, pursuant to section 13(3), quoted at para 90 above, there is no<br />
<br />
entitlement to compensation if the data controller proves that it took “such care as in<br />
all the circumstances was reasonably required to comply with the requirement<br />
concerned”.<br />
<br />
<br />
133. The privacy tort, like other torts for which damages may be awarded without<br />
<br />
proof of material damage or distress, is a tort involving strict liability for deliberate<br />
acts, not a tort based on a want of care. No inference can be drawn from the fact that<br />
compensation can be awarded for commission of the wrong itself where private<br />
information is misused that the same should be true where the wrong may consist only<br />
<br />
in a failure to take appropriate protective measures and where the right to<br />
compensation is expressly excluded if the defendant took reasonable care.<br />
<br />
<br />
<br />
134. Indeed, this feature of the data protection legislation seems to me to be a yet<br />
further reason to conclude that the “damage” for which an individual is entitled to<br />
compensation for a breach of any of its requirements does not include the commission<br />
of the wrong itself. It would be anomalous if failure to take reasonable care to protect<br />
personal data gave rise to a right to compensation without proof that the claimant<br />
<br />
suffered any material damage or distress when failure to take care to prevent personal<br />
injury or damage to tangible moveable property does not.<br />
<br />
<br />
135. Accordingly, I do not accept that the decision in Gulati is applicable by analogy<br />
to the DPA 1998. To the contrary, there are significant differences between the privacy<br />
<br />
tort and the data protection legislation which make such an analogy positively<br />
inappropriate.<br />
<br />
<br />
(e) Equivalence and effectiveness<br />
<br />
<br />
136. I add for completeness that the EU law principles of equivalence and<br />
effectiveness, on which the Court of Appeal placed some reliance, do not assist the<br />
<br />
claimant’s case. The principle of equivalence requires that procedural rules governing<br />
claims for breaches of EU law rights must not be less favourable than procedural rules<br />
governing equivalent domestic actions. As explained by Lord Briggs, giving the<br />
judgment of this court, in Totel Ltd v Revenue and Customs Comrs [2018] UKSC 44;<br />
<br />
[2018] 1 WLR 4053, para 7, the principle is “essentially comparative”. Thus:<br />
<br />
<br />
“The identification of one or more similar procedures for the<br />
enforcement of claims arising in domestic law is an essential<br />
prerequisite for its operation. If there is no true comparator,<br />
then the principle of equivalence can have no operation at<br />
<br />
all. The identification of one or more true comparators is<br />
therefore the essential first step in any examination of an<br />
assertion that the principle of equivalence has been<br />
infringed.” [citation omitted]<br />
<br />
<br />
<br />
For the reasons given, even if the measure of damages is regarded as a procedural<br />
rule, a claim for damages for misuse of private information at common law is not a<br />
true comparator of a claim under section 13 of the DPA 1998. The principle of<br />
equivalence can therefore have no operation.<br />
<br />
<br />
<br />
137. The principle of effectiveness invalidates a national procedure if it renders the<br />
enforcement of a right conferred by EU law either virtually impossible or excessively<br />
<br />
difficult: see again Totel Ltd at para 7. However, the absence of a right to<br />
compensation for a breach of data protection rights which causes no material damage<br />
or distress, even if regarded as a procedural limitation, does not render the<br />
enforcement of such rights virtually impossible or excessively difficult. The right to an<br />
effective remedy does not require awards of compensation for every (non-trivial)<br />
<br />
breach of statutory requirements even if no material damage or distress has been<br />
suffered.<br />
<br />
<br />
(f) Conclusion on the effect of section 13<br />
<br />
<br />
138. For all these reasons, I conclude that section 13 of the DPA 1998 cannot<br />
<br />
reasonably be interpreted as conferring on a data subject a right to compensation for<br />
any (non-trivial) contravention by a data controller of any of the requirements of the<br />
Act without the need to prove that the contravention has caused material damage or<br />
distress to the individual concerned.<br />
<br />
<br />
(9) The claim for user damages<br />
<br />
<br />
<br />
139. “User damages” is the name commonly given to a type of damages readily<br />
awarded in tort where use has wrongfully been made of someone else’s land or<br />
tangible moveable property although there has been no financial loss or physical<br />
damage to the property. The damages are assessed by estimating what a reasonable<br />
<br />
person would have paid for the right of user. Damages are also available on a similar<br />
basis for patent infringement and other breaches of intellectual property rights.<br />
Following the seminal decision of this court in OneStep (Support) Ltd v Morris-Garner<br />
[2018] UKSC 20; [2019] AC 649, it is now clear that user damages are compensatory in<br />
nature, their purpose being to compensate the claimant for interference with a right to<br />
<br />
control the use of property where the right is a commercially valuable asset. As Lord<br />
Reed explained in Morris-Garner, at para 95(1):<br />
<br />
<br />
“The rationale of such awards is that the person who makes<br />
wrongful use of property, where its use is commercially<br />
<br />
valuable, prevents the owner from exercising a valuable right<br />
to control its use, and should therefore compensate him for<br />
the loss of the value of the exercise of that right. He takes<br />
something for nothing, for which the owner was entitled to<br />
<br />
require payment.”<br />
<br />
<br />
<br />
<br />
140. Lord Reed, at paras 27 and 29, cited authorities which make it clear that the<br />
entitlement to user damages does not depend on whether the owner would in fact<br />
have exercised the right to control the use of the property, had it not been interfered<br />
with. The “loss” for which the claimant is entitled to compensation is not loss of this<br />
“conventional kind” (para 30); rather, it lies in the wrongful use of the claimant’s<br />
<br />
property itself, for which the economic value of the use provides an appropriate<br />
measure. This value can be assessed by postulating a hypothetical negotiation and<br />
estimating what fee would reasonably have been agreed for releasing the defendant<br />
from the duty which it breached. It is this method of assessment on which the claimant<br />
<br />
relies in the alternative formulation of the present claim.<br />
<br />
<br />
141. A claim in tort for misuse of private information based on the factual allegations<br />
made in this case, such as was made in Vidal-Hall, would naturally lend itself to an<br />
award of user damages. The decision in Gulati shows that damages may be awarded<br />
for the misuse of private information itself on the basis that, apart from any material<br />
<br />
damage or distress that it may cause, it prevents the claimant from exercising his or<br />
her right to control the use of the information. Nor can it be doubted that information<br />
about a person’s internet browsing history is a commercially valuable asset. What was<br />
described by the Chancellor in the Court of Appeal [2020] QB 747, para 46, as “the<br />
<br />
underlying reality of this case” is that Google was allegedly able to make a lot of money<br />
by tracking the browsing history of iPhone users without their consent and selling the<br />
information collected to advertisers.<br />
<br />
<br />
142. The view has sometimes been expressed that asserting privacy in information is<br />
inconsistent, or at least in tension, with treating such information as a commercial<br />
<br />
asset: see eg Douglas v Hello! Ltd (No 3) [2005] EWCA Civ 595; [2006] QB 125, para<br />
246; and on appeal sub nom OBG Ltd v Allan [2007] UKHL 21; [2008] AC 1, para 275<br />
(Lord Walker of Gestingthorpe). But once the basis of the right to privacy is understood<br />
to be the protection of a person’s freedom to choose and right to control whether and<br />
<br />
when others have access to his or her private affairs, I think that any tension largely<br />
disappears. It is common experience that some people are happy to exploit for<br />
commercial gain facets of their private lives which others would feel mortified at<br />
having exposed to public view. Save in the most extreme cases, this should be seen as<br />
<br />
a matter of personal choice on which it is not for the courts to pass judgments.<br />
Moreover, where the defendant’s very purpose in wrongfully obtaining and using<br />
private information is to exploit its commercial value, the law should not be prissy<br />
about awarding compensation based on the commercial value of the exercise of the<br />
right. As was confirmed in Morris-Garner, the fact that the claimant would not have<br />
<br />
chosen to exercise the right himself is no answer to a claim for user damages. It is<br />
enough that, as Lord Reed put it at paras 30 and 95(1) of his majority judgment, the<br />
defendant has taken something for nothing, for which the owner of the right was<br />
entitled to require payment.<br />
<br />
143. The point does not arise in the present case, however, because the claimant is<br />
not claiming damages for misuse of private information. As discussed, the only claim<br />
advanced is under the DPA 1998. Here it follows from the conclusion reached above<br />
about the meaning of section 13 that user damages are not available. This is because,<br />
for the reasons given, compensation can only be awarded under section 13 of the DPA<br />
<br />
1998 for material damage or distress caused by an infringement of a claimant’s right to<br />
have his or her personal data processed in accordance with the requirements of the<br />
Act, and not for the infringement itself. Although his reasoning was in part based on an<br />
understanding of user damages overtaken by this court’s decision in Morris-Garner, it<br />
<br />
follows that Patten J was right to hold in Murray v Express Newspapers Plc [2007]<br />
EWHC 1908 (Ch); [2007] EMLR 22, at para 92, that the principles on which user<br />
damages are awarded do not apply to a claim for compensation under the DPA 1998.<br />
<br />
<br />
F. THE NEED FOR INDIVIDUALISED EVIDENCE OF MISUSE<br />
<br />
<br />
144. There is a further reason why the claimant’s attempt to recover damages under<br />
<br />
section 13 of the DPA 1998 by means of a representative claim cannot succeed. Even if<br />
(contrary to my conclusion) it were unnecessary in order to recover compensation<br />
under this provision to show that an individual has suffered material damage or<br />
distress as a result of unlawful processing of his or her personal data, it would still be<br />
<br />
necessary for this purpose to establish the extent of the unlawful processing in his or<br />
her individual case. In deciding what amount of damages, if any, should be awarded,<br />
relevant factors would include: over what period of time did Google track the<br />
individual’s internet browsing history? What quantity of data was unlawfully<br />
processed? Was any of the information unlawfully processed of a sensitive or private<br />
<br />
nature? What use did Google make of the information and what commercial benefit, if<br />
any, did Google obtain from such use?<br />
<br />
<br />
(1) The claim for the “lowest common denominator”<br />
<br />
<br />
145. The claimant does not dispute that the amount of any compensation awarded<br />
<br />
must in principle depend on such matters. But he contends that it is possible to<br />
identify an “irreducible minimum harm” suffered by every member of the class whom<br />
he represents for which a “uniform sum” of damages can be awarded. This sum is<br />
claimed on the basis that it represents what the Chancellor in the Court of Appeal<br />
<br />
described as the “lowest common denominator” of all the individual claims: see [2020]<br />
QB 747, para 75.<br />
<br />
<br />
146. Google objects that Mr Lloyd, as the self-appointed representative of the class,<br />
has no authority from any individual class member to waive or abandon what may be<br />
<br />
the major part of their damages claim by disavowing reliance on any circumstances<br />
affecting that individual. Mr Lloyd’s answer, which the Court of Appeal accepted, is a<br />
pragmatic one. He points out that the limitation period for bringing any proceedings<br />
has now expired. For any represented individual there is therefore no longer any<br />
realistic possibility of recovering any compensation at all other than through the<br />
<br />
present action. Furthermore, to make this action viable, it is necessary to confine the<br />
amount of damages claimed for each class member to a uniform sum; and a uniform<br />
sum of damages, even if considerably smaller than an individualised award would be, is<br />
better than nothing.<br />
<br />
<br />
<br />
147. I do not think it necessary to enter into the merits of this issue. I am prepared to<br />
assume, without deciding, that as a matter of discretion the court could - if satisfied<br />
that the persons represented would not be prejudiced and with suitable arrangements<br />
in place enabling them to opt out of the proceedings if they chose - allow a<br />
representative claim to be pursued for only a part of the compensation that could<br />
<br />
potentially be claimed by any given individual. The fundamental problem is that, if no<br />
individual circumstances are taken into account, the facts alleged are insufficient to<br />
establish that any individual member of the represented class is entitled to damages.<br />
That is so even if it is unnecessary to prove that the alleged breaches caused any<br />
<br />
material damage or distress to the individual.<br />
<br />
<br />
(2) The facts common to each individual case<br />
<br />
<br />
148. The facts alleged against Google generically cannot establish that any given<br />
individual is entitled to compensation. To establish any such individual entitlement it<br />
must be shown, at least, that there was unlawful processing by Google of personal<br />
<br />
data of which that particular individual was the subject. In considering whether the<br />
facts alleged, if proved, are capable of establishing an entitlement to damages, it is<br />
therefore necessary to identify what unlawful processing by Google of personal data is<br />
alleged to have occurred in Mr Lloyd’s own case and also in the case of each other<br />
<br />
member of the represented class. What facts is the claimant proposing to prove to<br />
show that Google acted unlawfully in each individual case?<br />
<br />
<br />
149. The answer, on analysis, is: only those facts which are necessary to show that<br />
the individual falls within the definition of the “claimant class”. The premise of the<br />
<br />
claim is that Mr Lloyd and each person whom he represents is entitled to damages<br />
simply on proof that they are members of the class and without the need to prove any<br />
further facts to show that Google wrongfully collected and used their personal data.<br />
Any such further facts would inevitably vary from one individual member of the class<br />
to another and would require individual proof.<br />
<br />
<br />
150. To fall within the definition of the class, it must be shown, in substance, that the<br />
individual concerned had an iPhone of the appropriate model running a relevant<br />
version of the Apple Safari internet browser which, at any date during the relevant<br />
period whilst present in England and Wales, he or she used to access a website that<br />
was participating in Google’s DoubleClick advertising service. There are exclusions<br />
<br />
from the class definition for anyone who changed the default settings in the Safari<br />
browser, opted out of tracking and collation via Google’s “Ads Preference Manager” or<br />
obtained a DoubleClick Ad cookie via a “first party request” rather than as a “third<br />
party cookie”. The aim of the definition is to identify all those people who had a<br />
<br />
DoubleClick Ad cookie placed on their device unlawfully, through the Safari<br />
workaround, but not to include within the class anyone who did not receive a<br />
DoubleClick Ad cookie during the relevant period or who received the cookie by lawful<br />
means.<br />
<br />
<br />
151. It is sufficient to bring an individual within the class definition that he or she<br />
<br />
used the Safari browser to access a website participating in Google’s DoubleClick<br />
advertising service on a single occasion. The theory is that on that occasion the<br />
DoubleClick Ad cookie will have been placed on the user’s device unlawfully as a third<br />
party cookie. To qualify for membership of the class, it is not necessary to show that<br />
<br />
the individual ever visited a website participating in Google’s DoubleClick advertising<br />
service again during the relevant period. Nor is it alleged that any individual or<br />
individuals did visit such a website on more than one occasion. The “lowest common<br />
denominator” on which the claim is based is therefore someone whose internet usage<br />
- apart from one visit to a single website - was not illicitly tracked and collated and who<br />
<br />
received no targeted advertisements as a result of receiving a DoubleClick Ad cookie.<br />
This is because the claimant has deliberately chosen, in order to advance a claim in a<br />
representative capacity for damages assessed from the bottom up, not to rely on any<br />
facts about the internet activity of any individual iPhone user beyond those which<br />
<br />
bring them within the class of represented persons.<br />
<br />
<br />
152. For reasons given earlier, I am leaving aside the difficulties of proving<br />
membership of the class, significant as they would appear to be, and am assuming that<br />
such difficulties are not an impediment to the claim. But the question that must be<br />
<br />
asked is whether membership of the represented class is sufficient by itself to entitle<br />
an individual to compensation, without proof of any further facts particular to that<br />
individual.<br />
<br />
<br />
153. On the claimant’s own case there is a threshold of seriousness which must be<br />
crossed before a breach of the DPA 1998 will give rise to an entitlement to<br />
<br />
compensation under section 13. I cannot see that the facts which the claimant aims to<br />
prove in each individual case are sufficient to surmount this threshold. If (contrary to<br />
<br />
the conclusion I have reached) those facts disclose “damage” within the meaning of<br />
section 13 at all, I think it impossible to characterise such damage as more than trivial.<br />
What gives the appearance of substance to the claim is the allegation that Google<br />
secretly tracked the internet activity of millions of Apple iPhone users for several<br />
months and used the data obtained for commercial purposes. But on analysis the<br />
<br />
claimant is seeking to recover damages without attempting to prove that this<br />
allegation is true in the case of any individual for whom damages are claimed. Without<br />
proof of some unlawful processing of an individual’s personal data beyond the bare<br />
minimum required to bring them within the definition of the represented class, a claim<br />
<br />
on behalf of that individual has no prospect of meeting the threshold for an award of<br />
damages.<br />
<br />
<br />
(3) User damages on a lowest common denominator basis<br />
<br />
<br />
154. The claimant’s case is not improved by formulating the claim as one for user<br />
damages quantified by estimating what fee each member of the represented class<br />
<br />
could reasonably have charged - or which would reasonably have been agreed in a<br />
hypothetical negotiation - for releasing Google from the duties which it breached. I<br />
have already indicated why, in my opinion, user damages cannot be recovered for<br />
breaches of the DPA 1998. But even if (contrary to that conclusion) user damages<br />
<br />
could in principle be recovered, the inability or unwillingness to prove what, if any,<br />
wrongful use was made by Google of the personal data of any individual again means<br />
that any damages awarded would be nil.<br />
<br />
<br />
155. The claimant asserts, and I am content to assume, that if, instead of bypassing<br />
privacy settings through the Safari workaround, Google had offered to pay a fee to<br />
<br />
each affected Apple iPhone user for the right to place its DoubleClick Ad cookie on<br />
their device, the fee would have been a standard one, agreed in advance, rather than a<br />
fee which varied according to the quantity or commercial value to Google of the<br />
information which was subsequently collected as a result of the user’s acceptance of<br />
<br />
the cookie. However, imagining the negotiation of a fee in advance in this way is not<br />
the correct premise for the valuation.<br />
<br />
<br />
156. As explained in Morris-Garner, the object of an award of user damages is to<br />
compensate the claimant for use wrongfully made by the defendant of a valuable asset<br />
<br />
protected by the right infringed. The starting point for the valuation exercise is thus to<br />
identify what the extent of such wrongful use actually was: only then can an estimate<br />
be made of what sum of money could reasonably have been charged for that use or,<br />
put another way, for releasing the wrongdoer from the duties which it breached in the<br />
wrongful use that it made of the asset. Imagining a hypothetical negotiation, as Lord<br />
<br />
Reed explained at para 91 of Morris-Garner, is merely “a tool” for arriving at this<br />
estimated sum. As in any case where compensation is awarded, the aim is to place the<br />
claimant as nearly as possible in the same position as if the wrongdoing had not<br />
occurred. Accordingly, as Patten LJ put it in Eaton Mansions (Westminster) Ltd v Stinger<br />
Compania de Inversion SA [2013] EWCA Civ 1308; [2014] 1 P & CR 5, para 21:<br />
<br />
<br />
“The valuation construct is that the parties must be treated<br />
<br />
as having negotiated for a licence which covered the acts of<br />
trespass that actually occurred. The defendant is not required<br />
to pay damages for anything else.”<br />
<br />
<br />
See also Enfield London Borough Council v Outdoor Plus Ltd [2012] EWCA Civ 608, para<br />
<br />
47; and Marathon Asset Management LLP v Seddon [2017] EWHC 300 (Comm); [2017]<br />
ICR 791, paras 254-262.<br />
<br />
<br />
157. Applying that approach, the starting point would therefore need to be to<br />
establish what unlawful processing by Google of the claimant’s personal data actually<br />
occurred. Only when the wrongful use actually made by Google of such data is known<br />
<br />
is it possible to estimate its commercial value. As discussed, in order to avoid individual<br />
assessment, the only wrongful act which the claimant proposes to prove in the case of<br />
each represented person is that the DoubleClick Ad cookie was unlawfully placed on<br />
their device: no evidence is - or could without individual assessment - be adduced to<br />
<br />
show that, by means of this third party cookie, Google collected or used any personal<br />
data relating to that individual. The relevant valuation construct is therefore to ask<br />
what fee would hypothetically have been negotiated for a licence to place the<br />
DoubleClick Ad cookie on an individual user’s phone as a third party cookie, but<br />
without releasing Google from its obligations not to collect or use any information<br />
<br />
about that person’s internet browsing history. It is plain that such a licence would be<br />
valueless and that the fee which could reasonably be charged or negotiated for it<br />
would accordingly be nil.<br />
<br />
<br />
G. CONCLUSION<br />
<br />
<br />
<br />
158. The judge took the view that, even if the legal foundation for the claim made in<br />
this action were sound, he should exercise the discretion conferred by CPR rule 19.6(2)<br />
by refusing to allow the claim to be continued as a representative action. He<br />
characterised the claim as “officious litigation, embarked upon on behalf of individuals<br />
<br />
who have not authorised it” and in which the main beneficiaries of any award of<br />
damages would be the funders and the lawyers. He thought that the representative<br />
claimant “should not be permitted to consume substantial resources in the pursuit of<br />
litigation on behalf of others who have little to gain from it, and have not authorised<br />
<br />
the pursuit of the claim, nor indicated any concern about the matters to be litigated”:<br />
[2019] 1 WLR 1265, paras 102-104. The Court of Appeal formed a very different view<br />
of the merits of the representative claim. They regarded the fact that the members of<br />
the represented class had not authorised the claim as an irrelevant factor, which the<br />
judge had wrongly taken into account, and considered that it was open to them to<br />
<br />
exercise the discretion afresh. They saw this litigation as the only way of obtaining a<br />
civil compensatory remedy for what, if proved, was a “wholesale and deliberate<br />
misuse of personal data without consent, undertaken with a view to commercial<br />
profit”: see [2020] QB 747, para 86. In these circumstances the Court of Appeal took<br />
<br />
the view that, as a matter of discretion, the claim should be allowed to proceed.<br />
<br />
<br />
159. It is unnecessary to decide whether the Court of Appeal was entitled to<br />
interfere with the judge’s discretionary ruling or whether it would be desirable for a<br />
commercially funded class action to be available on the facts alleged in this case. This is<br />
because, regardless of what view of it is taken, the claim has no real prospect of<br />
<br />
success. That in turn is because, in the way the claim has been framed in order to try to<br />
bring it as a representative action, the claimant seeks damages under section 13 of the<br />
DPA 1998 for each individual member of the represented class without attempting to<br />
show that any wrongful use was made by Google of personal data relating to that<br />
<br />
individual or that the individual suffered any material damage or distress as a result of<br />
a breach of the requirements of the Act by Google. For the reasons explained in this<br />
judgment, without proof of these matters, a claim for damages cannot succeed.<br />
<br />
<br />
160. I would therefore allow the appeal and restore the order made by the judge<br />
refusing the claimant’s application for permission to serve the proceedings on Google<br />
<br />
outside the jurisdiction of the courts of England and Wales.<br />
<br />
</pre></div>Mariam-hwthhttps://gdprhub.eu/index.php?title=ICO_(UK)_-_HIV_Scotland&diff=20982ICO (UK) - HIV Scotland2021-10-25T18:12:03Z<p>Mariam-hwth: Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO (UK) |DPA_With_Country=ICO (UK) |Case_Number_N..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|DPA-BG-Color=background-color:#023868;<br />
|DPAlogo=LogoUK.png<br />
|DPA_Abbrevation=ICO (UK)<br />
|DPA_With_Country=ICO (UK)<br />
<br />
|Case_Number_Name=HIV Scotland<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Information Commissioner's Office<br />
|Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/mpns/4018736/mpn-hiv-scotland-20211018.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=18.10.2021<br />
|Date_Published=22.10.2021<br />
|Year=2021<br />
|Fine=10000<br />
|Currency=GBP<br />
<br />
|GDPR_Article_1=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1f<br />
|GDPR_Article_2=Article 32(1) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#1<br />
|GDPR_Article_3=Article 32(2) GDPR<br />
|GDPR_Article_Link_3=Article 32 GDPR#2<br />
<br />
<br />
<br />
|Party_Name_1=HIV Scotland<br />
|Party_Link_1=https://www.hiv.scot/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=MH<br />
|<br />
}}<br />
<br />
The UK DPA (ICO) imposed a fine of around €12000 on HIV Scotland for failing to implement appropriate organisational and technical measures. The charity disclosed special category data by sending a group email in CC rather than BCC.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
HIV Scotland is a charity that helps people living with HIV, those at risk of HIV and individuals that support people with HIV. HIV Scotland got a MailChimp account for the purpose of online mailing and migrated contact details to the bulk mailing platform. A list of contact details of the Community Advisory Network (CAN) was not migrated.<br />
<br />
On 3 February 2020, an email was sent using Microsoft Outlook to 105 members of CAN in CC rather than BCC. This meant that the email addresses of 65 recipients were apparent, identifying the individuals by name.<br />
<br />
HIV Scotland noticed the error instantly and submitted a breach report, highlighting that individuals' HIV statuses could be deduced from this breach. HIV Scotland contacted the individuals to apologise and offered support if distress was caused.<br />
<br />
HIV Scotland has since implemented MailChimp for all its mailing operations to reduce the risk of a repeat incident. <br />
<br />
=== Holding ===<br />
The Information Commissioner's Office (ICO) concluded that HIV Scotland failed to implement appropriate organisational and technical measures. The following steps taken by HIV Scotland prior to the breach were insufficient according to the ICO:<br />
- Employees asked to read and refer to HIV Scotland's privacy policy<br />
- Training on GDPR awareness in the first three months of employment<br />
- Awareness of the BCC requirement for group emails<br />
- Attempt to migrate contact details to MailChimp for better security.<br />
<br />
The ICO found the following deficiencies in the technical and organisational measures at HIV Scotland:<br />
- HIV Scotland did not have a specific internal Policy for handling personal data securely. Reliance on the external Privacy Policy was not an appropriate data protection policy for staff handling personal data.<br />
- The staff did not have guidance on how to handle personal data securely. According to the ICO, employees should have had GDPR training prior to handling personal data and within one month of their start date. This is especially required when staff handle special category data.<br />
- It was revealed during the investigation that the charity was aware of the poor data storage for 10 months prior to the breach. The move to MailChimp was an attempt to rectify this; however, this was not adequately implemented between July 2019 and the day of the breach, 3 February 2020. According to the ICO, a correct and full implementation of MailChimp would have prevented the disclosure of personal data.<br />
<br />
The ICO clarified that although only email addresses were apparent, the special category data of 65 identified individuals could be inferred to a reasonable degree (HIV status). <br />
<br />
The ICO deemed that HIV Scotland was fully aware of the risk of its practices, having criticised another controller for having suffered a similar error 6 months before HIV Scotland's own personal data breach.<br />
<br />
The ICO concluded that HIV Scotland infringed Article 5(1)(f) of the GDPR by sending bulk emails rather than separate emails to each intended recipient. It also found that, in addition to failing to fully migrate to MailChimp, HIV Scotland failed to use BCC in Microsoft Outlook.<br />
<br />
The ICO also concluded that HIV Scotland infringed Articles 32(1) and (2) of the GDPR by failing to have a level of security appropriate to the risk of processing. The ICO particularly highlighted the awareness within HIV Scotland that their practices prior to the breach were deficient. <br />
<br />
When assessing the level of the fine, the ICO considered certain factors, such as:<br />
- the fact that the breach of personal data would at least cause an element of distress for the individuals;<br />
- the fact that the breach was negligent due to HIV Scotland's awareness that Outlook was not secure for sensitive communications and that HIV Scotland had criticised another controller for a similar error; <br />
- the fact that HIV Scotland should have been aware of previous fines by the ICO regarding similar breaches and in any case were aware of the deficiencies of their own technical and organisational measures;<br />
- the fact that special category data (HIV status) could be reasonably inferred as a result of the breach;<br />
- the fact that HIV Scotland took steps to mitigate the damage suffered by individuals;<br />
- the fact that HIV Scotland didn't have prior data protection infringements;<br />
- the fact that HIV Scotland cooperated with the ICO; and <br />
- the fact that HIV Scotland reported the breach to the ICO within 2 hours of the incident.<br />
The ICO then went on to impose a fine of approximately €12000 on HIV Scotland.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
•<br />
<br />
ICO.<br />
Information Commissioner's Office<br />
<br />
<br />
DATA PROTECTION ACT 2018 (PART 6, SECTION 155)<br />
<br />
<br />
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER<br />
<br />
<br />
MONETARY PENALTY NOTICE<br />
<br />
<br />
TO: HIV Scotland<br />
<br />
<br />
OF: 18 York Place, HIV Scotland, Edinburgh EH1 3EP<br />
<br />
<br />
<br />
1. HIV Scotland is a charity registered in Scotland (number SC033951) and<br />
a company limited by guarantee (number SC242242).<br />
<br />
<br />
2. The Information Commissioner ("the Commissioner") has decided to<br />
<br />
issue HIV Scotland with a Penalty Notice under section 155 of the Data<br />
Protection Act 2018 ("the DPA"). This penalty notice imposes an<br />
<br />
administrative fine on HIV Scotland, in accordance with the<br />
Commissioner's powers under Article 83 of the General Data Protection<br />
<br />
Regulation 2016 ("the GDPR"). The amount of the monetary penalty is<br />
<br />
£10,000.<br />
<br />
<br />
3. This penalty has been issued because of contraventions by HIV<br />
Scotland of Articles 5(1)(f) and 32(1) and (2) of the GDPR in that,<br />
<br />
during the period of 25 May 2018 to 24 February 2020, HIV Scotland<br />
failed to implement an appropriate level of organisational and technical<br />
<br />
security to its internal email systems. This failure resulted in an email<br />
<br />
being sent on 3 February 2020 without the appropriate security to 105<br />
recipients, disclosing the personal data of 65 of the recipients. In<br />
<br />
particular, the email contained personal data and disclosed information<br />
from which special category data could be reasonably inferred.<br />
<br />
<br />
<br />
4. In the interests of clarity, 25 May 2018 is the date when GDPR came<br />
into effect, and 25 February 2020 is the date on which HIV Scotland<br />
<br />
took its final steps to implement MailChimp as its sole email client for<br />
any mail-out across the organisation, thereby mitigating the risk which<br />
<br />
led to the initial data breach.<br />
<br />
<br />
5. This Monetary Penalty Notice explains the Commissioner's decision,<br />
<br />
including the Commissioner's reasons for issuing the penalty and for<br />
the amount of the penalty.<br />
<br />
<br />
Legal framework for this Notice of Intent<br />
<br />
<br />
<br />
Obligations of the controller<br />
<br />
<br />
6. HIV Scotland is a controller for the purposes of the GDPR and the DPA,<br />
<br />
because it determines the purposes and means of processing of personal<br />
data (GDPR Article 4(7)).<br />
<br />
<br />
<br />
7. 'Personal data' is defined by Article 4(1) of the GDPR to mean:<br />
<br />
information relating to an identified or identifiable natural<br />
person ('data subject'); an identifiable natural person is<br />
one who can be identified, directly or indirectly, in<br />
particular by reference to an identifier such as a name, an<br />
identification number, location data, an online identifier or<br />
to one or more factors specific to the physical,<br />
<br />
physiological, genetic, mental, economic, cultural or social<br />
identity of that natural person.<br />
<br />
8. 'Processing' is defined by Article 4(2) of the GDPR to mean:<br />
<br />
<br />
any operation or set of operations which is performed on<br />
personal data or on sets of personal data, whether or not<br />
by automated means, such as collection, recording,<br />
<br />
<br />
organisation, structuring, storage, adaptation or alteration,<br />
retrieval, consultation, use, disclosure by transmission,<br />
dissemination or otherwise making available, alignment or<br />
combination, restriction, erasure or destruction<br />
<br />
<br />
9. Article 9 GDPR prohibits the processing of 'special categories of personal<br />
<br />
data' unless certain conditions are met. The special categories of<br />
personal data subject to Article 9 include 'data concerning health or data<br />
<br />
concerning a natural person's sex life or sexual orientation'.<br />
<br />
<br />
10. Controllers are subject to various obligations in relation to the processing<br />
<br />
of personal data, as set out in the GDPR and the DPA. They are obliged<br />
by Article 5(2) to adhere to the data processing principles set out in<br />
<br />
Article 5(1) of the GDPR.<br />
<br />
<br />
11. In particular, controllers are required to implement appropriate technical<br />
<br />
and organisational measures to ensure that their processing of personal<br />
data is secure, and to enable them to demonstrate that their processing<br />
<br />
is secure. Article 5(1)(f) ("Integrity and Confidentiality") stipulates<br />
<br />
that:<br />
<br />
Personal data shall be [...] processed in a manner that<br />
ensures appropriate security of the personal data, including<br />
protection against unauthorised or unlawful processing and<br />
against accidental loss, destruction or damage, using<br />
<br />
appropriate technical or organisational measures<br />
<br />
<br />
12. Article 32 ("Security of processing") provides, in material part:<br />
<br />
<br />
1. Taking into account the state of the art, the costs of<br />
implementation and the nature, scope, context and<br />
purposes of processing as well as the risk of varying<br />
<br />
likelihood and severity for the rights and freedoms of<br />
natural persons, the controller and the processor shall<br />
implement appropriate technical and organisational<br />
<br />
measures to ensure a level of security appropriate to the<br />
risk, including inter alia as appropriate:<br />
<br />
(a) the pseudonymisation and encryption of personal<br />
data;<br />
<br />
(b) the ability to ensure the ongoing confidentiality,<br />
integrity, availability and resilience of processing<br />
systems and services;<br />
<br />
<br />
(c) the ability to restore the availability and access to<br />
personal data in a timely manner in the event of a<br />
physical or technical incident;<br />
<br />
(d) a process for regularly testing, assessing and<br />
evaluating the effectiveness of technical and<br />
organisational measures for ensuring the security of<br />
the processing.<br />
<br />
2. In assessing the appropriate level of security account<br />
<br />
shall be taken in particular of the risks that are presented<br />
by processing, in particular from accidental or unlawful<br />
destruction, loss, alteration, unauthorised disclosure of, or<br />
access to personal data transmitted, stored or otherwise<br />
processed.<br />
<br />
<br />
The Commissioner's powers of enforcement<br />
<br />
<br />
13. The Commissioner is the supervisory authority for the UK under the<br />
<br />
GDPR.<br />
<br />
<br />
14. By Article 57(1) of the GDPR, it is the Commissioner's task to monitor<br />
and enforce the application of the GDPR.<br />
<br />
<br />
15. By Article 58(2)(d) of the GDPR the Commissioner has the power to<br />
<br />
notify controllers of alleged infringements of GDPR. By Article 58(2)(i)<br />
she has the power to impose an administrative fine, in accordance with<br />
<br />
Article 83, in addition to or instead of the other corrective measures<br />
<br />
referred to in Article 58(2), depending on the circumstances of each<br />
individual case.<br />
<br />
<br />
16. By Article 83(1), the Commissioner is required to ensure that<br />
administrative fines issued in accordance with Article 83 are effective,<br />
<br />
proportionate, and dissuasive in each individual case. Article 83(2) goes<br />
<br />
on to provide that:<br />
<br />
When deciding whether to impose an administrative fine<br />
<br />
and deciding on the amount of the administrative fine in<br />
each individual case due regard shall be given to the<br />
following:<br />
<br />
(a) the nature, gravity and duration of the<br />
infringement taking into account the nature scope or<br />
purpose of the processing concerned as well as the<br />
number of data subjects affected and the level of<br />
damage suffered by them;<br />
<br />
(b) the intentional or negligent character of the<br />
<br />
infringement;<br />
<br />
(c) any action taken by the controller or processor to<br />
mitigate the damage suffered by data subjects;<br />
<br />
(d) the degree of responsibility of the controller or<br />
processor taking into account technical and<br />
organisational measures implemented by them<br />
pursuant to Articles 25 and 32;<br />
<br />
(e) any relevant previous infringements by the<br />
<br />
controller or processor;<br />
<br />
(f) the degree of cooperation with the supervisory<br />
authority, in order to remedy the infringement and<br />
mitigate the possible adverse effects of the<br />
infringement;<br />
<br />
(g) the categories of personal data affected by the<br />
infringement;<br />
<br />
(h) the manner in which the infringement became<br />
<br />
known to the supervisory authority, in particular<br />
whether, and if so to what extent, the controller or<br />
processor notified the infringement;<br />
<br />
<br />
<br />
(i) where measures referred to in Article 58(2) have<br />
previously been ordered against the controller or<br />
processor concerned with regard to the same<br />
subject-matter, compliance with those measures;<br />
<br />
(j) adherence to approved codes of conduct pursuant<br />
to Article 40 or approved certification mechanisms<br />
pursuant to Article 42; and<br />
<br />
(k) any other aggravating or mitigating factor<br />
applicable to the circumstances of the case, such as<br />
financial benefits gained, or losses avoided, directly<br />
<br />
or indirectly, from the infringement.<br />
<br />
<br />
17. The DPA contains enforcement provisions in Part 6 which are exercisable<br />
by the Commissioner. Section 155 of the DPA ("Penalty Notices")<br />
<br />
provides that:<br />
<br />
<br />
(1) If the Commissioner is satisfied that a person<br />
<br />
(a) has failed or is failing as described in section<br />
149(2) ...,<br />
<br />
the Commissioner may, by written notice (a "penalty<br />
notice"), require the person to pay to the<br />
Commissioner an amount in sterling specified in the<br />
notice.<br />
<br />
(2) Subject to subsection (4), when deciding whether to<br />
give a penalty notice to a person and determining the<br />
<br />
amount of the penalty, the Commissioner must have<br />
regard to the following, so far as relevant-<br />
<br />
(a) to the extent that the notice concerns a matter to<br />
which the GDPR applies, the matters listed in Article<br />
83(1) and (2) of the GDPR.<br />
<br />
<br />
18. The failures identified in section 149(2) DPA are, insofar as relevant<br />
<br />
here:<br />
<br />
<br />
<br />
<br />
<br />
(2) The first type of failure is where a controller or<br />
processor has failed, or is failing, to comply with any of the<br />
following-<br />
<br />
(a) a provision of Chapter II of the GDPR or Chapter<br />
2 of Part 3 or Chapter 2 of Part 4 of this Act<br />
(principles of processing);<br />
<br />
...<br />
<br />
(c) a provision of Articles 25 to 39 of the GDPR or<br />
section 64 or 65 of this Act (obligations of controllers<br />
and processors) [...]<br />
<br />
<br />
Factual background to the incident<br />
<br />
<br />
<br />
19. HIV Scotland is a charity which provides support for individuals<br />
living with HIV, individuals who may be at risk of HIV, and individuals<br />
<br />
who support those groups.<br />
<br />
<br />
20. HIV Scotland's Community Advisory Network ("CAN") brings<br />
together patient advocates from across Scotland to represent the full<br />
<br />
diversity of people living with HIV. Individuals sign up to be part of this<br />
<br />
network to help support and inform the work of HIV Scotland. Semi<br />
regular email updates are sent to the group, usually surrounding one of<br />
<br />
their quarterly meetings.<br />
<br />
21. Having identified its online mailing/database programme as a key<br />
<br />
organisational priority in April 2019, in June 2019 HIV Scotland made a<br />
<br />
decision to procure a MailChimp account. The procurement took place<br />
in July 2019. Over the following months a number of lists held by HIV<br />
<br />
Scotland were migrated to MailChimp to provide the necessary<br />
functionality for bulk messages to be sent in a more secure manner.<br />
<br />
However, by the time of the incident, the CAN list was not one of those<br />
<br />
which had been migrated.<br />
<br />
<br />
<br />
22. On 3 February 2020, HIV Scotland sent<br />
an email using Microsoft Outlook, containing an agenda for an event<br />
<br />
taking place on 8 February 2020, to 105 individual members of HIV<br />
<br />
Scotland's CAN. The agenda provided details of the meeting's key<br />
discussion points, and details of the meeting's location. Instead of<br />
<br />
using the Blind Carbon Copy ("BCC") feature, the used<br />
the Carbon Copy ("CC") feature, showing the email addresses of all<br />
<br />
intended recipients to all that received the email.<br />
<br />
<br />
23. 65 of 105 email addresses visible to the other recipients as part<br />
of this communication clearly identified individuals by their name. The<br />
<br />
breach was identified immediately,<br />
<br />
It has not been possible for HIV<br />
Scotland to determine how successful the recall was.<br />
<br />
<br />
24. It is noted that two recipients responded to HIV Scotland to<br />
highlight the incident.<br />
<br />
<br />
25. HIV Scotland contacted the ICO Helpline about the incident and<br />
<br />
completed and submitted a breach report on the same day as the<br />
incident. The incident was attributed to human error, with HIV Scotland<br />
<br />
accepting that, in terms of the personal data disclosed, "[a]ssumption<br />
<br />
could be made about individuals HIV status or risk".<br />
<br />
26. Upon becoming aware of the error, HIV Scotland's chief<br />
<br />
executive emailed all recipients to apologise. HIV Scotland also issued<br />
a statement on its website, contacted the individuals involved to<br />
<br />
apologise, and to ask that the email is deleted. It also offered personal<br />
<br />
support in the event of any distress caused. HIV Scotland has advised<br />
that 12 individuals contacted it to thank it for the apology.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
28. It is understood that MailChimp is now fully implemented and<br />
<br />
operational so the risk of a repeat incident is significantly reduced and<br />
very unlikely. In February 2020 HIV Scotland confirmed to the<br />
<br />
Commissioner that it has "now completed the migration to MailChimp<br />
to ensure that the error of failing to BCC a group email can no longer<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
29. As a result of the breach, HIV Scotland decided to fully audit all<br />
of its security and data management procedures and a full search of its<br />
<br />
SharePoint Server was completed to ensure no personal information<br />
was stored separately from its secure mailing lists.<br />
<br />
<br />
30. The Commissioner has considered whether these facts constitute<br />
a contravention of the data protection legislation.<br />
<br />
<br />
The Contraventions of Article 5(1)(f), 32(1) and (2) of the GDPR<br />
<br />
<br />
31. For the reasons set out below, the Commissioner takes the view<br />
from her investigation that this breach occurred primarily as a result of<br />
<br />
serious deficiencies in HIV Scotland's technical and organisational<br />
measures.<br />
<br />
<br />
32. It is accepted that HIV Scotland did have some policies and<br />
<br />
associated measures, whether in place or in progress, at the time of<br />
<br />
the breach, and the Commissioner has considered these below:<br />
<br />
<br />
<br />
a) HIV Scotland advised that all employees would be asked to read and<br />
<br />
refer to the HIV Scotland's Privacy Policy as well as highlight it to<br />
<br />
those who contact them when relevant.<br />
<br />
<br />
b) HIV Scotland confirmed that all staff have access to an online<br />
training hub called 'BOLT Spark' and are required to complete 11<br />
<br />
training modules within the first three months of their employment,<br />
including GDPR (called "EU GDPR Awareness for All") which contains<br />
<br />
an assessed module on data protection and specifically GDPR.<br />
<br />
c)<br />
<br />
was aware of<br />
<br />
the privacy policy and expectations to meet GDPR requirements,<br />
including the use of BCC for group emails.<br />
<br />
<br />
d) HIV Scotland were at the time of the breach in the process of<br />
migrating its databases/lists to MailChimp in order to introduce the<br />
<br />
ability to securely email group contacts on all mailing lists held by<br />
them.<br />
<br />
<br />
<br />
33. Whilst it is accepted that HIV Scotland had taken some steps as<br />
detailed above, the Commissioner finds that they were not sufficient.<br />
<br />
The Commissioner's findings are detailed below:<br />
<br />
<br />
a) HIV Scotland did not have a specific Policy on the secure handling of<br />
personal data within the organisation. Rather, the Policy staff relied<br />
<br />
on related to HIV Scotland's own Privacy Policy, and was the public<br />
facing statement covering points such as Cookie use, and data<br />
<br />
subject access rights; it was not an appropriate Data Protection<br />
<br />
Policy which focused on staff handling of personal data. The Privacy<br />
Policy referenced by HIV Scotland provided no guidance to staff on<br />
<br />
the handling of personal data itself, for example, what they must do<br />
to ensure that it is kept secure. This is something which the<br />
<br />
Commissioner would expect from an organisation handling personal<br />
<br />
data, and would expect it to maintain policies regarding, amongst<br />
other things, confidentiality.<br />
<br />
<br />
b) The used by HIV Scotland includes<br />
an entry for day one as "Explanation of data processing, GDPR &<br />
<br />
email use inc. BBC for group emails" (sic) which appears to suggest<br />
that the use of BCC for group emails was deemed an acceptable<br />
<br />
method of group-email contact.<br />
<br />
<br />
c) HIV Scotland stated in its initial breach notification,<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
HIV Scotland confirmed that employees are expected to complete<br />
the "EU GDPR Awareness for All" on an annual basis. The<br />
<br />
Commissioner considers it a weakness and a risk that the data<br />
<br />
protection course is expected to be completed<br />
when it should have been much sooner and<br />
<br />
certainly before an employee handled personal data. Whilst there is<br />
no fixed requirement within the DPA or the GDPR as to the type of<br />
<br />
data protection training an employee should undertake, or when it<br />
should be provided, as part of a controller's organisational measures<br />
<br />
to safeguard personal data the Commissioner would expect an<br />
<br />
organisation to train employees handling personal data, and in<br />
particular data which is special category in nature or by inference<br />
<br />
before an individual is given access to such data. The<br />
Commissioner's current guidance on this (as contained in the<br />
<br />
'Accountability Framework' package 1) recommends that staff receive<br />
<br />
induction training prior to accessing personal data and within one<br />
month of their start date.<br />
<br />
<br />
d) Regarding the implementation of Mailchimp, the Commissioner<br />
<br />
notes that when asked for its reasons for procuring Mailchimp, HIV<br />
<br />
Scotland advised that "when I [the HIV Scotland representative]<br />
took over as Chief Executive, the system for storing data was poor<br />
<br />
in the organisation. It involved a variety of different excel<br />
<br />
spreadsheets that individual staff controlled. This meant that if<br />
someone asked to be removed from a mailing list; the process was<br />
<br />
difficult and hard to confirm every entry had been deleted. When we<br />
<br />
hired our Communications Lead, we highlighted an online<br />
mailing/database programme as a key priority in April 2019." (sic).<br />
<br />
<br />
HIV Scotland stated further during the Commissioner's investigation<br />
<br />
that "[d]ue to the impending event, we had not yet moved the<br />
<br />
Advisory Network mailing list over to MailChimp to ensure everyone<br />
was still receiving the emails." The "impending event" referred to is<br />
<br />
the CAN event of 8 February 2020, to which the email agenda that<br />
<br />
was sent on 3 February 2020 without the use of BCC pertains. HIV<br />
Scotland further confirmed that they had procured MailChimp and<br />
<br />
other groups had been transferred onto it, but they held off doing<br />
<br />
that for this particular CAN group because of the immediacy of the<br />
event that formed the content of the email of 3 February 2020.<br />
<br />
They were concerned that if they had used MailChimp for<br />
<br />
communication in relation to the impending event, that the emails<br />
<br />
may have caused disruption by ending up in the junk folder or<br />
appearing to have been sent by someone else. It is clear from HIV<br />
<br />
Scotland's reasons for procuring Mailchimp that it had identified the<br />
<br />
<br />
1 https://ico.org.uk/for-organisations/accountability-framework/training-and-awareness/induction-and-refresher-training/<br />
<br />
<br />
need for improvements to online mailings as early as ten months<br />
prior to the breach.<br />
<br />
<br />
The Commissioner understands that Mailchimp was in fact procured<br />
<br />
in July 2019 but was not adequately implemented by the time of the<br />
breach on 3 February 2020.<br />
<br />
<br />
Mailchimp provided the necessary functionality for bulk messages to<br />
<br />
be sent in a more secure manner. The Commissioner is of the view<br />
that if it had been appropriately implemented when communicating<br />
<br />
with users and supporters of HIV Scotland's services via email, it<br />
would have prevented the disclosure of those users' email<br />
<br />
addresses. In short, it would have prevented both the occurrence<br />
<br />
and consequence of the breach.<br />
<br />
<br />
The Commissioner's investigation into this matter has determined<br />
that despite a clear recognition of the risks of the use of BCC,<br />
<br />
insufficient steps were taken quickly enough to prevent the<br />
<br />
disclosure of service users' emails. This is despite a solution having<br />
already been procured and in use in regard to other areas of HIV<br />
<br />
Scotland's estate. This represents a serious and negligent failure to<br />
take appropriate organisational and technical steps to reduce the<br />
<br />
possibility of an incident occurring. If the use of Mailchimp had been<br />
adequately risk assessed, scoped and prioritised, the Commissioner<br />
<br />
takes the view that it is highly likely that this incident would not<br />
<br />
have happened.<br />
<br />
<br />
34. The Commissioner considers that the data concerned in this case<br />
comprises of email addresses. An email address which clearly relates to<br />
<br />
an identified or identifiable living individual is considered to be personal<br />
<br />
data.<br />
<br />
<br />
<br />
35. However, regarding the content of any email, this will not<br />
<br />
automatically be personal data unless it includes information which<br />
reveals something about that individual or has an impact on them.<br />
<br />
<br />
<br />
36. In this case, it is considered that the content of the email,<br />
specifically the agenda, combined with the identity of the organisation<br />
<br />
sending the email, does reveal information about the recipients.<br />
<br />
Namely, the recipients are identified as HIV Scotland CAN members, to<br />
<br />
the extent that they have been invited to a CAN event hosted by the<br />
organisation. Consequently, and to the extent to which 65 individuals<br />
<br />
can be identified from the email distribution list, special category data<br />
<br />
can be inferred to a reasonable degree in so far as the disclosure of the<br />
email addresses connects those individuals with an organisation that<br />
<br />
provides HIV support services.<br />
<br />
<br />
<br />
37. The Commissioner takes the view that even if the email<br />
addresses and content of the email itself can be deemed not to<br />
<br />
constitute special category data, it is clear that there are particular<br />
<br />
sensitivities around the nature of the personal data being processed in<br />
this situation that HIV Scotland should have considered in line with the<br />
<br />
Commissioner's guidance on Special Category Data².<br />
<br />
<br />
<br />
38. The Commissioner considers further that HIV Scotland has<br />
previously demonstrated an increased awareness of the risks of such<br />
<br />
conduct, given that on 17 June 2019 it had commented critically on its<br />
<br />
website in relation to a similar issue involving a Health Board.<br />
<br />
<br />
<br />
<br />
<br />
2https ://ico. org. uk/for-ouide-to-data-proteuide-to-the-general-data-protection<br />
regulation-g dpr/ specia 1-category-d ata/what-i s#scd7i a1-category-d ata/<br />
<br />
<br />
39. The Commissioner takes the view that by the time the HIV<br />
Scotland breach occurred almost eight months later, and having<br />
<br />
commented on the error experienced by another controller, HIV<br />
Scotland were certainly aware of such a risk and should have ensured<br />
<br />
they had adequate measures in place to prevent such an incident<br />
within its own organisation.<br />
<br />
<br />
<br />
40. HIV Scotland has confirmed that it received one formal complaint<br />
regarding the incident but did not believe the points raised in the<br />
<br />
complaint required any further action. HIV Scotland responded to the<br />
complainant with its view at the time, although the Commissioner<br />
<br />
considers that the complaint clearly identifies distress being<br />
<br />
experienced by the complainant as a result of the breach.<br />
<br />
41. Specifically, with regard to the principle of integrity and<br />
<br />
confidentiality under Article 5(1)(f) of the GDPR, the Commissioner<br />
considers that HIV Scotland failed to send a separate email to each<br />
<br />
intended recipient, and instead utilised bulk email facility.<br />
<br />
<br />
42. The Commissioner further finds that, notwithstanding its failure<br />
to migrate the CAN list to the more secure MailChimp platform despite<br />
<br />
it being available, HIV Scotland failed to use the BCC function of<br />
Microsoft Outlook.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
had completed the 'Explanation of data processing, GDPR& email use<br />
inc BBC for group emails' (sic) awareness training<br />
<br />
<br />
<br />
<br />
<br />
<br />
44. In regard to the requirement under Articles 32(1) and (2) of the<br />
GDPR to implement a level of security appropriate to the risk when<br />
<br />
processing data, the Commissioner considers that HIV Scotland failed<br />
<br />
to implement a level of security appropriate to the risk in this instance.<br />
HIV Scotland had actively recognised the need for greater outbound<br />
<br />
mailing security a number of months prior to the breach, and had in<br />
<br />
fact procured a MailChimp account which, if implemented, would have<br />
mitigated the risk of a breach. However, it failed to implement this<br />
<br />
level of security in relation to the CAN list which, had it done so, would<br />
have significantly reduced the likelihood of the breach occurring.<br />
<br />
<br />
<br />
45. The Commissioner finds that HIV Scotland should have taken<br />
particular account of the risks associated with processing the personal<br />
<br />
data in this instance when assessing the appropriate level of security.<br />
<br />
Given the nature of the CAN list, together with the significant delay<br />
between procurement of MailChimp in July 2019 and its eventual<br />
<br />
implementation which took place shortly after the breach in February<br />
<br />
2020, it is clear that HIV Scotland failed to do this.<br />
<br />
Notice of Intent<br />
<br />
<br />
46. On 22 July 2021, in accordance with s.155(5) and paragraphs 2<br />
<br />
and 3 of Schedule 16 DPA, the Commissioner issued HIV Scotland with<br />
a Notice of Intent to impose a penalty under s.155 DPA. The Notice of<br />
<br />
Intent described the circumstances and the nature of the personal data<br />
<br />
breach in question, explained the Commissioner's reasons for a<br />
proposed penalty, and invited written representations from HIV<br />
<br />
Scotland.<br />
<br />
<br />
47. On 20 August 2021, HIV Scotland provided written<br />
representations in respect of the Notice, together with supporting<br />
<br />
documentation in relation to its finances.<br />
<br />
<br />
48. On 30 September 2021 the Commissioner held a 'representations<br />
meeting' to thoroughly consider the representations provided by HIV<br />
<br />
Scotland. At that meeting it was determined that a monetary penalty<br />
<br />
remained appropriate in all of the circumstances.<br />
<br />
<br />
Factors relevant to whether a penalty is appropriate, and if so, the<br />
<br />
amount of the penalty<br />
<br />
49. The Commissioner has considered the factors set out in Article<br />
<br />
83(2) of the GDPR in deciding whether to issue a penalty. For the reasons<br />
<br />
given below, she is satisfied that (i) the contraventions are sufficiently<br />
serious to justify issuing a penalty in addition to exercising her corrective<br />
<br />
powers; and (ii) the contraventions are serious enough to justify a<br />
<br />
significant fine.<br />
<br />
(a) the nature, gravity and duration of the infringement taking into<br />
account the nature, scope or purpose of the processing concerned as<br />
well as the number of data subjects affected and the level of damage<br />
suffered by them<br />
<br />
<br />
<br />
50. On 3 February 2020 sent an<br />
<br />
email using Microsoft Outlook to 105 individual members of HIV<br />
Scotland's CAN. The email contained an agenda for a forthcoming<br />
<br />
meeting. Instead of using the BCC feature, used the<br />
<br />
CC feature, showing the email addresses to all that received the email.<br />
This was a one-off incident.<br />
<br />
<br />
<br />
51. 65 individuals could potentially be identified as their names were<br />
included in the email address. The other email addresses did not have<br />
<br />
identifiable information in the email address but could be used to<br />
<br />
identify individuals in combination with other information e.g. the email<br />
address could be used to search online to discover other details about<br />
<br />
<br />
the individual. Whilst the data comprises email addresses which in<br />
themselves are not considered special category data, it could be<br />
<br />
inferred that the individuals they belong to are HIV positive or<br />
supporting someone who is.<br />
<br />
<br />
52. The Commissioner considers that it is at least possible that there<br />
may be an element of distress associated with this breach. There has<br />
<br />
been one formal complaint received by HIV Scotland, with the<br />
<br />
complainant stating that their HIV status had been disclosed to<br />
strangers and their choice to tell friends or family had been taken<br />
<br />
away.<br />
<br />
(b) the intentional or negligent character of the infringement<br />
<br />
<br />
53. The Commissioner considers that there is no evidence of there<br />
<br />
being an intentional aspect to this infringement, however the<br />
Commissioner considers that the breach was negligent since the risks<br />
<br />
of using Outlook for sensitive communications were known by HIV<br />
Scotland either by reference to previous ICO enforcement action, or by<br />
<br />
HIV Scotland's knowledge of a very similar recent incident involving<br />
another controller. Furthermore, online mailing was a key priority area<br />
<br />
identified by HIV Scotland in April 2019, some ten months before the<br />
<br />
breach occurred. MailChimp was procured in July 2019 and yet the CAN<br />
group was still not migrated to MailChimp by 3 February 2020. There<br />
<br />
was also a degree of negligence in that HIV Scotland's policies and<br />
procedures, and also the was<br />
<br />
not sufficient at the time of the incident.<br />
<br />
<br />
(c) any action taken by the controller or processor to mitigate the<br />
damage suffered by data subjects<br />
<br />
<br />
<br />
<br />
<br />
<br />
54. All affected recipients were emailed by HIV Scotland, and a<br />
statement was put on its website very shortly after the incident<br />
<br />
occurring. HIV Scotland also asked all recipients to delete the email. In<br />
addition, the matter was addressed at the CAN meeting on 8 February<br />
<br />
2020 when HIV Scotland outlined the action it had taken and offered<br />
<br />
the chance for queries or concerns. The sole complaint has been dealt<br />
with.<br />
<br />
<br />
(d) the degree of responsibility of the controller or processor taking<br />
into account technical and organisational measures implemented by<br />
them pursuant to Articles 25 and 32<br />
<br />
<br />
55. HIV Scotland should have been aware of previous, very similar<br />
incidents that the ICO has fined and publicised. They were certainly<br />
<br />
aware of a case involving a UK controller that occurred in June 2019<br />
and identified the need for a different system. MailChimp was procured<br />
<br />
but 7 months had passed and the CAN group had not yet been<br />
<br />
migrated to MailChimp at the time of the incident. HIV Scotland should<br />
have adopted a risk-based approach and should have identified the<br />
<br />
CAN list as one of the more urgent groups, noting the potential for the<br />
inference of special category data; it is for this reason that the<br />
<br />
Commissioner is of the view that it should have prioritised its<br />
<br />
migration. Whilst HIV Scotland's materials suggested that<br />
'BCC' was sufficient as a means of engaging in group emails, it should<br />
<br />
have identified that this was a risk and at the very least put other<br />
<br />
measures in place such as not sending group emails out and sending<br />
such emails individually until MailChimp was fully implemented.<br />
<br />
<br />
(e) any relevant previous infringements by the controller or<br />
processor<br />
<br />
<br />
<br />
56. The Commissioner is unaware of any previous data protection<br />
infringements by HIV Scotland.<br />
<br />
<br />
<br />
(f) the degree of cooperation with the supervisory authority, in<br />
order to remedy the infringement and mitigate the possible adverse<br />
effects of the infringement<br />
<br />
57. HIV Scotland were fully cooperative with the Commissioner's<br />
<br />
investigation.<br />
<br />
<br />
(g) the categories of personal data affected by the infringement<br />
<br />
<br />
58. Whilst the disclosed data comprises email addresses which in<br />
<br />
themselves are not considered special category data, the<br />
Commissioner is of the view that it can be reasonably inferred that the<br />
<br />
individuals whose email addresses were impacted included individuals<br />
<br />
who are HIV positive or at risk of contracting the virus.<br />
<br />
<br />
(h) the manner in which the infringement became known to the<br />
supervisory authority, in particular whether, and if so to what extent,<br />
the controller or processor notified the infringement<br />
<br />
<br />
59. HIV Scotland notified the Commissioner about the breach on 3<br />
February 2020. HIV Scotland contacted the Commissioner's Helpline<br />
<br />
about the incident and completed the necessary 'breach report' within<br />
<br />
2 hours of the incident occurring.<br />
<br />
(i) where measures referred to in Article 58(2) have previously<br />
been ordered against the controller or processor concerned with<br />
regard to the same subject-matter, compliance with those measures;<br />
<br />
<br />
<br />
60. Not applicable.<br />
<br />
<br />
(j) adherence to approved codes of conduct pursuant to Article 40<br />
or approved certification mechanisms pursuant to Article 42;<br />
<br />
61. Not applicable.<br />
<br />
<br />
<br />
<br />
(k) any other aggravating or mitigating factor applicable to the<br />
circumstances of the case, such as financial benefits gained, or<br />
losses avoided, directly or indirectly, from the infringement.<br />
<br />
<br />
62. The Commissioner has considered the following aggravating<br />
factor in this case:<br />
<br />
<br />
<br />
• The Commissioner has previously taken action against<br />
organisations for similar breaches. As such, the Commissioner<br />
<br />
takes the view that the risks of these kind of disclosures and the<br />
consequences for the potential harm that might be caused to<br />
<br />
data subjects was a matter that had been reported on both in<br />
mainstream and trade (privacy professional) media.<br />
<br />
<br />
<br />
63. The Commissioner has considered the following mitigating<br />
factors in this case:<br />
<br />
<br />
• are asked to read and refer to HIV<br />
<br />
Scotland's privacy policy - whilst this does not provide sufficient<br />
guidance or information generally about what are<br />
<br />
required to do, it demonstrates that data protection<br />
<br />
considerations are not entirely absent from HIV Scotland's<br />
induction process.<br />
<br />
<br />
• MailChimp had been procured but at the time of the breach the<br />
<br />
CAN group had not been migrated. The plan was that the group<br />
would be told about this at the meeting on 8 February 2020 so<br />
<br />
that they would be aware and to avoid emails going to 'Spam' or<br />
<br />
it not being clear who they were from. Full migration to<br />
MailChimp is now completed. Whilst the failure to implement this<br />
<br />
solution quickly is a material fact to the seriousness of the<br />
<br />
<br />
infringements, its procurement demonstrates that consideration<br />
of the improvements that could be made, specifically the security<br />
<br />
of email communications, was not entirely absent.<br />
<br />
<br />
• The organisation has a training portal for-with mandatory<br />
GDPR training refreshed every year.<br />
<br />
<br />
• HIV Scotland took steps to remedy the incident by asking all<br />
recipients to delete the email on the same day that it was sent,<br />
<br />
and also added a message to its website.<br />
<br />
<br />
<br />
Summary and decided penalty<br />
<br />
64. For the reasons set out above, the Commissioner has decided to<br />
<br />
impose a financial penalty on HIV Scotland. The Commissioner has<br />
<br />
taken into account the size of HIV Scotland, publicly available<br />
information regarding its finances, and the representations made by<br />
<br />
HIV Scotland as to its financial position. She is mindful that the penalty<br />
must be effective, proportionate and dissuasive.<br />
<br />
<br />
<br />
65. Taking into account all of the factors set out above, the<br />
Commissioner has decided to impose a penalty on HIV Scotland of<br />
<br />
£10,000 (ten thousand pounds).<br />
<br />
<br />
Payment of the penalty<br />
<br />
<br />
66. The penalty must be paid to the Commissioner's office by BACS<br />
<br />
transfer or cheque by 16 November 2021 at the latest. The penalty is<br />
not kept by the Commissioner but will be paid into the Consolidated<br />
<br />
Fund which is the Government's general bank account at the Bank of<br />
<br />
England.<br />
<br />
<br />
<br />
67. There is a right of appeal to the First-tier Tribunal (Information<br />
Rights) against:<br />
<br />
<br />
(a) The imposition of the penalty; and/or,<br />
(b) The amount of the penalty specified in the penalty notice<br />
<br />
<br />
68. Any notice of appeal should be received by the Tribunal within 28<br />
<br />
days of the date of this penalty notice.<br />
<br />
<br />
69. The Commissioner will not take action to enforce a penalty<br />
<br />
unless:<br />
<br />
<br />
• the period specified within the notice within which a penalty must<br />
<br />
be paid has expired and all or any of the penalty has not been<br />
paid;<br />
<br />
• all relevant appeals against the penalty notice and any variation<br />
of it have either been decided or withdrawn; and<br />
<br />
• the period for appealing against the penalty and any variation of<br />
<br />
it has expired.<br />
<br />
<br />
70. In England, Wales and Northern Ireland, the penalty is<br />
<br />
recoverable by Order of the County Court or the High Court. In<br />
Scotland, the penalty can be enforced in the same manner as an<br />
<br />
extract registered decree arbitral bearing a warrant for execution<br />
issued by the sheriff court of any sheriffdom in Scotland.<br />
<br />
<br />
<br />
71. Your attention is drawn to Annex 1 to this Notice, which sets out<br />
details of your rights of appeal under s.162 DPA.<br />
<br />
<br />
<br />
<br />
<br />
<br />
Dated the 18th day of October 2021<br />
<br />
Director of Investigations<br />
Information Commissioner's Office<br />
Wycliffe House<br />
Water Lane<br />
Wilmslow<br />
Cheshire<br />
SK9 5AF<br />
<br />
<br />
ANNEX 1<br />
<br />
<br />
DATA PROTECTION ACT 2018<br />
Rights of appeal against decisions of the Commissioner<br />
<br />
<br />
1. Section 162 of the Data Protection Act 2018 gives any person upon<br />
<br />
whom a penalty notice or variation notice has been served a right of<br />
<br />
appeal to the First-tier Tribunal (Information Rights) (the 'Tribunal')<br />
against the notice.<br />
<br />
<br />
2. If you decide to appeal and if the Tribunal considers:-<br />
<br />
<br />
<br />
a) that the notice against which the appeal is brought is not in<br />
accordance with the law; or<br />
<br />
<br />
b) to the extent that the notice involved an exercise of discretion by<br />
<br />
the Commissioner, that she ought to have exercised her<br />
discretion differently,<br />
<br />
<br />
<br />
the Tribunal will allow the appeal or substitute such other decision as<br />
could have been made by the Commissioner. In any other case the<br />
<br />
Tribunal will dismiss the appeal.<br />
<br />
<br />
3. You may bring an appeal by serving a notice of appeal on the Tribunal<br />
<br />
at the following address:<br />
<br />
<br />
General Regulatory Chamber<br />
HM Courts & Tribunals Service<br />
PO Box 9300<br />
Leicester<br />
LE1 8DJ<br />
<br />
Telephone: 0203 936 8963<br />
<br />
<br />
Email: grc@justice.gov.uk<br />
<br />
<br />
a) The notice of appeal should be sent so it is received by the<br />
Tribunal within 28 days of the date of the notice.<br />
<br />
<br />
b) If your notice of appeal is late the Tribunal will not admit it<br />
<br />
unless the Tribunal has extended the time for complying with this<br />
<br />
rule.<br />
<br />
<br />
4. The notice of appeal should state:-<br />
<br />
<br />
a) your name and address/name and address of your representative<br />
(if any);<br />
<br />
<br />
<br />
b) an address where documents may be sent or delivered to you;<br />
<br />
<br />
c) the name and address of the Information Commissioner;<br />
<br />
<br />
d) details of the decision to which the proceedings relate;<br />
<br />
<br />
e) the result that you are seeking;<br />
<br />
<br />
f) the grounds on which you rely;<br />
<br />
<br />
g) you must provide with the notice of appeal a copy of the penalty<br />
<br />
notice or variation notice;<br />
<br />
<br />
h) if you have exceeded the time limit mentioned above the notice<br />
<br />
of appeal must include a request for an extension of time and the<br />
reason why the notice of appeal was not provided in time.<br />
<br />
<br />
<br />
5. Before deciding whether or not to appeal you may wish to consult your<br />
solicitor or another adviser. At the hearing of an appeal a party may<br />
conduct his case himself or may be represented by any person whom<br />
<br />
he may appoint for that purpose.<br />
<br />
<br />
6. The statutory provisions concerning appeals to the First-tier Tribunal<br />
(General Regulatory Chamber) are contained in sections 162 and 163<br />
of, and Schedule 16 to, the Data Protection Act 2018, and Tribunal<br />
<br />
Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules<br />
2009 (Statutory Instrument 2009 No. 1976 (L.20)).<br />
<br />
</pre></div>Mariam-hwthhttps://gdprhub.eu/index.php?title=ICO_(UK)_-_SportsDirect.com_Retail_Limited&diff=19777ICO (UK) - SportsDirect.com Retail Limited2021-09-19T16:56:51Z<p>Mariam-hwth: /* Holding */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|DPA-BG-Color=background-color:#023868;<br />
|DPAlogo=LogoUK.png<br />
|DPA_Abbrevation=ICO (UK)<br />
|DPA_With_Country=ICO (UK)<br />
<br />
|Case_Number_Name=SportsDirect.com Retail Limited<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ICO<br />
|Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/mpns/4018347/sportsdirect_com-retail-limited-mpn-20210913.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=13.09.2021<br />
|Date_Published=15.09.2021<br />
|Year=2021<br />
|Fine=70000<br />
|Currency=GBP<br />
<br />
<br />
<br />
|National_Law_Name_1=Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
|National_Law_Link_1=https://www.legislation.gov.uk/uksi/2003/2426<br />
|National_Law_Name_2=Regulation 22(3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
|National_Law_Link_2=https://www.legislation.gov.uk/uksi/2003/2426<br />
<br />
|Party_Name_1=SportsDirect.com Retail Limited<br />
|Party_Link_1=https://www.sportsdirect.com/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=MH<br />
|<br />
}}<br />
<br />
The UK DPA, Information Commissioner's Office, imposed a fine of approximately €82000 on SportsDirect.com Retail Ltd. The sports retailer infringed Regulation 22 of PECR by sending unsolicited marketing emails that were received by just under 2.6 million individuals.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
SportsDirect.com Retail Limited (hereafter: SportsDirect) is a sports retailer in the UK. It was the subject of various complaints, made via the online reporting tool of the UK DPA, the Information Commissioner's Office (ICO), in relation to unsolicited communications between December 2019 and February 2020. The ICO started an investigation on the basis of these complaints.<br />
<br />
SportsDirect outlined that the personal data it used for direct marketing was obtained directly from customers after having given their consent. SportsDirect considered the direct marketing sent to individuals who complained to be a "re-engagement campaign". They claimed that these individuals had opted in to receiving marketing emails (and didn't unsubscribe). The emails sent amounted to a total of 459,882,124 emails, 2,565,513 of which were received as part of the "re-engagement campaign". <br />
<br />
SportsDirect claimed to rely on the soft opt-in for 7 of the 12 complainants and stated that it collected consent directly from 3 others. It did not have a record of having sent marketing to 1 complainant and had recently erased the data of another shortly after they complained.<br />
<br />
During the investigation, the ICO uncovered that SportsDirect continued to send messages to customers signed up to a specific scheme even after the scheme had ended. SportsDirect claimed this to be on the basis of legitimate interest for the ex-members of the scheme. <br />
<br />
Throughout the investigation, SportsDirect cited the challenges it faced in gathering the information requested by the ICO. The ICO responded that some of the information, such as legal bases, should be readily available to data controllers.<br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
The Information Commissioner's Office (ICO) held that SportsDirect infringed Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (hereafter PECR). 2,565,513 direct marketing emails sent by SportsDirect were received by subscribers. However, SportsDirect was unable to provide evidence that it had valid consent to send these marketing emails. The ICO did not consider that SportsDirect could rely on the soft opt-in exception under Regulation 22(3) PECR.<br />
<br />
The ICO determined that the infringement was negligent on the part of SportsDirect, as it knew or ought reasonably to have known that it might infringe PECR. The ICO took into account the fact that a lot of guidance on PECR is readily available to organisations. Additionally, it is clear from this guidance that organisations must keep track of when and how consent was given, which SportsDirect had not done. The ICO also mentioned its concern with regard to SportsDirect's privacy policy, which states: "... you confirm that you do not and will not consider any of these purposes as a breach of any of your rights under the Privacy and Electronic Communications (EC Directive) Regulations 2003".<br />
<br />
Considering these factors, the ICO imposed a fine of approximately €82000 on SportsDirect.<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
DATA PROTECTION ACT 1998<br />
<br />
<br />
<br />
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER<br />
<br />
<br />
<br />
MONETARY PENALTY NOTICE<br />
<br />
<br />
<br />
<br />
To: SportsDirect.com Retail Limited<br />
<br />
<br />
Of: Unit A, Brook Park East, Shirebrook NG20 8RY<br />
<br />
<br />
1. The Information Commissioner (“the Commissioner”) has decided to<br />
issue SportsDirect.com Retail Limited (“SportsDirect”) with a monetary<br />
<br />
penalty under section 55A of the Data Protection Act 1998 (“DPA”). The<br />
<br />
penalty is in relation to a serious contravention of Regulation 22 of the<br />
<br />
Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
<br />
(“PECR”).<br />
<br />
<br />
2. This notice explains the Commissioner’s decision.<br />
<br />
<br />
<br />
Legal framework<br />
<br />
<br />
<br />
3. SportsDirect, whose registered office address is given above<br />
(Companies House Registration Number: 03406347) is the organisation<br />
<br />
stated in this notice to have transmitted unsolicited communications by<br />
<br />
means of electronic mail to individual subscribers for the purposes of<br />
<br />
direct marketing contrary to regulation 22 of PECR.<br />
<br />
<br />
<br />
4. Regulation 22 of PECR states:<br />
<br />
<br />
<br />
<br />
<br />
“(1) This regulation applies to the transmission of unsolicited<br />
communications by means of electronic mail to individual<br />
<br />
subscribers.<br />
<br />
<br />
(2) Except in the circumstances referred to in paragraph (3), a person<br />
shall neither transmit, nor instigate the transmission of, unsolicited<br />
<br />
communications for the purposes of direct marketing by means of<br />
<br />
electronic mail unless the recipient of the electronic mail has<br />
<br />
previously notified the sender that he consents for the time being<br />
<br />
to such communications being sent by, or at the instigation of, the<br />
sender.<br />
<br />
<br />
(3) A person may send or instigate the sending of electronic mail for<br />
<br />
the purposes of direct marketing where—<br />
<br />
(a) that person has obtained the contact details of the recipient<br />
<br />
of that electronic mail in the course of the sale or<br />
<br />
negotiations for the sale of a product or service to that<br />
recipient;<br />
<br />
<br />
(b) the direct marketing is in respect of that person’s similar<br />
<br />
products and services only; and<br />
<br />
(c) the recipient has been given a simple means of refusing<br />
<br />
(free of charge except for the costs of the transmission of<br />
the refusal) the use of his contact details for the purposes<br />
<br />
of such direct marketing, at the time that the details were<br />
<br />
initially collected, and, where he did not initially refuse the<br />
<br />
use of the details, at the time of each subsequent<br />
<br />
communication.<br />
<br />
(4) A subscriber shall not permit his line to be used in contravention of<br />
<br />
paragraph (2).”<br />
<br />
<br />
<br />
<br />
<br />
<br />
5. Section 122(5) of the Data Protection Act 2018 “DPA18” defines direct<br />
marketing as “the communication (by whatever means) of any<br />
<br />
advertising material which is directed to particular individuals”. This<br />
<br />
definition also applies for the purposes of PECR (see regulation 2(2)<br />
<br />
PECR and paragraphs 430 & 432(6) to Schedule 19 of the DPA18).<br />
<br />
<br />
6. Consent in PECR is now defined, from 29 March 2019, by reference to<br />
<br />
the concept of consent in Regulation 2016/679 (“the GDPR”):<br />
<br />
regulation 8(2) of the Data Protection, Privacy and Electronic<br />
Communications (Amendments etc) (EU Exit) Regulations 2019. Article<br />
<br />
4(11) of the GDPR sets out the following definition: “‘consent’ of the<br />
<br />
data subject means any freely given, specific, informed and<br />
<br />
unambiguous indication of the data subject's wishes by which he or<br />
<br />
she, by a statement or by a clear affirmative action, signifies<br />
agreement to the processing of personal data relating to him or her”.<br />
<br />
<br />
<br />
7. Recital 32 of the GDPR materially states that “When the processing has<br />
<br />
multiple purposes, consent should be given for all of them”. Recital 42<br />
<br />
materially provides that “For consent to be informed, the data subject<br />
<br />
should be aware at least of the identity of the controller”. Recital 43<br />
materially states that “Consent is presumed not to be freely given if it<br />
<br />
does not allow separate consent to be given to different personal data<br />
<br />
processing operations despite it being appropriate in the individual case”.<br />
<br />
<br />
<br />
8. “Individual” is defined in regulation 2(1) of PECR as “a living individual<br />
and includes an unincorporated body of such individuals”.<br />
<br />
<br />
9. A “subscriber” is defined in regulation 2(1) of PECR as “a person who is<br />
<br />
a party to a contract with a provider of public electronic<br />
<br />
communications services for the supply of such services”.<br />
<br />
<br />
<br />
<br />
<br />
10. “Electronic mail” is defined in regulation 2(1) of PECR as “any text,<br />
voice, sound or image message sent over a public electronic<br />
<br />
communications network which can be stored in the network or in the<br />
<br />
recipient’s terminal equipment until it is collected by the recipient and<br />
<br />
includes messages sent using a short message service”.<br />
<br />
<br />
11. The term "soft opt-in" is used to describe the rule set out in<br />
<br />
Regulation 22(3) of PECR. In essence, an organisation may be able to<br />
e-mail its existing customers even if they haven't specifically consented<br />
<br />
to electronic mail. The soft opt-in rule can only be relied upon by the<br />
<br />
organisation that collected the contact details.<br />
<br />
<br />
<br />
12. Section 55A of the DPA (as applied to PECR cases by Schedule 1 to<br />
<br />
PECR, as variously amended) states:<br />
<br />
<br />
“(1) The Commissioner may serve a person with a monetary penalty if<br />
<br />
the Commissioner is satisfied that –<br />
<br />
(a) there has been a serious contravention of the requirements<br />
<br />
of the Privacy and Electronic Communications (EC<br />
<br />
Directive) Regulations 2003 by the person,<br />
<br />
(b) subsection (2) or (3) applies.<br />
<br />
<br />
(2) This subsection applies if the contravention was deliberate.<br />
<br />
(3) This subsection applies if the person –<br />
<br />
(a) knew or ought to have known that there was a risk that the<br />
<br />
contravention would occur, but<br />
<br />
(b) failed to take reasonable steps to prevent the<br />
<br />
contravention.”<br />
<br />
<br />
<br />
13. The Commissioner has issued statutory guidance under section 55C (1)<br />
<br />
of the DPA about the issuing of monetary penalties that has been<br />
<br />
published on the ICO’s website. The Data Protection (Monetary<br />
Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe<br />
<br />
that the amount of any penalty determined by the Commissioner must<br />
<br />
not exceed £500,000.<br />
<br />
<br />
<br />
14. PECR were enacted to protect the individual’s fundamental right to<br />
<br />
privacy in the electronic communications sector. PECR were<br />
subsequently amended and strengthened. The Commissioner will<br />
<br />
interpret PECR in a way which is consistent with the Regulations’<br />
<br />
overall aim of ensuring high levels of protection for individuals’ privacy<br />
<br />
rights.<br />
<br />
<br />
15. The provisions of the DPA remain in force for the purposes of PECR<br />
<br />
notwithstanding the introduction of the DPA18: see paragraph 58(1) of<br />
<br />
Schedule 20 to the DPA18.<br />
<br />
<br />
<br />
Background to the case<br />
<br />
<br />
<br />
16. SportsDirect came to the attention of the Commissioner due to<br />
complaints reported via the ICO’s online reporting tool. The<br />
<br />
Commissioner received twelve complaints about unsolicited<br />
<br />
communications between 21 December 2019 and 16 February 2020.<br />
<br />
<br />
<br />
17. The Commissioner sent an initial investigation letter to SportsDirect on<br />
25 February 2020 setting out her concerns regarding SportsDirect’s<br />
<br />
compliance with PECR and asking for, inter alia, the source of its data,<br />
<br />
and evidence of the consent relied on in the course of its direct<br />
<br />
marketing campaign between 21 December 2019 and 16 February<br />
<br />
2020.<br />
<br />
<br />
<br />
<br />
<br />
18. SportsDirect provided a response on 13 March 2020. This response<br />
explained that all data used to engage in its direct marketing is<br />
<br />
obtained directly from customers; and provided details of the ways in<br />
<br />
which it obtained consent to engage in its direct marketing campaigns.<br />
<br />
In relation to the complaints which had been received, SportsDirect<br />
<br />
indicated that these recipients were part of a “re-engagement<br />
<br />
campaign”, and stated:<br />
<br />
<br />
“The ecommerce team determined that the data subjects in the aged<br />
<br />
data set had not unsubscribed from receiving email marketing and<br />
would only send emails with content that provided offers on multi-buy<br />
<br />
products or free delivery/click&collect, along with the usual unsubscribe<br />
<br />
link. This was done with the expectation that data subjects would<br />
<br />
either not engage with the email, choose to unsubscribe from future<br />
<br />
emails or view those offers and emails positively and engage with<br />
Sports Direct.<br />
<br />
<br />
<br />
Where a data subject unsubscribed, this would be processed in the<br />
<br />
normal way, and where they did not engage with the emails after a<br />
<br />
reasonable period, the data would be removed from or anonymised<br />
<br />
within the marketing database.<br />
<br />
<br />
Having considered the proposed approach and likely impact of the re-<br />
<br />
engagement campaign, the ecommerce team took the decision to run a<br />
<br />
re-engagement campaign with that aged data set with the objectives of<br />
<br />
(1) reducing the amount of data held in the marketing database and<br />
<br />
(2) connecting with customers who had not engaged with Sports Direct<br />
within the normal engagement criteria.”<br />
<br />
<br />
19. SportsDirect explained that "...the Sports Direct ecommerce team<br />
<br />
analysed the Sports Direct marketing database and identified a<br />
<br />
<br />
<br />
category of data that showed as being opted in to receive email<br />
marketing but had not been sent any marketing emails.". This category<br />
<br />
of data has been referred to as the ‘aged data / aged dataset’.<br />
<br />
<br />
<br />
20. Regarding evidence of consent, SportsDirect stated that “none of the<br />
<br />
complainants were recorded as being opted out of marketing emails at<br />
<br />
the time their details were collected and had not unsubscribed to<br />
marketing emails at the time when the emails were sent”. It also<br />
<br />
provided a simple breakdown of the “lawful basis” relied upon for each<br />
<br />
complainant (i.e. soft opt-in; or consent).<br />
<br />
<br />
<br />
21. The Commissioner sent further enquiries to SportsDirect on 2 April<br />
2020, specifically seeking confirmation of the number of emails which<br />
<br />
were sent between 21 December 2019 and 16 February 2020, in<br />
<br />
addition to further information regarding the consent being relied upon<br />
<br />
and the frequency of the direct marketing emails being sent.<br />
<br />
<br />
22. SportsDirect requested an extension of two months for its response in<br />
<br />
light of the impact of the COVID-19 pandemic, which the Commissioner<br />
<br />
agreed to.<br />
<br />
<br />
23. SportsDirect responded on 12 June 2020 in line with the agreed<br />
<br />
extension period to provide answers to the Commissioner’s most recent<br />
<br />
questions. Within this response it was confirmed that between 21<br />
<br />
December 2019 and 16 February 2020 there were a total of<br />
459,882,124 emails sent by SportsDirect, with 2,948,865 of those<br />
<br />
relating specifically to the “re-engagement campaign”. SportsDirect<br />
<br />
provided percentages for the number of those sent messages which<br />
<br />
had been received by a subscriber; in relation to the “re-engagement<br />
<br />
campaign” it was explained that 87% were received, which the<br />
<br />
<br />
<br />
<br />
Commissioner calculates equates to 2,565,513 direct marketing<br />
messages being received over the relevant period.<br />
<br />
<br />
24. SportsDirect claimed to rely on the ‘soft opt in’ for seven of the twelve<br />
<br />
complainants, and stated that consent had been obtained from three of<br />
<br />
the twelve complainants directly. In terms of the two remaining<br />
<br />
complainants, SportsDirect claimed that its records did not show any<br />
<br />
messages being sent to one of them; and that the final complainant<br />
<br />
had since requested that their information be removed from its<br />
systems and so SportsDirect was unable to provide details of the lawful<br />
<br />
basis on which it would have relied to send the message.<br />
<br />
<br />
25. The Commissioner took the view that sufficient evidence of valid<br />
<br />
consent had not been provided and sent an email to SportsDirect on 2<br />
<br />
July 2020 to request this. SportsDirect requested an extension for<br />
<br />
providing this information which the Commissioner granted, although it<br />
<br />
was explained to SportsDirect that in the Commissioner’s view such<br />
evidence should be readily available.<br />
<br />
<br />
26. SportsDirect provided its response on 20 July 2020 with purported<br />
<br />
evidence of consent for three of the twelve complainants, specifically<br />
<br />
stating that those individuals had signed up to a ‘local customer benefit<br />
<br />
scheme’ (the “benefit scheme”) at a store outside of the United<br />
<br />
Kingdom on 8 August 2011, 6 October 2012 and 24 April 2014<br />
respectively. The purpose of the benefit scheme was to allow<br />
<br />
subscribers to “receive their receipts by email, a regular brochure,<br />
<br />
annual vouchers and other offers and promotions”. This scheme<br />
<br />
ceased to operate in 2018.<br />
<br />
<br />
27. The Commissioner sent further queries to SportsDirect on 14 August<br />
<br />
2020 to establish why subscribers who signed up to the benefit scheme<br />
<br />
<br />
<br />
<br />
continued to receive messages, and the number of customers who had<br />
consented to marketing communications in this way.<br />
<br />
<br />
28. SportsDirect explained in response that “[f]ollowing cessation of the<br />
<br />
Scheme, the Scheme data set was reviewed and it was decided that (i)<br />
<br />
there was a legitimate interest in members of the Scheme continuing<br />
<br />
to receive general offers and discounts from the business as an<br />
<br />
alternative to the benefits previously made available under the Scheme<br />
<br />
and (ii) it would be prudent to run a data cleanse. This data cleanse<br />
removed duplicated data, incorrectly formatted email addresses and<br />
<br />
emails identified as ‘spam traps’. This left a data set of around 779,000<br />
<br />
email contacts.<br />
<br />
<br />
This reduced data set then received a small number of emails<br />
<br />
immediately following cessation of the Scheme, starting with a<br />
<br />
welcome-style email introducing the type of emails members would<br />
<br />
receive following cessation of the Scheme, unless they unsubscribed.”<br />
<br />
<br />
29. The Commissioner asked further questions on 4 September 2020. In<br />
particular the Commissioner wished to know, inter alia, the specific<br />
<br />
date when the benefit scheme ended; the number of emails sent to,<br />
<br />
and received by, subscribers after the cessation of the scheme; and as<br />
<br />
part of the “re-engagement campaign”, how many subscribers were<br />
<br />
sent messages who had initially consented to marketing emails as part<br />
of a previous campaign.<br />
<br />
<br />
<br />
30. In its response, SportsDirect again cited concerns which it had raised<br />
<br />
earlier in the investigation in respect of the challenges it has faced in<br />
<br />
gathering information to respond to some of the Commissioner’s<br />
<br />
queries; i.e. since many of the individuals who were “involved in<br />
making decisions and administering the databases around the time the<br />
<br />
dataset was cleansed have already long since left the business” [and]<br />
<br />
<br />
“most files and communications created during their employment on<br />
local drives have long since been deleted in accordance with standard<br />
<br />
retention procedures”.<br />
<br />
<br />
<br />
31. SportsDirect therefore sought to provide its “best estimate” of the<br />
<br />
dates in connection with the cessation of the benefit scheme, stating<br />
that it ceased to operate “in around January 2018”, and that<br />
<br />
throughout January and February 2018 the data cleanse took place,<br />
<br />
leaving “around 779,000 email contacts”. This dataset was then sent a<br />
<br />
“welcome-style email” although the content of this could not be<br />
<br />
determined. Those who “engaged” with the “welcome-style email”<br />
<br />
were added to the “main email marketing dataset”.<br />
<br />
<br />
32. In relation to the “re-engagement campaign” (also referred to by<br />
SportsDirect as the “Christmas 2019 Email Campaign”), SportsDirect<br />
<br />
stated: “one of the objectives of the Christmas 2019 Email Campaign<br />
<br />
was to cleanse the marketing database. This cleanse began in the week<br />
<br />
commencing 13 January 2020. This means that the business is not able<br />
<br />
to retrieve data deleted at that time and is unable to re-create that<br />
segmentation to provide [the Commissioner] with specific details<br />
<br />
around how many individuals initially consented to marketing emails as<br />
<br />
part of a previous campaign or scheme. The business used legitimate<br />
<br />
interests as the basis on which to send the Christmas 2019 Email<br />
<br />
Campaign.<br />
<br />
<br />
For the reasons described above, it is no longer possible for us to<br />
<br />
retrieve the distribution list used in the Christmas 2019 Email<br />
<br />
Campaign and then separate out individuals who were initially opted in<br />
<br />
through being a member of the Scheme”<br />
<br />
<br />
<br />
<br />
<br />
<br />
33. The Commissioner sent an ‘end of investigation’ email to SportsDirect<br />
on 21 October 2020, although it was invited to provide any further<br />
<br />
“relevant evidence, or information regarding [its] policies, procedures<br />
<br />
and training programmes”. SportsDirect responded on 2 November<br />
<br />
2020 with a summary of its position, and information in respect of the<br />
<br />
number of individuals who may have received an email as part of the<br />
<br />
“re-engagement campaign”, specifically stating that it: “understand[s]<br />
that the volume of emails sent as part of the Christmas 2019 Campaign<br />
<br />
was approximately 2.9 million. [It] cannot quantify the total number of<br />
<br />
data subjects emailed as part of this campaign due to the absence of<br />
<br />
historic communications due to strict data deletion […]. […] the data<br />
<br />
subjects would have included individuals who had been members of the<br />
[Loyalty Scheme operating outside of the UK], but there would also<br />
<br />
have been other recipients”. Whilst SportsDirect were unable to<br />
<br />
confirm the precise number of individuals which it had emailed, its<br />
<br />
confirmation that “approximately 2.9 million” messages were sent<br />
<br />
accorded with the precise figures which it had provided on 12 June<br />
<br />
2020 where it was stated that there had been 2,948,865 direct<br />
marketing messages sent relating specifically to the “re-engagement<br />
<br />
campaign”, with 87% being received.<br />
<br />
<br />
<br />
34. The Commissioner has made the above findings of fact on the<br />
<br />
balance of probabilities.<br />
<br />
<br />
35. The Commissioner has considered whether those facts constitute<br />
<br />
a contravention of regulation 22 of PECR by SportsDirect and, if so,<br />
<br />
whether the conditions of section 55A DPA are satisfied.<br />
<br />
<br />
The contravention<br />
<br />
<br />
<br />
<br />
<br />
<br />
36. The Commissioner finds that SportsDirect contravened regulation 22 of<br />
PECR.<br />
<br />
<br />
<br />
37. The Commissioner finds that the contravention was as follows:<br />
<br />
<br />
<br />
38. The Commissioner finds that between 21 December 2019 and 16<br />
<br />
February 2020 there were 2,565,513 direct marketing emails received<br />
by subscribers. The Commissioner finds that SportsDirect transmitted<br />
<br />
those direct marketing messages, contrary to regulation 22 of PECR.<br />
<br />
<br />
39. SportsDirect, as the sender of the direct marketing, is required to<br />
<br />
ensure that it is acting in compliance with the requirements of<br />
<br />
regulation 22 of PECR, and to ensure that valid consent to send those<br />
<br />
messages had been acquired.<br />
<br />
<br />
40. SportsDirect has been unable to provide evidence of consent for the<br />
messages sent over the period of 21 December 2019 and 16 February<br />
<br />
2020.<br />
<br />
<br />
41. In this instance, in relation to the 2,565,513 direct marketing emails<br />
<br />
stated by SportsDirect on 12 June 2020 to have been received by<br />
<br />
subscribers over the relevant period, SportsDirect has been unable to<br />
<br />
provide evidence of valid consent. Indeed it is stated that it is no<br />
longer possible for SportsDirect to “retrieve the distribution list used in<br />
<br />
the Christmas 2019 Email Campaign”. In the circumstances the<br />
<br />
Commissioner is not satisfied that SportsDirect can avail itself to the<br />
<br />
soft opt-in exception provided at regulation 22(3) PECR.<br />
<br />
<br />
42. The Commissioner has gone on to consider whether the conditions<br />
<br />
under section 55A DPA are met.<br />
<br />
<br />
<br />
<br />
<br />
<br />
Seriousness of the contravention<br />
<br />
<br />
43. The Commissioner is satisfied that the contravention identified<br />
<br />
above was serious. This is because between 21 December 2019 and 16<br />
<br />
February 2020, a total of 2,565,513 direct marketing messages were<br />
<br />
received by subscribers having been sent by SportsDirect. These<br />
<br />
messages, which were sent as part of a “re-engagement campaign”,<br />
contained direct marketing material for which subscribers had not<br />
<br />
provided valid consent. Furthermore, since SportsDirect is now unable<br />
<br />
to retrieve the distribution list and is therefore unable to evidence<br />
<br />
how/when details were purportedly obtained, the Commissioner is<br />
<br />
satisfied that SportsDirect is unable to rely on the soft opt-in<br />
exemption.<br />
<br />
<br />
<br />
44. The Commissioner is therefore satisfied that condition (a) from<br />
<br />
section 55A(1) DPA is met.<br />
<br />
<br />
Deliberate or negligent contraventions<br />
<br />
<br />
<br />
45. The Commissioner has considered whether the contravention identified<br />
<br />
above was deliberate.<br />
<br />
<br />
<br />
46. The Commissioner does not consider that SportsDirect deliberately set<br />
out to contravene PECR in this instance.<br />
<br />
<br />
<br />
47. The Commissioner has gone on to consider whether the contravention<br />
<br />
identified above was negligent. This consideration comprises two<br />
<br />
elements:<br />
<br />
<br />
48. Firstly, she has considered whether SportsDirect knew or ought<br />
<br />
reasonably to have known that there was a risk that these<br />
<br />
<br />
contraventions would occur. This is not a high bar and she is satisfied<br />
that this condition is met.<br />
<br />
<br />
<br />
49. The Commissioner has published detailed guidance for those carrying<br />
<br />
out direct marketing explaining their legal obligations under PECR.<br />
<br />
This guidance gives clear advice regarding the requirements of consent<br />
<br />
for direct marketing and explains the circumstances under which<br />
organisations are able to carry out marketing over the phone, by text,<br />
<br />
by email, by post, or by fax. In particular it states that organisations<br />
<br />
can generally only send, or instigate, marketing messages to<br />
<br />
individuals if that person has specifically consented to receiving them.<br />
<br />
The guidance also provides a full explanation of the “soft opt-in”<br />
exemption and states that organisations “should […] make sure that<br />
<br />
they keep clear records of exactly what someone has consented to. In<br />
<br />
particular, they should record the date of consent, the method of<br />
<br />
consent, who obtained consent, and exactly what information was<br />
<br />
provided to the person consenting”. SportsDirect has been unable to<br />
<br />
do this.<br />
<br />
50. The Commissioner has published detailed guidance on consent under<br />
<br />
the GDPR. In case organisations remain unclear on their obligations,<br />
<br />
the ICO operates a telephone helpline. ICO communications about<br />
<br />
previous enforcement action where businesses have not complied with<br />
<br />
PECR are also readily available.<br />
<br />
<br />
51. It is therefore reasonable to suppose that SportsDirect should have<br />
been aware of its responsibilities in this area.<br />
<br />
<br />
<br />
52. Secondly, the Commissioner has gone on to consider whether<br />
SportsDirect failed to take reasonable steps to prevent the<br />
<br />
contraventions. Again, she is satisfied that this condition is met.<br />
<br />
<br />
<br />
<br />
53. The Commissioner takes the view that any person wishing to engage in<br />
direct marketing by electronic mail could and should – particularly<br />
<br />
since the coming into effect of the GDPR – have ensured that all of<br />
<br />
their consent capture mechanisms properly enabled consent to be<br />
<br />
separately given or withheld for direct marketing communications, and<br />
<br />
that such consent was retained. At the outset of the investigation the<br />
<br />
Commissioner raised concerns with SportsDirect’s privacy policy which<br />
stated: “You acknowledge that you do not object to us and third parties<br />
<br />
identified below, including our Third Party Advertisers, using your<br />
<br />
personal information for any of the purposes outlined in this privacy<br />
<br />
policy and you confirm that you do not and will not consider any of<br />
<br />
these purposes as a breach of any of your rights under the Privacy and<br />
Electronic Communications (EC Directive) Regulations 2003” (emphasis<br />
<br />
added). SportsDirect has since amended the wording of its Privacy<br />
<br />
Policy.<br />
<br />
<br />
54. The Commissioner takes the view that SportsDirect could legitimately<br />
<br />
have sought advice either from the Commissioner or from a legal<br />
<br />
advisor in relation to the basis on which it proposed to send its<br />
unsolicited direct marketing to an aged dataset but failed to do so.<br />
<br />
This is particularly egregious given that the purpose of SportsDirect’s<br />
<br />
“re-engagement campaign” was to contact individuals with whom it<br />
<br />
had not “connected” with for some time.<br />
<br />
<br />
55. In the circumstances, the Commissioner is satisfied that SportsDirect<br />
<br />
failed to take reasonable steps to prevent the contraventions.<br />
<br />
<br />
56. The Commissioner is therefore satisfied that condition (b) from section<br />
<br />
55A (1) DPA is met.<br />
<br />
<br />
<br />
The Commissioner’s decision to issue a monetary penalty<br />
<br />
<br />
<br />
57. The Commissioner has taken into account the following<br />
aggravating feature of this case:<br />
<br />
<br />
<br />
• The Commissioner is concerned about SportsDirect’s failure to maintain<br />
<br />
satisfactory internal consent records.<br />
<br />
<br />
<br />
58. The Commissioner has taken into account the following mitigating<br />
feature of this case:<br />
<br />
<br />
<br />
• The Commissioner is mindful that SportsDirect has taken a number of<br />
<br />
steps to improve its compliance with data protection legislation,<br />
<br />
specifically it has carried out an exercise to reduce the amount of data<br />
in its database; it has reconsidered the frequency of emails which will<br />
<br />
be sent to individuals; and will introduce a new cleansing system. It<br />
<br />
is noted that it has also updated its privacy policy in line with the<br />
<br />
Commissioner’s guidance.<br />
<br />
<br />
<br />
59. For the reasons explained above, the Commissioner is satisfied that the<br />
conditions from section 55A (1) DPA have been met in this case. She is<br />
<br />
also satisfied that the procedural rights under section 55B have been<br />
<br />
complied with.<br />
<br />
<br />
<br />
60. The latter has included the issuing of a Notice of Intent, in which the<br />
Commissioner set out her preliminary thinking. In reaching her final<br />
<br />
view, the Commissioner has taken into account the representations<br />
<br />
made by SportsDirect on this matter.<br />
<br />
<br />
<br />
61. The Commissioner is accordingly entitled to issue a monetary penalty<br />
<br />
in this case.<br />
<br />
<br />
<br />
<br />
<br />
62. The Commissioner has considered whether, in the circumstances, she<br />
should exercise her discretion so as to issue a monetary penalty.<br />
<br />
<br />
<br />
63. The Commissioner has considered the likely impact of a monetary<br />
<br />
penalty on SportsDirect. She has decided on the information that is<br />
<br />
available to her, that SportsDirect has access to sufficient financial<br />
resources to pay the proposed monetary penalty without causing<br />
<br />
undue financial hardship.<br />
<br />
<br />
<br />
64. The Commissioner’s underlying objective in imposing a monetary<br />
<br />
penalty notice is to promote compliance with PECR. The sending of<br />
<br />
unsolicited direct marketing messages is a matter of significant public<br />
concern. A monetary penalty in this case should act as a general<br />
<br />
encouragement towards compliance with the law, or at least as a<br />
<br />
deterrent against non-compliance, on the part of all persons running<br />
<br />
businesses currently engaging in these practices. The issuing of a<br />
<br />
monetary penalty will reinforce the need for businesses to ensure that<br />
they are only messaging those who specifically consent to receive<br />
<br />
direct marketing.<br />
<br />
<br />
65. For these reasons, the Commissioner has decided to issue a monetary<br />
<br />
penalty in this case.<br />
<br />
<br />
<br />
The amount of the penalty<br />
<br />
<br />
66. Taking into account all of the above, the Commissioner has decided<br />
<br />
that a penalty in the sum of £70,000 (seventy thousand pounds) is<br />
reasonable and proportionate given the particular facts of the case and<br />
<br />
the underlying objective in imposing the penalty.<br />
<br />
<br />
<br />
Conclusion<br />
<br />
<br />
<br />
67. The monetary penalty must be paid to the Commissioner’s office by<br />
BACS transfer or cheque by 14 October 2021 at the latest. The<br />
<br />
monetary penalty is not kept by the Commissioner but will be paid into<br />
<br />
the Consolidated Fund which is the Government’s general bank account<br />
<br />
at the Bank of England.<br />
<br />
<br />
<br />
68. If the Commissioner receives full payment of the monetary penalty by<br />
13 October 2021 the Commissioner will reduce the monetary penalty<br />
<br />
by 20% to £56,000 (fifty-six thousand pounds). However, you<br />
<br />
should be aware that the early payment discount is not available if you<br />
<br />
decide to exercise your right of appeal.<br />
<br />
<br />
69. There is a right of appeal to the First-tier Tribunal (Information Rights)<br />
<br />
against:<br />
<br />
<br />
<br />
(a) the imposition of the monetary penalty<br />
<br />
and/or;<br />
<br />
(b) the amount of the penalty specified in the monetary penalty<br />
notice.<br />
<br />
<br />
<br />
70. Any notice of appeal should be received by the Tribunal within 28 days<br />
<br />
of the date of this monetary penalty notice.<br />
<br />
<br />
71. Information about appeals is set out in Annex 1.<br />
<br />
<br />
<br />
72. The Commissioner will not take action to enforce a monetary penalty<br />
<br />
unless:<br />
<br />
<br />
<br />
• the period specified within the notice within which a monetary<br />
penalty must be paid has expired and all or any of the monetary<br />
<br />
penalty has not been paid;<br />
<br />
<br />
• all relevant appeals against the monetary penalty notice and any<br />
<br />
variation of it have either been decided or withdrawn; and<br />
<br />
• the period for appealing against the monetary penalty and any<br />
<br />
variation of it has expired.<br />
<br />
<br />
<br />
<br />
73. In England, Wales and Northern Ireland, the monetary penalty is<br />
recoverable by Order of the County Court or the High Court. In<br />
<br />
Scotland, the monetary penalty can be enforced in the same manner as<br />
<br />
an extract registered decree arbitral bearing a warrant for execution<br />
<br />
issued by the sheriff court of any sheriffdom in Scotland.<br />
<br />
<br />
Dated the 13th day of September 2021<br />
<br />
Andy Curry<br />
<br />
Head of Investigations<br />
Information Commissioner’s Office<br />
Wycliffe House<br />
Water Lane<br />
<br />
Wilmslow<br />
Cheshire<br />
SK9 5AF<br />
<br />
<br />
ANNEX 1<br />
<br />
<br />
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998<br />
<br />
<br />
<br />
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER<br />
<br />
<br />
<br />
1. Section 55B(5) of the Data Protection Act 1998 gives any person<br />
upon whom a monetary penalty notice has been served a right of<br />
<br />
appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’)<br />
<br />
against the notice.<br />
<br />
<br />
<br />
2. If you decide to appeal and if the Tribunal considers:-<br />
<br />
<br />
a) that the notice against which the appeal is brought is not in<br />
<br />
accordance with the law; or<br />
<br />
<br />
<br />
b) to the extent that the notice involved an exercise of<br />
<br />
discretion by the Commissioner, that she ought to have exercised<br />
her discretion differently,<br />
<br />
<br />
<br />
the Tribunal will allow the appeal or substitute such other decision as<br />
<br />
could have been made by the Commissioner. In any other case the<br />
<br />
Tribunal will dismiss the appeal.<br />
<br />
<br />
3. You may bring an appeal by serving a notice of appeal on the<br />
<br />
Tribunal at the following address:<br />
<br />
<br />
<br />
General Regulatory Chamber<br />
HM Courts & Tribunals Service<br />
PO Box 9300<br />
Leicester<br />
<br />
LE1 8DJ<br />
<br />
<br />
Telephone: 0203 936 8963<br />
Email: grc@justice.gov.uk<br />
<br />
<br />
a) The notice of appeal should be sent so it is received by the<br />
<br />
Tribunal within 28 days of the date of the notice.<br />
<br />
<br />
b) If your notice of appeal is late the Tribunal will not admit it<br />
<br />
unless the Tribunal has extended the time for complying with this<br />
<br />
rule.<br />
<br />
<br />
<br />
4. The notice of appeal should state:-<br />
<br />
<br />
a) your name and address/name and address of your<br />
<br />
representative (if any);<br />
<br />
<br />
<br />
b) an address where documents may be sent or delivered to<br />
<br />
you;<br />
<br />
<br />
c) the name and address of the Information Commissioner;<br />
<br />
<br />
<br />
d) details of the decision to which the proceedings relate;<br />
<br />
<br />
e) the result that you are seeking;<br />
<br />
<br />
<br />
f) the grounds on which you rely;<br />
<br />
<br />
<br />
g) you must provide with the notice of appeal a copy of the<br />
<br />
monetary penalty notice or variation notice;<br />
<br />
<br />
h) if you have exceeded the time limit mentioned above the<br />
<br />
notice of appeal must include a request for an extension of time<br />
<br />
<br />
<br />
and the reason why the notice of appeal was not provided in<br />
time.<br />
<br />
<br />
<br />
5. Before deciding whether or not to appeal you may wish to consult<br />
<br />
your solicitor or another adviser. At the hearing of an appeal a party<br />
<br />
may conduct his case himself or may be represented by any person<br />
<br />
whom he may appoint for that purpose.<br />
<br />
<br />
6. The statutory provisions concerning appeals to the First-tier<br />
<br />
Tribunal (Information Rights) are contained in section 55B(5) of, and<br />
<br />
Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure<br />
<br />
(First-tier Tribunal) (General Regulatory Chamber) Rules 2009<br />
(Statutory Instrument 2009 No. 1976 (L.20)).<br />
<br />
</pre></div>Mariam-hwthhttps://gdprhub.eu/index.php?title=ICO_(UK)_-_SportsDirect.com_Retail_Limited&diff=19776ICO (UK) - SportsDirect.com Retail Limited2021-09-19T16:56:05Z<p>Mariam-hwth: Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO (UK) |DPA_With_Country=ICO (UK) |Case_Number_N..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|DPA-BG-Color=background-color:#023868;<br />
|DPAlogo=LogoUK.png<br />
|DPA_Abbrevation=ICO (UK)<br />
|DPA_With_Country=ICO (UK)<br />
<br />
|Case_Number_Name=SportsDirect.com Retail Limited<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ICO<br />
|Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/mpns/4018347/sportsdirect_com-retail-limited-mpn-20210913.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=13.09.2021<br />
|Date_Published=15.09.2021<br />
|Year=2021<br />
|Fine=70000<br />
|Currency=GBP<br />
<br />
<br />
<br />
|National_Law_Name_1=Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
|National_Law_Link_1=https://www.legislation.gov.uk/uksi/2003/2426<br />
|National_Law_Name_2=Regulation 22(3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
|National_Law_Link_2=https://www.legislation.gov.uk/uksi/2003/2426<br />
<br />
|Party_Name_1=SportsDirect.com Retail Limited<br />
|Party_Link_1=https://www.sportsdirect.com/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=MH<br />
|<br />
}}<br />
<br />
The UK DPA, the Information Commissioner's Office, imposed a fine of approximately €82000 on SportsDirect.com Retail Ltd. The sports retailer infringed Regulation 22 of PECR by sending unsolicited marketing emails that were received by just under 2.6 million individuals.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
SportsDirect.com Retail Limited (hereafter: SportsDirect) is a sports retailer in the UK. It was the subject of various complaints, made via the online reporting tool of the UK DPA, the Information Commissioner's Office (ICO), in relation to unsolicited communications between December 2019 and February 2020. The ICO started an investigation on the basis of these complaints.<br />
<br />
SportsDirect outlined that the personal data it used for direct marketing was obtained directly from customers after they had given their consent. SportsDirect considered the direct marketing sent to the individuals who complained to be a "re-engagement campaign". It claimed that these individuals had opted in to receiving marketing emails (and had not unsubscribed). SportsDirect sent a total of 459,882,124 emails, 2,565,513 of which were received as part of the "re-engagement campaign".<br />
<br />
SportsDirect claimed to rely on the soft opt-in for 7 of the 12 complainants and stated that it collected consent directly from 3 others. It did not have a record of having sent marketing to 1 complainant and had erased the data of another shortly after they complained.<br />
<br />
During the investigation, the ICO uncovered that SportsDirect continued to send messages to customers signed up to a specific scheme even after the scheme had ended. SportsDirect claimed this to be on the basis of legitimate interest for the ex-members of the scheme. <br />
<br />
Throughout the investigation, SportsDirect cited the challenges it faced in gathering the information requested by the ICO. The ICO responded that some of the information, such as legal bases, should be readily available to data controllers.<br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
The Information Commissioner's Office (ICO) held that SportsDirect infringed Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (hereafter PECR). 2,565,513 direct marketing emails sent by SportsDirect were received by subscribers. However, SportsDirect was unable to provide evidence that it had valid consent to send these marketing emails. The ICO did not consider that SportsDirect could rely on the soft opt-in exception under Regulation 22(3) PECR.<br />
<br />
The ICO determined that the infringement was negligent on the part of SportsDirect, as it knew or ought reasonably to have known that it might infringe PECR. The ICO considered the fact that a lot of guidance on PECR is readily available to organisations. Additionally, it is clear from this guidance that organisations must keep track of when and how consent was given, which SportsDirect had not done.<br />
<br />
The ICO also mentioned its concern with regard to SportsDirect's privacy policy, which states: "... you confirm that you do not and will not consider any of these purposes as a breach of any of your rights under the Privacy and Electronic Communications (EC Directive) Regulations 2003". Considering these factors, the ICO imposed a fine of approximately €82000 on SportsDirect.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
DATA PROTECTION ACT 1998<br />
<br />
<br />
<br />
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER<br />
<br />
<br />
<br />
MONETARY PENALTY NOTICE<br />
<br />
<br />
<br />
<br />
To: SportsDirect.com Retail Limited<br />
<br />
<br />
Of: Unit A, Brook Park East, Shirebrook NG20 8RY<br />
<br />
<br />
1. The Information Commissioner (“the Commissioner”) has decided to<br />
issue SportsDirect.com Retail Limited (“SportsDirect”) with a monetary<br />
<br />
penalty under section 55A of the Data Protection Act 1998 (“DPA”). The<br />
<br />
penalty is in relation to a serious contravention of Regulation 22 of the<br />
<br />
Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
<br />
(“PECR”).<br />
<br />
<br />
2. This notice explains the Commissioner’s decision.<br />
<br />
<br />
<br />
Legal framework<br />
<br />
<br />
<br />
3. SportsDirect, whose registered office address is given above<br />
(Companies House Registration Number: 03406347) is the organisation<br />
<br />
stated in this notice to have transmitted unsolicited communications by<br />
<br />
means of electronic mail to individual subscribers for the purposes of<br />
<br />
direct marketing contrary to regulation 22 of PECR.<br />
<br />
<br />
<br />
4. Regulation 22 of PECR states:<br />
<br />
<br />
<br />
<br />
<br />
“(1) This regulation applies to the transmission of unsolicited<br />
communications by means of electronic mail to individual<br />
<br />
subscribers.<br />
<br />
<br />
(2) Except in the circumstances referred to in paragraph (3), a person<br />
shall neither transmit, nor instigate the transmission of, unsolicited<br />
<br />
communications for the purposes of direct marketing by means of<br />
<br />
electronic mail unless the recipient of the electronic mail has<br />
<br />
previously notified the sender that he consents for the time being<br />
<br />
to such communications being sent by, or at the instigation of, the<br />
sender.<br />
<br />
<br />
(3) A person may send or instigate the sending of electronic mail for<br />
<br />
the purposes of direct marketing where—<br />
<br />
(a) that person has obtained the contact details of the recipient<br />
<br />
of that electronic mail in the course of the sale or<br />
<br />
negotiations for the sale of a product or service to that<br />
recipient;<br />
<br />
<br />
(b) the direct marketing is in respect of that person’s similar<br />
<br />
products and services only; and<br />
<br />
(c) the recipient has been given a simple means of refusing<br />
<br />
(free of charge except for the costs of the transmission of<br />
the refusal) the use of his contact details for the purposes<br />
<br />
of such direct marketing, at the time that the details were<br />
<br />
initially collected, and, where he did not initially refuse the<br />
<br />
use of the details, at the time of each subsequent<br />
<br />
communication.<br />
<br />
(4) A subscriber shall not permit his line to be used in contravention of<br />
<br />
paragraph (2).”<br />
<br />
<br />
<br />
<br />
<br />
<br />
5. Section 122(5) of the Data Protection Act 2018 “DPA18” defines direct<br />
marketing as “the communication (by whatever means) of any<br />
<br />
advertising material which is directed to particular individuals”. This<br />
<br />
definition also applies for the purposes of PECR (see regulation 2(2)<br />
<br />
PECR and paragraphs 430 & 432(6) to Schedule 19 of the DPA18).<br />
<br />
<br />
6. Consent in PECR is now defined, from 29 March 2019, by reference to<br />
<br />
the concept of consent in Regulation 2016/679 (“the GDPR”):<br />
<br />
regulation 8(2) of the Data Protection, Privacy and Electronic<br />
Communications (Amendments etc) (EU Exit) Regulations 2019. Article<br />
<br />
4(11) of the GDPR sets out the following definition: “‘consent’ of the<br />
<br />
data subject means any freely given, specific, informed and<br />
<br />
unambiguous indication of the data subject's wishes by which he or<br />
<br />
she, by a statement or by a clear affirmative action, signifies<br />
agreement to the processing of personal data relating to him or her”.<br />
<br />
<br />
<br />
7. Recital 32 of the GDPR materially states that “When the processing has<br />
<br />
multiple purposes, consent should be given for all of them”. Recital 42<br />
<br />
materially provides that “For consent to be informed, the data subject<br />
<br />
should be aware at least of the identity of the controller”. Recital 43<br />
materially states that “Consent is presumed not to be freely given if it<br />
<br />
does not allow separate consent to be given to different personal data<br />
<br />
processing operations despite it being appropriate in the individual case”.<br />
<br />
<br />
<br />
8. “Individual” is defined in regulation 2(1) of PECR as “a living individual<br />
and includes an unincorporated body of such individuals”.<br />
<br />
<br />
9. A “subscriber” is defined in regulation 2(1) of PECR as “a person who is<br />
<br />
a party to a contract with a provider of public electronic<br />
<br />
communications services for the supply of such services”.<br />
<br />
<br />
<br />
<br />
<br />
10. “Electronic mail” is defined in regulation 2(1) of PECR as “any text,<br />
voice, sound or image message sent over a public electronic<br />
<br />
communications network which can be stored in the network or in the<br />
<br />
recipient’s terminal equipment until it is collected by the recipient and<br />
<br />
includes messages sent using a short message service”.<br />
<br />
<br />
11. The term "soft opt-in" is used to describe the rule set out in<br />
<br />
Regulation 22(3) of PECR. In essence, an organisation may be able to<br />
e-mail its existing customers even if they haven't specifically consented<br />
<br />
to electronic mail. The soft opt-in rule can only be relied upon by the<br />
<br />
organisation that collected the contact details.<br />
<br />
<br />
<br />
12. Section 55A of the DPA (as applied to PECR cases by Schedule 1 to<br />
<br />
PECR, as variously amended) states:<br />
<br />
<br />
“(1) The Commissioner may serve a person with a monetary penalty if<br />
<br />
the Commissioner is satisfied that –<br />
<br />
(a) there has been a serious contravention of the requirements<br />
<br />
of the Privacy and Electronic Communications (EC<br />
<br />
Directive) Regulations 2003 by the person,<br />
<br />
(b) subsection (2) or (3) applies.<br />
<br />
<br />
(2) This subsection applies if the contravention was deliberate.<br />
<br />
(3) This subsection applies if the person –<br />
<br />
(a) knew or ought to have known that there was a risk that the<br />
<br />
contravention would occur, but<br />
<br />
(b) failed to take reasonable steps to prevent the<br />
<br />
contravention.”<br />
<br />
<br />
<br />
13. The Commissioner has issued statutory guidance under section 55C (1)<br />
<br />
of the DPA about the issuing of monetary penalties that has been<br />
<br />
published on the ICO’s website. The Data Protection (Monetary<br />
Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe<br />
<br />
that the amount of any penalty determined by the Commissioner must<br />
<br />
not exceed £500,000.<br />
<br />
<br />
<br />
14. PECR were enacted to protect the individual’s fundamental right to<br />
<br />
privacy in the electronic communications sector. PECR were<br />
subsequently amended and strengthened. The Commissioner will<br />
<br />
interpret PECR in a way which is consistent with the Regulations’<br />
<br />
overall aim of ensuring high levels of protection for individuals’ privacy<br />
<br />
rights.<br />
<br />
<br />
15. The provisions of the DPA remain in force for the purposes of PECR<br />
<br />
notwithstanding the introduction of the DPA18: see paragraph 58(1) of<br />
<br />
Schedule 20 to the DPA18.<br />
<br />
<br />
<br />
Background to the case<br />
<br />
<br />
<br />
16. SportsDirect came to the attention of the Commissioner due to<br />
complaints reported via the ICO’s online reporting tool. The<br />
<br />
Commissioner received twelve complaints about unsolicited<br />
<br />
communications between 21 December 2019 and 16 February 2020.<br />
<br />
<br />
<br />
17. The Commissioner sent an initial investigation letter to SportsDirect on<br />
25 February 2020 setting out her concerns regarding SportsDirect’s<br />
<br />
compliance with PECR and asking for, inter alia, the source of its data,<br />
<br />
and evidence of the consent relied on in the course of its direct<br />
<br />
marketing campaign between 21 December 2019 and 16 February<br />
<br />
2020.<br />
<br />
<br />
<br />
<br />
<br />
18. SportsDirect provided a response on 13 March 2020. This response<br />
explained that all data used to engage in its direct marketing is<br />
<br />
obtained directly from customers; and provided details of the ways in<br />
<br />
which it obtained consent to engage in its direct marketing campaigns.<br />
<br />
In relation to the complaints which had been received, SportsDirect<br />
<br />
indicated that these recipients were part of a “re-engagement<br />
<br />
campaign”, and stated:<br />
<br />
<br />
“The ecommerce team determined that the data subjects in the aged<br />
<br />
data set had not unsubscribed from receiving email marketing and<br />
would only send emails with content that provided offers on multi-buy<br />
<br />
products or free delivery/click&collect, along with the usual unsubscribe<br />
<br />
link. This was done with the expectation that data subjects would<br />
<br />
either not engage with the email, choose to unsubscribe from future<br />
<br />
emails or view those offers and emails positively and engage with<br />
Sports Direct.<br />
<br />
<br />
<br />
Where a data subject unsubscribed, this would be processed in the<br />
<br />
normal way, and where they did not engage with the emails after a<br />
<br />
reasonable period, the data would be removed from or anonymised<br />
<br />
within the marketing database.<br />
<br />
<br />
Having considered the proposed approach and likely impact of the re-<br />
<br />
engagement campaign, the ecommerce team took the decision to run a<br />
<br />
re-engagement campaign with that aged data set with the objectives of<br />
<br />
(1) reducing the amount of data held in the marketing database and<br />
<br />
(2) connecting with customers who had not engaged with Sports Direct<br />
within the normal engagement criteria.”<br />
<br />
<br />
19. SportsDirect explained that "...the Sports Direct ecommerce team<br />
<br />
analysed the Sports Direct marketing database and identified a<br />
<br />
<br />
<br />
category of data that showed as being opted in to receive email<br />
marketing but had not been sent any marketing emails.". This category<br />
<br />
of data has been referred to as the ‘aged data / aged dataset’.<br />
<br />
<br />
<br />
20. Regarding evidence of consent, SportsDirect stated that “none of the<br />
<br />
complainants were recorded as being opted out of marketing emails at<br />
<br />
the time their details were collected and had not unsubscribed to<br />
marketing emails at the time when the emails were sent”. It also<br />
<br />
provided a simple breakdown of the “lawful basis” relied upon for each<br />
<br />
complainant (i.e. soft opt-in; or consent).<br />
<br />
<br />
<br />
21. The Commissioner sent further enquiries to SportsDirect on 2 April<br />
2020, specifically seeking confirmation of the number of emails which<br />
<br />
were sent between 21 December 2019 and 16 February 2020, in<br />
<br />
addition to further information regarding the consent being relied upon<br />
<br />
and the frequency of the direct marketing emails being sent.<br />
<br />
<br />
22. SportsDirect requested an extension of two months for its response in<br />
<br />
light of the impact of the COVID-19 pandemic, which the Commissioner<br />
<br />
agreed to.<br />
<br />
<br />
23. SportsDirect responded on 12 June 2020 in line with the agreed<br />
<br />
extension period to provide answers to the Commissioner’s most recent<br />
<br />
questions. Within this response it was confirmed that between 21<br />
<br />
December 2019 and 16 February 2020 there were a total of<br />
459,882,124 emails sent by SportsDirect, with 2,948,865 of those<br />
<br />
relating specifically to the “re-engagement campaign”. SportsDirect<br />
<br />
provided percentages for the number of those sent messages which<br />
<br />
had been received by a subscriber; in relation to the “re-engagement<br />
<br />
campaign” it was explained that 87% were received, which the<br />
<br />
<br />
<br />
<br />
Commissioner calculates equates to 2,565,513 direct marketing<br />
messages being received over the relevant period.<br />
<br />
<br />
24. SportsDirect claimed to rely on the ‘soft opt in’ for seven of the twelve<br />
<br />
complainants, and stated that consent had been obtained from three of<br />
<br />
the twelve complainants directly. In terms of the two remaining<br />
<br />
complainants, SportsDirect claimed that its records did not show any<br />
<br />
messages being sent to one of them; and that the final complainant<br />
<br />
had since requested that their information be removed from its<br />
systems and so SportsDirect was unable to provide details of the lawful<br />
<br />
basis on which it would have relied to send the message.<br />
<br />
<br />
25. The Commissioner took the view that sufficient evidence of valid<br />
<br />
consent had not been provided and sent an email to SportsDirect on 2<br />
<br />
July 2020 to request this. SportsDirect requested an extension for<br />
<br />
providing this information which the Commissioner granted, although it<br />
<br />
was explained to SportsDirect that in the Commissioner’s view such<br />
evidence should be readily available.<br />
<br />
<br />
26. SportsDirect provided its response on 20 July 2020 with purported<br />
<br />
evidence of consent for three of the twelve complainants, specifically<br />
<br />
stating that those individuals had signed up to a ‘local customer benefit<br />
<br />
scheme’ (the “benefit scheme”) at a store outside of the United<br />
<br />
Kingdom on 8 August 2011, 6 October 2012 and 24 April 2014<br />
respectively. The purpose of the benefit scheme was to allow<br />
<br />
subscribers to “receive their receipts by email, a regular brochure,<br />
<br />
annual vouchers and other offers and promotions”. This scheme<br />
<br />
ceased to operate in 2018.<br />
<br />
<br />
27. The Commissioner sent further queries to SportsDirect on 14 August<br />
<br />
2020 to establish why subscribers who signed up to the benefit scheme<br />
<br />
<br />
<br />
<br />
continued to receive messages, and the number of customers who had<br />
consented to marketing communications in this way.<br />
<br />
<br />
28. SportsDirect explained in response that “[f]ollowing cessation of the<br />
<br />
Scheme, the Scheme data set was reviewed and it was decided that (i)<br />
<br />
there was a legitimate interest in members of the Scheme continuing<br />
<br />
to receive general offers and discounts from the business as an<br />
<br />
alternative to the benefits previously made available under the Scheme<br />
<br />
and (ii) it would be prudent to run a data cleanse. This data cleanse<br />
removed duplicated data, incorrectly formatted email addresses and<br />
<br />
emails identified as ‘spam traps’. This left a data set of around 779,000<br />
<br />
email contacts.<br />
<br />
<br />
This reduced data set then received a small number of emails<br />
<br />
immediately following cessation of the Scheme, starting with a<br />
<br />
welcome-style email introducing the type of emails members would<br />
<br />
receive following cessation of the Scheme, unless they unsubscribed.”<br />
<br />
<br />
29. The Commissioner asked further questions on 4 September 2020. In<br />
particular the Commissioner wished to know, inter alia, the specific<br />
<br />
date when the benefit scheme ended; the number of emails sent to,<br />
<br />
and received by, subscribers after the cessation of the scheme; and as<br />
<br />
part of the “re-engagement campaign”, how many subscribers were<br />
<br />
sent messages who had initially consented to marketing emails as part<br />
of a previous campaign.<br />
<br />
<br />
<br />
30. In its response, SportsDirect again cited concerns which it had raised<br />
<br />
earlier in the investigation in respect of the challenges it has faced in<br />
<br />
gathering information to respond to some of the Commissioner’s<br />
<br />
queries; i.e. since many of the individuals who were “involved in<br />
making decisions and administering the databases around the time the<br />
<br />
dataset was cleansed have already long since left the business” [and]<br />
<br />
<br />
“most files and communications created during their employment on<br />
local drives have long since been deleted in accordance with standard<br />
<br />
retention procedures”.<br />
<br />
<br />
<br />
31. SportsDirect therefore sought to provide its “best estimate” of the<br />
<br />
dates in connection with the cessation of the benefit scheme, stating<br />
that it ceased to operate “in around January 2018”, and that<br />
<br />
throughout January and February 2018 the data cleanse took place,<br />
<br />
leaving “around 779,000 email contacts”. This dataset was then sent a<br />
<br />
“welcome-style email” although the content of this could not be<br />
<br />
determined. Those who “engaged” with the “welcome-style email”<br />
<br />
were added to the “main email marketing dataset”.<br />
<br />
<br />
32. In relation to the “re-engagement campaign” (also referred to by<br />
SportsDirect as the “Christmas 2019 Email Campaign”), SportsDirect<br />
<br />
stated: “one of the objectives of the Christmas 2019 Email Campaign<br />
<br />
was to cleanse the marketing database. This cleanse began in the week<br />
<br />
commencing 13 January 2020. This means that the business is not able<br />
<br />
to retrieve data deleted at that time and is unable to re-create that<br />
segmentation to provide [the Commissioner] with specific details<br />
<br />
around how many individuals initially consented to marketing emails as<br />
<br />
part of a previous campaign or scheme. The business used legitimate<br />
<br />
interests as the basis on which to send the Christmas 2019 Email<br />
<br />
Campaign.<br />
<br />
<br />
For the reasons described above, it is no longer possible for us to<br />
<br />
retrieve the distribution list used in the Christmas 2019 Email<br />
<br />
Campaign and then separate out individuals who were initially opted in<br />
<br />
through being a member of the Scheme”<br />
<br />
<br />
<br />
<br />
<br />
<br />
33. The Commissioner sent an ‘end of investigation’ email to SportsDirect<br />
on 21 October 2020, although it was invited to provide any further<br />
<br />
“relevant evidence, or information regarding [its] policies, procedures<br />
<br />
and training programmes”. SportsDirect responded on 2 November<br />
<br />
2020 with a summary of its position, and information in respect of the<br />
<br />
number of individuals who may have received an email as part of the<br />
<br />
“re-engagement campaign”, specifically stating that it: “understand[s]<br />
that the volume of emails sent as part of the Christmas 2019 Campaign<br />
<br />
was approximately 2.9 million. [It] cannot quantify the total number of<br />
<br />
data subjects emailed as part of this campaign due to the absence of<br />
<br />
historic communications due to strict data deletion […]. […] the data<br />
<br />
subjects would have included individuals who had been members of the<br />
[Loyalty Scheme operating outside of the UK], but there would also<br />
<br />
have been other recipients”. Whilst SportsDirect were unable to<br />
<br />
confirm the precise number of individuals which it had emailed, its<br />
<br />
confirmation that “approximately 2.9 million” messages were sent<br />
<br />
accorded with the precise figures which it had provided on 12 June<br />
<br />
2020 where it was stated that there had been 2,948,865 direct<br />
marketing messages sent relating specifically to the “re-engagement<br />
<br />
campaign”, with 87% being received.<br />
<br />
<br />
<br />
34. The Commissioner has made the above findings of fact on the<br />
<br />
balance of probabilities.<br />
<br />
<br />
35. The Commissioner has considered whether those facts constitute<br />
<br />
a contravention of regulation 22 of PECR by SportsDirect and, if so,<br />
<br />
whether the conditions of section 55A DPA are satisfied.<br />
<br />
<br />
The contravention<br />
<br />
<br />
<br />
<br />
<br />
<br />
36. The Commissioner finds that SportsDirect contravened regulation 22 of<br />
PECR.<br />
<br />
<br />
<br />
37. The Commissioner finds that the contravention was as follows:<br />
<br />
<br />
<br />
38. The Commissioner finds that between 21 December 2019 and 16<br />
<br />
February 2020 there were 2,565,513 direct marketing emails received<br />
by subscribers. The Commissioner finds that SportsDirect transmitted<br />
<br />
those direct marketing messages, contrary to regulation 22 of PECR.<br />
<br />
<br />
39. SportsDirect, as the sender of the direct marketing, is required to<br />
<br />
ensure that it is acting in compliance with the requirements of<br />
<br />
regulation 22 of PECR, and to ensure that valid consent to send those<br />
<br />
messages had been acquired.<br />
<br />
<br />
40. SportsDirect has been unable to provide evidence of consent for the<br />
messages sent over the period of 21 December 2019 and 16 February<br />
<br />
2020.<br />
<br />
<br />
41. In this instance, in relation to the 2,565,513 direct marketing emails<br />
<br />
stated by SportsDirect on 12 June 2020 to have been received by<br />
<br />
subscribers over the relevant period, SportsDirect has been unable to<br />
<br />
provide evidence of valid consent. Indeed it is stated that it is no<br />
longer possible for SportsDirect to “retrieve the distribution list used in<br />
<br />
the Christmas 2019 Email Campaign”. In the circumstances the<br />
<br />
Commissioner is not satisfied that SportsDirect can avail itself to the<br />
<br />
soft opt-in exception provided at regulation 22(3) PECR.<br />
<br />
<br />
42. The Commissioner has gone on to consider whether the conditions<br />
<br />
under section 55A DPA are met.<br />
<br />
<br />
<br />
<br />
<br />
<br />
Seriousness of the contravention<br />
<br />
<br />
43. The Commissioner is satisfied that the contravention identified<br />
<br />
above was serious. This is because between 21 December 2019 and 16<br />
<br />
February 2020, a total of 2,565,513 direct marketing messages were<br />
<br />
received by subscribers having been sent by SportsDirect. These<br />
<br />
messages, which were sent as part of a “re-engagement campaign”,<br />
contained direct marketing material for which subscribers had not<br />
<br />
provided valid consent. Furthermore, since SportsDirect is now unable<br />
<br />
to retrieve the distribution list and is therefore unable to evidence<br />
<br />
how/when details were purportedly obtained, the Commissioner is<br />
<br />
satisfied that SportsDirect is unable to rely on the soft opt-in<br />
exemption.<br />
<br />
<br />
<br />
44. The Commissioner is therefore satisfied that condition (a) from<br />
<br />
section 55A(1) DPA is met.<br />
<br />
<br />
Deliberate or negligent contraventions<br />
<br />
<br />
<br />
45. The Commissioner has considered whether the contravention identified<br />
<br />
above was deliberate.<br />
<br />
<br />
<br />
46. The Commissioner does not consider that SportsDirect deliberately set<br />
out to contravene PECR in this instance.<br />
<br />
<br />
<br />
47. The Commissioner has gone on to consider whether the contravention<br />
<br />
identified above was negligent. This consideration comprises two<br />
<br />
elements:<br />
<br />
<br />
48. Firstly, she has considered whether SportsDirect knew or ought<br />
<br />
reasonably to have known that there was a risk that these<br />
<br />
<br />
contraventions would occur. This is not a high bar and she is satisfied<br />
that this condition is met.<br />
<br />
<br />
<br />
49. The Commissioner has published detailed guidance for those carrying<br />
<br />
out direct marketing explaining their legal obligations under PECR.<br />
<br />
This guidance gives clear advice regarding the requirements of consent<br />
<br />
for direct marketing and explains the circumstances under which<br />
organisations are able to carry out marketing over the phone, by text,<br />
<br />
by email, by post, or by fax. In particular it states that organisations<br />
<br />
can generally only send, or instigate, marketing messages to<br />
<br />
individuals if that person has specifically consented to receiving them.<br />
<br />
The guidance also provides a full explanation of the “soft opt-in”<br />
exemption and states that organisations “should […] make sure that<br />
<br />
they keep clear records of exactly what someone has consented to. In<br />
<br />
particular, they should record the date of consent, the method of<br />
<br />
consent, who obtained consent, and exactly what information was<br />
<br />
provided to the person consenting”. SportsDirect has been unable to<br />
<br />
do this.<br />
<br />
50. The Commissioner has published detailed guidance on consent under<br />
<br />
the GDPR. In case organisations remain unclear on their obligations,<br />
<br />
the ICO operates a telephone helpline. ICO communications about<br />
<br />
previous enforcement action where businesses have not complied with<br />
<br />
PECR are also readily available.<br />
<br />
<br />
51. It is therefore reasonable to suppose that SportsDirect should have<br />
been aware of its responsibilities in this area.<br />
<br />
<br />
<br />
52. Secondly, the Commissioner has gone on to consider whether<br />
SportsDirect failed to take reasonable steps to prevent the<br />
<br />
contraventions. Again, she is satisfied that this condition is met.<br />
<br />
<br />
<br />
<br />
53. The Commissioner takes the view that any person wishing to engage in<br />
direct marketing by electronic mail could and should – particularly<br />
<br />
since the coming into effect of the GDPR – have ensured that all of<br />
<br />
their consent capture mechanisms properly enabled consent to be<br />
<br />
separately given or withheld for direct marketing communications, and<br />
<br />
that such consent was retained. At the outset of the investigation the<br />
<br />
Commissioner raised concerns with SportsDirect’s privacy policy which<br />
stated: “You acknowledge that you do not object to us and third parties<br />
<br />
identified below, including our Third Party Advertisers, using your<br />
<br />
personal information for any of the purposes outlined in this privacy<br />
<br />
policy and you confirm that you do not and will not consider any of<br />
<br />
these purposes as a breach of any of your rights under the Privacy and<br />
Electronic Communications (EC Directive) Regulations 2003” (emphasis<br />
<br />
added). SportsDirect has since amended the wording of its Privacy<br />
<br />
Policy.<br />
<br />
<br />
54. The Commissioner takes the view that SportsDirect could legitimately<br />
<br />
have sought advice either from the Commissioner or from a legal<br />
<br />
advisor in relation to the basis on which it proposed to send its<br />
unsolicited direct marketing to an aged dataset but failed to do so.<br />
<br />
This is particularly egregious given that the purpose of SportsDirect’s<br />
<br />
“re-engagement campaign” was to contact individuals with whom it<br />
<br />
had not “connected” with for some time.<br />
<br />
<br />
55. In the circumstances, the Commissioner is satisfied that SportsDirect<br />
<br />
failed to take reasonable steps to prevent the contraventions.<br />
<br />
<br />
56. The Commissioner is therefore satisfied that condition (b) from section<br />
<br />
55A (1) DPA is met.<br />
<br />
<br />
<br />
The Commissioner’s decision to issue a monetary penalty<br />
<br />
<br />
<br />
57. The Commissioner has taken into account the following<br />
aggravating feature of this case:<br />
<br />
<br />
<br />
• The Commissioner is concerned about SportsDirect’s failure to maintain<br />
<br />
satisfactory internal consent records.<br />
<br />
<br />
<br />
58. The Commissioner has taken into account the following mitigating<br />
feature of this case:<br />
<br />
<br />
<br />
• The Commissioner is mindful that SportsDirect has taken a number of<br />
<br />
steps to improve its compliance with data protection legislation,<br />
<br />
specifically it has carried out an exercise to reduce the amount of data<br />
in its database; it has reconsidered the frequency of emails which will<br />
<br />
be sent to individuals; and will introduce a new cleansing system. It<br />
<br />
is noted that it has also updated its privacy policy in line with the<br />
<br />
Commissioner’s guidance.<br />
<br />
<br />
<br />
59. For the reasons explained above, the Commissioner is satisfied that the<br />
conditions from section 55A (1) DPA have been met in this case. She is<br />
<br />
also satisfied that the procedural rights under section 55B have been<br />
<br />
complied with.<br />
<br />
<br />
<br />
60. The latter has included the issuing of a Notice of Intent, in which the<br />
Commissioner set out her preliminary thinking. In reaching her final<br />
<br />
view, the Commissioner has taken into account the representations<br />
<br />
made by SportsDirect on this matter.<br />
<br />
<br />
<br />
61. The Commissioner is accordingly entitled to issue a monetary penalty<br />
<br />
in this case.<br />
<br />
<br />
<br />
<br />
<br />
62. The Commissioner has considered whether, in the circumstances, she<br />
should exercise her discretion so as to issue a monetary penalty.<br />
<br />
<br />
<br />
63. The Commissioner has considered the likely impact of a monetary<br />
<br />
penalty on SportsDirect. She has decided on the information that is<br />
<br />
available to her, that SportsDirect has access to sufficient financial<br />
resources to pay the proposed monetary penalty without causing<br />
<br />
undue financial hardship.<br />
<br />
<br />
<br />
64. The Commissioner’s underlying objective in imposing a monetary<br />
<br />
penalty notice is to promote compliance with PECR. The sending of<br />
<br />
unsolicited direct marketing messages is a matter of significant public<br />
concern. A monetary penalty in this case should act as a general<br />
<br />
encouragement towards compliance with the law, or at least as a<br />
<br />
deterrent against non-compliance, on the part of all persons running<br />
<br />
businesses currently engaging in these practices. The issuing of a<br />
<br />
monetary penalty will reinforce the need for businesses to ensure that<br />
they are only messaging those who specifically consent to receive<br />
<br />
direct marketing.<br />
<br />
<br />
65. For these reasons, the Commissioner has decided to issue a monetary<br />
<br />
penalty in this case.<br />
<br />
<br />
<br />
The amount of the penalty<br />
<br />
<br />
66. Taking into account all of the above, the Commissioner has decided<br />
<br />
that a penalty in the sum of £70,000 (seventy thousand pounds) is<br />
reasonable and proportionate given the particular facts of the case and<br />
<br />
the underlying objective in imposing the penalty.<br />
<br />
<br />
<br />
Conclusion<br />
<br />
<br />
<br />
67. The monetary penalty must be paid to the Commissioner’s office by<br />
BACS transfer or cheque by 14 October 2021 at the latest. The<br />
<br />
monetary penalty is not kept by the Commissioner but will be paid into<br />
<br />
the Consolidated Fund which is the Government’s general bank account<br />
<br />
at the Bank of England.<br />
<br />
<br />
<br />
68. If the Commissioner receives full payment of the monetary penalty by<br />
13 October 2021 the Commissioner will reduce the monetary penalty<br />
<br />
by 20% to £56,000 (fifty-six thousand pounds). However, you<br />
<br />
should be aware that the early payment discount is not available if you<br />
<br />
decide to exercise your right of appeal.<br />
<br />
<br />
69. There is a right of appeal to the First-tier Tribunal (Information Rights)<br />
<br />
against:<br />
<br />
<br />
<br />
(a) the imposition of the monetary penalty<br />
<br />
and/or;<br />
<br />
(b) the amount of the penalty specified in the monetary penalty<br />
notice.<br />
<br />
<br />
<br />
70. Any notice of appeal should be received by the Tribunal within 28 days<br />
<br />
of the date of this monetary penalty notice.<br />
<br />
<br />
71. Information about appeals is set out in Annex 1.<br />
<br />
<br />
<br />
72. The Commissioner will not take action to enforce a monetary penalty<br />
<br />
unless:<br />
<br />
<br />
<br />
• the period specified within the notice within which a monetary<br />
penalty must be paid has expired and all or any of the monetary<br />
<br />
penalty has not been paid;<br />
<br />
<br />
• all relevant appeals against the monetary penalty notice and any<br />
<br />
variation of it have either been decided or withdrawn; and<br />
<br />
• the period for appealing against the monetary penalty and any<br />
<br />
variation of it has expired.<br />
<br />
<br />
<br />
<br />
73. In England, Wales and Northern Ireland, the monetary penalty is<br />
recoverable by Order of the County Court or the High Court. In<br />
<br />
Scotland, the monetary penalty can be enforced in the same manner as<br />
<br />
an extract registered decree arbitral bearing a warrant for execution<br />
<br />
issued by the sheriff court of any sheriffdom in Scotland.<br />
<br />
<br />
Dated the 13th day of September 2021<br />
<br />
Andy Curry<br />
<br />
Head of Investigations<br />
Information Commissioner’s Office<br />
Wycliffe House<br />
Water Lane<br />
<br />
Wilmslow<br />
Cheshire<br />
SK9 5AF<br />
<br />
<br />
ANNEX 1<br />
<br />
<br />
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998<br />
<br />
<br />
<br />
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER<br />
<br />
<br />
<br />
1. Section 55B(5) of the Data Protection Act 1998 gives any person<br />
upon whom a monetary penalty notice has been served a right of<br />
<br />
appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’)<br />
<br />
against the notice.<br />
<br />
<br />
<br />
2. If you decide to appeal and if the Tribunal considers:-<br />
<br />
<br />
a) that the notice against which the appeal is brought is not in<br />
<br />
accordance with the law; or<br />
<br />
<br />
<br />
b) to the extent that the notice involved an exercise of<br />
<br />
discretion by the Commissioner, that she ought to have exercised<br />
her discretion differently,<br />
<br />
<br />
<br />
the Tribunal will allow the appeal or substitute such other decision as<br />
<br />
could have been made by the Commissioner. In any other case the<br />
<br />
Tribunal will dismiss the appeal.<br />
<br />
<br />
3. You may bring an appeal by serving a notice of appeal on the<br />
<br />
Tribunal at the following address:<br />
<br />
<br />
<br />
General Regulatory Chamber<br />
HM Courts & Tribunals Service<br />
PO Box 9300<br />
Leicester<br />
<br />
LE1 8DJ<br />
<br />
<br />
Telephone: 0203 936 8963<br />
Email: grc@justice.gov.uk<br />
<br />
<br />
a) The notice of appeal should be sent so it is received by the<br />
<br />
Tribunal within 28 days of the date of the notice.<br />
<br />
<br />
b) If your notice of appeal is late the Tribunal will not admit it<br />
<br />
unless the Tribunal has extended the time for complying with this<br />
<br />
rule.<br />
<br />
<br />
<br />
4. The notice of appeal should state:-<br />
<br />
<br />
a) your name and address/name and address of your<br />
<br />
representative (if any);<br />
<br />
<br />
<br />
b) an address where documents may be sent or delivered to<br />
<br />
you;<br />
<br />
<br />
c) the name and address of the Information Commissioner;<br />
<br />
<br />
<br />
d) details of the decision to which the proceedings relate;<br />
<br />
<br />
e) the result that you are seeking;<br />
<br />
<br />
<br />
f) the grounds on which you rely;<br />
<br />
<br />
<br />
g) you must provide with the notice of appeal a copy of the<br />
<br />
monetary penalty notice or variation notice;<br />
<br />
<br />
h) if you have exceeded the time limit mentioned above the<br />
<br />
notice of appeal must include a request for an extension of time<br />
<br />
<br />
<br />
and the reason why the notice of appeal was not provided in<br />
time.<br />
<br />
<br />
<br />
5. Before deciding whether or not to appeal you may wish to consult<br />
<br />
your solicitor or another adviser. At the hearing of an appeal a party<br />
<br />
may conduct his case himself or may be represented by any person<br />
<br />
whom he may appoint for that purpose.<br />
<br />
<br />
6. The statutory provisions concerning appeals to the First-tier<br />
<br />
Tribunal (Information Rights) are contained in section 55B(5) of, and<br />
<br />
Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure<br />
<br />
(First-tier Tribunal) (General Regulatory Chamber) Rules 2009<br />
(Statutory Instrument 2009 No. 1976 (L.20)).<br />
<br />
<br />
</pre></div>Mariam-hwthhttps://gdprhub.eu/index.php?title=ICO_(UK)_-_Colour_Car_Sales_Limited&diff=19775ICO (UK) - Colour Car Sales Limited2021-09-19T16:07:11Z<p>Mariam-hwth: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|DPA-BG-Color=background-color:#023868;<br />
|DPAlogo=LogoUK.png<br />
|DPA_Abbrevation=ICO (UK)<br />
|DPA_With_Country=ICO (UK)<br />
<br />
|Case_Number_Name=Colour Car Sales Limited<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Information Commissioner's Office<br />
|Original_Source_Link_1=https://cy.ico.org.uk/media/action-weve-taken/enforcement-notices/2619915/colour-car-sales-ltd-en-20210524.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=24.05.2021<br />
|Date_Published=08.06.2021<br />
|Year=2021<br />
|Fine=170000<br />
|Currency=GBP<br />
<br />
|GDPR_Article_1=Article 4(11) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#11<br />
<br />
<br />
|National_Law_Name_1=Regulation 2(1) of the Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
|National_Law_Link_1=https://www.legislation.gov.uk/uksi/2003/2426<br />
|National_Law_Name_2=Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
|National_Law_Link_2=https://www.legislation.gov.uk/uksi/2003/2426<br />
<br />
|Party_Name_1=Colour Car Sales Limited<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The UK DPA fined a car finance company approximately €198,000 (£170,000) for sending unsolicited direct marketing messages without obtaining valid consent. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Colour Car Sales Limited (CCSL) is a company acting as a credit intermediary for finance on used cars. It traded under several names, including 'immediatecarfinance.co.uk'; 'carfinancetoday.net'; 'achillesuk.com'; and 'taxifinancetoday.com'.<br />
<br />
Between 2018 and 2019, the UK DPA (Information Commissioner's Office; ICO) received nearly 200 complaints about unsolicited electronic direct marketing text messages. The ICO started a preliminary investigation and contacted CCSL for further evidence. The letter was returned undelivered. The company director was then contacted and provided an alternative contact address.<br />
<br />
CCSL confirmed it had sent over 3 million direct marketing messages between 2018 and 2019. CCSL claimed to have gathered consent through an application form with the following statement:<br />
"By starting an application you agree that immediatecarfinance may/will pass your details on to a third party lender or broker, and they may wish to contact you by phone, post, SMS or other electronic means". CCSL explained that an opt-out would be possible by calling the CCSL office. <br />
<br />
The ICO investigated the available privacy notice and found that it stated that marketing communication was only sent where there was consent of a "legitimate business interest".<br />
<br />
Following initial cooperation, CCSL did not respond to the ICO any further. <br />
<br />
=== Dispute ===<br />
What classifies as valid consent to send direct marketing messages?<br />
<br />
=== Holding ===<br />
The UK DPA first outlined the definition of consent as defined by Article 4(11) of the GDPR. It also outlined the rules under Regulation 22 PECR which address consent.<br />
<br />
Analysing the application form, the ICO considered that there was no specific reference to direct marketing nor purposes of contact from third parties. Additionally, the UK DPA found that there was no method for the individual to send an application without consenting to being contacted, nor any option for them to select who may contact them. <br />
<br />
The ICO therefore found CCSL in contravention of Regulation 22 of PECR for instigating unsolicited direct marketing messages. Individuals had no option other than to agree to receive direct marketing. Consent was therefore not freely given. Similarly, it was not specific, as individuals could not select which party they agreed to receive marketing from. Finally, it was not informed (the information provided was too vague).<br />
<br />
The ICO found that the "soft opt-in", where organisations can send marketing messages by text and e-mail to individuals whose details had been obtained in the course of a sale or negotiations for a sale and in respect of similar products and services, was also not available to CCSL. This is because individuals were not given the opportunity to refuse or opt out in the first place.<br />
<br />
The ICO took into account the seriousness and the deliberate or negligent nature of the infraction, as well as the lack of cooperation by CCSL. It therefore imposed a fine of approximately €198,000 on CCSL.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
•<br />
<br />
ICO.<br />
Information Commissioner's Office<br />
<br />
<br />
DATA PROTECTION ACT 1998<br />
<br />
<br />
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER<br />
<br />
<br />
<br />
ENFORCEMENT NOTICE<br />
<br />
<br />
<br />
<br />
To: Colour Car Sales Limited<br />
<br />
Of: Unit 1 & 2 Mossfield Road, Stoke-on-Trent, England ST3 SBW<br />
<br />
1. The Information Commissioner ("the Commissioner") has decided to<br />
<br />
issue Colour Car Sales Limited ("CCSL") with an enforcement notice<br />
<br />
under section 40 of the Data Protection Act 1998 ("DPA"). The notice is<br />
in relation to a serious contravention of Regulation 22 of the Privacy<br />
<br />
and Electronic Communications (EC Directive) Regulations 2003<br />
("PECR").<br />
<br />
<br />
<br />
2. This notice explains the Commissioner's decision.<br />
<br />
<br />
Legal framework<br />
<br />
<br />
3. CCSL, whose registered office is given above (Companies House<br />
<br />
Registration Number: 10382413) is the organisation stated in this<br />
notice to have instigated the transmission of unsolicited<br />
<br />
communications by means of electronic mail to individual subscribers<br />
<br />
for the purposes of direct marketing contrary to regulation 22 of PECR.<br />
<br />
<br />
4. Regulation 22 of PECR states:<br />
<br />
<br />
<br />
<br />
"(1) This regulation applies to the transmission of unsolicited<br />
communications by means of electronic mail to individual<br />
<br />
subscribers.<br />
<br />
(2) Except in the circumstances referred to in paragraph (3), a person<br />
<br />
shall neither transmit, nor instigate the transmission of, unsolicited<br />
communications for the purposes of direct marketing by means of<br />
<br />
electronic mail unless the recipient of the electronic mail has<br />
<br />
previously notified the sender that he consents for the time being<br />
to such communications being sent by, or at the instigation of, the<br />
<br />
sender.<br />
<br />
(3) A person may send or instigate the sending of electronic mail for<br />
<br />
the purposes of direct marketing where-<br />
<br />
(a) that person has obtained the contact details of the recipient<br />
of that electronic mail in the course of the sale or<br />
<br />
negotiations for the sale of a product or service to that<br />
<br />
recipient;<br />
<br />
(b) the direct marketing is in respect of that person's similar<br />
products and services only; and<br />
<br />
(c) the recipient has been given a simple means of refusing<br />
<br />
(free of charge except for the costs of the transmission of<br />
<br />
the refusal) the use of his contact details for the purposes<br />
of such direct marketing, at the time that the details were<br />
<br />
initially collected, and, where he did not initially refuse the<br />
<br />
use of the details, at the time of each subsequent<br />
communication.<br />
<br />
(4) A subscriber shall not permit his line to be used in contravention of<br />
<br />
paragraph (2)."<br />
<br />
<br />
<br />
<br />
<br />
<br />
5. Section 122(5) of the DPA18 defines direct marketing as "the<br />
communication (by whatever means) of any advertising material which<br />
<br />
is directed to particular individuals". This definition also applies for the<br />
purposes of PECR (see regulation 2(2) PECR & Schedule 19 paragraphs<br />
<br />
430 & 432(6) DPA18).<br />
<br />
<br />
6. Prior to 29 March 2019, the European Directive 95/46/EC defined<br />
<br />
'consent' as "any freely given specific and informed indication of his<br />
<br />
wishes by which the data subject signifies his agreement to personal<br />
data relating to him being processed".<br />
<br />
<br />
7. Consent in PECR is now defined, from 29 March 2019, by reference to<br />
the concept of consent in Regulation 2016/679 ("the GDPR"):<br />
<br />
regulation 8(2) of the Data Protection, Privacy and Electronic<br />
<br />
Communications (Amendments etc) (EU Exit) Regulations 2019. Article<br />
4(11) of the GDPR sets out the following definition: "'consent' of the<br />
<br />
data subject means any freely given, specific, informed and<br />
unambiguous indication of the data subject's wishes by which he or<br />
<br />
she, by a statement or by a clear affirmative action, signifies<br />
<br />
agreement to the processing of personal data relating to him or her".<br />
<br />
8. Recital 32 of the GDPR materially states that "When the processing has<br />
<br />
multiple purposes, consent should be given for all of them". Recital 42<br />
<br />
materially provides that "For consent to be informed, the data subject<br />
should be aware at least of the identity of the controller". Recital 43<br />
<br />
materially states that "Consent is presumed not to be freely given if it<br />
does not allow separate consent to be given to different personal data<br />
<br />
processing operations despite it being appropriate in the individual<br />
<br />
case".<br />
<br />
<br />
9. "Individual" is defined in regulation 2(1) of PECR as "a living individual<br />
and includes an unincorporated body of such individuals".<br />
<br />
<br />
<br />
10. A "subscriber" is defined in regulation 2(1) of PECR as "a person who is<br />
a party to a contract with a provider of public electronic<br />
<br />
communications services for the supply of such services".<br />
<br />
11. "Electronic mail" is defined in regulation 2(1) of PECR as "any text,<br />
<br />
voice, sound or image message sent over a public electronic<br />
<br />
communications network which can be stored in the network or in the<br />
recipient's terminal equipment until it is collected by the recipient and<br />
<br />
includes messages sent using a short message service".<br />
<br />
<br />
12. The term "soft opt-in" is used to describe the rule set out in<br />
<br />
Regulation 22(3) of PECR. In essence, an organisation may be able to<br />
e-mail its existing customers even if they haven't specifically consented<br />
<br />
to electronic mail. The soft opt-in rule can only be relied upon by the<br />
<br />
organisation that collected the contact details.<br />
<br />
<br />
13. The DPA contains enforcement provisions at Part V which are<br />
exercisable by the Commissioner. Those provisions are modified and<br />
<br />
extended for the purposes of PECR by Schedule 1 PECR.<br />
<br />
<br />
14. Section 40(1)(a) of the DPA (as extended and modified by PECR)<br />
provides that if the Commissioner is satisfied that a person has<br />
<br />
contravened or is contravening any of the requirements of the<br />
<br />
Regulations, she may serve him with an Enforcement Notice requiring<br />
him to take within such time as may be specified in the Notice, or to<br />
<br />
refrain from taking after such time as may be so specified, such steps<br />
as are so specified.<br />
<br />
<br />
<br />
15. PECR were enacted to protect the individual's fundamental right to<br />
privacy in the electronic communications sector. PECR were<br />
<br />
subsequently amended and strengthened. The Commissioner will<br />
<br />
interpret PECR in a way which is consistent with the Regulations'<br />
overall aim of ensuring high levels of protection for individuals' privacy<br />
<br />
rights.<br />
<br />
<br />
16. The provisions of the DPA remain in force for the purposes of PECR<br />
<br />
notwithstanding the introduction of the Data Protection Act 2018 (see<br />
paragraph 58(1) of Part 9, Schedule 20 of that Act).<br />
<br />
<br />
<br />
The contravention<br />
<br />
<br />
17. The Commissioner finds that CCSL contravened regulation 22 of PECR.<br />
<br />
<br />
18. The Commissioner finds that the contravention was as follows:<br />
<br />
<br />
19. The Commissioner finds that between 1 October 2018 and 21 January<br />
<br />
2020 there were 274 direct marketing text messages received by<br />
subscribers which are capable of being evidenced by complaints. The<br />
<br />
Commissioner finds that CCSL instigated the transmission of the direct<br />
<br />
marketing messages sent, contrary to regulation 22 of PECR.<br />
<br />
20. The Commissioner is not assisted by CCSL's failure to engage with her<br />
<br />
during this investigation to explain the relationship between CCSL and<br />
However she is satisfied that for the purposes<br />
<br />
of the direct marketing messages sent from<br />
<br />
Text Local account, CCSL positively encouraged the sending of those<br />
messages. She makes this finding in light of the information provided<br />
<br />
by Text Local in response to the Commissioner's 3PIN, and in view of<br />
<br />
the content of the unsolicited direct marketing messages sent which<br />
resulted in 274 complaints.<br />
<br />
<br />
21. CCSL, as the instigator of the direct marketing, is required to ensure<br />
that it is acting in compliance with the requirements of regulation 22 of<br />
<br />
PECR, and to ensure that valid consent to send those messages had<br />
been acquired.<br />
<br />
<br />
22. In this instance, individuals applying for finance via one of CCSL's sites<br />
<br />
were given no option but to agree to receive direct marketing from<br />
CCSL and its unnamed third parties. Indeed, the statement that would<br />
<br />
accompany the applications did not indicate in any manner that the<br />
individual's personal details would be used for direct marketing<br />
<br />
purposes. Furthermore, individuals could not specify the type of direct<br />
<br />
marketing that they might be willing to receive, rather they were<br />
required to agree to a suite of contact methods, from an unknown<br />
<br />
number of third parties.<br />
<br />
23. For consent to be valid it is required to be "freely given", by which it<br />
<br />
follows that if consent to marketing is a condition of subscribing to a<br />
<br />
service, the organisation will have to demonstrate how the consent can<br />
be said to have been given freely. In this instance, CCSL has failed to<br />
<br />
explain how its consent could be said to be freely given.<br />
<br />
24. Consent is also required to be "specific" as to the type of marketing<br />
<br />
communication to be received, and the organisation, or specific type of<br />
<br />
organisation, that will be sending it. Again, this requirement does not<br />
appear to be met in CCSL's case.<br />
<br />
<br />
25. Consent will not be "informed" if individuals do not understand what<br />
<br />
they are consenting to. Organisations should therefore always ensure<br />
that the language used is clear, easy to understand, and not hidden<br />
<br />
away in a privacy policy or small print. Consent will not be valid if<br />
individuals are asked to agree to receive marketing from "similar<br />
<br />
organisations", "partners", "selected third parties" or other similar<br />
<br />
generic description.<br />
<br />
<br />
<br />
26. The Commissioner is satisfied that CCSL cannot avail itself to the "soft<br />
opt-in" exemption provided by regulation 22(3) PECR. This exemption<br />
<br />
means that organisations can send marketing messages by text and<br />
e-mail to individuals whose details had been obtained in the course or<br />
<br />
negotiation of a sale and in respect of similar products and services.<br />
<br />
The organisation must also give the person a simple opportunity to<br />
refuse or opt out of the marketing, both when first collecting the details<br />
<br />
and in every message after that. It is apparent from the sign-up page<br />
<br />
on CCSL's websites that individuals were not provided a simple<br />
opportunity to refuse or opt out of the marketing, nor were they<br />
<br />
offered an opt-out in the subsequent direct marketing messages that<br />
they received. The Commissioner therefore finds that CCSL is unable to<br />
<br />
rely on this exemption.<br />
<br />
<br />
27. The Commissioner is satisfied that this contravention could have been<br />
far greater, since there is evidence that a total of 3,650,194 direct<br />
<br />
marketing messages were sent to individuals at the instigation of CCSL<br />
over the contravention period. However, because of CCSL's lack of<br />
<br />
engagement, and the Communications Service Provider's failure to<br />
<br />
retain such records, it has not been possible to determine the exact<br />
number of those messages which were received by subscribers. The<br />
<br />
full extent of the contravention is therefore unknown.<br />
<br />
<br />
28. The Commissioner is satisfied from the evidence she has seen that<br />
CCSL did not have the necessary valid consent for the 274 direct<br />
<br />
marketing messages received by subscribers.<br />
<br />
<br />
29. The Commissioner has considered, as she is required to do under<br />
<br />
section 40(2) of the DPA (as extended and modified by PECR) when<br />
deciding whether to serve an Enforcement Notice, whether any<br />
<br />
contravention has caused or is likely to cause any person damage or<br />
distress. The Commissioner has decided that it is likely that damage or<br />
<br />
distress has been caused in this instance, not least because of the<br />
<br />
sheer number of complaints.<br />
<br />
30. In view of the matters referred to above the Commissioner<br />
<br />
hereby gives notice that, in exercise of her powers under<br />
section 40 of the DPA, she requires CCSL to take the steps<br />
<br />
specified in Annex 1 of this Notice.<br />
<br />
Right of Appeal<br />
<br />
<br />
31. There is a right of appeal against this Notice to the First-tier Tribunal<br />
(Information Rights), part of the General Regulatory Chamber.<br />
<br />
Information about appeals is set out in the attached Annex 2.<br />
<br />
<br />
Dated the 24th day of May 2021<br />
<br />
Andy Curry<br />
Head of Investigations<br />
Information Commissioner's Office<br />
Wycliffe House<br />
Water Lane<br />
Wilmslow<br />
Cheshire<br />
SK9 5AF<br />
<br />
ANNEX 1<br />
<br />
TERMS OF THE ENFORCEMENT NOTICE<br />
<br />
<br />
CCSL shall within 30 days of the date of this notice:<br />
<br />
<br />
• Except in the circumstances referred to in paragraph (3) of<br />
regulation 22 of PECR, neither transmit, nor instigate the<br />
<br />
transmission of, unsolicited communications for the purposes of<br />
direct marketing by means of electronic mail unless the recipient of<br />
<br />
the electronic mail has previously notified CCSL that he clearly and<br />
specifically consents for the time being to such communications<br />
being sent by, or at the instigation of, CCSL.<br />
<br />
ANNEX 2<br />
<br />
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER<br />
<br />
<br />
<br />
1. Section 48 of the Data Protection Act 1998 gives any person upon<br />
<br />
whom an enforcement notice has been served a right of appeal to the<br />
First-tier Tribunal (Information Rights) (the "Tribunal") against the<br />
<br />
notice.<br />
<br />
<br />
2. If you decide to appeal and if the Tribunal considers: -<br />
<br />
<br />
<br />
a) that the notice against which the appeal is brought is not in<br />
accordance with the law; or<br />
<br />
<br />
b) to the extent that the notice involved an exercise of discretion by<br />
<br />
the Commissioner, that she ought to have exercised her<br />
<br />
discretion differently,<br />
<br />
<br />
the Tribunal will allow the appeal or substitute such other decision as<br />
could have been made by the Commissioner. In any other case the<br />
<br />
Tribunal will dismiss the appeal.<br />
<br />
<br />
3. You may bring an appeal by serving a notice of appeal on the Tribunal<br />
<br />
at the following address:<br />
<br />
<br />
General Regulatory Chamber<br />
HM Courts & Tribunals Service<br />
PO Box 9300<br />
Leicester<br />
LE1 8DJ<br />
<br />
Telephone: 0300 123 4504<br />
Email: grc@justice.gov.uk<br />
<br />
<br />
• The notice of appeal should be served on the Tribunal within 28<br />
<br />
days of the date on which the enforcement notice was sent<br />
<br />
4. The statutory provisions concerning appeals to the First-tier Tribunal<br />
<br />
(General Regulatory Chamber) are contained in sections 48 and 49 of,<br />
and Schedule 6 to, the Data Protection Act 1998, and Tribunal<br />
Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules<br />
<br />
2009 (Statutory Instrument 2009 No. 1976 (L.20)).<br />
<br />
</pre></div>Mariam-hwthhttps://gdprhub.eu/index.php?title=ICO_(UK)_-_We_Buy_Any_Car_Limited&diff=19773ICO (UK) - We Buy Any Car Limited2021-09-19T15:35:17Z<p>Mariam-hwth: Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO (UK) |DPA_With_Country=ICO (UK) |Case_Number_N..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|DPA-BG-Color=background-color:#023868;<br />
|DPAlogo=LogoUK.png<br />
|DPA_Abbrevation=ICO (UK)<br />
|DPA_With_Country=ICO (UK)<br />
<br />
|Case_Number_Name=We Buy Any Car Limited<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ICO<br />
|Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/mpns/4018348/we-buy-any-car-limited-mpn-20210913.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=13.09.2021<br />
|Date_Published=15.09.2021<br />
|Year=2021<br />
|Fine=200000<br />
|Currency=GBP<br />
<br />
|GDPR_Article_1=Article 4(11) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#11<br />
<br />
<br />
|National_Law_Name_1=Regulation 22(3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
|National_Law_Link_1=https://www.legislation.gov.uk/uksi/2003/2426<br />
|National_Law_Name_2=Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
|National_Law_Link_2=https://www.legislation.gov.uk/uksi/2003/2426<br />
<br />
|Party_Name_1=We Buy Any Car Limited<br />
|Party_Link_1=https://www.webuyanycar.com/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=MH<br />
|<br />
}}<br />
<br />
The Information Commissioner's Office imposed a fine of around €234,000 on a car valuation and purchasing company, We Buy Any Car Ltd. WBAC infringed Regulation 22 PECR by sending unsolicited marketing emails and SMS. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
We Buy Any Car Limited (WBAC) is a car purchasing company. Individuals can input details about their vehicle to get a fixed-price valuation. <br />
<br />
Individuals complained that they received unsolicited marketing texts from WBAC. The UK DPA, the Information Commissioner's Office (ICO), started an investigation on the basis of complaints between October 2019 and January 2020. WBAC stated that they only contact individuals that request a vehicle valuation. They claimed that these messages were either sent at the request of individuals or on the basis of the "soft opt-in".<br />
<br />
WBAC informed the ICO that 207.7 million email messages were sent (205.5m delivered) between April 2019 and April 2020. These messages were:<br />
- 92.3 million “journey” emails requested by the individuals asking for a valuation;<br />
- 107.6 million “batch” emails sent to customers between 30 days and 4 years since their last valuation; and<br />
- 7.8 million “good news” emails where the valuation offer has increased.<br />
<br />
WBAC also sent 16.3 million SMS between April 2019 and April 2020. 4.2 million ("batch" and "good news" messages) were marketing, 3.6 million of which were delivered. <br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
The Information Commissioner's Office considered that the "journey" messages were unsolicited marketing because the individuals had not specifically requested them, even if WBAC had informed individuals about them. The ICO concluded that the emails were marketing emails rather than service messages, as defined in the ICO's Direct Marketing Code of Practice, because they contained marketing elements even if it wasn't the main purpose. Of all the messages delivered, the ICO considered that only 14.1 million were solicited versus 191.4 million unsolicited marketing emails. WBAC was therefore found in contravention of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (hereafter: PECR) as WBAC did not satisfy the requirement of getting valid consent.<br />
<br />
The ICO also considered the “batch” and “good news” SMS to be direct marketing. Although WBAC claimed this was under the soft opt-in rule (Regulation 22(3) PECR), the ICO disagreed. The DPA held that the possibility of opting out was not presented to customers during the process of collecting their details. Instead, it was only presented to them after they had received a vehicle valuation. There was no meaningful possibility to opt out, which therefore led the ICO to conclude that WBAC did not comply with the requirements of regulation 22(3) PECR. The ICO also concluded that WBAC had misunderstood the definition of service messages in relation to the SMS they sent, which the DPA deemed to be marketing ones. <br />
<br />
The ICO also found that complainants were unsuccessful when attempting to unsubscribe from emails and SMS.<br />
<br />
The ICO took into account the large number of emails and texts sent over the 1 year period investigated and deemed it a serious contravention of the regulation. The ICO also concluded that WBAC "knew or ought reasonably to have known that there was a risk that this contravention would occur" and therefore considered this contravention to be negligent. The ICO therefore imposed a fine of around €234,000.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
DATA PROTECTION ACT 1998<br />
<br />
<br />
<br />
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER<br />
<br />
<br />
<br />
MONETARY PENALTY NOTICE<br />
<br />
<br />
To: We Buy Any Car Limited<br />
<br />
<br />
<br />
Of: Headway House, Crosby Way, Farnham, Surrey, GU9 7XG<br />
<br />
<br />
<br />
<br />
1. The Information Commissioner (“Commissioner”) has decided to issue<br />
<br />
We Buy Any Car Limited (“WBAC”) with a monetary penalty under<br />
section 55A of the Data Protection Act 1998 (“DPA”). The penalty is in<br />
<br />
relation to a serious contravention of regulation 22 of the Privacy and<br />
<br />
Electronic Communications (EC Directive) Regulations 2003 (“PECR”).<br />
<br />
<br />
<br />
2. This notice explains the Commissioner’s decision.<br />
<br />
<br />
Legal framework<br />
<br />
<br />
<br />
3. WBAC, whose registered office is given above (companies house<br />
<br />
registration number: 05727953), is the organisation (person) stated in<br />
<br />
this notice to have transmitted unsolicited communications by means<br />
of electronic mail to individual subscribers for the purposes of direct<br />
<br />
marketing contrary to regulation 22 of PECR.<br />
<br />
<br />
<br />
4. Regulation 22 of PECR provides that:<br />
<br />
<br />
<br />
<br />
<br />
<br />
“(1) This regulation applies to the transmission of unsolicited<br />
communications by means of electronic mail to individual subscribers.<br />
<br />
<br />
(2) Except in the circumstances referred to in paragraph (3), a person<br />
<br />
shall neither transmit, nor instigate the transmission of, unsolicited<br />
<br />
communications for the purposes of direct marketing by means of<br />
<br />
electronic mail unless the recipient of the electronic mail has previously<br />
<br />
notified the sender that he consents for the time being to such<br />
communications being sent by, or at the instigation of, the sender.<br />
<br />
<br />
<br />
(3) A person may send or instigate the sending of electronic mail for<br />
<br />
the purposes of direct marketing where–<br />
<br />
<br />
<br />
(a) That person has obtained the contact details of the recipient of<br />
that electronic mail in the course of the sale or negotiations for<br />
<br />
the sale of a product or device to that recipient;<br />
<br />
(b) The direct marketing is in respect of that person’s similar<br />
<br />
products and services only; and<br />
<br />
(c) The recipient has been given a simple means of refusing (free of<br />
charge except for the costs of transmission of the refusal) the<br />
<br />
use of his contact details for the purposes of such direct<br />
<br />
marketing, at the time that the details were initially collected,<br />
<br />
and, where he did not initially refuse the use of the details, at the<br />
<br />
time of each subsequent communication.<br />
<br />
<br />
(4) A subscriber shall not permit his line to be used in contravention of<br />
<br />
paragraph (2).”<br />
<br />
<br />
<br />
5. Section 122(5) of the DPA 2018 defines “direct marketing” as “the<br />
<br />
communication (by whatever means) of any advertising material which<br />
<br />
<br />
<br />
<br />
is directed to particular individuals”. This definition also applies for the<br />
purposes of PECR.<br />
<br />
<br />
<br />
6. “Electronic mail” is defined in regulation 2(1) PECR as “any text, voice,<br />
<br />
sound or image sent over a public electronic communications network<br />
<br />
which can be stored in the network or in the recipient’s terminal<br />
<br />
equipment until it is collected by the recipient and includes messages<br />
sent using a short message service”.<br />
<br />
<br />
<br />
7. Consent in PECR is now defined, from 29 March 2019, by reference to<br />
<br />
the concept of consent in Regulation 2016/679 (“the GDPR”):<br />
<br />
Regulation 8(2) of the Data Protection, Privacy and Electronic<br />
Communications (Amendments etc) (EU Exit) Regulations 2019. Article<br />
<br />
4(11) of the GDPR sets out the following definition: “‘consent’ of the<br />
<br />
data subject means any freely given, specific, informed and<br />
<br />
unambiguous indication of the data subject’s wishes by which he or<br />
<br />
she, by a statement or by a clear affirmative action, signifies<br />
<br />
agreement to the processing of personal data relating to him or her”.<br />
<br />
<br />
8. Section 55A of the DPA (as amended by the Privacy and Electronic<br />
Communications (EC Directive)(Amendment) Regulations 2011 and the<br />
<br />
Privacy and Electronic Communications (EC Directive) (Amendment)<br />
<br />
Regulations 2015) states:<br />
<br />
<br />
<br />
“(1) The Commissioner may serve a person with a monetary penalty if<br />
the Commissioner is satisfied that –<br />
<br />
<br />
(a) there has been a serious contravention of the requirements<br />
<br />
of the Privacy and Electronic Communications (EC<br />
Directive) Regulations 2003 by the person, and<br />
<br />
<br />
(b) subsection (2) or (3) applies.<br />
<br />
<br />
<br />
(2) This subsection applies if the contravention was deliberate.<br />
<br />
(3) This subsection applies if the person –<br />
<br />
(a) knew or ought to have known that there was a risk that<br />
<br />
the contravention would occur, but<br />
<br />
(b) failed to take reasonable steps to prevent the<br />
<br />
contravention.”<br />
<br />
<br />
<br />
9. The Commissioner has issued statutory guidance under section 55C (1)<br />
<br />
of the DPA about the issuing of monetary penalties that has been<br />
published on the ICO’s website. The Data Protection (Monetary<br />
<br />
Penalties)(Maximum Penalty and Notices) Regulations 2010 prescribe<br />
<br />
that the amount of any penalty determined by the Commissioner must<br />
<br />
not exceed £500,000.<br />
<br />
<br />
<br />
10. PECR were enacted to protect the individual’s fundamental right to<br />
privacy in the electronic communications sector. PECR were<br />
<br />
subsequently amended and strengthened. The Commissioner will<br />
<br />
interpret PECR in a way which is consistent with the Regulations’<br />
<br />
overall aim of ensuring high levels of protection for individuals’ privacy<br />
<br />
rights.<br />
<br />
<br />
11. The provisions of the DPA remain in force for the purposes of PECR<br />
<br />
notwithstanding the introduction of the Data Protection Act 2018 (see<br />
<br />
paragraph 58(1) of part 9, Schedule 20 of that Act).<br />
<br />
<br />
<br />
Background to the case<br />
<br />
<br />
<br />
12. WBAC is a vehicle purchasing and wholesale company with branches<br />
<br />
across the UK. Individuals use the WBAC website to input details about<br />
<br />
their vehicle and obtain a fixed-price valuation.<br />
<br />
<br />
13. Phone users can report the receipt of unsolicited marketing text<br />
<br />
messages to the GSMA’s Spam Reporting Service by forwarding the<br />
<br />
message to 7726 (spelling out “SPAM”). The GSMA is an organisation<br />
<br />
that represents the interests of mobile operators worldwide. The<br />
<br />
Commissioner is provided with access to the data on complaints made<br />
to the 7726 service and this data is incorporated into a Monthly Threat<br />
<br />
Assessment (MTA) used to ascertain organisations in breach of PECR.<br />
<br />
<br />
<br />
14. WBAC came to the attention of the Commissioner following monitoring<br />
<br />
of spam email complaints received directly via the ICO spam email<br />
reporting tool. Between 29 October 2019 and 17 January 2020, 10<br />
<br />
complaints from individuals, and a further two from the same<br />
<br />
individual, had been recorded.<br />
<br />
<br />
<br />
15. On 7 April 2020, the ICO sent an investigation letter to WBAC via email<br />
<br />
requesting the volume of marketing messages sent and delivered<br />
between 7 April 2019 and 7 April 2020, the source of the data, and<br />
<br />
evidence of consent relied upon to send marketing messages. The<br />
<br />
letter also provided an index of the twelve complaints and asked for an<br />
<br />
explanation in relation to each one.<br />
<br />
<br />
16. On 3 July 2020, the ICO received a response from WBAC in which it<br />
<br />
explained the service provided. WBAC advised that it does not initiate<br />
<br />
contact with individuals and only responds to individuals who request a<br />
<br />
<br />
<br />
vehicle valuation. The vehicle valuation is guaranteed for a set period<br />
of time, within which the individual can sell their vehicle to WBAC. If<br />
<br />
the guarantee period expires then WBAC contacts individuals to give<br />
<br />
them the opportunity to update their valuation. WBAC explained that<br />
<br />
emails are sent either at the request of individuals, or in accordance<br />
<br />
with the ‘soft opt-in’.<br />
<br />
<br />
17. The Commissioner’s investigation accordingly focussed on the<br />
<br />
marketing emails and SMS WBAC say were sent after the initial<br />
<br />
valuation email, and whether those communications satisfied the ‘soft<br />
<br />
opt-in’ criteria.<br />
<br />
<br />
18. WBAC went on to inform the Commissioner that during the period 7<br />
<br />
April 2019 to 7 April 2020 it sent 207.7 million email messages, of<br />
<br />
which 205.5 were delivered. These messages were split into three<br />
<br />
categories:<br />
<br />
<br />
<br />
(a) 92.3 million “journey” emails. Up to 12 emails over a 30 day<br />
period were sent to customers of its website in response to<br />
<br />
14.1 million valuation requests. WBAC explained that<br />
<br />
customers specifically requested “journey” emails when<br />
<br />
completing the valuation process and so believed that this<br />
<br />
category of emails were not “unsolicited” emails regulated by<br />
PECR.<br />
<br />
<br />
<br />
(b) 107.6 million “batch” emails. These are occasional emails sent<br />
<br />
to customers after the 30 day “journey” and up to 4 years<br />
<br />
since their last valuation was provided.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
(c) 7.8 million “good news” emails. These were emails whereby<br />
customers are informed that the offer for their vehicle has<br />
<br />
been increased.<br />
<br />
<br />
<br />
19. With regard to the “journey” emails the Commissioner’s view is that for<br />
<br />
a marketing message to be solicited it must be actively requested. The<br />
Commissioner therefore accepts that the initial valuation emails (of<br />
<br />
which 14.1 million were sent during the period under investigation)<br />
<br />
constitute solicited marketing and so are not subject to the<br />
<br />
requirements of PECR.<br />
<br />
<br />
<br />
20. WBAC asserted in representations to the Notice of Intent that the<br />
remaining “journey” emails are also solicited, as in their view recipients<br />
<br />
took an ‘active step’ in requesting a vehicle valuation, at which point<br />
<br />
they were informed about the receipt of vehicle valuation and<br />
<br />
guarantee reminders. The Commissioner however does not agree, and<br />
<br />
finds that the subsequent “journey” messages are unsolicited, because<br />
they are not specifically requested by individuals, even if informed<br />
<br />
about them by WBAC.<br />
<br />
<br />
<br />
21. Furthermore, the Commissioner’s Direct Marketing Guidance states that<br />
<br />
the definition of direct marketing includes any message which includes<br />
<br />
some marketing element, even if that is not its main purpose. The<br />
Commissioner considers that these messages contain an element of<br />
<br />
marketing because they contain material promoting WBAC’s service and<br />
<br />
encouraging recipients to continue the valuation journey, and so are<br />
<br />
subject to the provisions of PECR.<br />
<br />
<br />
22. On the basis that 205.5 million emails from all categories were<br />
<br />
delivered in total, of which 14.1 million were solicited valuation emails,<br />
<br />
<br />
<br />
<br />
this equates to 191.4 million unsolicited marketing emails having been<br />
sent by WBAC.<br />
<br />
<br />
<br />
23. In addition to emails WBAC also informed the Commissioner that it sent<br />
<br />
16.3 million SMS over the same period, of which 4.2 million were<br />
<br />
marketing messages. 3.6 million of these were delivered. WBAC later<br />
<br />
confirmed that 2 million of the marketing messages were “batch”<br />
messages and 2.2 were “good news” messages, examples being as<br />
<br />
follows:<br />
<br />
<br />
<br />
Batch SMS: It takes less than 60 seconds to get an updated quote for<br />
<br />
your ~MANUFACTURER~! Click here > ~LINK~. Text STOP to 65800 to<br />
optout<br />
<br />
<br />
<br />
Good news SMS: Price alert: We can offer more for your<br />
<br />
~MANUFACTURER~! Don’t miss out on your higher valuation, click<br />
<br />
~LINK~. Text STOP to 65800 to optout.<br />
<br />
<br />
24. The Commissioner considers that the “batch” and “good news” SMS<br />
<br />
clearly encourage customers to continue with their valuation journey<br />
<br />
and therefore constitute direct marketing, as they promote WBAC’s<br />
<br />
service.<br />
<br />
<br />
25. With regard to consent to send marketing messages, WBAC informed<br />
<br />
the Commissioner that “where we do send emails that customers have<br />
<br />
not specifically requested, we do so relying on the ‘soft opt in’ under<br />
<br />
Regulation 22(3) PECR”.<br />
<br />
<br />
26. The Commissioner went onto consider whether WBAC either had valid<br />
<br />
consent to send the marketing emails and SMS, or in particular, based<br />
<br />
on assertions made by WBAC, whether it satisfied the criteria for<br />
<br />
<br />
reliance upon regulation 22(3) of PECR – the ‘soft opt-in’. In this regard<br />
WBAC stated: “Customer details are collected in the course of the<br />
<br />
customer choosing to use our service, with the opportunity to object<br />
<br />
presented to them once they have been presented with their valuation<br />
<br />
by email.”<br />
<br />
<br />
<br />
27. From a review of WBAC’s website, information presented to customers<br />
at the point of submitting their details to WBAC is as follows:<br />
<br />
<br />
<br />
“When you obtain a valuation, you agree to Webuyanycar’s Terms &<br />
<br />
Conditions, Privacy & Cookies Policy, and our Data & Communication<br />
<br />
Policy, which includes marketing communications regarding your<br />
vehicle. You can update our communication preferences at any time by<br />
<br />
visiting our Contact Preference Centre. We provide links to this in each<br />
<br />
of our emails.”<br />
<br />
<br />
<br />
“We will send you a copy of your valuation to your email address and<br />
<br />
mobile phone, along with reminders of how long your valuation is valid<br />
for. You will also receive updates that we believe will be of interest to<br />
<br />
you, such as significant marketing activity or limited offers in respect of<br />
<br />
your vehicle. You can choose not to receive any further communication<br />
<br />
from us at any time. All our emails have unsubscribe links, SMS<br />
<br />
messages accept STOP replies to 65800. Alternatively, you can visit our<br />
contact preference centre to opt-out of all or specific communications.”<br />
<br />
<br />
<br />
28. It is apparent from the above that whilst customers are informed of<br />
<br />
future ways to opt out at the point of collection of their details, the<br />
<br />
opportunity to actually object to marketing messages is presented only<br />
after provision of the vehicle valuation. Individuals have no opportunity<br />
<br />
to refuse marketing when initially inputting their details. WBAC accept<br />
<br />
that the opt-out provision does not occur until receipt of the first<br />
<br />
<br />
valuation email however believe that as there is a ‘minor temporal gap’<br />
between the two events it is ‘simultaneous’. The Commissioner does<br />
<br />
not accept WBAC’s position on this point and remains satisfied that<br />
<br />
WBAC do not comply with the requirements of Regulation 22(3)(c) in<br />
<br />
relation to the timing of the opt-out.<br />
<br />
<br />
<br />
29. WBAC also presented the Commissioner with a copy of its data<br />
protection impact assessment (“DPIA”) for the three categories of<br />
<br />
message as detailed in paragraph 18 above. Questions asked of WBAC<br />
<br />
in the DPIA are:<br />
<br />
<br />
<br />
1. Did WBAC obtain individuals’ contact details in the course of a<br />
sale or negotiations of a sale?<br />
<br />
2. Is the marketing message in respect of WBAC’s same or similar<br />
products and services?<br />
<br />
<br />
3. Were individuals given a simple means to refuse marketing when<br />
their details were collected?<br />
<br />
<br />
4. Have individuals been given a simple means of opting-out in each<br />
subsequent message?<br />
<br />
WBAC’s response for each of the three types of marketing message<br />
<br />
was:<br />
<br />
“Yes. All messages to the customer are in respect of our service.<br />
Customers have the option to update their communication<br />
<br />
preferences once they have received their 7 day guarantee<br />
(which is sent immediately), and all our communications contain<br />
an opt-out mechanism.”<br />
<br />
<br />
30. It appears from WBAC’s response to the DPIA that it failed to comply<br />
<br />
with Question 3, and in relation to Question 4 it seems WBAC has<br />
<br />
misunderstood or misinterpreted PECR by providing customers an<br />
<br />
opportunity to opt out only in messages sent following the initial<br />
valuation email. The Commissioner found that because customers were<br />
<br />
<br />
<br />
not able to refuse marketing communications at the initial point of<br />
collection of their data, WBAC had in fact failed to meet the<br />
<br />
requirement at Regulation 22(3)(c) of PECR – the ‘soft opt in’.<br />
<br />
<br />
<br />
31. It is noteworthy that upon review of a copy of the unsubscribe journey<br />
<br />
also provided by WBAC, the available customer contact preference<br />
<br />
options refer to: all WBAC communications, “service” emails and SMS,<br />
and newsletters. It is clear from WBAC’s own interpretation of “service”<br />
<br />
as provided during the investigation, that it encompassed “the whole<br />
<br />
business and offering to consumers of WBAC to make offers to<br />
<br />
purchase used vehicles”. This is an unconventional definition of<br />
<br />
“service” and at odds with the Commissioner’s definition of “service<br />
messages” in her own Direct Marketing Code of Practice, which WBAC<br />
<br />
acknowledged it had consulted. In this instance the Commissioner<br />
<br />
considered that customers may misinterpret the options in the<br />
<br />
communication preferences centre, which would lead to them<br />
<br />
remaining signed up to receive marketing messages under the<br />
<br />
misapprehension that they have only chosen to opt in to receive<br />
genuine service emails. As such the Commissioner considers that WBAC<br />
<br />
is unable to satisfy the requirement in Regulation 22(3)(c) relating to<br />
<br />
provision of a “simple means” of refusal.<br />
<br />
<br />
<br />
32. In conclusion the Commissioner considers that WBAC’s business model<br />
is fundamentally flawed in that it is unable to satisfy Regulation 22 in<br />
<br />
terms of valid consent, nor the requirements of the ‘soft opt-in’ under<br />
<br />
Regulation 22(3), in order to send unsolicited marketing messages to<br />
<br />
its customers.<br />
<br />
<br />
<br />
33. Further analysis of complaints data established that in addition to 12<br />
complaints received about emails, 26 SMS messages were reported as<br />
<br />
<br />
<br />
<br />
SPAM to the 7726 service, and the Commissioner received 4 complaints<br />
about SMS directly via her online reporting tool (“OLRT”).<br />
<br />
<br />
<br />
34. Examples of some of the complaints are as follows:<br />
<br />
<br />
<br />
“I’ve tried to unsubscribe twice and I’m still getting emails.”<br />
<br />
<br />
“Having repeatedly asked them to not send me any more messages, I<br />
<br />
continue to receive direct marketing”<br />
<br />
<br />
<br />
“I got a quote from we buy any car last summer and since then I have<br />
<br />
been bombarded with emails from them about the car I received the<br />
quote for. I have requested to unsubscribe from their service in full at<br />
<br />
least 3 to 4 times possibly more, I have lost count. But still I get emails<br />
<br />
from them - I tend to delete them now but today I decided to try again<br />
<br />
to remove myself from their service. You never get any confirmation<br />
<br />
that you've succeeded either.”<br />
<br />
<br />
“An email asking me if I wanted to sell my car. I have not consented to<br />
<br />
these emails and they have been sent daily despite me unsubscribing<br />
<br />
twice.”<br />
<br />
<br />
<br />
“I did use their website to see how much my car is worth, but I did not<br />
consent to being hassled via text messages to bring my car to their<br />
<br />
local site to sell it (in 3 texts so far, and numerous emails also). When I<br />
<br />
used website to value my car it did not have an opt-out for further<br />
<br />
marketing or if it did it was not in an obvious visible place. It seems<br />
<br />
that they are not upfront about hassling people who use their website,<br />
<br />
the purpose of which seems to be to collect data about people. If there<br />
was an opt-out it was not placed where it was easily visible, so I feel<br />
<br />
deceived.” (compilation of three complaints from the same individual).<br />
<br />
<br />
35. The Commissioner has made the above findings of fact on the balance<br />
<br />
of probabilities.<br />
<br />
<br />
36. The Commissioner has considered whether those facts constitute a<br />
contravention of regulation 22 of PECR by WBAC and, if so, whether the<br />
<br />
conditions of section 55A DPA are satisfied.<br />
<br />
<br />
<br />
The contravention<br />
<br />
<br />
37. The Commissioner finds that WBAC has contravened Regulation 22 of<br />
<br />
PECR. The Commissioner finds that the contravention was as follows:<br />
<br />
<br />
38. Between 7 April 2019 and 7 April 2020 WBAC transmitted 191.4 million<br />
<br />
emails and 3.6 million SMS (totalling 195 million unsolicited<br />
<br />
communications) over a public electronic communications network by<br />
<br />
means of electronic mail to individual subscribers for the purposes of<br />
direct marketing contrary to regulation 22 of PECR.<br />
<br />
<br />
39. Organisations cannot generally send marketing emails or SMS unless<br />
<br />
the recipient has notified the sender that they consent to such emails<br />
<br />
being sent by, or at the instigation of, that sender. The Commissioner<br />
<br />
is satisfied that there was no such consent.<br />
<br />
<br />
40. An organisation which is reliant upon regulation 22(3) of PECR to send<br />
<br />
marketing emails and SMS to its customers, as appears to be the case<br />
here, must ensure the recipient has been given a simple means of<br />
<br />
refusing the use of their contact details for the purposes of such direct<br />
<br />
marketing at the time that the details were initially collected. WBAC<br />
<br />
failed to do so.<br />
<br />
<br />
41. The Commissioner is satisfied that WBAC is unable to satisfy Regulation<br />
<br />
22 in terms of valid consent, nor the requirements of the ‘soft opt in’<br />
<br />
<br />
under Regulation 22(3), in order to send unsolicited marketing<br />
messages to its customers.<br />
<br />
<br />
42. The Commissioner is satisfied that WBAC was responsible for this<br />
<br />
contravention.<br />
<br />
<br />
43. The Commissioner has gone on to consider whether the conditions<br />
<br />
under section 55A DPA were met.<br />
<br />
<br />
<br />
Seriousness of the contravention<br />
<br />
<br />
44. The Commissioner is satisfied that the contravention identified above<br />
<br />
was serious.<br />
<br />
<br />
<br />
45. This is because WBAC sent 191.4 million marketing emails and 3.6<br />
million marketing SMS messages to individuals without fully satisfying<br />
<br />
the requirements of the soft opt in, resulting in 42 complaints to the<br />
<br />
Commissioner, over a period of twelve months.<br />
<br />
<br />
<br />
46. The Commissioner’s guidance in relation to PECR states that “making a<br />
<br />
large number of marketing calls based on recorded messages or<br />
sending large numbers of marketing text messages to individuals who<br />
<br />
have not consented to receive them […] is likely to constitute a serious<br />
<br />
contravention of the Regulations”. The situation here is analogous in<br />
<br />
that substantial numbers of marketing emails and SMS were sent to<br />
<br />
individuals who had not consented to receive them and had not been<br />
provided an opportunity to opt out. WBAC conducted a sustained and<br />
<br />
long term approach to marketing based upon a flawed soft opt in<br />
<br />
mechanism.<br />
<br />
<br />
<br />
47. Upon analysis of the 7726 complaints, 83.3% of complainants chose<br />
<br />
the option “It made me annoyed and/or anxious” in response to the<br />
<br />
question “How did this message affect you?”. From this the<br />
Commissioner can infer that the unsolicited marketing messages have<br />
<br />
negatively impacted the recipients.<br />
<br />
<br />
<br />
48. The Commissioner is therefore satisfied that condition (a) from section<br />
<br />
55A(1) DPA is met.<br />
<br />
<br />
Deliberate or foreseeable contravention<br />
<br />
<br />
<br />
49. The Commissioner has considered whether the contravention identified<br />
<br />
above was deliberate. In the Commissioner’s view, this means that<br />
WBAC’s actions which constituted that contravention were deliberate<br />
<br />
actions (even if WBAC did not actually intend thereby to contravene<br />
<br />
PECR).<br />
<br />
<br />
<br />
50. The Commissioner considers that WBAC’s actions in failing to include a<br />
consent statement at the point of collection of customer’s information<br />
<br />
was not a deliberate act.<br />
<br />
<br />
<br />
51. Accordingly the Commissioner has gone on to consider whether the<br />
<br />
contravention identified above was negligent.<br />
<br />
<br />
52. First, she has considered whether WBAC knew or ought reasonably to<br />
<br />
have known that there was a risk that this contravention would occur.<br />
<br />
She is satisfied that this condition is met, given that WBAC is a well-<br />
<br />
established organisation and its business model relied heavily on direct<br />
<br />
marketing.<br />
<br />
<br />
53. WBAC is registered with the ICO as a data controller and as such<br />
<br />
should be aware of the Regulations. As the sender of the emails and<br />
<br />
SMS it was the responsibility of WBAC to ensure either valid consent<br />
<br />
<br />
had been obtained prior to their transmission, or all the criteria for the<br />
soft opt in had been satisfied.<br />
<br />
<br />
<br />
54. The Commissioner has published detailed guidance for those carrying<br />
<br />
out direct marketing explaining their legal obligations under PECR. This<br />
<br />
guidance explains the circumstances under which organisations are<br />
<br />
able to carry out marketing over the phone, by text, by email, or by<br />
fax. The ICO also operates a helpline should organisations require<br />
<br />
further clarification or assistance with specific enquiries.<br />
<br />
<br />
55. Furthermore, the issue of unsolicited marketing has been widely<br />
<br />
publicised by the media as being a problem.<br />
<br />
<br />
<br />
56. WBAC took some steps to ensure compliance by consulting the<br />
Commissioner’s guidance and Direct Marketing Code of Practice, and<br />
<br />
completing a DPIA. This demonstrates some awareness on the part of<br />
<br />
WBAC as to its statutory obligations.<br />
<br />
<br />
<br />
57. It is therefore reasonable to suppose that WBAC knew or ought<br />
reasonably to have known that there was a risk that these<br />
<br />
contraventions would occur.<br />
<br />
<br />
<br />
58. The Commissioner has also considered whether WBAC failed to take<br />
<br />
reasonable steps to prevent the contraventions.<br />
<br />
<br />
59. Reasonable steps could have included seeking and fully implementing<br />
appropriate guidance on the rules in relation to electronic direct<br />
<br />
marketing. Regulation 22 is clear that a data controller must not send<br />
<br />
direct marketing via electronic means unless it can evidence consent or<br />
<br />
satisfy all the requirements of the soft opt in.<br />
<br />
<br />
<br />
<br />
<br />
60. WBAC confirmed that it had consulted the guidance and outlined the<br />
requirements of the soft opt in in the DPIA, but have not satisfied its<br />
<br />
requirements. It has also sought legal advice. Whilst WBAC included<br />
<br />
information about marketing activity and how an individual can update<br />
<br />
their preferences in the information presented to customers at the point<br />
<br />
of inputting their details into the website, it did not allow individuals the<br />
<br />
opportunity to opt out of marketing at the time their details are<br />
collected. Proper review and understanding of Regulation 22 would<br />
<br />
have made it clear that this option should be presented to individuals at<br />
<br />
the point of requesting a valuation to ensure compliance.<br />
<br />
<br />
<br />
61. It is also noteworthy that in relation to its contact preference options<br />
(see paragraph 31 above) WBAC has acknowledged that its own<br />
<br />
definition of “service messages” is at odds with general understanding<br />
<br />
and ICO guidance but has given no indication that it intends to make<br />
<br />
any changes to its contact preference options. Individuals should be<br />
<br />
presented with options which clearly distinguish marketing<br />
<br />
communications from genuine “service” messages so as to avoid<br />
customers inadvertently signing up to unwanted direct marketing.<br />
<br />
<br />
<br />
62. The Commissioner is therefore satisfied that condition (b) from section<br />
<br />
55A(1) DPA is met.<br />
<br />
<br />
The Commissioner’s decision to impose a monetary penalty<br />
<br />
<br />
63. The Commissioner considers there are no aggravating features of<br />
<br />
this case.<br />
<br />
<br />
<br />
64. The Commissioner has taken into account the following mitigating<br />
<br />
factors:<br />
<br />
<br />
<br />
<br />
• WBAC made some effort towards ensuring compliance with PECR<br />
such as consulting the ICO Guidance, seeking legal advice and<br />
<br />
completing a DPIA, albeit these steps ultimately failed to achieve<br />
<br />
compliance.<br />
<br />
<br />
<br />
65. For the reasons explained above, the Commissioner is satisfied that the<br />
<br />
conditions from section 55A(1) DPA have been met in this case. She is<br />
also satisfied that the procedural rights under section 55B have been<br />
<br />
complied with.<br />
<br />
<br />
<br />
66. This has included issuing a Notice of Intent on 26 May 2021, in which<br />
<br />
the Commissioner set out her preliminary thinking, and invited WBAC<br />
to make representations in response.<br />
<br />
<br />
<br />
67. The Commissioner received and has considered Representations from<br />
<br />
WBAC dated 16 July 2021.<br />
<br />
<br />
<br />
68. The Commissioner is accordingly entitled to issue a monetary penalty<br />
in this case.<br />
<br />
<br />
<br />
69. The Commissioner has considered whether, in the circumstances, she<br />
<br />
should exercise her discretion so as to issue a monetary penalty. She<br />
<br />
has decided that a monetary penalty is an appropriate and<br />
proportionate response to the finding of a serious contravention of<br />
<br />
Regulation 22 of PECR by WBAC.<br />
<br />
<br />
<br />
70. The Commissioner’s underlying objective in imposing a monetary<br />
<br />
penalty notice is to promote compliance with PECR. The sending of<br />
<br />
unsolicited direct marketing emails and SMS is a matter of significant<br />
public concern. A monetary penalty in this case should act as a general<br />
<br />
encouragement towards compliance with the law, or at least as a<br />
<br />
<br />
deterrent against non-compliance, on the part of all persons running<br />
businesses currently engaging in these practices. This is an opportunity<br />
<br />
to reinforce the need for businesses to ensure that they are only<br />
<br />
contacting consumers who want to receive these emails and SMS.<br />
<br />
<br />
<br />
71. The Commissioner has also considered the likely impact of a monetary<br />
<br />
penalty on WBAC.<br />
<br />
<br />
The amount of the penalty<br />
<br />
<br />
<br />
72. Taking into account all of the above, the Commissioner has decided<br />
<br />
that the amount of the penalty is £200,000 (two hundred thousand<br />
pounds).<br />
<br />
<br />
<br />
Conclusion<br />
<br />
<br />
<br />
73. The monetary penalty must be paid to the Commissioner’s office by BACS<br />
transfer or cheque by 12 October 2021 at the latest. The monetary<br />
<br />
penalty is not kept by the Commissioner but will be paid into the<br />
<br />
Consolidated Fund which is the Government’s general bank account at the<br />
<br />
Bank of England.<br />
<br />
<br />
74. If the Commissioner receives full payment of the monetary penalty by 11<br />
<br />
October 2021 the Commissioner will reduce the monetary penalty by<br />
<br />
20% to £160,000 (one hundred and sixty thousand pounds).<br />
<br />
However, you should be aware that the early payment discount is not<br />
<br />
available if you decide to exercise your right of appeal.<br />
<br />
<br />
75. There is a right of appeal to the First-tier Tribunal (Information Rights)<br />
<br />
against:<br />
<br />
<br />
<br />
<br />
(a) the imposition of the monetary penalty and/or;<br />
<br />
<br />
(b) the amount of the penalty specified in the monetary penalty<br />
<br />
notice.<br />
<br />
<br />
<br />
73. Any notice of appeal should be received by the Tribunal within 28 days<br />
<br />
of the date of this monetary penalty notice.<br />
<br />
<br />
74. Information about appeals is set out in Annex 1.<br />
<br />
<br />
75. The Commissioner will not take action to enforce a monetary penalty<br />
<br />
unless:<br />
<br />
<br />
• the period specified within the notice within which a monetary penalty<br />
<br />
must be paid has expired and all or any of the monetary penalty has<br />
<br />
not been paid;<br />
<br />
<br />
<br />
• all relevant appeals against the monetary penalty notice and any<br />
<br />
variation of it have either been decided or withdrawn; and<br />
<br />
• period for appealing against the monetary penalty and any variation<br />
<br />
of it has expired.<br />
<br />
<br />
76. In England, Wales and Northern Ireland, the monetary penalty is<br />
<br />
recoverable by Order of the County Court or the High Court. In<br />
<br />
Scotland, the monetary penalty can be enforced in the same manner<br />
as an extract registered decree arbitral bearing a warrant for execution<br />
<br />
issued by the sheriff court of any sheriffdom in Scotland.<br />
<br />
<br />
Dated the 13th day of September 2021<br />
<br />
<br />
<br />
Andy Curry<br />
Head of Investigations<br />
<br />
Information Commissioner’s Office<br />
Wycliffe House<br />
Water Lane<br />
Wilmslow<br />
Cheshire<br />
<br />
SK9 5AF<br />
<br />
<br />
ANNEX 1<br />
<br />
<br />
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998<br />
<br />
<br />
<br />
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER<br />
<br />
<br />
<br />
1. Section 55B(5) of the Data Protection Act 1998 gives any person<br />
upon whom a monetary penalty notice has been served a right of<br />
<br />
appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’)<br />
<br />
against the notice.<br />
<br />
<br />
<br />
2. If you decide to appeal and if the Tribunal considers:-<br />
<br />
<br />
a) that the notice against which the appeal is brought is not in<br />
<br />
accordance with the law; or<br />
<br />
<br />
<br />
b) to the extent that the notice involved an exercise of<br />
<br />
discretion by the Commissioner, that she ought to have exercised<br />
her discretion differently,<br />
<br />
<br />
<br />
the Tribunal will allow the appeal or substitute such other decision as<br />
<br />
could have been made by the Commissioner. In any other case the<br />
<br />
Tribunal will dismiss the appeal.<br />
<br />
<br />
3. You may bring an appeal by serving a notice of appeal on the<br />
<br />
Tribunal at the following address:<br />
<br />
<br />
<br />
General Regulatory Chamber<br />
HM Courts & Tribunals Service<br />
PO Box 9300<br />
Leicester<br />
<br />
LE1 8DJ<br />
Telephone: 0203 936 8963<br />
<br />
Email: grc@justice.gov.uk<br />
<br />
<br />
a) The notice of appeal should be sent so it is received by the<br />
Tribunal within 28 days of the date of the notice.<br />
<br />
<br />
<br />
b) If your notice of appeal is late the Tribunal will not admit it<br />
<br />
unless the Tribunal has extended the time for complying with this<br />
<br />
rule.<br />
<br />
<br />
4. The notice of appeal should state:-<br />
<br />
<br />
<br />
a) your name and address/name and address of your<br />
<br />
representative (if any);<br />
<br />
<br />
b) an address where documents may be sent or delivered to<br />
<br />
you;<br />
<br />
<br />
<br />
c) the name and address of the Information Commissioner;<br />
<br />
<br />
<br />
d) details of the decision to which the proceedings relate;<br />
<br />
<br />
e) the result that you are seeking;<br />
<br />
<br />
<br />
f) the grounds on which you rely;<br />
<br />
<br />
g) you must provide with the notice of appeal a copy of the<br />
<br />
monetary penalty notice or variation notice;<br />
<br />
<br />
<br />
h) if you have exceeded the time limit mentioned above the<br />
<br />
notice of appeal must include a request for an extension of time<br />
<br />
<br />
<br />
<br />
and the reason why the notice of appeal was not provided in<br />
time.<br />
<br />
<br />
<br />
5. Before deciding whether or not to appeal you may wish to consult<br />
<br />
your solicitor or another adviser. At the hearing of an appeal a party<br />
<br />
may conduct his case himself or may be represented by any person<br />
<br />
whom he may appoint for that purpose.<br />
<br />
<br />
6. The statutory provisions concerning appeals to the First-tier<br />
<br />
Tribunal (Information Rights) are contained in section 55B(5) of, and<br />
<br />
Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure<br />
<br />
(First-tier Tribunal) (General Regulatory Chamber) Rules 2009<br />
(Statutory Instrument 2009 No. 1976 (L.20)).<br />
<br />
<br />
</pre></div>Mariam-hwthhttps://gdprhub.eu/index.php?title=CJEU_-_C-398/15_-_Salvatore_Manni&diff=19698CJEU - C-398/15 - Salvatore Manni2021-09-16T16:26:27Z<p>Mariam-hwth: Created page with "{{CJEUdecisionBOX |Case_Number_Name=C-398/15 Salvatore Manni |ECLI=ECLI:EU:C:2017:197 |Opinion_Link= |Judgement_Link=http://curia.europa.eu/juris/document/document.jsf?text=..."</p>
<hr />
<div>{{CJEUdecisionBOX<br />
<br />
|Case_Number_Name=C-398/15 Salvatore Manni<br />
|ECLI=ECLI:EU:C:2017:197<br />
<br />
|Opinion_Link=<br />
|Judgement_Link=http://curia.europa.eu/juris/document/document.jsf?text=&docid=218462&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=875890/<br />
<br />
|Date_Decided=09.03.2017<br />
|Year=2017<br />
<br />
<br />
|EU_Law_Name_1=Article 2 of First Council Directive 68/151/EEC (1968) on co-ordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community<br />
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31968L0151&from=EN<br />
|EU_Law_Name_2=Article 3 of First Council Directive 68/151/EEC (1968) on co-ordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community <br />
|EU_Law_Link_2=https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31968L0151&from=EN<br />
|EU_Law_Name_3=Article 6 of Data Protection Directive 1995 (95/46/EC)<br />
|EU_Law_Link_3=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:31995L0046<br />
|EU_Law_Name_4=Article 6(1)(e) of Data Protection Directive 1995 (95/46/EC)<br />
|EU_Law_Link_4=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:31995L0046<br />
|EU_Law_Name_5=Article 7 of Charter of Fundamental Rights of the European Union<br />
|EU_Law_Link_5=https://www.europarl.europa.eu/charter/pdf/text_en.pdf<br />
|EU_Law_Name_6=Article 8 of Charter of Fundamental Rights of the European Union<br />
|EU_Law_Link_6=https://www.europarl.europa.eu/charter/pdf/text_en.pdf<br />
|EU_Law_Name_7=Directive 2003/58/EC of the European Parliament and of the Council of 15 July 2003<br />
|EU_Law_Link_7=https://www.legislation.gov.uk/eudr/2003/58/pdfs/eudr_20030058_adopted_en.pdf<br />
|EU_Law_Name_8=Directive 2009/101/EC (2009) on coordination of safeguards which, for the protection of the interests of members and third parties, are required by Member States of companies within the meaning of the second paragraph of Article 48 of the Treaty, with a view to making such safeguards equivalent<br />
|EU_Law_Link_8=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32009L0101<br />
|EU_Law_Name_9=Directive 2012/17/EU (2012)<br />
|EU_Law_Link_9=https://www.legislation.gov.uk/eudr/2012/17/article/1<br />
|EU_Law_Name_10=Article 7 of Data Protection Directive 1995 (95/46/EC)<br />
|EU_Law_Link_10=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:31995L0046<br />
<br />
|National_Law_Name_1=Article 2188 of the Italian Civil Code (codice civile)<br />
|National_Law_Link_1=https://www.ricercagiuridica.com/codici/vis.php?num=10690#id1<br />
<br />
|Party_Name_1=Camera di Commercio Lecce (Lecce Chamber of Commerce)<br />
|Party_Link_1=https://www.le.camcom.gov.it/<br />
|Party_Name_2=Salvatore Manni<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Reference_Body=Corte suprema di cassazione<br />
|Reference_Case_Number_Name=<br />
<br />
|Initial_Contributor=MH<br />
|<br />
}}<br />
<br />
The Court of Justice of the European Union held that Member States have to determine on a case-by-case basis whether the right to obtain the erasure of personal data from their national register of companies outweighs the right to make these details publicly available for legal certainty and fair trading in the internal market. The data subject making the erasure request must demonstrate overriding and legitimate reasons.<br />
<br />
==English Summary==<br />
<br />
=== Facts ===<br />
Article 2188 of the Italian civil code states that companies must be on a publicly available register.<br />
<br />
Salvatore Manni is the sole director of a building company, Italiana Costruzioni Srl, which was awarded a building contract. Manni brought proceedings claiming that the properties in the building complex failed to sell on the basis that he had been sole director of another company ('Immobiliare Salentina'), which was declared insolvent and struck off the register a few years prior.<br />
<br />
Manni argued that personal data concerning him appeared on the register and was processed by a company which subsequently gave him a negative rating.<br />
<br />
Mr Manni requested the Lecce Chamber of Commerce in charge of the register to erase, anonymise or block the data linking him to Immobiliare Salentina. He also asked for damages as compensation for injury to his reputation.<br />
<br />
The Court of Lecce initially upheld his claim, ordered the Lecce Chamber of Commerce to anonymise his data and awarded him 2000 EUR in damages. The Lecce Chamber of Commerce appealed this decision to the Court of Cassation which referred questions to the Court of Justice for a preliminary ruling:<br />
- Does the obligation to remove data no longer necessary for the purpose stated under Article 6(1)(e) take precedence over the Italian law obligation to include details on the register?<br />
- Is there a derogation to the principle under Article 3 Directive 68/151 that there should be no time limit to data published in the companies register?<br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
The Court highlighted that under Article 2(1)(d) Directive 68/151, Member States must make compulsory the disclosure by companies of appointments, termination of office, legal proceedings, entering into administration, etc. Articles 3(1) and (3) of the same Directive outline that this must be in a register of companies, and the information may constitute personal data of identified or identifiable natural persons as per the Data Protection Directive 95/46.<br />
<br />
The Court held that the data controller for this personal data would be the authority responsible for maintaining the register. <br />
<br />
The Court highlighted the fact that the Data Protection Directive aims to provide a high level of protection to fundamental rights and cited Google Spain (C-131/12). Additionally, the Court mentioned that the rights under the Data Protection Directive must be read in the light of the fundamental rights guaranteed by the EU Charter (Article 7, respect for private life and Article 8, right to data protection), citing Schrems I (C-362/14). <br />
<br />
The Court went on to highlight the principle of "data quality" under Article 6 of the Data Protection Directive, as well as having a legitimate "criteria" for processing data under Article 7 of that same Directive. It considered that Articles 2 and 3 of Directive 68/151 provided several lawful bases for processing by the authority responsible for the register: legal obligation, public interest task and legitimate interest. The Court highlighted that it has previously held in Compass-Datenbank (C‑138/11) that the activity of a public authority storing data under a legal obligation would fall within the exercise of their public powers and in the public interest.<br />
<br />
However, the Court noted that processing such data under that lawful basis is possible only so long as it is necessary for the purposes outlined (Article 6(1)(e) Data Protection Directive). If that is not the case, the data subject has a right to obtain the erasure or blocking of the data.<br />
<br />
The Court went on to determine the purpose of Directive 68/151 as providing legal certainty in relation to dealings between companies and third parties, as well as facilitating the creation of the internal market. Additionally, case law (Daihatsu Deutschland, C‑97/96 and Springer, C‑435/02) outlines that Article 3 of Directive 68/151 is intended to enable third parties to inform themselves and protect themselves, reflecting the EEC Treaty wording (Article 54(3)(g)). However, Directive 68/151 makes no mention of whether providing personal data on the register is necessary to achieve that aim. The Court nonetheless considered that it may be necessary to have that information despite the dissolution of a company for any rights and legal relations that may continue to exist. As Member States have different limitation periods, there is no specific time frame for which this data may be required. Therefore, the Court found that Member States cannot guarantee that individuals, whose personal data is on their register, will have the right to obtain erasure or blocking of their data.<br />
<br />
The Court did not consider that this causes an interference with the rights under the Charter as Directive 68/151 only requires limited personal data to be put on registers. Additionally, it considered it natural that individuals who choose to participate in trade through a company would be required to disclose data relating to their identity. Finally, it considered that the need to protect the interest of third parties and ensure legal certainty and fair trading for the internal market may take precedence. However, the Court did not exclude that in specific scenarios, there may be overriding and legitimate reasons for the data of the person concerned to be kept for a limited (and shorter) period of time after expiry. The burden of proof of demonstrating this specific reason falls on the data subject. <br />
<br />
The Court concluded that the balancing of rights under the Data Protection Directive and Directive 68/151 should be done on a case by case basis. The Court therefore left it for the national court to make the assessment of whether Salvatore Manni's data protection rights outweigh the rights under Directive 68/151. The Court did note that the fact that Manni could not purchase the buildings based on the data available on the register would not be a sufficient reason. <br />
<br />
== Comment ==<br />
This decision is quite interesting for anyone interested in the balancing of fundamental rights in the EU, especially when it comes to economic interests. Although the Court stated that it was for the national court to make the assessment, it considered that Manni's reasons (having been prevented from purchasing a building complex) were insufficient. It seems, from this judgement, that in 2017, the requirement of transparency for fair trading reasons seemed to outweigh the right to have personal data erased from publicly available registers.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''</div>Mariam-hwthhttps://gdprhub.eu/index.php?title=ICO_(UK)_-_Emailmovers_Limited&diff=17525ICO (UK) - Emailmovers Limited2021-07-24T16:41:03Z<p>Mariam-hwth: Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO (UK) |DPA_With_Country=ICO (UK) |Case_Number_N..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|DPA-BG-Color=background-color:#023868;<br />
|DPAlogo=LogoUK.png<br />
|DPA_Abbrevation=ICO (UK)<br />
|DPA_With_Country=ICO (UK)<br />
<br />
|Case_Number_Name=Emailmovers Limited<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Information Commissioner's Office<br />
|Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/enforcement-notices/2620027/emailmovers-limited-en.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=22.06.2021<br />
|Date_Published=25.06.2021<br />
|Year=2021<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4(7) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#7<br />
|GDPR_Article_2=Article 4(11) GDPR<br />
|GDPR_Article_Link_2=Article 4 GDPR#11<br />
|GDPR_Article_3=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1a<br />
<br />
<br />
<br />
|Party_Name_1= Emailmovers Limited<br />
|Party_Link_1=https://www.qwant.com/?q=+Emailmovers+Limited+&client=ext-firefox-sb&t=web<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The UK DPA (Information Commissioner's Office) found Emailmovers Limited (EML) in violation of Article 5(1)(f) of the GDPR for having an email database with no clear lawful basis, nor evidence that individuals were informed that EML had acquired their personal data. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Emailmovers Limited (EML) advertises its services, such as email data, email cleansing, email marketing, etc. It has a database of data subjects' email addresses. On its website, it claims that it has a "GDPR and PECR [Privacy and Electronic Communications (EC Directive) Regulations 2003] compliant email database". The data was received from an unnamed organisation that collected the individuals' personal data and mentioned that it may be shared with third parties for marketing purposes. <br />
<br />
In 2018, EML was investigated by the Information Commissioner's Office (ICO). EML provided the ICO enforcement team with 7000 records of personal data (names, dates of birth, postcodes, phone numbers, email addresses).<br />
<br />
Emailmovers Limited claimed to the ICO that it was a data processor rather than a controller, on the basis that it processed data subjects' personal data on behalf of its business clients. It also relied on a document ("Legal and Commercial Terms for the Supply of Commercial and Personal Data") in which it classified itself as a processor to its business clients. <br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
The Information Commissioner's Office first established that Emailmovers Limited (EML) was a data controller by virtue of the definition in [[Article 4 GDPR#7|Article 4(7) GDPR]]. First, the ICO highlighted that EML's "Legal and Commercial Terms..." points to the fact that EML decided who it supplied the personal data to. Additionally, the ICO found that EML determined the purposes of processing the personal data when deciding whether to disclose the database to certain business clients. EML also had broad discretion over how the data is created, stored and manipulated. The ICO also clarified that the fact that the "Legal and Commercial Terms..." document specified that EML was a processor is not conclusive. Instead, one must rely on the definition of controller found in [[Article 4 GDPR#7|Article 4(7) GDPR]]. The ICO concluded that EML determines the purposes and means of processing and is as such a data controller. <br />
<br />
The ICO considered that EML has processed personal data in a manner that is not fair, lawful or transparent. It is therefore in violation of Article 5(1)(a) of the GDPR. The ICO concluded that EML did not identify a lawful basis to engage in business to consumer marketing, presumably because EML argued that it was a processor. According to evidence provided by EML, the only possible lawful basis that could have been relied upon is consent. However, the ICO is not satisfied that consent would have been effectively collected. <br />
<br />
The ICO found that the privacy policy of the organisation that collected the personal data, despite stating that individuals' personal data would be shared with third parties for marketing purposes, was not specific enough. It did not clearly name the third party recipients. <br />
<br />
The ICO highlighted the requirements for consent, including that it needs to be "specific and informed". It specified that consent for purchased "consented" data is valid only where the purchaser is identified at the time of collection of the data (the point where consent was given). Therefore, EML could not rely on valid consent as a lawful basis for the purchased data, as it was not identified to individuals as a potential buyer. <br />
<br />
Additionally, EML did not process personal data in a transparent way as individuals were not aware EML was processing their data and EML's clients were not identified to data subjects either. <br />
<br />
Therefore, the ICO found EML in violation of Article 5(1)(f) of the GDPR. The ICO therefore requires that EML complies with the following within three months:<br />
- notify individuals whose personal data was or is processed by EML of the purposes of processing, the legal basis, the categories of personal data concerned and the recipients of this data (Article 14 GDPR);<br />
- cease to process personal data of data subjects to whom the information notices mentioned in the point above have not been sent;<br />
- cease to process personal data obtained on the (alleged) basis of consent;<br />
- ensure that appropriate records of consent are kept. <br />
In the ICO's view, compliance with its notice would remedy the violation, and a fine may be imposed if EML does not comply. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
THE DATA PROTECTION ACT 2018<br />
<br />
(PART 6, SECTION 149)<br />
<br />
<br />
ENFORCEMENT POWERS OF THE INFORMATION COMMISSIONER<br />
<br />
<br />
<br />
ENFORCEMENT NOTICE<br />
<br />
<br />
<br />
To: Emailmovers Limited<br />
<br />
<br />
Of: C/O Jackson Robson Licence<br />
<br />
33-35 Exchange Street<br />
<br />
Driffield<br />
<br />
East Yorkshire<br />
<br />
YO25 6LL<br />
<br />
<br />
1. The Information Commissioner ("Commissioner") has decided that it<br />
<br />
would be appropriate to issue Emailmovers Limited ("EML") with an<br />
<br />
enforcement notice under section 149 of the Data Protection Act<br />
<br />
2018 ("DPA") based on a failure by EML to comply with Art 5(1)(a)<br />
of the General Data Protection Regulation EU2016/679 as it forms<br />
<br />
part of the law of England and Wales, Scotland and Northern<br />
<br />
Ireland by virtue of section 3 of the European Union (Withdrawal)<br />
<br />
Act 2018 ("UK GDPR").<br />
<br />
<br />
<br />
2. This notice explains the Commissioner's reasons for that opinion.<br />
<br />
<br />
3. A Preliminary Enforcement Notice was given to EML on 4 September<br />
2019 and an opportunity to make representations was provided. A<br />
<br />
further opportunity to make representations was also afforded to<br />
<br />
EML on 23 April 2021. The Commissioner has considered those<br />
<br />
<br />
<br />
<br />
representations and taken them into account in determining<br />
<br />
whether an Enforcement Notice should be issued.<br />
<br />
<br />
Legal Framework<br />
<br />
<br />
<br />
Controller<br />
<br />
<br />
<br />
4. The Commissioner is of the view that EML is a controller as defined<br />
<br />
in Article 4(7) of the UK GDPR and section 6 of the Data Protection<br />
Act 2018 ("DPA"). A controller is "the natural or legal person, public<br />
<br />
authority, agency or other body which, alone or jointly with others,<br />
<br />
determines the purposes and means of the processing of personal<br />
<br />
data".<br />
<br />
<br />
<br />
5. Although EML characterises itself as a processor, the Commissioner<br />
does not accept that characterisation for the reasons set out below.<br />
<br />
<br />
<br />
The obligation to process data fairly, lawfully and transparently<br />
<br />
<br />
<br />
6. Personal data must be "processed lawfully, fairly and in a<br />
transparent manner in relation to the data subject": UK GDPR Art<br />
<br />
5(1)(a). This provision is supplemented by Recital 39 which<br />
<br />
provides, relevantly:<br />
<br />
<br />
"Any processing of personal data should be lawful and fair. It should<br />
<br />
be transparent to natural persons that personal data concerning<br />
<br />
them are collected, used, consulted or otherwise processed and to<br />
<br />
what extent the personal data are or will be processed. The<br />
principle of transparency requires that any information and<br />
<br />
communication relating to the processing of those personal data be<br />
<br />
easily accessible and easy to understand, and that clear and plain<br />
<br />
language be used. That principle concerns, in particular, information<br />
<br />
<br />
to the data subjects on the identity of the controller and the<br />
<br />
purposes of the processing and further information to ensure fair<br />
<br />
and transparent processing in respect of the natural persons<br />
<br />
concerned and their right to obtain confirmation and communication<br />
of personal data concerning them which are being processed.<br />
<br />
Natural persons should be made aware of risks, rules, safeguards<br />
<br />
and rights in relation to the processing of personal data and how to<br />
<br />
exercise their rights in relation to such processing."<br />
<br />
<br />
7. Recital 58 also emphasises the need for transparency in processing:<br />
<br />
<br />
<br />
"The principle of transparency requires that any information<br />
<br />
addressed to the public or to the data subject be concise, easily<br />
<br />
accessible and easy to understand, and that clear and plain<br />
<br />
language and, additionally, where appropriate, visualisation be<br />
used. Such information could be provided in electronic form, for<br />
<br />
example, when addressed to the public, through a website. This is<br />
<br />
of particular relevance in situations where the proliferation of actors<br />
<br />
and the technological complexity of practice makes it difficult for the<br />
<br />
data subject to know and understand whether, by whom and for<br />
what purpose personal data relating to him or her are being<br />
<br />
collected, such as in the case on online advertising ..." (Emphasis<br />
<br />
added)<br />
<br />
<br />
<br />
Lawful bases of processing<br />
<br />
<br />
8. Processing will only be lawful where at least one of the<br />
<br />
circumstances in UK GDPR Art 6(1) applies. Those circumstances<br />
<br />
include:<br />
<br />
<br />
<br />
"(a) the data subject has given consent to the processing of his or<br />
her personal data for one or more specific purposes"<br />
<br />
<br />
9. Consent is defined in the UK GDPR as "any freely given, specific,<br />
<br />
informed and unambiguous indication of the data subject's wishes<br />
<br />
by which he or she, by a statement or by a clear affirmative action,<br />
signifies agreement to the processing of personal data relating to<br />
<br />
him or her": Art 4(11), see also Recital 32.<br />
<br />
<br />
<br />
10. The conditions for "consent" are set out in UK GDPR Art 7. Article<br />
<br />
7(1) states, relevantly:<br />
<br />
<br />
"1. Where processing is based on consent, the controller shall be<br />
<br />
able to demonstrate that the data subject has consented to<br />
<br />
processing of his or her personal data."<br />
<br />
<br />
<br />
11. Where consent is relied upon as the basis for processing, the data<br />
subject "should be aware at least of the identity of the controller<br />
<br />
and purposes of the processing for which the personal data are<br />
<br />
intended": UK GDPR Recital 42.<br />
<br />
<br />
<br />
Commissioner's Powers<br />
<br />
<br />
12. If the Commissioner is satisfied that a person has failed, or is<br />
<br />
failing, to comply with a provision of Chapter II of the UK GDPR, the<br />
<br />
Commissioner may give the person an Enforcement Notice requiring<br />
<br />
them to take within such time as may be specified in the Notice, or<br />
<br />
to refrain from taking after such time as may be so specified, such<br />
steps as are so specified: DPA 2018 s 149.<br />
<br />
<br />
<br />
Background<br />
<br />
<br />
<br />
13. EML is a company that advertises its services as including email<br />
data, email cleansing, email marketing and data appending.<br />
<br />
<br />
According to its website, it licenses in a wide range of personal data<br />
<br />
which includes email addresses, gender, age, employment status,<br />
<br />
and income bracket. It markets itself as having a "GDPR and PECR<br />
<br />
compliant email database".<br />
<br />
<br />
<br />
14. On 31 January 2018, during an operation conducted by the<br />
<br />
Information Commissioner, EML provided 7000 records consisting of<br />
personal ID numbers, forenames, surnames, dates of birth,<br />
<br />
postcodes, mobile numbers (for some entries), email addresses (for<br />
<br />
some entries) and landline numbers to members of the<br />
<br />
Commissioner's Enforcement Team. The data was provided<br />
<br />
pursuant to a 12 month licence. 15% of the records related to persons<br />
between the ages 75-79 and 1% related to persons over 80. The<br />
<br />
Commissioner expressly does not rely upon this sale otherwise than<br />
<br />
as background for the purposes of this Enforcement Notice. This<br />
<br />
failing occurred prior to the implementation of the GDPR and,<br />
<br />
although the Commissioner is able to rely upon enforcement powers<br />
<br />
available to her under the Data Protection Act 1998 (see DPA 2018<br />
Sch 20, Pt 7, para 33(1)(b)) she has elected not to do so in this<br />
<br />
case.<br />
<br />
<br />
<br />
15. Following this sale, the Commissioner commenced an investigation<br />
<br />
into EML's data protection practices.<br />
<br />
<br />
16. In the course of that investigation, EML informed the Commissioner<br />
<br />
that:<br />
<br />
<br />
a. it was a processor with respect to the personal data sourced<br />
on behalf of a client for the purposes of business to consumer<br />
<br />
marketing; and<br />
<br />
<br />
<br />
<br />
<br />
<br />
b. its business to consumer data was provided by<br />
<br />
(now known as<br />
<br />
<br />
EML is a controller, not a processor<br />
<br />
<br />
<br />
17. While the Commissioner notes that EML characterises itself as a<br />
processor under the GDPR in relation to business to consumer<br />
<br />
marketing, the Commissioner does not accept that this<br />
<br />
characterisation is correct for the reasons that follow.<br />
<br />
<br />
18. As part of its first round of representations to the Commissioner,<br />
<br />
EML produced a document setting out the "Legal and Commercial<br />
<br />
Terms for the Supply of Commercial and Personal Data" ("Terms"),<br />
which included as an appendix, a data processing agreement<br />
<br />
("Processing Agreement"). The Terms, containing the Processing<br />
<br />
Agreement, were executed on 25 July 2018. EML relies upon this as<br />
<br />
evidence that it was a processor rather than a controller.<br />
<br />
<br />
19. The Commissioner has reviewed the Terms and the Processing<br />
<br />
Agreement and remains of the view that EML is a controller. The<br />
<br />
Terms and Processing Agreement demonstrate that<br />
licenses data to EML so that EML can enter into subscription<br />
<br />
agreements with third parties to supply them with that data. The<br />
<br />
choice as to which third parties are supplied with data is a decision<br />
<br />
made by EML. The purposes of processing data in this way<br />
<br />
(disclosure to third parties) are determined by EML. EML also<br />
<br />
selects the means by which the data are processed. The Terms<br />
provides EML with a broad discretion to undertake many processing<br />
<br />
activities including using the data, creating derived data, storing the<br />
<br />
data, and manipulating the data (see generally, Clause 10 of the<br />
<br />
Terms).<br />
<br />
<br />
<br />
<br />
<br />
20. Further, the Processing Agreement does not provide support for<br />
<br />
EML's claim. The Processing Agreement does not adopt a clear<br />
<br />
position on whether the Data Receiver (EML) is a controller or<br />
processor. Indeed, para 3.1 states that EML<br />
<br />
<br />
"...is either a Data Controller or a Data Processor in their capacity<br />
<br />
as foreseen under this Agreement. The Data Receiver acknowledges<br />
<br />
that, if acting as a Data Processor, they could be deemed to be a<br />
<br />
Data Controller depending upon their use of the Shared Personal<br />
Data and would be deemed to be a Data Controller if they make use<br />
<br />
of the Shared Personal Data in a way that is not in accordance with<br />
<br />
this Agreement."<br />
<br />
<br />
21. In any event, even if EML were characterised as a processor by the<br />
<br />
Terms of the Processing Agreement, that does not determine<br />
<br />
whether EML is a processor or a controller. That must be<br />
determined by reference to the definitions in the UK GDPR and the<br />
<br />
DPA 2018.<br />
<br />
<br />
<br />
22. The Processing Agreement requires the parties to process the<br />
<br />
Shared Personal Data for the "Agreed Purpose", namely:<br />
<br />
<br />
"To broadcast marketing emails on behalf of a customer or to share<br />
the data for email marketing purposes with a customer who is<br />
<br />
promoting products or services within the Categories of Recipients<br />
<br />
where a consumer has given consent for a third party marketing or<br />
<br />
where there is a legitimate interest to share the data for marketing<br />
<br />
purpose."<br />
<br />
<br />
23. This purpose is too broadly expressed to constitute a genuine<br />
<br />
restriction on the purposes for individual acts of processing.<br />
<br />
It remains the case that EML is able to determine if, when and for<br />
<br />
what purposes (within the scope of the broadly expressed Agreed<br />
<br />
Purpose) processing should take place as well as the means by<br />
<br />
which the data is processed.<br />
<br />
<br />
24. The Commissioner is accordingly satisfied that, with respect to data<br />
<br />
obtained from and licensed to customers of EML, EML<br />
<br />
determines the purposes of that processing and the means by which<br />
<br />
it is done. It is, accordingly, a controller with respect to that data.<br />
<br />
<br />
<br />
25. The Commissioner notes that EML provided a revised Data<br />
Processing Agreement in response to the further invitation to make<br />
<br />
representations. That Agreement was provided in template form,<br />
<br />
with no reference to how the relationship with putative data<br />
<br />
controllers operates in practice. No evidence of any executed<br />
<br />
agreement was provided. The revised Data Processing Agreement<br />
<br />
does not alter the fact that EML previously mischaracterised itself as<br />
a processor.<br />
<br />
<br />
26. Further, EML informed the Commissioner that it was now - having<br />
<br />
seen the Commissioner's Preliminary Enforcement Notice -<br />
<br />
operating "purely as an introducer". No acceptable explanation was<br />
<br />
provided as to the actual practices adopted by EML, or how it<br />
<br />
conceived the role of an "introducer" fit within the data protection<br />
concepts of "controllers" and "processors". The Commissioner is<br />
<br />
also not satisfied, on the basis of the information that has now been<br />
<br />
provided, that EML does not continue to mischaracterise itself as<br />
<br />
such.<br />
<br />
<br />
<br />
The Failure<br />
<br />
<br />
27. The Commissioner is of the view that EML has processed, and is<br />
<br />
processing, personal data in a manner that is not fair, lawful, or<br />
<br />
<br />
<br />
<br />
transparent, thereby failing to comply with UK GDPR Art 5(1)(a).<br />
<br />
The Commissioner's reasons for forming this view are as follows.<br />
<br />
<br />
28. EML has not sought to identify the lawful basis upon which it<br />
<br />
processes personal data when engaging in business to consumer<br />
<br />
marketing. This appears to be the consequence of its<br />
<br />
misclassification as a data processor. In response to a request for<br />
<br />
policies concerning privacy and data protection, EML provided a<br />
<br />
number of policies. None of those policies addressed the manner in<br />
which, and the purposes for which, EML processed data provided to<br />
<br />
it by third parties in business to consumer marketing.<br />
<br />
<br />
29. However, EML has informed the Commissioner that it relies on<br />
<br />
to provided appropriately consented marketing lists. On<br />
<br />
this basis, the Commissioner infers that EML relies upon consent as<br />
<br />
the basis for processing. The Commissioner does not accept that<br />
<br />
any consent to processing provided to is effective<br />
to permit processing by EML.<br />
<br />
<br />
<br />
30. The Commissioner understands that acquires<br />
<br />
personal data from the following sources:<br />
<br />
<br />
a. the website owned by , and<br />
<br />
<br />
<br />
b. the website operated by<br />
<br />
<br />
<br />
31. The website includes a link to the<br />
<br />
privacy policy. That policy states that they will "Pass on your details<br />
to selected Companies and Trusted Partners which provide you with<br />
<br />
other offers and promotions of interest to you". The policy lists only<br />
<br />
a selection of those "partners". Despite that selection being lengthy<br />
<br />
and covering a very broad range of named companies, it does not<br />
<br />
<br />
identify either or EML as potential third party<br />
<br />
recipients of personal data. The policy further does not indicate that<br />
<br />
those third party recipients may themselves disclose personal data<br />
to additional unnamed third parties for any purpose.<br />
<br />
<br />
<br />
32. privacy policy indicates that personal data may be<br />
<br />
shared with marketing service providers. The policy states that<br />
<br />
those providers may combine the information with data from other<br />
<br />
sources, analyse and profile it and pass their knowledge on to other<br />
companies. It also indicates that names and addresses may be<br />
<br />
passed on by those providers to other companies so that those<br />
<br />
other companies can contact the individual about relevant products,<br />
<br />
services and offers. It states that this will occur "either directly or<br />
<br />
indirectly via a data broker who may legitimately process your<br />
<br />
data". The list of marketing service providers includes<br />
but not EML. The companies that marketing service providers may<br />
<br />
disclose personal data to are also not identified.<br />
<br />
<br />
33. Further, privacy policy indicates that it will share<br />
<br />
personal data for commercial gain with third parties who "have a<br />
<br />
relationship with you" or where the third party has "a lawful reason,<br />
<br />
which may include the organisation's own legitimate interest". It<br />
states that that "data will be used ... to create a data product ... in<br />
<br />
line with ICO code of practice". It is unclear what ICO Code of<br />
<br />
Practice this was intended to refer to. The specific third parties with<br />
<br />
whom data may be shared for these purposes are not identified.<br />
<br />
The policy also indicates that data will be shared with specified<br />
<br />
"Marketing Services Providers and special Marketing Agencies".<br />
is identified as a potential third party recipient, but<br />
<br />
EML is not. A link for more information about takes the<br />
user to the website, which identifies EML as a<br />
<br />
"marketing partner".<br />
<br />
<br />
34. The ICO's Guidance on Consent under the GDPR makes clear that<br />
<br />
for consent to be "specific and informed", it must specifically<br />
<br />
identify the controller collecting the data and name any third party<br />
<br />
controllers who will be relying upon the consent. Consent for<br />
<br />
purchased "consented" data is valid only if the purchaser is<br />
specifically identified at the time consent is given. That has not<br />
<br />
occurred here.<br />
<br />
<br />
35. EML is not identified as an organisation that may ultimately process<br />
<br />
an individual's data at the point where consent is obtained. The<br />
<br />
identity of EML's client would also not be clear to the data subject at<br />
<br />
the time consent is given.<br />
<br />
<br />
36. Accordingly, the Commissioner is of the view that any consent given<br />
<br />
at the point of collection was not sufficiently specific or informed to<br />
extend so far as consenting to disclosure to EML or one of EML's<br />
<br />
customers. Any "consent" to processing could not extend to the<br />
<br />
obtaining of that data by EML, processing of that data by EML, or<br />
<br />
disclosure by EML to any of its clients.<br />
<br />
<br />
37. Further, irrespective of the Commissioner's views about the<br />
<br />
lawfulness of processing by EML, the Commissioner is also of the<br />
view that the methods of collection identified above demonstrate<br />
<br />
that EML is not processing personal data in a transparent way. This<br />
<br />
is because (a) data subjects are unlikely to be aware that EML is<br />
<br />
processing their data at all; and (b) the identity of any EML client<br />
<br />
and how they would process the personal data is unlikely to be clear<br />
<br />
to the data subject at the time of collection.<br />
<br />
<br />
38. Accordingly, the Commissioner is of the opinion that EML has failed<br />
to comply with its obligation to process data fairly, lawfully and<br />
<br />
transparently under Article 5(1)(a) of the UK GDPR.<br />
<br />
<br />
<br />
Damage/distress<br />
<br />
<br />
39. The Commissioner has considered, as she is required to do under<br />
<br />
DPA 2018 s 149(2), whether the failure has caused, or is likely to<br />
<br />
cause, any person damage or distress. The sale of lists of personal<br />
<br />
data can cause substantial damage and distress. Such damage and<br />
<br />
distress can result in individuals being bombarded with unwanted<br />
direct marketing, or their data falling into the hands of<br />
<br />
unscrupulous individuals including scammers.<br />
<br />
<br />
<br />
40. Moreover, data subjects are, at the least, likely to be concerned<br />
<br />
about the processing of their personal data in circumstances where<br />
they are not aware of the identity of the controller and where the<br />
<br />
nature of, and purposes of, processing have not been clearly drawn<br />
<br />
to their attention.<br />
<br />
<br />
Requirements<br />
<br />
<br />
<br />
41. In view of the matters referred to above, the Commissioner is of the<br />
<br />
opinion that it is appropriate, in the exercise of her powers under<br />
DPA 2018 section 149, that she require EML, within three months,<br />
<br />
to:<br />
<br />
<br />
a. Notify all data subjects whose personal data are being<br />
<br />
processed by EML of the matters required by UK GDPR Art 14<br />
<br />
including, but not limited to, the purposes of the processing<br />
<br />
for which the personal data are intended as well as the legal<br />
<br />
basis for the processing, the categories of personal data<br />
concerned, and the recipients or categories of recipients of<br />
<br />
the personal data.<br />
<br />
<br />
<br />
<br />
<br />
<br />
b. Cease processing the personal data of any data subject to<br />
<br />
whom an Article 14-compliant notice is not sent or cannot be<br />
<br />
sent because EML does not possess contact information.<br />
<br />
<br />
c. Cease processing personal data (as described in this<br />
<br />
Enforcement Notice) purportedly obtained and/or otherwise<br />
processed on the basis of consent.<br />
<br />
<br />
<br />
d. Ensure that appropriate records are kept as to what<br />
<br />
individuals have consented to; including the information they<br />
<br />
were provided with at the time of consent, when they<br />
consented, and how they provided that consent.<br />
<br />
<br />
42. The Commissioner considers that the above requirements are<br />
<br />
appropriate for the purpose of remedying the failure identified.<br />
<br />
<br />
<br />
43. In representations to the Commissioner, EML initially claimed to<br />
<br />
have already complied with the requirements above. No evidence<br />
<br />
was provided at that time to demonstrate compliance. In<br />
subsequent representations, EML claimed that "Any personal data<br />
<br />
being processed on the basis of consents that are insufficiently<br />
<br />
specific, informed and not freely given has been deleted from the<br />
<br />
company". No explanation was given by EML as to how it formed<br />
<br />
the view about the sufficiency of the data subject's consent, or how<br />
<br />
much data had in fact been deleted by it. Having regard to the<br />
additional evidence provided by EML, the Commissioner nonetheless<br />
<br />
considers that it is appropriate to impose the requirements set out<br />
<br />
above.<br />
<br />
<br />
Consequences of Failing to Comply with the Notice<br />
<br />
<br />
44. If a person fails to comply with an Enforcement Notice, the<br />
<br />
Commissioner may serve a penalty notice on that person under<br />
<br />
<br />
section 155(1)(b) DPA, requiring payment of a penalty in an<br />
<br />
amount up to £17,500,000 or 4% of annual worldwide turnover,<br />
<br />
whichever is the higher.<br />
<br />
<br />
Right of Appeal<br />
<br />
<br />
<br />
45. By virtue of section 162(1)(c) DPA there is a right of appeal against<br />
<br />
this Notice to the First-tier Tribunal (Information Rights). If an<br />
<br />
appeal is brought against this Notice, it need not be complied with<br />
pending determination or withdrawal of that appeal. Information<br />
<br />
about the appeals process may be obtained from:<br />
<br />
<br />
<br />
First-tier Tribunal (Information Rights)<br />
<br />
GRC Tribunals<br />
<br />
PO Box 9300<br />
Leicester<br />
<br />
LE1 8DJ<br />
<br />
Tel: 0300 1234504<br />
<br />
Fax: 0870 7395836<br />
<br />
Email: GRC@hmcts.gsi.gov.uk<br />
Website: www.justice.gov.uk/tribunals/general-regulatory-chamber<br />
<br />
<br />
<br />
Any Notice of Appeal should be served on the Tribunal within 28<br />
<br />
calendar days of the date on which this Notice is sent.<br />
<br />
<br />
<br />
Dated the 22nd day of June 2021<br />
<br />
<br />
<br />
<br />
Stephen Eckersley<br />
<br />
Director of Investigations<br />
Information Commissioner's Office<br />
Wycliffe House<br />
Water Lane<br />
<br />
<br />
Wilmslow<br />
Cheshire<br />
SK9 5AF<br />
</pre></div>Mariam-hwthhttps://gdprhub.eu/index.php?title=ICO_(UK)_-_Mermaids&diff=17522ICO (UK) - Mermaids2021-07-24T13:44:18Z<p>Mariam-hwth: Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO (UK) |DPA_With_Country=ICO (UK) |Case_Number_N..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|DPA-BG-Color=background-color:#023868;<br />
|DPAlogo=LogoUK.png<br />
|DPA_Abbrevation=ICO (UK)<br />
|DPA_With_Country=ICO (UK)<br />
<br />
|Case_Number_Name=Mermaids<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Information Commissioner's Office<br />
|Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/mpns/2620171/mermaids-mpn-20210705.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=05.07.2021<br />
|Date_Published=08.07.2021<br />
|Year=2021<br />
|Fine=25000<br />
|Currency=GBP<br />
<br />
|GDPR_Article_1=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1f<br />
|GDPR_Article_2=Article 32(1) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#1<br />
|GDPR_Article_3=Article 32(2) GDPR<br />
|GDPR_Article_Link_3=Article 32 GDPR#2<br />
<br />
<br />
<br />
|Party_Name_1=Mermaids<br />
|Party_Link_1=https://mermaidsuk.org.uk/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
TBA<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Mermaids is a registered charity supporting children, young people and their families in relation to gender non-conformity. <br />
<br />
In 2016, Mermaids created an internet-based email group service at https://groups.io, overseen by a third party in the USA. This email group was intended to be shared between the CEO of Mermaids and 12 trustees. The default security and privacy settings were left in place, including "Group listed in directory, publicly viewable messages".<br />
<br />
Mermaids was notified in 2019 by a user of the charity that internal emails, sent using the groups.io email group service, were publicly available online and were searchable through search engines. These contained personal data, including special category data. The service user, whose child is gender non-conforming, was made aware that her child's name, "dead name", date of birth, mental and physical health were available online, as well as the mother's name, telephone number and address. <br />
<br />
Overall, 780 pages of confidential emails were available online. This corresponded to 550 data subjects. 15 data subjects had special category data concerning them made available online (mental or physical health; sex life; sexual orientation) and 9 data subjects' personal data was considered sensitive in the context. Of these 24 data subjects, 4 were 13 years old or under. <br />
<br />
Mermaids notified the ICO on the day it was told about this. <br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
The Information Commissioner's Office (ICO) considered that Mermaids processed emails on an email group without appropriate restricted access settings. Due to this failure, third parties could gain unauthorised access to emails containing personal data, including special category data. The ICO deemed this in contravention of the principle of integrity and confidentiality (Article 5(1)(f) GDPR).<br />
<br />
The ICO also considered that Mermaids failed to satisfy its obligations under Articles 32(1) and 32(2) GDPR. It did not have adequate security measures in place to protect the email group affected. As a consequence, special category data was publicly accessible online for over a year between 2018 and 2019. <br />
<br />
The ICO considered various factors that aggravated the violation in order to assess whether a penalty was appropriate. Accordingly, the ICO considered the sensitive nature of the publicly available personal data (special category data: gender and health data). It also assessed the gravity of the matter. In relation to this, it deemed that Mermaids' failures increased the vulnerability of the people whose special category data and personal data was made publicly available. The risk of damage or distress for gender non-conforming children was considered particularly high due to discrimination and prejudice. The ICO also considered the types and number of data subjects (some children) affected and the fact that this concerned special category data or sensitive data in context.<br />
<br />
<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
ICO.<br />
Information Commissioner's Office<br />
<br />
DATA PROTECTION ACT 2018 (PART 6, SECTION 155)<br />
<br />
<br />
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER<br />
<br />
<br />
MONETARY PENALTY NOTICE<br />
<br />
<br />
TO: Mermaids<br />
<br />
<br />
<br />
OF: Main Office, Suite 4, Tarn House, 77 the High Street, Yeadon, Leeds,<br />
LS19 7SP; London Office, Office 3, 63 Charterhouse Street, London,<br />
<br />
EC1M 6HJ<br />
<br />
<br />
1. Mermaids is Registered Charity Number 1160575.<br />
<br />
<br />
2. The Information Commissioner ("the Commissioner") has decided to<br />
<br />
issue Mermaids with a Penalty Notice under section 155 of the Data<br />
<br />
Protection Act 2018 ("the DPA"). This penalty notice imposes an<br />
administrative fine on Mermaids, in accordance with the<br />
<br />
Commissioner's powers under Article 83 of the General Data Protection<br />
Regulation 2016 ("the GDPR"). The amount of the monetary penalty is<br />
<br />
£25,000.<br />
<br />
<br />
3. This penalty has been issued because of contraventions by Mermaids of<br />
<br />
Articles 5(1)(f) and 32(1) and (2) of the GDPR in that during the period<br />
of 25 May 2018 to 14 June 2019 Mermaids failed to implement an<br />
<br />
appropriate level of organisational and technical security to its internal<br />
<br />
email systems, which resulted in documents or emails containing<br />
personal data, including in some cases relating to children and / or<br />
<br />
including in some cases special category data, being searchable and<br />
viewable online by third parties through internet search engine results.<br />
<br />
<br />
In the interests of clarity, 25 May 2018 is the date on which the GDPR<br />
became applicable in all member states, including the United Kingdom<br />
<br />
("the UK"), and 14 June 2019 is the date on which the controller took<br />
<br />
steps to secure the email group in question.<br />
<br />
<br />
4. This Monetary Penalty Notice explains the Commissioner's decision,<br />
<br />
including the Commissioner's reasons for issuing the penalty and for<br />
the amount of the penalty.<br />
<br />
<br />
Legal framework for this Monetary Penalty Notice<br />
<br />
<br />
Obligations of the controller<br />
<br />
<br />
5. Mermaids is a controller for the purposes of the GDPR and the DPA,<br />
<br />
because it determines the purposes and means of processing of<br />
<br />
personal data (GDPR Article 4(7)).<br />
<br />
6. 'Personal data' is defined by Article 4(1) of the GDPR to mean:<br />
<br />
<br />
information relating to an identified or identifiable natural person<br />
('data subject'); an identifiable natural person is one who can be<br />
identified, directly or indirectly, in particular by reference to an<br />
identifier such as a name, an identification number, location data,<br />
<br />
an online identifier or to one or more factors specific to the physical,<br />
physiological, genetic, mental, economic, cultural or social identity<br />
of that natural person.<br />
<br />
7. 'Processing' is defined by Article 4(2) of the GDPR to mean:<br />
<br />
<br />
any operation or set of operations which is performed on personal<br />
data or on sets of personal data, whether or not by automated<br />
means, such as collection, recording, organisation, structuring,<br />
storage, adaptation or alteration, retrieval, consultation, use,<br />
disclosure by transmission, dissemination or otherwise making<br />
available, alignment or combination, restriction, erasure or<br />
destruction<br />
<br />
<br />
<br />
8. Article 9 GDPR prohibits the processing of 'special categories of personal<br />
data' unless certain conditions are met. The special categories of<br />
<br />
personal data subject to Article 9 include 'data concerning health or data<br />
<br />
concerning a natural person's sex life or sexual orientation'.<br />
<br />
<br />
9. Controllers are subject to various obligations in relation to the processing<br />
<br />
of personal data, as set out in the GDPR and the DPA. They are obliged<br />
by Article 5(2) to adhere to the data processing principles set out in<br />
<br />
Article 5(1) of the GDPR.<br />
<br />
<br />
10. In particular, controllers are required to implement appropriate<br />
<br />
technical and organisational measures to ensure that their processing of<br />
personal data is secure, and to enable them to demonstrate that their<br />
<br />
processing is secure. Article 5(1)(f) stipulates that:<br />
<br />
<br />
Personal data shall be [...] processed in a manner that ensures<br />
appropriate security of the personal data, including protection<br />
against unauthorised or unlawful processing and against<br />
accidental loss, destruction or damage, using appropriate<br />
technical or organisational measures<br />
<br />
<br />
11. Article 32 ("Security of processing") provides, in material part:<br />
<br />
<br />
<br />
1. Taking into account the state of the art, the costs of<br />
implementation and the nature, scope, context and purposes of<br />
processing as well as the risk of varying likelihood and severity<br />
for the rights and freedoms of natural persons, the controller and<br />
the processor shall implement appropriate technical and<br />
organisational measures to ensure a level of security appropriate<br />
<br />
to the risk, including inter alia as appropriate:<br />
<br />
(a) the pseudonymisation and encryption of personal<br />
data;<br />
<br />
(b) the ability to ensure the ongoing confidentiality,<br />
integrity, availability and resilience of processing<br />
systems and services;<br />
<br />
<br />
(c) the ability to restore the availability and access to<br />
personal data in a timely manner in the event of a<br />
physical or technical incident;<br />
<br />
(d) a process for regularly testing, assessing and<br />
evaluating the effectiveness of technical and<br />
organisational measures for ensuring the security of<br />
<br />
the processing.<br />
<br />
2. In assessing the appropriate level of security account shall be<br />
taken in particular of the risks that are presented by processing,<br />
in particular from accidental or unlawful destruction, loss,<br />
alteration, unauthorised disclosure of, or access to personal data<br />
transmitted, stored or otherwise processed.<br />
<br />
<br />
The Commissioner's powers of enforcement<br />
<br />
<br />
<br />
12. The Commissioner is the supervisory authority for the UK, as<br />
provided for by Article 51 of the GDPR.<br />
<br />
<br />
13. By Article 57(1) of the GDPR, it is the Commissioner's task to<br />
<br />
monitor and enforce the application of the GDPR.<br />
<br />
14. By Article 58(2)(d) of the GDPR the Commissioner has the power<br />
<br />
to notify controllers of alleged infringements of GDPR. By Article 58(2)(i)<br />
<br />
she has the power to impose an administrative fine, in accordance with<br />
Article 83, in addition to or instead of the other corrective measures<br />
<br />
referred to in Article 58(2), depending on the circumstances of each<br />
<br />
individual case.<br />
<br />
15. By Article 83(1), the Commissioner is required to ensure that<br />
<br />
administrative fines issued in accordance with Article 83 are effective,<br />
<br />
proportionate, and dissuasive in each individual case. Article 83(2) goes<br />
on to provide that:<br />
<br />
<br />
<br />
<br />
<br />
When deciding whether to impose an administrative fine<br />
and deciding on the amount of the administrative fine in<br />
each individual case due regard shall be given to the<br />
following:<br />
<br />
(a) the nature, gravity and duration of the<br />
infringement taking into account the nature scope or<br />
purpose of the processing concerned as well as the<br />
number of data subjects affected and the level of<br />
damage suffered by them;<br />
<br />
(b) the intentional or negligent character of the<br />
infringement;<br />
<br />
(c) any action taken by the controller or processor to<br />
mitigate the damage suffered by data subjects;<br />
<br />
<br />
(d) the degree of responsibility of the controller or<br />
processor taking into account technical and<br />
organisational measures implemented by them<br />
pursuant to Articles 25 and 32;<br />
<br />
(e) any relevant previous infringements by the<br />
controller or processor;<br />
<br />
(f) the degree of cooperation with the supervisory<br />
authority, in order to remedy the infringement and<br />
mitigate the possible adverse effects of the<br />
infringement;<br />
<br />
(g) the categories of personal data affected by the<br />
infringement;<br />
<br />
(h) the manner in which the infringement became<br />
<br />
known to the supervisory authority, in particular<br />
whether, and if so to what extent, the controller or<br />
processor notified the infringement;<br />
<br />
(i) where measures referred to in Article 58(2) have<br />
previously been ordered against the controller or<br />
processor concerned with regard to the same<br />
subject-matter, compliance with those measures;<br />
<br />
(j) adherence to approved codes of conduct pursuant<br />
to Article 40 or approved certification mechanisms<br />
pursuant to Article 42; and<br />
<br />
<br />
(k) any other aggravating or mitigating factor<br />
<br />
applicable to the circumstances of the case, such as<br />
financial benefits gained, or losses avoided, directly<br />
or indirectly, from the infringement.<br />
<br />
<br />
16. The DPA contains enforcement provisions in Part 6 which are<br />
exercisable by the Commissioner. Section 155 of the DPA ("Penalty<br />
<br />
Notices") provides that:<br />
<br />
(1) If the Commissioner is satisfied that a person<br />
<br />
<br />
(a) has failed or is failing as described in section<br />
149(2) ...<br />
<br />
the Commissioner may, by written notice (a "penalty<br />
notice"), require the person to pay to the Commissioner an<br />
amount in sterling specified in the notice.<br />
<br />
(2) Subject to subsection (4), when deciding whether to<br />
give a penalty notice to a person and determining the<br />
amount of the penalty, the Commissioner must have<br />
regard to the following so far as relevant-<br />
<br />
(a) to the extent that the notice concerns a matter to<br />
which the GDPR applies, the matters listed in Article<br />
83(1) and (2) of the GDPR.<br />
<br />
<br />
17. The failures identified in section 149(2) DPA 2018 are, insofar as<br />
<br />
relevant here:<br />
<br />
(2) The first type of failure is where a controller or<br />
processor has failed, or is failing, to comply with any of the<br />
following-<br />
<br />
(a) a provision of Chapter II of the GDPR or Chapter<br />
2 of Part 3 or Chapter 2 of Part 4 of this Act<br />
<br />
(principles of processing);<br />
<br />
...<br />
<br />
<br />
(c) a provision of Articles 25 to 39 of the GDPR or<br />
section 64 or 65 of this Act (obligations of controllers<br />
and processors) [...]<br />
<br />
<br />
Factual background to the incident<br />
<br />
<br />
<br />
18. The origins of Mermaids lie in a parents' support group formed by<br />
parents whose children were experiencing gender incongruence. It<br />
<br />
was registered in 1999 with the Charity Commissioner. Mermaids was<br />
incorporated as a registered charity in 2015 and offers support to<br />
<br />
children, young people and their families in relation to gender<br />
<br />
non-conformity.<br />
<br />
<br />
19. On 15 August 2016, which is the date on which the email group<br />
<br />
of relevance to the contraventions set out in this notice was created,<br />
the Chief Executive Officer ("the CEO") was at that date the only paid<br />
<br />
staff member at Mermaids. On 14 June 2019, Mermaids were notified<br />
<br />
by a service user of the charity that internal emails containing personal<br />
data were publicly available online. Mermaids contacted the<br />
<br />
Commissioner later that day to report the concerns. On 17 June 2019,<br />
the CEO telephoned the Commissioner to update her and sent a<br />
<br />
follow-up email detailing the remedial steps which Mermaids had taken.<br />
<br />
<br />
Contraventions of Articles 5(1)(f), 32(1) (2) of the GDPR<br />
<br />
<br />
<br />
20. In regard to the principle of integrity and confidentiality under<br />
Article 5(1)(f) of the GDPR, the Commissioner considers that emails<br />
<br />
were processed by Mermaids on an email group without Mermaids<br />
<br />
applying the appropriate restricted access settings. If the appropriate<br />
security access settings had been applied, then access would have<br />
<br />
been restricted to approved members of the group only and it would<br />
not have been possible for third parties to gain unauthorised access<br />
<br />
through the internet to the emails containing personal data, in some<br />
cases concerning children and/ or in some cases containing special<br />
<br />
category data, in the period 25 May 2018 to 14 June 2019. In the<br />
<br />
interests of clarity, 25 May 2018 is the date on which GDPR became<br />
applicable in all member states, including the UK, and 14 June 2019 is<br />
<br />
the date on which the controller took steps to secure the email group in<br />
<br />
question.<br />
<br />
<br />
21. In regard to the requirement under Articles 32(1) and (2) of the<br />
<br />
GDPR to implement a level of security appropriate to the risk when<br />
processing data, the Commissioner considers that Mermaids failed to<br />
<br />
have adequate security measures in place to ensure the appropriate<br />
security for personal data in the period 25 May 2018 to 14 June 2019.<br />
<br />
The email group did not have the appropriate restricted access settings<br />
<br />
applied to it and therefore the personal data including the special<br />
category data were accessible to third parties. Consideration should<br />
<br />
have been given to pseudonymisation or encryption of the data, either<br />
<br />
of which would have offered an extra layer of protection to the<br />
personal data. Taking such a step may have reduced the opportunity<br />
<br />
for the emails to be placed at risk in circumstances where Mermaids'<br />
<br />
organisational memory had failed to account for the existence of the<br />
dormant email group after it stopped being used on 21 July 2017. For<br />
<br />
the avoidance of doubt, the Commissioner has concluded that the<br />
nature and gravity of the contraventions are unaffected by the<br />
<br />
unanswered question as to whether the journalist and third party<br />
<br />
stumbled across the data by accident or by any possibility, however<br />
remote, that individuals deliberately set out to find the information by<br />
<br />
using a precise and unusual syntactical search. Further, it is<br />
<br />
considered by the Commissioner that the nature of the contraventions<br />
is unaffected by the unanswered question as to the extent to which any<br />
<br />
other third party or parties accessed the data.<br />
<br />
<br />
22. The contraventions by Mermaids between 25 May 2018 and 14<br />
<br />
June 2019 involved personal data which in some cases included special<br />
<br />
category data and/ or data which was sensitive in its context. The<br />
incident involved data which in many cases belonged to children and/<br />
<br />
or vulnerable individuals. It involved a large group of 550 data<br />
<br />
subjects and around 24 data subjects whose data was sensitive in its<br />
context and/ or belonged to children and/ or belonged to vulnerable<br />
<br />
individuals. It has been confirmed in the course of Representations that<br />
<br />
of those 24 data subjects whose data could be said to be sensitive in<br />
context, and/ or belonged to children or vulnerable individuals, 15 of<br />
<br />
the data subjects had special category data accessible. The sensitive<br />
nature of the data which was accessible to third parties means that the<br />
<br />
contraventions necessarily involved significant damage and/ or<br />
<br />
distress to the data subjects, whether or not it was also special<br />
category data. The Commissioner has not taken account of any<br />
<br />
contraventions which may have occurred between 15 August 2016<br />
<br />
(i.e., the date of creation of the email group) and 25 May 2018 but has<br />
had regard to how the failure first arose and persisted. The<br />
<br />
Commissioner considers the contraventions to have been negligent.<br />
<br />
<br />
Notice of Intent<br />
<br />
<br />
23. On 19 March 2021, in accordance with s.55(5) and paragraphs<br />
<br />
2 and 3 of Schedule 16 DPA 2018, the Commissioner issued Mermaids<br />
<br />
with a Notice of Intent to impose a penalty under s.155 DPA 2018. The<br />
Notice of Intent described the circumstances and the nature of the<br />
<br />
personal data in question, explained the Commissioner's reasons for a<br />
<br />
proposed penalty, and invited written representations from Mermaids.<br />
<br />
<br />
<br />
<br />
24. On 20 April 2021, Mermaids provided written representations in<br />
<br />
respect of the Notice, together with a supporting document.<br />
<br />
<br />
25. On 17 May 2021 the Commissioner held a 'representations<br />
meeting' to thoroughly consider the representations provided by<br />
<br />
Mermaids.<br />
<br />
<br />
Factors relevant to whether a penalty is appropriate, and if so, the<br />
<br />
amount of the penalty<br />
<br />
<br />
26. The Commissioner has considered the factors set out in Article<br />
<br />
83(2) of the GDPR in deciding whether to issue a penalty. For the reasons<br />
<br />
given below, she is satisfied that (i) the contraventions are sufficiently<br />
serious to justify issuing a penalty in addition to exercising her corrective<br />
<br />
powers; and (ii) the contraventions are serious enough to justify a<br />
<br />
significant fine.<br />
<br />
<br />
27. In regard to the amount of the penalty, the Commissioner has<br />
<br />
considered the following facts: Mermaids' total income rose from<br />
£317,580 in the year ending 31 March 2018 [1], to £715,330 in the year<br />
ending 31 March 2019, to £902,440 in the year ending 31 March 2020.<br />
<br />
The Commissioner is mindful that the penalty must be effective,<br />
<br />
proportionate and dissuasive.<br />
<br />
<br />
<br />
(a) the nature, gravity and duration of the infringement taking into<br />
<br />
account the nature, scope or purpose of the processing concerned as<br />
<br />
<br />
<br />
<br />
[1] https://register-of-charities.charitycommission.gov.uk/charity-search/-/charity-details/5054976/financial-history<br />
<br />
<br />
well as the number of data subjects affected, and the level of<br />
damage suffered by them<br />
<br />
<br />
<br />
28. Nature: The CEO set up an internet-based email group service<br />
at https://groups.io, which is overseen by a third party based in the<br />
<br />
United States of America ("the USA"). In particular, the CEO created<br />
<br />
Generalinfo@Groups.IO so that emails could be shared between the<br />
CEO and the 12 trustees. An absence of records relating to the<br />
<br />
creation of the group and the controls that were considered at that<br />
<br />
time has meant that it has been impossible to establish exactly how<br />
the group service was set up, and therefore how the incident<br />
<br />
originated. The CEO is unable to recall whether the emails were left<br />
accessible deliberately to facilitate a general discussion or whether it<br />
<br />
was an oversight not to select a more secure option and to leave a<br />
<br />
default security setting in operation. However, after being made aware<br />
that the emails were accessible, Mermaids established that the default<br />
<br />
setting for security and privacy on the Groups.IO internet-based email<br />
<br />
service provided, "Group listed in directory, publicly viewable<br />
messages," which was an insecure and inappropriate setting.<br />
<br />
Alternative settings available to users of the email service were,<br />
<br />
"Group not listed in directory, publicly viewable messages,", "Group<br />
listed in directory, private messages," and, "Group not listed in<br />
<br />
directory, private messages," which, if selected, may have provided<br />
more appropriately secure settings.<br />
<br />
<br />
<br />
29. The Groups.IO internet-based email group service was in active<br />
use by Mermaids from 15 August 2016 to 21 July 2017. After it<br />
<br />
became dormant it nevertheless continued to hold emails. Mermaids'<br />
<br />
failure to implement appropriate security settings meant that the email<br />
group was listed in the Groups.IO search directory and was indexed on<br />
<br />
large search engines such as Google. In addition to communications<br />
<br />
between the trustees, the emails included some forwarded emails from<br />
Mermaids' service users. Mermaids failed to implement an appropriate<br />
<br />
level of security to its internal email systems, which resulted in<br />
<br />
documents or emails containing personal data, including in some cases<br />
relating to children and/ or including in some cases special category<br />
<br />
data, being searchable and viewable online by third parties through<br />
<br />
internet search engine results. Mermaids was unaware that it had<br />
failed to implement an appropriate level of security or that personal<br />
<br />
data of its service users was searchable and viewable online by third<br />
<br />
parties.<br />
<br />
<br />
30. The last email on the Groups.IO service was sent on 21 July<br />
2017. Nevertheless, the email group remained live and the emails<br />
<br />
remained publicly visible on the Groups.IO website until remedial<br />
<br />
actions were taken in June 2019.<br />
<br />
<br />
31. On 14 June 2019, a service user of the charity, who was the<br />
<br />
mother of a gender non-conforming child, informed the CEO that she<br />
had been called by a journalist from the Sunday Times, who had told<br />
<br />
her that her personal data could be viewed online. The journalist had<br />
<br />
informed the parent that by searching online he could view confidential<br />
emails, including her child's current name, the child's "dead name", the<br />
<br />
date of birth, the mother's maiden name and married name, her<br />
employer's address, her mobile telephone number and details of her<br />
<br />
child's mental and physical health. On the same day, Mermaids<br />
<br />
received pre-publication notice from the Sunday Times that the emails<br />
were accessible online and the newspaper would be publishing an<br />
<br />
article about the incident. Mermaids are understood to have taken<br />
<br />
immediate steps to block access to the email site before the newspaper<br />
report of the incident was published.<br />
<br />
<br />
<br />
32. Gravity: The topic of gender incongruence is still regarded, by<br />
<br />
many commentators and members of the public, to be controversial,<br />
<br />
and the fact that a child or adult may be experiencing gender<br />
incongruence is a sensitive issue which can lead to increased<br />
<br />
vulnerability. The Commissioner considers that the likely increased<br />
<br />
vulnerability of a data subject in turn increases the risk of damage or<br />
<br />
distress being caused to the data subject by any data contravention<br />
that reveals that an individual is seeking information about, or support<br />
<br />
for, gender incongruence. The Commissioner considers that the data<br />
<br />
about gender incongruence was sensitive in its context. The<br />
Government ran a consultation on reform of the Gender Recognition<br />
<br />
Act 2004 between July and October 2018, which generated widespread<br />
<br />
public interest in and debate about gender incongruence. Groups<br />
<br />
supporting transgender rights and people experiencing gender<br />
incongruence may be at a higher risk of experiencing prejudice,<br />
<br />
harassment, physical abuse or hate crime. According to the Home<br />
Office Hate Crime report published on 15 October 2019 [2], transgender<br />
identity is the least commonly recorded hate crime, however, in 2018 it<br />
<br />
increased by 37%. The large percentage increase may be due to the<br />
<br />
relatively small number of transgender identity hate crimes of 2,333<br />
<br />
during the 2018-2019 period, improvements by the police in identifying<br />
and recording such crimes, more people coming forward to report the<br />
<br />
crimes, or a genuine increase in transgender hate crimes. The<br />
<br />
Commissioner has had regard to such risks when considering the<br />
potential harm that may be caused to affected data subjects.<br />
<br />
<br />
<br />
33. In regard to 15 data subjects, the emails included special<br />
<br />
category data, such as details of the data subject's mental or physical<br />
<br />
<br />
<br />
[2] …rvice.gov.uk/government/uploads/system/uploads/attachment_data/file/839172/hate-crime-1819-hosb2419.pdf<br />
<br />
<br />
health and/ or sex life and/ or sexual orientation, with a further 9<br />
data subjects whose data could be classified as sensitive in context.<br />
<br />
Four of those 24 data subjects were aged 13 or under in June 2019<br />
<br />
and therefore must have been aged 12 or under in the period between<br />
25 May 2018 and 14 June 2019.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
35. Duration: The Commissioner has been unable to confirm the<br />
exact duration of the contraventions. However, given the age of some<br />
<br />
of the data, she is satisfied that it has been occurring, to some extent,<br />
<br />
since at least 25 May 2018, and she has not considered any<br />
contravention prior to this date, which would fall to be considered<br />
<br />
under the previous data protection regime. The Commissioner<br />
<br />
considers that Mermaids was in contravention of the GDPR from the<br />
date on which it came into force on 25 May 2018 until the issue was<br />
<br />
remedied by 14 June 2019.<br />
<br />
<br />
36. Number of data subjects affected: The Commissioner<br />
<br />
understands that around 780 pages of confidential emails were visible<br />
online, which included sensitive data relating to gender incongruence<br />
<br />
and personal data relating to 550 data subjects, such as name, email<br />
<br />
address, job title, or employer's name.<br />
<br />
<br />
37. Damage: It has not been possible to establish whether or not the<br />
<br />
data which was exposed online was accessed by third parties other than<br />
the Sunday Times journalist. Two data subjects, a mother and a child,<br />
<br />
<br />
<br />
made complaints to Mermaids about the contraventions. The<br />
<br />
Commissioner also received two complaints.<br />
<br />
<br />
38. It is reported that 550 emails were accessible and could be viewed<br />
<br />
online from August 2016 until 14 June 2019. They contained personal<br />
data such as names, email address, job title, employer's name which<br />
<br />
identified individuals and their connection with the transgender charity.<br />
<br />
It can be inferred that the individuals whose email addresses were on<br />
the group are users of Mermaids, who are a transgender charity, that<br />
<br />
their data would be sensitive data in context. Most of the email threads<br />
<br />
contained general discussions, for example, concerning fundraising,<br />
arranging attendance at conferences and advice about anti-bullying, and<br />
<br />
the data subjects were open about their connection with Mermaids.<br />
<br />
Twenty-four emails have been identified by Mermaids as being of a<br />
higher risk, containing more sensitive details within conversations<br />
<br />
between the CEO, stakeholders and subscribers of Mermaids and<br />
<br />
included discussions of transgender issues and how the data subjects<br />
were feeling and coping with their experiences. Four of these emails<br />
<br />
related to data subjects who were aged 13 or under as of June 2019.<br />
<br />
With the introduction of the GDPR, children should be afforded more<br />
protection in relation to their data.<br />
<br />
<br />
<br />
39. If someone had accessed the email group online there would have<br />
been sufficient available identifying data to potentially "out" the data<br />
<br />
subject, removing any choice and infringing their privacy.<br />
<br />
<br />
40. Due to the nature of the services offered by the Mermaids charity,<br />
<br />
being an organisation who offer support to transgender individuals, the<br />
<br />
Commissioner expected them to ensure stringent safeguards were in<br />
place to protect service users and their personal data. Mermaids received<br />
<br />
four complaints from former trustees and two from service users. All<br />
<br />
complaints have been resolved.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
(b) the intentional or negligent character of the infringement<br />
<br />
<br />
41. By 25 May 2018, Mermaids was a well-established significant<br />
<br />
charity and should have implemented appropriate measures to ensure<br />
that personal data was safeguarded, particularly since the data in some<br />
<br />
cases related to vulnerable children and/ or vulnerable adults and/ or<br />
included special category data and/ or a significant proportion of data<br />
<br />
was sensitive in its context. In the period 25 May 2018 to 14 June<br />
<br />
2019, there was a negligent approach towards data protection at<br />
Mermaids, data protection policies were inadequate and there was a<br />
<br />
lack of adequate training, including a lack of face-to-face training, on<br />
<br />
data protection. Following the introduction of the GDPR, Mermaids'<br />
data protection policies had not been updated to ensure compliance.<br />
<br />
Safeguards should have been in place to protect the young and/ or<br />
vulnerable data subjects who had used or were using the charity's<br />
<br />
services, particularly given the probability that personal data controlled<br />
<br />
or processed by Mermaids would include special category data and/ or<br />
data which was sensitive in its context.<br />
<br />
<br />
42. The Commissioner considers that the contraventions were not<br />
<br />
deliberate, although there is an element of negligence as the CEO<br />
<br />
created the email group with the least secure settings in error. This<br />
was compounded by the fact that neither the CEO nor any other person<br />
<br />
associated with the charity correctly closed down the email<br />
group, thereby leaving it accessible, albeit dormant.<br />
<br />
<br />
<br />
(c) any action taken by the controller or processor to mitigate the<br />
damage suffered by data subjects<br />
<br />
<br />
43. As soon as Mermaids were made aware, by the service user, that<br />
<br />
the email group was accessible, the charity immediately took the email<br />
group down and took proportionate action to ensure any data collected<br />
was removed from any archive website.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
-<br />
<br />
<br />
(d) the degree of responsibility of the controller or processor taking<br />
into account technical and organisational measures implemented by<br />
<br />
them pursuant to Articles 25 and 32<br />
<br />
<br />
45. All Mermaids staff and volunteers received mandatory data<br />
protection training in December 2018, which is updated annually,<br />
however, the ongoing contraventions were not identified by anyone at<br />
<br />
Mermaids during the period of operation of the insecure email system,<br />
which demonstrates that the training was inadequate and/ or<br />
<br />
ineffective.<br />
<br />
<br />
46. The CEO of Mermaids created the email group with the least<br />
secure settings. Even though it was created in 2016 which would have<br />
been covered by the Data Protection Act 1998, the group remained live<br />
<br />
and accessible until June 2019, with the same settings that were<br />
applied on its creation in 2016. The settings were the least secure and<br />
<br />
allowed access to the email group and the contents of the emails were<br />
<br />
viewable online. When the use of the email group ceased there was no<br />
clear documentation to demonstrate how it was created or<br />
<br />
decommissioned. The email group remained dormant but accessible<br />
<br />
and appears to have been forgotten.<br />
<br />
<br />
47. In addition to the change in data protection legislation such as<br />
<br />
the introduction of the GDPR, the Government consultation concerning<br />
the Gender Recognition Act 2004 ("GRA") and associated public debate<br />
<br />
on gender incongruence should have prompted Mermaids to re-visit<br />
<br />
their policies and procedures to ensure appropriate measures were in<br />
place to protect individuals' privacy rights.<br />
<br />
<br />
<br />
(e) any relevant previous infringements by the controller or<br />
processor<br />
<br />
<br />
48. The Commissioner is unaware of any previous data protection<br />
<br />
infringements by Mermaids.<br />
<br />
<br />
(f) the degree of cooperation with the supervisory authority, in<br />
<br />
order to remedy the infringement and mitigate the possible adverse<br />
<br />
effects of the infringement<br />
<br />
<br />
49. Mermaids were co-operative and replied to the enquiries<br />
promptly. They employed both solicitors and a data protection<br />
<br />
consultant to review the incident and to oversee any remedial action.<br />
<br />
Mermaids also instructed a specialist media law firm on 14 June 2019.<br />
They received four complaints from former trustees and two from<br />
<br />
service users - all of which have been concluded.<br />
<br />
<br />
50. Mermaids immediately adjusted the settings on the Groups.IQ<br />
<br />
website so that the data was no longer accessible to third parties.<br />
<br />
Mermaids staff began reviewing all the emails which had been exposed<br />
to viewing by third parties. Mermaids also reported itself to the<br />
<br />
Commissioner on 14 June 2019.<br />
<br />
<br />
51. On 15 June 2019,<br />
<br />
The same day,<br />
<br />
the Sunday Times printed an online article stating that 1,000 pages of<br />
confidential emails by Mermaids were available on the 10 platform<br />
<br />
which had been active between 2016 and 2017 and could be viewable<br />
<br />
online. The same day, Mermaids informed an initial number of data<br />
subjects, whom it regarded as "sensitive data subjects", and for whom<br />
<br />
Mermaids had contact details, about the incident. Also on 15 June<br />
2019, Mermaids published a press statement on its website which<br />
<br />
included an apology. Also on 15 June 2019, Mermaids notified the<br />
<br />
Charity Commission of the existence of a serious risk incident. Also on<br />
15 June 2019, Mermaids liaised with Groups.IQ to obtain metadata to<br />
<br />
identify when the relevant data had been accessed by third parties and<br />
<br />
Mermaids were told by Groups.IQ that they did not collect that<br />
metadata.<br />
<br />
<br />
<br />
52. On 16 June 2019, a printed article was published in the hard<br />
copy Sunday Times, drawing attention to the matter. Also on 16 June<br />
<br />
2019, Mermaids notified all former trustees and major funders of the<br />
incident; and took initial steps to transition its email service to a more<br />
<br />
secure email platform.<br />
<br />
<br />
53. On 17 June 2019, Mermaids engaged a data protection<br />
<br />
consultant. Also on 17 June 2019, Mermaids updated the Charity<br />
<br />
Commission about the incident.<br />
<br />
<br />
<br />
<br />
54. On 18 June 2019, Mermaids learnt that various archived or<br />
cached versions of the data remained online, and therefore their<br />
<br />
solicitors requested Google to remove them, and the data were<br />
<br />
immediately removed. Similar steps were taken by Mermaids to<br />
remove data from Archive.Ii. The same day, Mermaids sent the<br />
<br />
Commissioner an update.<br />
<br />
<br />
55. On 19 June 2019, Mermaids liaised with Groups.IQ to request<br />
<br />
information regarding users making requests of the Mermaids' group's<br />
archives. Three further data subjects were identified by Mermaids as<br />
<br />
"sensitive data subjects". Mermaids continued its efforts to remove<br />
access to the data via Archive.Ii.<br />
<br />
<br />
<br />
56. On 20 June 2019, the three additional "sensitive data subjects"<br />
were notified of the incident. Legal advisors to Mermaids reviewed<br />
<br />
with staff the current data systems at Mermaids for any further areas<br />
of vulnerability. The same day, Mermaids instructed their solicitors to<br />
<br />
begin liaising with the "sensitive data subjects".<br />
<br />
<br />
57. On 21 June 2019, Groups.IQ confirmed that they did not hold<br />
<br />
any relevant information in their logs. The same day, Mermaids<br />
<br />
engaged an information technology security auditor, to begin to review<br />
the incident on 27 June 2019.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
58. On 22 June 2019, - confirmed that the data had been<br />
<br />
removed. Mermaids' solicitors contacted all the "sensitive data<br />
<br />
subjects" to explain the remedial steps which had been taken and<br />
provided copies of their data which had been affected. They also<br />
<br />
sought permission from the data subjects whose data had been<br />
<br />
uploaded on Archive.Ii to contact Archive.Ii on their behalf to seek<br />
removal of their data.<br />
<br />
<br />
<br />
<br />
59. Between 24 June 2019 and 25 June 2019, the law firm obtained<br />
<br />
all the consents required from the data subjects to remove the data<br />
from Archive.Ii and sent compliance notices to Archive.Ii and its<br />
<br />
webhost, copied to their local data protection authorities. Mermaids<br />
<br />
held a trustee meeting to provide an update to trustees on the<br />
remedial steps which had been taken to address the contraventions,<br />
<br />
with Mermaids' external legal advisers in attendance.<br />
<br />
<br />
60. On 26 June 2019, Mermaids updated their website message to<br />
<br />
include reference to Archive.Ii.<br />
<br />
<br />
61. On 27 June 2019, two additional "sensitive data subjects" were<br />
<br />
identified by Mermaids, they were updated on the remedial steps which<br />
had been taken and they were sent copies of the personal data which<br />
<br />
had been exposed. On the same day, Mermaids was alerted to the fact<br />
<br />
that a larger group of data subjects had been affected by the incident.<br />
On Mermaids' instruction, the solicitors then reviewed all the data<br />
<br />
which had been accessible online to ensure all remedial actions had<br />
<br />
been taken. Mermaids, through their lawyers, notified the<br />
Commissioner and also chased the Sunday Times for a substantive<br />
<br />
response to their letter of 21 June 2019.<br />
<br />
<br />
62. On 28 June 2019, Mermaids' solicitors updated the "sensitive<br />
<br />
data subjects" whose data had been uploaded to Archive.Ii to confirm<br />
<br />
that the relevant webpages had been removed. They also sent an<br />
update to the Commissioner; continued to review the data; wrote<br />
<br />
seeking further information from Groups.IQ, if available, about the<br />
<br />
extent of any third-party access to the data in question; and updated<br />
the Commissioner on what remedial actions had been taken.<br />
<br />
<br />
<br />
63. On 25 July 2019, the CEO completed half a day of data<br />
protection training from an external trainer, in response to the<br />
<br />
contraventions.<br />
<br />
<br />
64. The Commissioner understands that the specialist data<br />
<br />
consultant appointed by Mermaids completed a review of all Mermaids'<br />
data systems and policies to ensure they were compliant with the<br />
<br />
GDPR and that Mermaids undertook to implement all his<br />
<br />
recommendations. The Commissioner understands that the<br />
contravention has been identified as an isolated incident and no wider<br />
<br />
issues were identified during the review. Further, it appears that all<br />
<br />
policies at Mermaids have now been updated to conform to the GDPR<br />
and that Mermaids undertook to put all data protection policies on one<br />
<br />
place on the intranet where they would be easily accessible to all staff<br />
and volunteers. Further, a security assessment was undertaken by a<br />
<br />
specialist consultancy, over a three-week period in June to July 2019,<br />
<br />
involving a review of all systems and processes at Mermaids to assess<br />
security and access controls, recommendations were made,<br />
<br />
implementation was agreed and the recommendations were then<br />
<br />
implemented by Mermaids to strengthen security and privacy.<br />
<br />
<br />
(g) the categories of personal data affected by the infringement<br />
<br />
<br />
65. These include information allowing identification of individuals,<br />
<br />
including children; in some cases the data was sensitive in context<br />
<br />
relating to gender incongruence, and in some cases it was special<br />
category data, including data relating to health.<br />
<br />
<br />
66. The email addresses identified 550 data subjects, all of whom had<br />
<br />
been in contact with Mermaids at some point. Due to the nature of the<br />
<br />
services offered by Mermaids it can be inferred that some of the data of<br />
those individuals can be identified as special category data. 24 have been<br />
<br />
identified by Mermaids as being of a higher risk, containing more<br />
sensitive details with conversations between the CEO, stakeholders and<br />
<br />
subscribers of Mermaids and included discussions around transgender<br />
<br />
issues and how the data subjects were feeling and coping with their<br />
experiences. 15 of those 24 data subjects had special category data<br />
<br />
accessible. Some of the emails show an exchange with Tavistock and<br />
Portman NHS Foundation Trust, who run a gender identity clinic. These<br />
<br />
emails disclose health information. 4 of those 24 data subjects were<br />
<br />
under 13 as of June 2019.<br />
<br />
<br />
(h) the manner in which the infringement became known to the<br />
supervisory authority, in particular whether, and if so to what extent,<br />
<br />
the controller or processor notified the infringement<br />
<br />
<br />
67. Mermaids notified the Commissioner about the infringement on<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Mermaids reported themselves to the<br />
<br />
Commissioner on the same day.<br />
<br />
<br />
(i) where measures referred to in Article 58(2) have previously<br />
<br />
been ordered against the controller or processor concerned with<br />
regard to the same subject-matter, compliance with those measures;<br />
<br />
<br />
68. Not applicable.<br />
<br />
<br />
<br />
(j) adherence to approved codes of conduct pursuant to Article 40<br />
or approved certification mechanisms pursuant to Article 42;<br />
<br />
<br />
69. Not applicable.<br />
<br />
<br />
<br />
(k) any other aggravating or mitigating factor applicable to the<br />
circumstances of the case, such as financial benefits gained, or<br />
<br />
losses avoided, directly or indirectly, from the infringement.<br />
<br />
<br />
70. An aggravating factor is the duration of the infringement from<br />
<br />
2017 to 2019.<br />
<br />
<br />
71. Since 2016, Mermaids has raised its profile and in recent years it<br />
<br />
has received funding from various sources, including from the National<br />
Lottery, Children in Need and the Government. These factors have<br />
<br />
contributed to an increase in the public attention which Mermaids<br />
receives and the good standing from which it has benefited.<br />
<br />
Regulatory action against Mermaids will serve as an important<br />
<br />
deterrent to other entities or persons who are not complying or who<br />
are risking not complying with their duties under the GDPR.<br />
<br />
<br />
<br />
72. The Commissioner has taken account of the prompt remedial<br />
actions taken by Mermaids in response to becoming aware of the<br />
<br />
incident, which reduced the detriments caused to the data subjects,<br />
<br />
and of Mermaids' co-operation with the Commissioner.<br />
<br />
<br />
73. Mermaids' profile significantly increased after being linked to a<br />
<br />
television programme. This breach was highlighted in a national<br />
newspaper and that resulted in a degree of reputational damage to the<br />
<br />
charity. The Commissioner considers that whilst the fine itself should<br />
act as a deterrent, it was important to balance this against ensuring<br />
<br />
the charity is able to maintain effective provisions for service users and<br />
<br />
not taking away donations made by the public.<br />
<br />
<br />
Summary and decided penalty<br />
<br />
<br />
74. For the reasons set out above, the Commissioner has decided to<br />
impose a financial penalty on Mermaids. The Commissioner has taken<br />
<br />
into account the size of Mermaids and the financial information which is<br />
<br />
available about the charity on the Charity Commission website, as well<br />
as the representations that Mermaids has made to her about its<br />
<br />
financial position. She is mindful that the penalty must be effective,<br />
<br />
proportionate and dissuasive.<br />
<br />
<br />
75. Taking into account all of the factors set out above, the<br />
<br />
Commissioner has decided to impose a penalty on Mermaids of<br />
£25,000 (twenty-five thousand pounds).<br />
<br />
<br />
Payment of the penalty<br />
<br />
<br />
76. The penalty must be paid to the Commissioner's office by BACS<br />
<br />
transfer or cheque by 3 August 2021 at the latest. The penalty is not<br />
kept by the Commissioner but will be paid into the Consolidated Fund<br />
<br />
which is the Government's general bank account at the Bank of<br />
<br />
England.<br />
<br />
<br />
77. There is a right of appeal to the First-tier Tribunal (Information<br />
<br />
Rights) against:<br />
<br />
(a) The imposition of the penalty; and/or,<br />
<br />
(b) The amount of the penalty specified in the penalty notice<br />
<br />
<br />
78. Any notice of appeal should be received by the Tribunal within 28<br />
days of the date of this penalty notice.<br />
<br />
<br />
<br />
79. The Commissioner will not take action to enforce a penalty<br />
unless:<br />
<br />
<br />
<br />
• the period specified within the notice within which a penalty must<br />
be paid has expired and all or any of the penalty has not been<br />
<br />
paid;<br />
<br />
• all relevant appeals against the penalty notice and any variation<br />
of it have either been decided or withdrawn; and<br />
<br />
• the period for appealing against the penalty and any variation of<br />
<br />
it has expired<br />
<br />
<br />
80. In England, Wales and Northern Ireland, the penalty is<br />
<br />
recoverable by Order of the County Court or the High Court. In<br />
<br />
Scotland, the penalty can be enforced in the same manner as an<br />
extract registered decree arbitral bearing a warrant for execution<br />
<br />
issued by the sheriff court of any sheriffdom in Scotland.<br />
<br />
<br />
<br />
<br />
81. Your attention is drawn to Annex 1 to this Notice, which sets out<br />
details of your rights of appeal under s.162 DPA 2018.<br />
<br />
<br />
Dated the 5th day of July 2021<br />
<br />
<br />
Stephen Eckersley<br />
Director of Investigations<br />
Information Commissioner's Office<br />
Wycliffe House<br />
Water Lane<br />
Wilmslow<br />
Cheshire<br />
SK9 5AF<br />
<br />
ANNEX 1<br />
<br />
<br />
Rights of appeal against decisions of the commissioner<br />
<br />
<br />
1. Section 162 of the Data Protection Act 2018 gives any person upon<br />
<br />
whom a penalty notice or variation notice has been served a right of<br />
<br />
appeal to the First-tier Tribunal (Information Rights) (the 'Tribunal')<br />
against the notice.<br />
<br />
<br />
<br />
2. If you decide to appeal and if the Tribunal considers:-<br />
<br />
<br />
a) that the notice against which the appeal is brought is not in<br />
accordance with the law; or<br />
<br />
<br />
<br />
b) to the extent that the notice involved an exercise of discretion by<br />
the Commissioner, that she ought to have exercised her<br />
<br />
discretion differently,<br />
<br />
<br />
the Tribunal will allow the appeal or substitute such other decision as<br />
<br />
could have been made by the Commissioner. In any other case the<br />
<br />
Tribunal will dismiss the appeal.<br />
<br />
<br />
3. You may bring an appeal by serving a notice of appeal on the Tribunal<br />
at the following address:<br />
<br />
<br />
<br />
GRC & GRP Tribunals<br />
PO Box 9300<br />
Arnhem House<br />
31 Waterloo Way<br />
Leicester<br />
LE1 8DJ<br />
<br />
Telephone: 0203 936 8963<br />
Email: grc@justice.gov.uk<br />
<br />
<br />
a) The notice of appeal should be sent so it is received by the<br />
<br />
Tribunal within 28 days of the date of the notice.<br />
<br />
<br />
b) If your notice of appeal is late the Tribunal will not admit it<br />
<br />
unless the Tribunal has extended the time for complying with this<br />
rule.<br />
<br />
<br />
4. The notice of appeal should state:-<br />
<br />
<br />
<br />
a) your name and address / name and address of your representative<br />
(if any);<br />
<br />
<br />
<br />
b) an address where documents may be sent or delivered to you;<br />
<br />
<br />
c) the name and address of the Information Commissioner;<br />
<br />
<br />
d) details of the decision to which the proceedings relate;<br />
<br />
<br />
e) the result that you are seeking;<br />
<br />
<br />
<br />
f) the grounds on which you rely;<br />
<br />
<br />
g) you must provide with the notice of appeal a copy of the penalty<br />
notice or variation notice;<br />
<br />
<br />
<br />
h) if you have exceeded the time limit mentioned above the notice<br />
of appeal must include a request for an extension of time and the<br />
<br />
reason why the notice of appeal was not provided in time.<br />
<br />
<br />
<br />
<br />
5. Before deciding whether or not to appeal you may wish to consult your<br />
solicitor or another adviser. At the hearing of an appeal a party may<br />
<br />
conduct his case himself or may be represented by any person whom<br />
he may appoint for that purpose.<br />
<br />
<br />
6. The statutory provisions concerning appeals to the First-tier Tribunal<br />
(General Regulatory Chamber) are contained in sections 162 and 163<br />
<br />
of, and Schedule 16 to, the Data Protection Act 2018, and Tribunal<br />
Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules<br />
<br />
2009 (Statutory Instrument 2009 No. 1976 (L.20))<br />
<br />
</pre></div>Mariam-hwthhttps://gdprhub.eu/index.php?title=ICO_(UK)_-_Global_One_2015&diff=16630ICO (UK) - Global One 20152021-06-17T21:01:51Z<p>Mariam-hwth: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|DPA-BG-Color=background-color:#023868;<br />
|DPAlogo=LogoUK.png<br />
|DPA_Abbrevation=ICO (UK)<br />
|DPA_With_Country=ICO (UK)<br />
<br />
|Case_Number_Name=Global One 2015<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Information Commissioner's Office<br />
|Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/mpns/2619970/global-one-2015-mpn.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=14.06.2021<br />
|Date_Published=15.06.2021<br />
|Year=2021<br />
|Fine=10000<br />
|Currency=GBP<br />
<br />
<br />
<br />
|National_Law_Name_1=Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
|National_Law_Link_1=https://www.legislation.gov.uk/uksi/2003/2426/contents<br />
|National_Law_Name_2=Regulation 23 of the Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
|National_Law_Link_2=https://www.legislation.gov.uk/uksi/2003/2426/contents<br />
<br />
|Party_Name_1=Global One 2015<br />
|Party_Link_1=https://globalone.org.uk/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The UK DPA (ICO) imposed a fine of around €11600 on Global One 2015. This charity infringed regulations 22 and 23 PECR by sending unsolicited marketing messages without consent and without providing an address for individuals to refuse such marketing.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Global One is a charity that aims to improve health, sanitation and agriculture. The Information Commissioner's Office received 539 complaints from individuals who had received unsolicited text messages from Global One. These complaints occurred between 30 April 2020 and 22 May 2020, during which 573,000 texts were sent overall. The texts did not offer individuals the opportunity to opt out.<br />
<br />
Global One had entered into an agreement with a third party (X) that was to provide it with a marketing strategy. The third party (X) informed Global One that it would start an SMS campaign to gain donations. Global One says it assumed that the campaign would use a marketing list that belonged to the third party (X). However, the third party (X) itself commissioned another third party (Y) to deliver the text messaging campaign. The third party (Y) claimed that the list it used was compliant with relevant laws.<br />
<br />
However, no evidence of consent was provided. Global One claimed to have undertaken due diligence, whilst the party it contracted with (X) claimed that it had only advised or referred Global One on to various other agencies.<br />
<br />
=== Dispute ===<br />
Does sending marketing texts to individuals where consent was gathered by a third party breach regulations 22 and 23 PECR?<br />
<br />
=== Holding ===<br />
The Information Commissioner's Office held that Global One infringed Regulations 22 and 23 PECR.<br />
<br />
Global One relied on consent obtained by another organisation to send these text messages. However, the ICO's view is that organisations must gather better consent. Indirect consent collected by a third party is only authorised where it is clear and specific enough.<br />
<br />
As there is no evidence of individuals consenting to third party marketing, the ICO concluded that Global One did not have the necessary valid consent to send marketing messages. Therefore, Global One breached regulation 22 PECR.<br />
<br />
The ICO also held that Global One breached Regulation 23(b) PECR as it did not provide a valid address to recipients of marketing for them to send a request to refuse marketing. There was no procedure in place for handling such requests from individuals.<br />
<br />
The ICO therefore decided to impose a fine of around €11600 on Global One for breaching regulations 22 and 23 PECR. The ICO concluded that the contravention was serious and negligent. The fine can be reduced by 20% if paid within a month.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
ICO.<br />
Information Commissioner's Office<br />
<br />
<br />
DATA PROTECTION ACT 1998<br />
<br />
<br />
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER<br />
<br />
<br />
<br />
MONETARY PENALTY NOTICE<br />
<br />
<br />
<br />
<br />
To: Global One 2015<br />
<br />
<br />
Of: 4 Gateway Mews, Bounds Green, London, N11 2UT<br />
<br />
<br />
<br />
1. The Information Commissioner ("Commissioner") has decided to issue<br />
Global One 2015 ("Global One") with a monetary penalty under section<br />
<br />
55A of the Data Protection Act 1998 ("DPA"). The penalty is in relation<br />
to a serious contravention of Regulation 22 of the Privacy and<br />
<br />
Electronic Communications (EC Directive) Regulations 2003 ("PECR").<br />
<br />
<br />
2. This notice explains the Commissioner's decision.<br />
<br />
<br />
Legal framework<br />
<br />
<br />
<br />
3. Global One, whose registered office is given above (Companies House<br />
Registration Number: 07517992) is the organisation stated in this<br />
<br />
notice to have instigated the transmission of unsolicited<br />
communications by means of electronic mail to individual subscribers<br />
<br />
for the purposes of direct marketing contrary to regulation 22 of PECR.<br />
<br />
<br />
4. Regulation 22 of PECR states:<br />
<br />
<br />
<br />
<br />
"(1) This regulation applies to the transmission of unsolicited<br />
communications by means of electronic mail to individual<br />
<br />
subscribers.<br />
<br />
(2) Except in the circumstances referred to in paragraph (3), a person<br />
<br />
shall neither transmit, nor instigate the transmission of, unsolicited<br />
communications for the purposes of direct marketing by means of<br />
<br />
electronic mail unless the recipient of the electronic mail has<br />
<br />
previously notified the sender that he consents for the time being<br />
to such communications being sent by, or at the instigation of, the<br />
<br />
sender.<br />
<br />
(3) A person may send or instigate the sending of electronic mail for<br />
<br />
the purposes of direct marketing where-<br />
<br />
(a) that person has obtained the contact details of the recipient<br />
of that electronic mail in the course of the sale or<br />
<br />
negotiations for the sale of a product or service to that<br />
<br />
recipient;<br />
<br />
(b) the direct marketing is in respect of that person's similar<br />
products and services only; and<br />
<br />
<br />
(c) the recipient has been given a simple means of refusing<br />
(free of charge except for the costs of the transmission of<br />
<br />
the refusal) the use of his contact details for the purposes<br />
of such direct marketing, at the time that the details were<br />
<br />
initially collected, and, where he did not initially refuse the<br />
<br />
use of the details, at the time of each subsequent<br />
communication.<br />
<br />
(4) A subscriber shall not permit his line to be used in contravention of<br />
<br />
paragraph (2)."<br />
<br />
<br />
<br />
<br />
<br />
<br />
5. Regulation 23 of PECR states that "A person shall neither transmit, nor<br />
instigate the transmission of, a communication for the purposes of<br />
<br />
direct marketing by means of electronic mail -<br />
<br />
<br />
(a) where the identity of the person on whose behalf the<br />
<br />
communication has been sent has been disguised or<br />
concealed;<br />
<br />
(b) where a valid address to which the recipient of the<br />
<br />
communication may send a request that such<br />
<br />
communications cease has not been provided;<br />
<br />
(c) where that electronic mail would contravene regulation 7 of<br />
the Electronic Commerce (EC Directive) Regulations 2002;<br />
<br />
or<br />
<br />
(d) where that electronic mail encourages recipients to visit<br />
<br />
websites which contravene that regulation."<br />
<br />
<br />
6. Section 122(5) of the DPA 2018 defines "direct marketing" as "the<br />
<br />
communication (by whatever means) of any advertising material which<br />
is directed to particular individuals". This definition also applies for the<br />
<br />
purposes of PECR.<br />
<br />
<br />
7. Consent is defined in Article 4(11) the General Data Protection<br />
<br />
Regulation 2016/679 as "any freely given, specific, informed and<br />
unambiguous indication of the data subject's wishes by which he or<br />
<br />
she, by a statement or by a clear affirmative action, signifies<br />
<br />
agreement to the processing of personal data relating to him or her".<br />
<br />
<br />
8. "Individual" is defined in regulation 2(1) of PECR as "a living individual<br />
<br />
and includes an unincorporated body of such individuals".<br />
<br />
<br />
<br />
9. A "subscriber" is defined in regulation 2(1) of PECR as "a person who is<br />
a party to a contract with a provider of public electronic<br />
<br />
communications services for the supply of such services".<br />
<br />
10. "Electronic mail" is defined in regulation 2(1) of PECR as "any text,<br />
<br />
voice, sound or image message sent over a public electronic<br />
<br />
communications network which can be stored in the network or in the<br />
recipient's terminal equipment until it is collected by the recipient and<br />
<br />
includes messages sent using a short message service".<br />
<br />
<br />
11. Section 55A of the DPA (as amended by the Privacy and Electronic<br />
<br />
Communications (EC Directive) (Amendment) Regulations 2011 and the<br />
Privacy and Electronic Communications (Amendment) Regulations<br />
<br />
2015) states:<br />
<br />
<br />
"(1) The Commissioner may serve a person with a monetary penalty if<br />
<br />
the Commissioner is satisfied that -<br />
<br />
(a) there has been a serious contravention of the requirements<br />
of the Privacy and Electronic Communications (EC<br />
<br />
Directive) Regulations 2003 by the person,<br />
<br />
(b) subsection (2) or (3) applies.<br />
<br />
(2) This subsection applies if the contravention was deliberate.<br />
<br />
(3) This subsection applies if the person -<br />
<br />
(a) knew or ought to have known that there was a risk that<br />
<br />
the contravention would occur, but<br />
<br />
(b) failed to take reasonable steps to prevent the<br />
<br />
contravention."<br />
<br />
<br />
12. The Commissioner has issued statutory guidance under section 55C (1)<br />
of the DPA about the issuing of monetary penalties that has been<br />
<br />
<br />
published on the ICO's website. The Data Protection (Monetary<br />
Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe<br />
<br />
that the amount of any penalty determined by the Commissioner must<br />
not exceed £500,000.<br />
<br />
<br />
13. PECR were enacted to protect the individual's fundamental right to<br />
<br />
privacy in the electronic communications sector. PECR were<br />
<br />
subsequently amended and strengthened. The Commissioner will<br />
interpret PECR in a way which is consistent with the Regulations'<br />
<br />
overall aim of ensuring high levels of protection for individuals' privacy<br />
rights.<br />
<br />
<br />
<br />
14. The provisions of the DPA remain in force for the purposes of PECR<br />
notwithstanding the introduction of the Data Protection Act 2018 (see<br />
<br />
paragraph 58(1) of Part 9, Schedule 20 of that Act).<br />
<br />
<br />
Background to the case<br />
<br />
<br />
15. Phone users can report the receipt of unsolicited marketing text<br />
messages to the GSMA's Spam Reporting Service by forwarding the<br />
<br />
message to 7726 (spelling out "SPAM"). The GSMA is an organisation<br />
<br />
that represents the interests of mobile operators worldwide. The<br />
Commissioner is provided with access to the data on complaints made<br />
<br />
to the 7726 service and this data is incorporated into a Monthly Threat<br />
Assessment (MTA) used to ascertain organisations in breach of PECR.<br />
<br />
<br />
<br />
16. Global One operates as a charity involved in issues such as improving<br />
health, sanitation and agriculture. Their work covers a number of<br />
<br />
international countries, including the United Kingdom. Global One is<br />
registered with the Charity Commission, Companies House and the<br />
<br />
ICO.<br />
<br />
<br />
<br />
17. Global One came to the attention of the Commissioner after numerous<br />
complaints were received via the 7726 complaints tool about<br />
<br />
unsolicited text messages. Between 30 April 2020 and 22 May 2020<br />
<br />
539 complaints had been recorded on the 7726 system and 9 on the<br />
ICO's online recording tool. These text messages contained, or<br />
<br />
contained slight variations of, the following text:<br />
<br />
"Coronavirus Emergency Pakistan, Syria &amp; Bangladesh. Donate Food<br />
<br />
&amp; Hygiene Kits. Call (free): 03000113333 Online: globalone.org.uk<br />
Watch us live on SKY 752."<br />
<br />
<br />
18. It was noted that these texts did not offer individuals an ability to 'opt<br />
<br />
out' of future unsolicited text messages.<br />
<br />
<br />
19. An initial investigation letter was sent to Global One on 3 June 2020,<br />
<br />
highlighting the Commissioner's concerns with its PECR compliance and<br />
requesting information relating to the volumes of texts sent, the source<br />
<br />
of data used to send said texts, details of any due diligence<br />
<br />
undertaken, together with evidence of consent relied upon for the<br />
messages sent to individuals identified within complaints. An appendix<br />
<br />
detailing the complaints received was also attached.<br />
<br />
<br />
20. Global One provided a response on 22 June 2020, stating that on 20<br />
March 2020 it had entered into a "revenue raising and sharing<br />
<br />
agreement" ("the agreement") with (''.")<br />
under which • would provide a marketing strategy in relation to a<br />
<br />
number of key initiatives. Global One went on to explain that under the<br />
<br />
agreement they "will have no right nor will seek to exercise any<br />
direction, control or supervision over ; and that<br />
<br />
has the sole right to control and direct the means, manner and method<br />
<br />
by which the services required by the Agreement would be performed".<br />
<br />
21. A copy of the agreement later provided by Global One makes no<br />
<br />
mention of SMS marketing, however the agreement is summarised as<br />
follows:<br />
<br />
<br />
"The charity intends to procure as<br />
consultant/advisers to develop and execute a revenue sharing<br />
<br />
agreement, which will raise funds from public donations and allow the<br />
charity to enhance and apply for more institutional funding. The charity<br />
<br />
wishes to diversify its fundraising income streams".<br />
<br />
<br />
22. The letter went on to state that on 23 April 202 informed Global<br />
One that it would be undertaking an SMS campaign to maximise<br />
<br />
donations, which Global One says it assumed would be based on the<br />
use of third-party marketing lists belonging to •.<br />
<br />
<br />
23. Global One advised that between April 2020 and May 2020, 573,000<br />
<br />
SMS marketing messages were sent on its behalf. During this period,<br />
• managed the SMS marketing campaign, and Global One say it only<br />
<br />
became aware on 1 June 2020 that- had entered into a verbal<br />
contract with a third party data supplier who undertook the sending of<br />
<br />
the SMS using a marketing list belonging to that supplier.<br />
<br />
<br />
24. In response to the Commissioner's request for evidence of consent to<br />
send SMS messages to those who had been identified on the list of<br />
<br />
complaints, Global One said it had not been provided this information<br />
from and would need to approach. to obtain this. In a further<br />
response dated 23 July 2020 Global One provided the following<br />
<br />
information:<br />
<br />
have confirmed that they commissioned the [third party<br />
provider] to deliver the text messaging campaign.<br />
<br />
<br />
<br />
<br />
The [third party provider] have confirmed in writing that the lists they<br />
use are fully compliant data, please see the attached letter and<br />
accompanying spreadsheet with their comments."<br />
<br />
The attached letter indicated that the data is obtained from multiple<br />
<br />
sources including "government records, licensing boards, directories,<br />
telephone searches, memberships, attendee registers, website<br />
<br />
registration, county courthouse records, credit reference agency data,<br />
Secretary of State data, business magazines and newspaper<br />
<br />
subscriptions". The spreadsheet of complaints provided by the<br />
<br />
Commissioner had been amended to add a new column titled "Consent"<br />
and the words "opt in for third party marketing" next to each<br />
<br />
complainant.<br />
<br />
<br />
25. On 21 August 2020 the Commissioner requested that Global One<br />
provide evidence of the consent that had been obtained by the third<br />
<br />
party data provider to market the complainants. In response, Global<br />
One explained that it did not have access to this information and the<br />
<br />
third party provider was reluctant to supply it. As such, no evidence of<br />
<br />
consent has been provided.<br />
<br />
<br />
26. The Commissioner went on to request copies of correspondence<br />
between Global One, • and the third party data provider relating to<br />
<br />
promotional or marketing activities. On 27 August 2020 Global One<br />
<br />
replied, stating that they had been unable to locate any such written<br />
communications regarding the SMS marketing campaign which was<br />
<br />
carried out on their behalf. The reason given was that all such<br />
communications were conducted by telephone.<br />
<br />
<br />
<br />
27. Enquiries raised by the Commissioner directly with • elicited the<br />
following response:<br />
<br />
<br />
<br />
<br />
<br />
" is aware of the current investigation being conducted by<br />
the ICO in relation to one of our clients, Global One 2015. Other than<br />
<br />
providing strategic recommendations on how to deliver charitable<br />
appeal campaigns, we have done nothing more than advice/refer a<br />
<br />
client onto various other agencies/companies to support them in being<br />
<br />
able to reach a wider audience. We in this situation are not responsible<br />
for due diligence or any contractual obligations for any work Global One<br />
<br />
decide to undertake with any third party."<br />
<br />
<br />
In subsequent Representations to the Notice of Intent however, Global<br />
<br />
One evidenced an email from in which the contrary was<br />
stated: "we undertook our responsibility to carry out due diligence on<br />
<br />
the provider ". This statement was made in response to<br />
<br />
enquiries made of by Global One dated 1 June 2020, and<br />
which post-dated the SMS campaign.<br />
<br />
<br />
28. The Commissioner has made the above findings of fact on the<br />
<br />
balance of probabilities.<br />
<br />
<br />
29. The Commissioner has considered whether those facts constitute<br />
a contravention of regulation 22 of PECR by Global One and, if so,<br />
<br />
whether the conditions of section 55A DPA are satisfied.<br />
<br />
<br />
The contravention<br />
<br />
<br />
30. The Commissioner finds that Global One contravened regulations 22<br />
<br />
and 23 of PECR.<br />
<br />
<br />
31. The Commissioner finds that the contravention was as follows:<br />
<br />
<br />
<br />
<br />
<br />
<br />
32. Between 24 April 2020 and 23 May 2020 Global One instigated the<br />
transmission of 573,000 unsolicited direct marketing texts contrary to<br />
<br />
Regulations 22 &amp; 23 of PECR. This resulted in a total of 539 complaints<br />
being received via the 7726 service and 9 via the Commissioner's<br />
<br />
online reporting tool.<br />
<br />
<br />
33. Global One, as the instigator of the direct marketing, is required to<br />
ensure that it is acting in compliance with the requirements of<br />
<br />
regulation 22 of PECR, and to ensure that valid consent to send those<br />
messages had been acquired. The only exception to this is where the<br />
<br />
provisions of Regulation 22(3) apply, otherwise referred to as the 'soft<br />
opt-in'. As a charitable organisation, the 'soft opt-in' would not be<br />
<br />
applicable in this instance.<br />
<br />
<br />
34. Global One relied on consent obtained by another organisation for its<br />
<br />
own purposes, i.e. 'indirect consent'. The Commissioner's direct<br />
marketing guidance says "organisations need to be aware that indirect<br />
<br />
consent will not be enough for texts, emails or automated calls. This is<br />
<br />
because the rules on electronic marketing are stricter, to reflect the<br />
more intrusive nature of electronic messages."<br />
<br />
<br />
35. It goes on to say that indirect consent can be valid but only if it is clear<br />
and specific enough. Moreover, "the customer must have anticipated<br />
<br />
that their details would be passed to the organisation in question, and<br />
<br />
that they were consenting to messages from that organisation. This will<br />
depend on what exactly they were told when consent was obtained".<br />
<br />
<br />
36. The data lists utilised to transmit the SMS had been compiled from a<br />
diverse list of sources. Whilst the third party data provider stated that<br />
<br />
each complainant was "opted-in for third party marketing" Global One<br />
has not provided any evidence of this to the Commissioner and appears<br />
<br />
to have been reliant on the 's verbal assurances that this was the<br />
<br />
<br />
case. In representations to the Commissioner, Global One<br />
demonstrated that some due diligence enquiries had been made of.<br />
<br />
- in early June 2020, however these post-dated the<br />
contravention and were insufficient to establish the existence of valid<br />
<br />
consent to send the SMS.<br />
<br />
<br />
37. The Commissioner is therefore satisfied from the evidence she has<br />
<br />
seen that Global One did not have the necessary valid consent to<br />
<br />
instigate the sending of the direct marketing messages. This<br />
constitutes a contravention of regulation 22 PECR.<br />
<br />
<br />
38. Furthermore, Regulation 23(b) provides that individuals must be<br />
<br />
provided with a valid address to which the recipient of the marketing<br />
<br />
communication may send a request to refuse marketing. In<br />
representations to the Commissioner, Global One stated that it had an<br />
<br />
effective complaints process in place whereby any complaints it<br />
received directly would be sent to in order that the data<br />
<br />
could be suppressed. was said to deal with their own<br />
<br />
requests. The Commissioner finds it difficult to accept that<br />
were in any position to handle direct requests, given that recipients of<br />
<br />
SMS were unaware of .,s involvement and were not provided with<br />
contact details. Although the content of the messages identified Global<br />
<br />
One and contained a link to their website, no address has been<br />
<br />
provided for the third party who sent the messages. As Global One<br />
were unaware that a third party was the sender of the messages<br />
<br />
during the SMS marketing campaign, individuals informing Global One<br />
<br />
that they objected to receiving such communications would have been<br />
reliant upon Global One relaying these to , and then in turn<br />
<br />
to the third party sender, and so in effect produced a convoluted,<br />
unreliable and therefore ineffectual remedy. As such the Commissioner<br />
<br />
considers that Global One are also in breach of Regulation 23.<br />
<br />
<br />
<br />
39. The Commissioner has gone on to consider whether the conditions<br />
<br />
under section 55A DPA are met.<br />
<br />
<br />
Seriousness of the contravention<br />
<br />
<br />
40. The Commissioner is satisfied that the contravention identified<br />
above was serious. This is because between 24 April 2020 and 23 May<br />
<br />
2020 Global One instigated a total of 573,000 unsolicited direct<br />
marketing messages, resulting in total of 548 complaints.<br />
<br />
<br />
<br />
41. In representations to the Notice of Intent, Global One stated that it had<br />
been the subject of a social media campaign of harassment, and SMS<br />
<br />
recipients encouraged to make complaints against Global One. Details<br />
provided to the Commissioner by way of evidence demonstrated that<br />
<br />
any such campaign (in relation to which the Commissioner makes no<br />
finding) post-dated the contravention period and so the Commissioner<br />
<br />
finds no good reason to disregard the complaints as disingenuous.<br />
<br />
<br />
42. Global One has failed to provide evidence of valid consent for any of<br />
<br />
the 573,000 unsolicited direct marketing messages it instigated.<br />
<br />
43. Furthermore, the messages did not contain adequate instruction on<br />
<br />
how individuals may opt-out of receiving further marketing.<br />
<br />
<br />
44. It is apparent that Global One adopted a targeted strategy in order<br />
both to raise their profile and increase their revenue stream during the<br />
<br />
Covid-19 pandemic.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
45. The Commissioner is therefore satisfied that condition (a) from<br />
section 55A(1) DPA is met.<br />
<br />
<br />
Deliberate or negligent contraventions<br />
<br />
<br />
46. The Commissioner has considered whether the contravention identified<br />
<br />
above was deliberate.<br />
<br />
<br />
47. The Commissioner considers that Global One did not deliberately set<br />
<br />
out to contravene PECR in this instance.<br />
<br />
<br />
48. The Commissioner has gone on to consider whether the contravention<br />
identified above was negligent. This consideration comprises two<br />
<br />
elements:<br />
<br />
<br />
49. Firstly, she has considered whether Global One knew or ought<br />
<br />
reasonably to have known that there was a risk that these<br />
contraventions would occur. She is satisfied that this condition is met,<br />
<br />
not least since the issue of unsolicited text messages have been widely<br />
publicised by the media as being a problem.<br />
<br />
<br />
<br />
50. The Commissioner has published detailed guidance for those carrying<br />
out direct marketing explaining their legal obligations under PECR.<br />
<br />
This guidance gives clear advice regarding the requirements of consent<br />
for direct marketing and explains the circumstances under which<br />
<br />
organisations are able to carry out marketing over the phone, by text,<br />
by email, by post, or by fax. In particular it states that organisations<br />
<br />
can generally only send, or instigate, marketing messages to<br />
<br />
individuals if that person has specifically consented to receiving them.<br />
The guidance is also clear about the significant risks of relying on<br />
<br />
indirect consent, as Global One did in this instance.<br />
<br />
<br />
51. In 2018 the charity sector came under much scrutiny following<br />
investigations and penalties in respect of contravention of PECR.<br />
<br />
These investigations were well publicised at the time, receiving much<br />
media attention and further engagement with the Charity Commission<br />
<br />
and the ICO, including conferences to the third sector to highlight the<br />
issues and promote compliance. The introduction of the Fund Raising<br />
Preference Service in 2016 also provides advice and support to<br />
<br />
charities with the aim of making it easier for them to understand the<br />
standards expected when fundraising.<br />
<br />
<br />
52. It is therefore reasonable to suppose that Global One should have been<br />
<br />
aware of its responsibilities in this area.<br />
<br />
53. Secondly, the Commissioner has gone on to consider whether Global<br />
One failed to take reasonable steps to prevent the contraventions.<br />
<br />
Again, she is satisfied that this condition is met.<br />
<br />
54. During the course of the Commissioner's investigation responses<br />
provided by Global One indicated that they were aware that proper due<br />
<br />
diligence should have been undertaken prior to entering into the<br />
agreement with however due to time constraints no due diligence<br />
<br />
was conducted, stating: "under normal circumstances we would have<br />
had further meetings to fully review contractual terms and conduct<br />
proper due diligence with regards to databases and compliance,<br />
<br />
regrettably this was not the case". Global One instead relied on verbal<br />
assurances provided by <br />
<br />
55. Reasonable steps which the Commissioner might expect in these<br />
<br />
circumstances could have included ensuring a comprehensive contract<br />
was in place with • relating to the marketing campaign and the<br />
<br />
provision of the data to be relied upon, to ensure its reliability and<br />
<br />
validity. Global One failed to provide any evidence of communications<br />
<br />
between itself and regarding the SMS marketing campaign, other<br />
than to say the matter was discussed and concluded in two telephone<br />
meetings with •. Failure to formalise the obligation of due diligence<br />
<br />
also led to conflicting evidence during the investigation and subsequent<br />
representations as to which party was thought to be responsible. There<br />
<br />
was a clear lack of control over a direct marketing campaign launched<br />
at their instruction o<br />
<br />
<br />
56. Global One did later ask. for evidence of consent, but only after<br />
<br />
commencement of the campaign, and after it had received complaints<br />
directly in early May 2020. At that point Global One took no action to<br />
<br />
pause or suspend the campaign whilst enquiries were made. Even then<br />
Global One continued to rely upon .,s assurances without any actual<br />
<br />
evidence of consent. Whilst Global One did attempt to undertake some<br />
due diligence in early June 2020, it was only after it became aware that<br />
<br />
the leads were supplied by a third party, and at the end of the<br />
campaign in question. It would have been reasonable for Global One<br />
<br />
to carry out its own checks as to how consent was being obtained prior<br />
to instigating the SMS campaign, notwithstanding any assurances by<br />
<br />
•· In short, simple reliance on assurances of indirect consent alone<br />
without undertaking proper due diligence is not acceptable.<br />
<br />
<br />
57. In the circumstances, the Commissioner is satisfied that Global One<br />
failed to take reasonable steps to prevent the contraventions.<br />
<br />
<br />
58. The Commissioner is therefore satisfied that condition (b) from section<br />
<br />
55A (1) DPA is met.<br />
<br />
<br />
<br />
<br />
<br />
The Commissioner's decision to impose a monetary penalty<br />
<br />
<br />
59. The Commissioner finds that there are no aggravating features of<br />
<br />
this case.<br />
<br />
<br />
60. The Commissioner has taken into account the following mitigating<br />
<br />
features of this case:<br />
<br />
<br />
• Since the commencement of the Commissioner's investigation<br />
<br />
Global One has ceased all direct marketing activities and is<br />
<br />
undertaking a full review of its data protection compliance.<br />
<br />
<br />
61. For the reasons explained above, the Commissioner is satisfied that the<br />
<br />
conditions from section 55A(1) DPA have been met in this case. She is<br />
also satisfied that the procedural rights under section 55B have been<br />
<br />
complied with.<br />
<br />
<br />
62. This has included the issuing of a Notice of Intent, in which the<br />
<br />
Commissioner set out her preliminary thinking, and invited Global One<br />
2015 to make representations in response.<br />
<br />
<br />
<br />
63. The Commissioner has received and considered Representations in<br />
response to the Notice of Intent dated 30 April 2021.<br />
<br />
<br />
<br />
64. The Commissioner is accordingly entitled to issue a monetary penalty in<br />
this case.<br />
<br />
<br />
<br />
65. The Commissioner has considered whether, in the circumstances, she<br />
should exercise her discretion so as to issue a monetary penalty. She<br />
<br />
has decided that a monetary penalty is an appropriate and proportionate<br />
<br />
<br />
<br />
<br />
response to the finding of a serious contravention of regulations 22 and<br />
23 of PECR by Global One.<br />
<br />
<br />
66. The Commissioner's underlying objective in imposing a monetary<br />
<br />
penalty notice is to promote compliance with PECR. The instigation or<br />
<br />
making of unsolicited direct marketing texts is a matter of significant<br />
public concern. A monetary penalty in this case should act as a general<br />
<br />
encouragement towards compliance with the law, or at least as a<br />
<br />
deterrent against non-compliance, on the part of all persons running<br />
businesses currently engaging in these practices. This is an opportunity<br />
<br />
to reinforce the need for businesses to ensure that they are only texting<br />
consumers who want to receive these messages.<br />
<br />
<br />
<br />
67. The Commissioner has also considered the likely impact of a monetary<br />
penalty on Global One and in doing so has reviewed financial evidence<br />
<br />
supplied alongside its representations.<br />
<br />
<br />
The amount of the penalty<br />
<br />
<br />
68. Taking into account all of the above, the Commissioner has decided that<br />
<br />
the amount of the penalty is £10,000 (Ten thousand pounds).<br />
<br />
<br />
Conclusion<br />
<br />
<br />
69. The monetary penalty must be paid to the Commissioner's office by<br />
<br />
BACS transfer or cheque by 15 July 2021 at the latest. The monetary<br />
penalty is not kept by the Commissioner but will be paid into the<br />
<br />
Consolidated Fund which is the Government's general bank account at<br />
the Bank of England.<br />
<br />
<br />
<br />
<br />
<br />
<br />
70. If the Commissioner receives full payment of the monetary penalty by<br />
14 July 2021 the Commissioner will reduce the monetary penalty by<br />
<br />
20% to £8,000 (Eight thousand pounds). However, you should be<br />
aware that the early payment discount is not available if you decide to<br />
<br />
exercise your right of appeal.<br />
<br />
<br />
71. There is a right of appeal to the First-tier Tribunal (Information Rights)<br />
<br />
against:<br />
<br />
<br />
a) the imposition of the monetary penalty<br />
and/or;<br />
<br />
<br />
<br />
b) the amount of the penalty specified in the monetary penalty<br />
notice.<br />
<br />
<br />
70. Any notice of appeal should be received by the Tribunal within 28 days<br />
<br />
of the date of this monetary penalty notice.<br />
<br />
<br />
71. Information about appeals is set out in Annex 1.<br />
<br />
<br />
72. The Commissioner will not take action to enforce a monetary penalty<br />
unless:<br />
<br />
<br />
• the period specified within the notice within which a monetary penalty<br />
<br />
must be paid has expired and all or any of the monetary penalty has<br />
not been paid;<br />
<br />
<br />
<br />
• all relevant appeals against the monetary penalty notice and any<br />
variation of it have either been decided or withdrawn; and<br />
<br />
<br />
• the period for appealing against the monetary penalty and any variation of<br />
it has expired.<br />
<br />
73. In England, Wales and Northern Ireland, the monetary penalty is<br />
recoverable by Order of the County Court or the High Court. In<br />
<br />
Scotland, the monetary penalty can be enforced in the same manner<br />
as an extract registered decree arbitral bearing a warrant for execution<br />
<br />
issued by the sheriff court of any sheriffdom in Scotland.<br />
<br />
<br />
Dated the 14th day of June 2021<br />
<br />
<br />
Andy Curry<br />
Head of Investigations<br />
Information Commissioner's Office<br />
Wycliffe House<br />
Water Lane<br />
Wilmslow<br />
Cheshire<br />
SK9 5AF<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
ANNEX 1<br />
<br />
<br />
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998<br />
<br />
<br />
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER<br />
<br />
<br />
1. Section 48 of the Data Protection Act 1998 gives any person upon<br />
whom a monetary penalty notice or variation notice has been served a right<br />
of appeal to the First-tier Tribunal (Information Rights) (the 'Tribunal')<br />
<br />
against the notice.<br />
<br />
2. If you decide to appeal and if the Tribunal considers:-<br />
<br />
<br />
a) that the notice against which the appeal is brought is not in accordance<br />
with the law; or<br />
<br />
b) to the extent that the notice involved an exercise of discretion by the<br />
<br />
Commissioner, that she ought to have exercised her discretion differently,<br />
<br />
the Tribunal will allow the appeal or substitute such other decision as could<br />
have been made by the Commissioner. In any other case the Tribunal will<br />
<br />
dismiss the appeal.<br />
<br />
3. You may bring an appeal by serving a notice of appeal on the Tribunal<br />
at the following address:<br />
<br />
<br />
<br />
GRC & GRP Tribunals<br />
PO Box 9300<br />
Arnhem House<br />
<br />
31 Waterloo Way<br />
Leicester<br />
LE1 8DJ<br />
<br />
<br />
a) The notice of appeal should be sent so it is received by the Tribunal<br />
within 28 days of the date of the notice.<br />
<br />
<br />
<br />
b) If your notice of appeal is late the Tribunal will not admit it unless the<br />
Tribunal has extended the time for complying with this rule.<br />
<br />
<br />
4. The notice of appeal should state:-<br />
<br />
a) your name and address/name and address of your representative<br />
(if any);<br />
<br />
<br />
b) an address where documents may be sent or delivered to you;<br />
<br />
c) the name and address of the Information Commissioner;<br />
<br />
<br />
d) details of the decision to which the proceedings relate;<br />
<br />
e) the result that you are seeking;<br />
<br />
<br />
f) the grounds on which you rely;<br />
<br />
g) you must provide with the notice of appeal a copy of the<br />
monetary penalty notice or variation notice;<br />
<br />
<br />
h) if you have exceeded the time limit mentioned above the notice<br />
of appeal must include a request for an extension of time and the<br />
reason why the notice of appeal was not provided in time.<br />
<br />
<br />
5. Before deciding whether or not to appeal you may wish to consult your<br />
solicitor or another adviser. At the hearing of an appeal a party may conduct<br />
his case himself or may be represented by any person whom he may<br />
appoint for that purpose.<br />
<br />
<br />
6. The statutory provisions concerning appeals to the First-tier Tribunal<br />
(Information Rights) are contained in sections 48 and 49 of, and Schedule 6<br />
to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal)<br />
<br />
(General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No.<br />
1976 (L.20)).<br />
<br />
<br />
<br />
<br />
<br />
<br />
</pre></div>Mariam-hwthhttps://gdprhub.eu/index.php?title=ICO_(UK)_-_Global_One_2015&diff=16629ICO (UK) - Global One 20152021-06-17T21:01:13Z<p>Mariam-hwth: Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO (UK) |DPA_With_Country=ICO (UK) |Case_Number_N..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|DPA-BG-Color=background-color:#023868;<br />
|DPAlogo=LogoUK.png<br />
|DPA_Abbrevation=ICO (UK)<br />
|DPA_With_Country=ICO (UK)<br />
<br />
|Case_Number_Name=Global One 2015<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Information Commissioner's Office<br />
|Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/mpns/2619970/global-one-2015-mpn.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=14.06.2021<br />
|Date_Published=15.06.2021<br />
|Year=2021<br />
|Fine=10000<br />
|Currency=GBP<br />
<br />
<br />
<br />
|National_Law_Name_1=Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
|National_Law_Link_1=https://www.legislation.gov.uk/uksi/2003/2426/contents<br />
|National_Law_Name_2=Regulation 23 of the Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
|National_Law_Link_2=https://www.legislation.gov.uk/uksi/2003/2426/contents<br />
<br />
|Party_Name_1=Global One 2015<br />
|Party_Link_1=https://globalone.org.uk/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The UK DPA (ICO) imposed a fine of around €11600 on a charity called Global One 2015. The charity infringed regulations 22 and 23 PECR by sending unsolicited marketing messages without consent and without providing an address for individuals to refuse such marketing.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Global One is a charity that aims to improve health, sanitation and agriculture. The Information Commissioner's Office received 539 complaints from individuals who had received unsolicited text messages from Global One. These complaints were made between 30 April 2020 and 22 May 2020, a period in which 573,000 texts were sent overall. The texts did not offer individuals the opportunity to opt out. <br />
<br />
Global One had entered into an agreement with a third party (X) that was to provide them with a marketing strategy. The third party (X) informed Global One that it would start an SMS campaign to gain donations. Global One says it assumed that this would be based on a marketing list that belonged to the third party (X). However, the third party (X) itself commissioned another third party (Y) to deliver the text messaging campaign. The third party (Y) claimed that the list they used was compliant with relevant laws.<br />
<br />
However, there was no evidence of consent being provided. Global One claimed to have undertaken due diligence, whilst the party it contracted with (X) claimed that it only advised Global One onto various other agencies. <br />
<br />
=== Dispute ===<br />
Does sending marketing text to individuals where consent was gathered by a third party breach regulations 22 and 23 PECR?<br />
<br />
=== Holding ===<br />
The Information Commissioner's Office held that Global One infringed Regulations 22 and 23 PECR. <br />
<br />
Global One relied on consent obtained by another organisation to send these text messages. However, the ICO's view is that organisations must gather better consent. Indirect consent collected by a third party is only authorised where it is clear and specific enough.<br />
<br />
As there is no evidence of individuals consenting to third party marketing, the ICO concluded that Global One did not have the necessary valid consent to send marketing messages. Therefore, Global One breached regulation 22 PECR.<br />
<br />
The ICO also held that Global One breached Regulation 23(b) PECR as it did not provide a valid address to recipients of marketing for them to send a request to refuse marketing. There was no procedure in place for handling such requests from individuals.<br />
<br />
The ICO therefore decided to impose a fine of around €11600 on Global One for breaching regulations 22 and 23 PECR. The ICO concluded that the contravention was serious and negligent. The fine can be reduced by 20% if paid within a month.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
•<br />
<br />
ICO.<br />
Information Commissioner's Office<br />
<br />
<br />
DATA PROTECTION ACT 1998<br />
<br />
<br />
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER<br />
<br />
<br />
<br />
MONETARY PENALTY NOTICE<br />
<br />
<br />
<br />
<br />
To: Global One 2015<br />
<br />
<br />
Of: 4 Gateway Mews, Bounds Green, London, N11 2UT<br />
<br />
<br />
<br />
1. The Information Commissioner ("Commissioner") has decided to issue<br />
Global One 2015 ("Global One") with a monetary penalty under section<br />
<br />
55A of the Data Protection Act 1998 ("DPA"). The penalty is in relation<br />
to a serious contravention of Regulation 22 of the Privacy and<br />
<br />
Electronic Communications (EC Directive) Regulations 2003 ("PECR").<br />
<br />
<br />
2. This notice explains the Commissioner's decision.<br />
<br />
<br />
Legal framework<br />
<br />
<br />
<br />
3. Global One, whose registered office is given above (Companies House<br />
Registration Number: 07517992) is the organisation stated in this<br />
<br />
notice to have instigated the transmission of unsolicited<br />
communications by means of electronic mail to individual subscribers<br />
<br />
for the purposes of direct marketing contrary to regulation 22 of PECR.<br />
<br />
<br />
4. Regulation 22 of PECR states:<br />
<br />
<br />
<br />
<br />
"(1) This regulation applies to the transmission of unsolicited<br />
communications by means of electronic mail to individual<br />
<br />
subscribers.<br />
<br />
(2) Except in the circumstances referred to in paragraph (3), a person<br />
<br />
shall neither transmit, nor instigate the transmission of, unsolicited<br />
communications for the purposes of direct marketing by means of<br />
<br />
electronic mail unless the recipient of the electronic mail has<br />
<br />
previously notified the sender that he consents for the time being<br />
to such communications being sent by, or at the instigation of, the<br />
<br />
sender.<br />
<br />
(3) A person may send or instigate the sending of electronic mail for<br />
<br />
the purposes of direct marketing where-<br />
<br />
(a) that person has obtained the contact details of the recipient<br />
of that electronic mail in the course of the sale or<br />
<br />
negotiations for the sale of a product or service to that<br />
<br />
recipient;<br />
<br />
(b) the direct marketing is in respect of that person's similar<br />
products and services only; and<br />
<br />
<br />
(c) the recipient has been given a simple means of refusing<br />
(free of charge except for the costs of the transmission of<br />
<br />
the refusal) the use of his contact details for the purposes<br />
of such direct marketing, at the time that the details were<br />
<br />
initially collected, and, where he did not initially refuse the<br />
<br />
use of the details, at the time of each subsequent<br />
communication.<br />
<br />
(4) A subscriber shall not permit his line to be used in contravention of<br />
<br />
paragraph (2)."<br />
<br />
<br />
<br />
<br />
<br />
<br />
5. Regulation 23 of PECR states that "A person shall neither transmit, nor<br />
instigate the transmission of, a communication for the purposes of<br />
<br />
direct marketing by means of electronic mail -<br />
<br />
<br />
(a) where the identity of the person on whose behalf the<br />
<br />
communication has been sent has been disguised or<br />
concealed;<br />
<br />
(b) where a valid address to which the recipient of the<br />
<br />
communication may send a request that such<br />
<br />
communications cease has not been provided;<br />
<br />
(c) where that electronic mail would contravene regulation 7 of<br />
the Electronic Commerce (EC Directive) Regulations 2002;<br />
<br />
or<br />
<br />
(d) where that electronic mail encourages recipients to visit<br />
<br />
websites which contravene that regulation."<br />
<br />
<br />
6. Section 122(5) of the DPA 2018 defines "direct marketing" as "the<br />
<br />
communication (by whatever means) of any advertising material which<br />
is directed to particular individuals". This definition also applies for the<br />
<br />
purposes of PECR.<br />
<br />
<br />
7. Consent is defined in Article 4(11) the General Data Protection<br />
<br />
Regulation 2016/679 as "any freely given, specific, informed and<br />
unambiguous indication of the data subject's wishes by which he or<br />
<br />
she, by a statement or by a clear affirmative action, signifies<br />
<br />
agreement to the processing of personal data relating to him or her".<br />
<br />
<br />
8. "Individual" is defined in regulation 2(1) of PECR as "a living individual<br />
<br />
and includes an unincorporated body of such individuals".<br />
<br />
<br />
<br />
9. A "subscriber" is defined in regulation 2(1) of PECR as "a person who is<br />
a party to a contract with a provider of public electronic<br />
<br />
communications services for the supply of such services".<br />
<br />
10. "Electronic mail" is defined in regulation 2(1) of PECR as "any text,<br />
<br />
voice, sound or image message sent over a public electronic<br />
<br />
communications network which can be stored in the network or in the<br />
recipient's terminal equipment until it is collected by the recipient and<br />
<br />
includes messages sent using a short message service".<br />
<br />
<br />
11. Section 55A of the DPA (as amended by the Privacy and Electronic<br />
<br />
Communications (EC Directive) (Amendment) Regulations 2011 and the<br />
Privacy and Electronic Communications (Amendment) Regulations<br />
<br />
2015) states:<br />
<br />
<br />
"(1) The Commissioner may serve a person with a monetary penalty if<br />
<br />
the Commissioner is satisfied that -<br />
<br />
(a) there has been a serious contravention of the requirements<br />
of the Privacy and Electronic Communications (EC<br />
<br />
Directive) Regulations 2003 by the person,<br />
<br />
(b) subsection (2) or (3) applies.<br />
<br />
(2) This subsection applies if the contravention was deliberate.<br />
<br />
(3) This subsection applies if the person -<br />
<br />
(a) knew or ought to have known that there was a risk that<br />
<br />
the contravention would occur, but<br />
<br />
(b) failed to take reasonable steps to prevent the<br />
<br />
contravention."<br />
<br />
<br />
12. The Commissioner has issued statutory guidance under section 55C (1)<br />
of the DPA about the issuing of monetary penalties that has been<br />
<br />
<br />
published on the ICO's website. The Data Protection (Monetary<br />
Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe<br />
<br />
that the amount of any penalty determined by the Commissioner must<br />
not exceed £500,000.<br />
<br />
<br />
13. PECR were enacted to protect the individual's fundamental right to<br />
<br />
privacy in the electronic communications sector. PECR were<br />
<br />
subsequently amended and strengthened. The Commissioner will<br />
interpret PECR in a way which is consistent with the Regulations'<br />
<br />
overall aim of ensuring high levels of protection for individuals' privacy<br />
rights.<br />
<br />
<br />
<br />
14. The provisions of the DPA remain in force for the purposes of PECR<br />
notwithstanding the introduction of the Data Protection Act 2018 (see<br />
<br />
paragraph 58(1) of Part 9, Schedule 20 of that Act).<br />
<br />
<br />
Background to the case<br />
<br />
<br />
15. Phone users can report the receipt of unsolicited marketing text<br />
messages to the GSMA's Spam Reporting Service by forwarding the<br />
<br />
message to 7726 (spelling out "SPAM"). The GSMA is an organisation<br />
<br />
that represents the interests of mobile operators worldwide. The<br />
Commissioner is provided with access to the data on complaints made<br />
<br />
to the 7726 service and this data is incorporated into a Monthly Threat<br />
Assessment (MTA) used to ascertain organisations in breach of PECR.<br />
<br />
<br />
<br />
16. Global One operates as a charity involved in issues such as improving<br />
health, sanitation and agriculture. Their work covers a number of<br />
<br />
international countries, including the United Kingdom. Global One is<br />
registered with the Charity Commission, Companies House and the<br />
<br />
ICO.<br />
<br />
<br />
<br />
17. Global One came to the attention of the Commissioner after numerous<br />
complaints were received via the 7726 complaints tool about<br />
<br />
unsolicited text messages. Between 30 April 2020 and 22 May 2020<br />
<br />
539 complaints had been recorded on the 7726 system and 9 on the<br />
ICO's online recording tool. These text messages contained, or<br />
<br />
contained slight variations of, the following text:<br />
<br />
"Coronavirus Emergency Pakistan, Syria &amp; Bangladesh. Donate Food<br />
<br />
&amp; Hygiene Kits. Call (free): 03000113333 Online: globalone.org.uk<br />
Watch us live on SKY 752."<br />
<br />
<br />
18. It was noted that these texts did not offer individuals an ability to 'opt<br />
<br />
out' of future unsolicited text messages.<br />
<br />
<br />
19. An initial investigation letter was sent to Global One on 3 June 2020,<br />
<br />
highlighting the Commissioner's concerns with its PECR compliance and<br />
requesting information relating to the volumes of texts sent, the source<br />
<br />
of data used to send said texts, details of any due diligence<br />
<br />
undertaken, together with evidence of consent relied upon for the<br />
messages sent to individuals identified within complaints. An appendix<br />
<br />
detailing the complaints received was also attached.<br />
<br />
<br />
20. Global One provided a response on 22 June 2020, stating that on 20<br />
March 2020 it had entered into a "revenue raising and sharing<br />
<br />
agreement" ("the agreement") with (''.")<br />
under which • would provide a marketing strategy in relation to a<br />
<br />
number of key initiatives. Global One went on to explain that under the<br />
<br />
agreement they "will have no right nor will seek to exercise any<br />
direction, control or supervision over ; and that<br />
<br />
has the sole right to control and direct the means, manner and method<br />
<br />
by which the services required by the Agreement would be performed".<br />
<br />
21. A copy of the agreement later provided by Global One makes no<br />
<br />
mention of SMS marketing, however the agreement is summarised as<br />
follows:<br />
<br />
<br />
"The charity intends to procure as<br />
consultant/advisers to develop and execute a revenue sharing<br />
<br />
agreement, which will raise funds from public donations and allow the<br />
charity to enhance and apply for more institutional funding. The charity<br />
<br />
wishes to diversify its fundraising income streams".<br />
<br />
<br />
22. The letter went on to state that on 23 April 202 informed Global<br />
One that it would be undertaking an SMS campaign to maximise<br />
<br />
donations, which Global One says it assumed would be based on the<br />
use of third-party marketing lists belonging to •.<br />
<br />
<br />
23. Global One advised that between April 2020 and May 2020, 573,000<br />
<br />
SMS marketing messages were sent on its behalf. During this period,<br />
• managed the SMS marketing campaign, and Global One say it only<br />
<br />
became aware on 1 June 2020 that- had entered into a verbal<br />
contract with a third party data supplier who undertook the sending of<br />
<br />
the SMS using a marketing list belonging to that supplier.<br />
<br />
<br />
24. In response to the Commissioner's request for evidence of consent to<br />
send SMS messages to those who had been identified on the list of<br />
<br />
complaints, Global One said it had not been provided this information<br />
from and would need to approach. to obtain this. In a further<br />
response dated 23 July 2020 Global One provided the following<br />
<br />
information:<br />
<br />
have confirmed that they commissioned the [third party<br />
provider] to deliver the text messaging campaign.<br />
<br />
<br />
<br />
<br />
The [third party provider] have confirmed in writing that the lists they<br />
use are fully compliant data, please see the attached letter and<br />
accompanying spreadsheet with their comments."<br />
<br />
The attached letter indicated that the data is obtained from multiple<br />
<br />
sources including "government records, licensing boards, directories,<br />
telephone searches, memberships, attendee registers, website<br />
<br />
registrations, county courthouse records, credit reference agency data,<br />
Secretary of State data, business magazines and newspaper<br />
<br />
subscriptions". The spreadsheet of complaints provided by the<br />
<br />
Commissioner had been amended to add a new column titled "Consent"<br />
and the words "opt in for third party marketing" next to each<br />
<br />
complainant.<br />
<br />
<br />
25. On 21 August 2020 the Commissioner requested that Global One<br />
provide evidence of the consent that had been obtained by the third<br />
<br />
party data provider to market the complainants. In response, Global<br />
One explained that it did not have access to this information and the<br />
<br />
third party provider was reluctant to supply it. As such, no evidence of<br />
<br />
consent has been provided.<br />
<br />
<br />
26. The Commissioner went on to request copies of correspondence<br />
between Global One, • and the third party data provider relating to<br />
<br />
promotional or marketing activities. On 27 August 2020 Global One<br />
<br />
replied, stating that they had been unable to locate any such written<br />
communications regarding the SMS marketing campaign which was<br />
<br />
carried out on their behalf. The reason given was that all such<br />
communications were conducted by telephone.<br />
<br />
<br />
<br />
27. Enquiries raised by the Commissioner directly with • elicited the<br />
following response:<br />
<br />
<br />
<br />
<br />
<br />
" is aware of the current investigation being conducted by<br />
the ICO in relation to one of our clients, Global One 2015. Other than<br />
<br />
providing strategic recommendations on how to deliver charitable<br />
appeal campaigns, we have done nothing more than advice/refer a<br />
<br />
client onto various other agencies/companies to support them in being<br />
<br />
able to reach a wider audience. We in this situation are not responsible<br />
for due diligence or any contractual obligations for any work Global One<br />
<br />
decide to undertake with any third party."<br />
<br />
<br />
In subsequent Representations to the Notice of Intent however, Global<br />
<br />
One evidenced an email from in which the contrary was<br />
stated: "we undertook our responsibility to carry out due diligence on<br />
<br />
the provider ". This statement was made in response to<br />
<br />
enquiries made of by Global One dated 1 June 2020, and<br />
which post-dated the SMS campaign.<br />
<br />
<br />
28. The Commissioner has made the above findings of fact on the<br />
<br />
balance of probabilities.<br />
<br />
<br />
29. The Commissioner has considered whether those facts constitute<br />
a contravention of regulation 22 of PECR by Global One and, if so,<br />
<br />
whether the conditions of section 55A DPA are satisfied.<br />
<br />
<br />
The contravention<br />
<br />
<br />
30. The Commissioner finds that Global One contravened regulations 22<br />
<br />
and 23 of PECR.<br />
<br />
<br />
31. The Commissioner finds that the contravention was as follows:<br />
<br />
<br />
<br />
<br />
<br />
<br />
32. Between 24 April 2020 and 23 May 2020 Global One instigated the<br />
transmission of 573,000 unsolicited direct marketing texts contrary to<br />
<br />
Regulations 22 & 23 of PECR. This resulted in a total of 539 complaints<br />
being received via the 7726 service and 9 via the Commissioner's<br />
<br />
online reporting tool.<br />
<br />
<br />
33. Global One, as the instigator of the direct marketing, is required to<br />
ensure that it is acting in compliance with the requirements of<br />
<br />
regulation 22 of PECR, and to ensure that valid consent to send those<br />
messages had been acquired. The only exception to this is where the<br />
<br />
provisions of Regulation 22(3) apply, otherwise referred to as the 'soft<br />
opt-in'. As a charitable organisation, the 'soft opt-in' would not be<br />
<br />
applicable in this instance.<br />
<br />
<br />
34. Global One relied on consent obtained by another organisation for its<br />
<br />
own purposes, i.e. 'indirect consent'. The Commissioner's direct<br />
marketing guidance says "organisations need to be aware that indirect<br />
<br />
consent will not be enough for texts, emails or automated calls. This is<br />
<br />
because the rules on electronic marketing are stricter, to reflect the<br />
more intrusive nature of electronic messages."<br />
<br />
<br />
35. It goes on to say that indirect consent can be valid but only if it is clear<br />
and specific enough. Moreover, "the customer must have anticipated<br />
<br />
that their details would be passed to the organisation in question, and<br />
<br />
that they were consenting to messages from that organisation. This will<br />
depend on what exactly they were told when consent was obtained".<br />
<br />
<br />
36. The data lists utilised to transmit the SMS had been compiled from a<br />
diverse list of sources. Whilst the third party data provider stated that<br />
<br />
each complainant was "opted-in for third party marketing" Global One<br />
has not provided any evidence of this to the Commissioner and appears<br />
<br />
to have been reliant on the 's verbal assurances that this was the<br />
<br />
<br />
case. In representations to the Commissioner, Global One<br />
demonstrated that some due diligence enquiries had been made of.<br />
<br />
- in early June 2020, however these post-dated the<br />
contravention and were insufficient to establish the existence of valid<br />
<br />
consent to send the SMS.<br />
<br />
<br />
37. The Commissioner is therefore satisfied from the evidence she has<br />
<br />
seen that Global One did not have the necessary valid consent to<br />
<br />
instigate the sending of the direct marketing messages. This<br />
constitutes a contravention of regulation 22 PECR.<br />
<br />
<br />
38. Furthermore, Regulation 23(b) provides that individuals must be<br />
<br />
provided with a valid address to which the recipient of the marketing<br />
<br />
communication may send a request to refuse marketing. In<br />
representations to the Commissioner, Global One stated that it had an<br />
<br />
effective complaints process in place whereby any complaints it<br />
received directly would be sent to in order that the data<br />
<br />
could be suppressed. was said to deal with their own<br />
<br />
requests. The Commissioner finds it difficult to accept that<br />
were in any position to handle direct requests, given that recipients of<br />
<br />
SMS were unaware of 's involvement and were not provided with<br />
contact details. Although the content of the messages identified Global<br />
<br />
One and contained a link to their website, no address has been<br />
<br />
provided for the third party who sent the messages. As Global One<br />
were unaware that a third party was the sender of the messages<br />
<br />
during the SMS marketing campaign, individuals informing Global One<br />
<br />
that they objected to receiving such communications would have been<br />
reliant upon Global One relaying these to , and then in turn<br />
<br />
to the third party sender, and so in effect produced a convoluted,<br />
unreliable and therefore ineffectual remedy. As such the Commissioner<br />
<br />
considers that Global One are also in breach of Regulation 23.<br />
<br />
<br />
<br />
39. The Commissioner has gone on to consider whether the conditions<br />
<br />
under section 55A DPA are met.<br />
<br />
<br />
Seriousness of the contravention<br />
<br />
<br />
40. The Commissioner is satisfied that the contravention identified<br />
above was serious. This is because between 24 April 2020 and 23 May<br />
<br />
2020 Global One instigated a total of 573,000 unsolicited direct<br />
marketing messages, resulting in a total of 548 complaints.<br />
<br />
<br />
<br />
41. In representations to the Notice of Intent, Global One stated that it had<br />
been the subject of a social media campaign of harassment, and SMS<br />
<br />
recipients encouraged to make complaints against Global One. Details<br />
provided to the Commissioner by way of evidence demonstrated that<br />
<br />
any such campaign (in relation to which the Commissioner makes no<br />
finding) post-dated the contravention period and so the Commissioner<br />
<br />
finds no good reason to disregard the complaints as disingenuous.<br />
<br />
<br />
42. Global One has failed to provide evidence of valid consent for any of<br />
<br />
the 573,000 unsolicited direct marketing messages it instigated.<br />
<br />
43. Furthermore, the messages did not contain adequate instruction on<br />
<br />
how individuals may opt-out of receiving further marketing.<br />
<br />
<br />
44. It is apparent that Global One adopted a targeted strategy in order<br />
both to raise their profile and increase their revenue stream during the<br />
<br />
Covid-19 pandemic.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
45. The Commissioner is therefore satisfied that condition (a) from<br />
section 55A(1) DPA is met.<br />
<br />
<br />
Deliberate or negligent contraventions<br />
<br />
<br />
46. The Commissioner has considered whether the contravention identified<br />
<br />
above was deliberate.<br />
<br />
<br />
47. The Commissioner considers that Global One did not deliberately set<br />
<br />
out to contravene PECR in this instance.<br />
<br />
<br />
48. The Commissioner has gone on to consider whether the contravention<br />
identified above was negligent. This consideration comprises two<br />
<br />
elements:<br />
<br />
<br />
49. Firstly, she has considered whether Global One knew or ought<br />
<br />
reasonably to have known that there was a risk that these<br />
contraventions would occur. She is satisfied that this condition is met,<br />
<br />
not least since the issue of unsolicited text messages has been widely<br />
publicised by the media as being a problem.<br />
<br />
<br />
<br />
50. The Commissioner has published detailed guidance for those carrying<br />
out direct marketing explaining their legal obligations under PECR.<br />
<br />
This guidance gives clear advice regarding the requirements of consent<br />
for direct marketing and explains the circumstances under which<br />
<br />
organisations are able to carry out marketing over the phone, by text,<br />
by email, by post, or by fax. In particular it states that organisations<br />
<br />
can generally only send, or instigate, marketing messages to<br />
<br />
individuals if that person has specifically consented to receiving them.<br />
The guidance is also clear about the significant risks of relying on<br />
<br />
indirect consent, as Global One did in this instance.<br />
<br />
<br />
51. In 2018 the charity sector came under much scrutiny following<br />
investigations and penalties in respect of contraventions of PECR.<br />
<br />
These investigations were well publicised at the time, receiving much<br />
media attention and further engagement with the Charity Commission<br />
<br />
and the ICO, including conferences to the third sector to highlight the<br />
issues and promote compliance. The introduction of the Fund Raising<br />
Preference Service in 2016 also provides advice and support to<br />
<br />
charities with the aim of making it easier for them to understand the<br />
standards expected when fundraising.<br />
<br />
<br />
52. It is therefore reasonable to suppose that Global One should have been<br />
<br />
aware of its responsibilities in this area.<br />
<br />
53. Secondly, the Commissioner has gone on to consider whether Global<br />
One failed to take reasonable steps to prevent the contraventions.<br />
<br />
Again, she is satisfied that this condition is met.<br />
<br />
54. During the course of the Commissioner's investigation responses<br />
provided by Global One indicated that they were aware that proper due<br />
<br />
diligence should have been undertaken prior to entering into the<br />
agreement with however due to time constraints no due diligence<br />
<br />
was conducted, stating: "under normal circumstances we would have<br />
had further meetings to fully review contractual terms and conduct<br />
proper due diligence with regards to databases and compliance,<br />
<br />
regrettably this was not the case". Global One instead relied on verbal<br />
assurances provided by <br />
<br />
55. Reasonable steps which the Commissioner might expect in these<br />
<br />
circumstances could have included ensuring a comprehensive contract<br />
was in place with • relating to the marketing campaign and the<br />
<br />
provision of the data to be relied upon, to ensure its reliability and<br />
<br />
validity. Global One failed to provide any evidence of communications<br />
<br />
between itself and regarding the SMS marketing campaign, other<br />
than to say the matter was discussed and concluded in two telephone<br />
meetings with •. Failure to formalise the obligation of due diligence<br />
<br />
also led to conflicting evidence during the investigation and subsequent<br />
representations as to which party was thought to be responsible. There<br />
<br />
was a clear lack of control over a direct marketing campaign launched<br />
at their instruction o<br />
<br />
<br />
56. Global One did later ask. for evidence of consent, but only after<br />
<br />
commencement of the campaign, and after it had received complaints<br />
directly in early May 2020. At that point Global One took no action to<br />
<br />
pause or suspend the campaign whilst enquiries were made. Even then<br />
Global One continued to rely upon 's assurances without any actual<br />
<br />
evidence of consent. Whilst Global One did attempt to undertake some<br />
due diligence in early June 2020, it was only after it became aware that<br />
<br />
the leads were supplied by a third party, and at the end of the<br />
campaign in question. It would have been reasonable for Global One<br />
<br />
to carry out its own checks as to how consent was being obtained prior<br />
to instigating the SMS campaign, notwithstanding any assurances by<br />
<br />
•· In short, simple reliance on assurances of indirect consent alone<br />
without undertaking proper due diligence is not acceptable.<br />
<br />
<br />
57. In the circumstances, the Commissioner is satisfied that Global One<br />
failed to take reasonable steps to prevent the contraventions.<br />
<br />
<br />
58. The Commissioner is therefore satisfied that condition (b) from section<br />
<br />
55A(1) DPA is met.<br />
<br />
<br />
<br />
<br />
<br />
The Commissioner's decision to impose a monetary penalty<br />
<br />
<br />
59. The Commissioner finds that there are no aggravating features of<br />
<br />
this case.<br />
<br />
<br />
60. The Commissioner has taken into account the following mitigating<br />
<br />
features of this case:<br />
<br />
<br />
• Since the commencement of the Commissioner's investigation<br />
<br />
Global One has ceased all direct marketing activities and is<br />
<br />
undertaking a full review of its data protection compliance.<br />
<br />
<br />
61. For the reasons explained above, the Commissioner is satisfied that the<br />
<br />
conditions from section 55A(1) DPA have been met in this case. She is<br />
also satisfied that the procedural rights under section 55B have been<br />
<br />
complied with.<br />
<br />
<br />
62. This has included the issuing of a Notice of Intent, in which the<br />
<br />
Commissioner set out her preliminary thinking, and invited Global One<br />
to make representations in response.<br />
<br />
<br />
<br />
63. The Commissioner has received and considered Representations in<br />
response to the Notice of Intent dated 30 April 2021.<br />
<br />
<br />
<br />
64. The Commissioner is accordingly entitled to issue a monetary penalty in<br />
this case.<br />
<br />
<br />
<br />
65. The Commissioner has considered whether, in the circumstances, she<br />
should exercise her discretion so as to issue a monetary penalty. She<br />
<br />
has decided that a monetary penalty is an appropriate and proportionate<br />
<br />
<br />
<br />
<br />
response to the finding of a serious contravention of regulations 22 and<br />
23 of PECR by Global One.<br />
<br />
<br />
66. The Commissioner's underlying objective in imposing a monetary<br />
<br />
penalty notice is to promote compliance with PECR. The instigation or<br />
<br />
making of unsolicited direct marketing texts is a matter of significant<br />
public concern. A monetary penalty in this case should act as a general<br />
<br />
encouragement towards compliance with the law, or at least as a<br />
<br />
deterrent against non-compliance, on the part of all persons running<br />
businesses currently engaging in these practices. This is an opportunity<br />
<br />
to reinforce the need for businesses to ensure that they are only texting<br />
consumers who want to receive these messages.<br />
<br />
<br />
<br />
67. The Commissioner has also considered the likely impact of a monetary<br />
penalty on Global One and in doing so has reviewed financial evidence<br />
<br />
supplied alongside its representations.<br />
<br />
<br />
The amount of the penalty<br />
<br />
<br />
68. Taking into account all of the above, the Commissioner has decided that<br />
<br />
the amount of the penalty is £10,000 (Ten thousand pounds).<br />
<br />
<br />
Conclusion<br />
<br />
<br />
69. The monetary penalty must be paid to the Commissioner's office by<br />
<br />
BACS transfer or cheque by 15 July 2021 at the latest. The monetary<br />
penalty is not kept by the Commissioner but will be paid into the<br />
<br />
Consolidated Fund which is the Government's general bank account at<br />
the Bank of England.<br />
<br />
<br />
<br />
<br />
<br />
<br />
70. If the Commissioner receives full payment of the monetary penalty by<br />
14 July 2021 the Commissioner will reduce the monetary penalty by<br />
<br />
20% to £8,000 (Eight thousand pounds). However, you should be<br />
aware that the early payment discount is not available if you decide to<br />
<br />
exercise your right of appeal.<br />
<br />
<br />
71. There is a right of appeal to the First-tier Tribunal (Information Rights)<br />
<br />
against:<br />
<br />
<br />
a) the imposition of the monetary penalty<br />
and/or;<br />
<br />
<br />
<br />
b) the amount of the penalty specified in the monetary penalty<br />
notice.<br />
<br />
<br />
70. Any notice of appeal should be received by the Tribunal within 28 days<br />
<br />
of the date of this monetary penalty notice.<br />
<br />
<br />
71. Information about appeals is set out in Annex 1.<br />
<br />
<br />
72. The Commissioner will not take action to enforce a monetary penalty<br />
unless:<br />
<br />
<br />
• the period specified within the notice within which a monetary penalty<br />
<br />
must be paid has expired and all or any of the monetary penalty has<br />
not been paid;<br />
<br />
<br />
<br />
• all relevant appeals against the monetary penalty notice and any<br />
variation of it have either been decided or withdrawn; and<br />
<br />
<br />
• the period for appealing against the monetary penalty and any variation of<br />
it has expired.<br />
<br />
73. In England, Wales and Northern Ireland, the monetary penalty is<br />
recoverable by Order of the County Court or the High Court. In<br />
<br />
Scotland, the monetary penalty can be enforced in the same manner<br />
as an extract registered decree arbitral bearing a warrant for execution<br />
<br />
issued by the sheriff court of any sheriffdom in Scotland.<br />
<br />
<br />
Dated the 14th day of June 2021<br />
<br />
<br />
Andy Curry<br />
Head of Investigations<br />
Information Commissioner's Office<br />
Wycliffe House<br />
Water Lane<br />
Wilmslow<br />
Cheshire<br />
SK9 5AF<br />
<br />
<br />
ANNEX 1<br />
<br />
<br />
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998<br />
<br />
<br />
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER<br />
<br />
<br />
1. Section 48 of the Data Protection Act 1998 gives any person upon<br />
whom a monetary penalty notice or variation notice has been served a right<br />
of appeal to the First-tier Tribunal (Information Rights) (the 'Tribunal')<br />
<br />
against the notice.<br />
<br />
2. If you decide to appeal and if the Tribunal considers:-<br />
<br />
<br />
a) that the notice against which the appeal is brought is not in accordance<br />
with the law; or<br />
<br />
b) to the extent that the notice involved an exercise of discretion by the<br />
<br />
Commissioner, that she ought to have exercised her discretion differently,<br />
<br />
the Tribunal will allow the appeal or substitute such other decision as could<br />
have been made by the Commissioner. In any other case the Tribunal will<br />
<br />
dismiss the appeal.<br />
<br />
3. You may bring an appeal by serving a notice of appeal on the Tribunal<br />
at the following address:<br />
<br />
<br />
<br />
GRC & GRP Tribunals<br />
PO Box 9300<br />
Arnhem House<br />
<br />
31 Waterloo Way<br />
Leicester<br />
LE1 8DJ<br />
<br />
<br />
a) The notice of appeal should be sent so it is received by the Tribunal<br />
within 28 days of the date of the notice.<br />
<br />
<br />
<br />
b) If your notice of appeal is late the Tribunal will not admit it unless the<br />
Tribunal has extended the time for complying with this rule.<br />
<br />
<br />
4. The notice of appeal should state:-<br />
<br />
a) your name and address/name and address of your representative<br />
(if any);<br />
<br />
<br />
b) an address where documents may be sent or delivered to you;<br />
<br />
c) the name and address of the Information Commissioner;<br />
<br />
<br />
d) details of the decision to which the proceedings relate;<br />
<br />
e) the result that you are seeking;<br />
<br />
<br />
f) the grounds on which you rely;<br />
<br />
g) you must provide with the notice of appeal a copy of the<br />
monetary penalty notice or variation notice;<br />
<br />
<br />
h) if you have exceeded the time limit mentioned above the notice<br />
of appeal must include a request for an extension of time and the<br />
reason why the notice of appeal was not provided in time.<br />
<br />
<br />
5. Before deciding whether or not to appeal you may wish to consult your<br />
solicitor or another adviser. At the hearing of an appeal a party may conduct<br />
his case himself or may be represented by any person whom he may<br />
appoint for that purpose.<br />
<br />
<br />
6. The statutory provisions concerning appeals to the First-tier Tribunal<br />
(Information Rights) are contained in sections 48 and 49 of, and Schedule 6<br />
to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal)<br />
<br />
(General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No.<br />
1976 (L.20)).<br />
<br />
<br />
<br />
<br />
<br />
<br />
</pre></div>Mariam-hwthhttps://gdprhub.eu/index.php?title=ICO_(UK)_-_Papa_John%27s_(GB)_Limited&diff=16628ICO (UK) - Papa John's (GB) Limited2021-06-17T20:16:15Z<p>Mariam-hwth: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|DPA-BG-Color=background-color:#023868;<br />
|DPAlogo=LogoUK.png<br />
|DPA_Abbrevation=ICO (UK)<br />
|DPA_With_Country=ICO (UK)<br />
<br />
|Case_Number_Name=Papa John's (GB) Limited<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Information Commissioner's Office<br />
|Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/mpns/2619969/papa-johns-gb-limited-mpn.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=14.06.2021<br />
|Date_Published=15.06.2021<br />
|Year=2021<br />
|Fine=10000<br />
|Currency=GBP<br />
<br />
<br />
<br />
|National_Law_Name_1=Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
|National_Law_Link_1=https://www.legislation.gov.uk/uksi/2003/2426/contents<br />
|National_Law_Name_2=Regulation 22(3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
|National_Law_Link_2=https://www.legislation.gov.uk/uksi/2003/2426/contents<br />
<br />
|Party_Name_1=Papa John's (GB) Limited<br />
|Party_Link_1=https://www.papajohns.co.uk/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The UK DPA (ICO) imposed a fine of around €11600 on Papa John's (GB) Limited for sending unsolicited direct marketing messages to 168,022 individuals in breach of regulation 22 PECR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Papa John's, the pizza company, was the subject of various complaints to the Information Commissioner's Office (ICO). The ICO therefore initiated an investigation into Papa John's direct marketing practices.<br />
<br />
Papa John's provided details on the number of marketing messages sent between October 2019 and April 2020. It also outlined that it relies on the soft opt-in to send these messages to customers whose data it has obtained directly. It was estimated that 168,022 text messages were received by individuals on that basis.<br />
<br />
However, the initial form filled in by individuals who ordered from Papa John's did not provide an option to opt out of receiving direct marketing messages. <br />
<br />
=== Dispute ===<br />
Is there a breach of regulation 22 PECR if individuals whose information is collected by an organisation are not given the option to opt out of direct marketing and are subsequently sent direct marketing?<br />
<br />
=== Holding ===<br />
The Information Commissioner's Office (ICO) held that Papa John's was in contravention of regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR). Papa John's sent 168,022 direct marketing messages without valid consent. <br />
<br />
Papa John's gathered details from individuals that ordered on their sales channels. It then attempted to rely on the soft opt-in exemption under regulation 22(3) PECR. The exemption enables organisations to send marketing texts and emails to individuals whose details they have gathered "in the course or negotiation of a sale and in respect of similar products and services". However, the organisation must give individuals the opportunity to opt out of direct marketing when gathering their details in the first place. As Papa John's failed to do this, the ICO deemed it in breach of regulation 22(3)(c) PECR.<br />
<br />
The contravention was serious as a result of the quantity of messages sent without valid consent. It also considered that the action was negligent as Papa John's knew or ought reasonably to have known that there was a risk of contraventions and that Papa John's failed to take reasonable steps to prevent them. Therefore, the ICO imposed a fine of around €11600 on Papa John's (GB) Limited. This amount can be reduced by 20% should Papa John's pay the fine within a month of the decision.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
DATA PROTECTION ACT 1998<br />
<br />
<br />
<br />
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER<br />
<br />
<br />
<br />
MONETARY PENALTY NOTICE<br />
<br />
<br />
<br />
<br />
To: Papa John’s (GB) Limited<br />
<br />
<br />
<br />
Of: Papa John’s UK & European Campus, 11 Northfield Drive, Northfield,<br />
<br />
Milton Keynes, MK15 0DQ<br />
<br />
<br />
1. The Information Commissioner (“the Commissioner”) has decided to<br />
<br />
issue Papa John’s (GB) Limited (“Papa John’s”) with a monetary<br />
<br />
penalty under section 55A of the Data Protection Act 1998 (“DPA”). The<br />
<br />
penalty is in relation to a serious contravention of Regulation 22 of the<br />
<br />
Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
(“PECR”).<br />
<br />
<br />
<br />
2. This notice explains the Commissioner’s decision.<br />
<br />
<br />
<br />
Legal framework<br />
<br />
<br />
3. Papa John’s, whose registered office is given above (Companies House<br />
<br />
Registration Number: 02569801) is the organisation stated in this<br />
<br />
notice to have transmitted unsolicited communications by means of<br />
<br />
electronic mail to individual subscribers for the purposes of direct<br />
<br />
marketing contrary to regulation 22 of PECR.<br />
<br />
<br />
4. Regulation 22 of PECR states:<br />
<br />
<br />
“(1) This regulation applies to the transmission of unsolicited<br />
<br />
communications by means of electronic mail to individual<br />
<br />
subscribers.<br />
<br />
(2) Except in the circumstances referred to in paragraph (3), a person<br />
<br />
shall neither transmit, nor instigate the transmission of, unsolicited<br />
<br />
communications for the purposes of direct marketing by means of<br />
<br />
electronic mail unless the recipient of the electronic mail has<br />
<br />
previously notified the sender that he consents for the time being<br />
to such communications being sent by, or at the instigation of, the<br />
<br />
sender.<br />
<br />
<br />
(3) A person may send or instigate the sending of electronic mail for<br />
the purposes of direct marketing where—<br />
<br />
<br />
(a) that person has obtained the contact details of the recipient<br />
<br />
of that electronic mail in the course of the sale or<br />
negotiations for the sale of a product or service to that<br />
<br />
recipient;<br />
<br />
<br />
(b) the direct marketing is in respect of that person’s similar<br />
products and services only; and<br />
<br />
<br />
(c) the recipient has been given a simple means of refusing<br />
(free of charge except for the costs of the transmission of<br />
<br />
the refusal) the use of his contact details for the purposes<br />
<br />
of such direct marketing, at the time that the details were<br />
<br />
initially collected, and, where he did not initially refuse the<br />
<br />
use of the details, at the time of each subsequent<br />
<br />
communication.<br />
<br />
(4) A subscriber shall not permit his line to be used in contravention of<br />
<br />
paragraph (2).”<br />
<br />
<br />
<br />
<br />
5. Section 122(5) of the Data Protection Act 2018 (“DPA18”) defines<br />
<br />
direct marketing as “the communication (by whatever means) of any<br />
<br />
advertising material which is directed to particular individuals”. This<br />
<br />
definition also applies for the purposes of PECR (see regulation 2(2)<br />
<br />
PECR and paragraphs 430 & 432(6) to Schedule 19 of the DPA18).<br />
<br />
<br />
6. Consent in PECR is now defined, from 29 March 2019, by reference to<br />
<br />
the concept of consent in Regulation 2016/679 (“the GDPR”):<br />
<br />
regulation 8(2) of the Data Protection, Privacy and Electronic<br />
<br />
Communications (Amendments etc) (EU Exit) Regulations 2019. Article<br />
<br />
4(11) of the GDPR sets out the following definition: “‘consent’ of the<br />
data subject means any freely given, specific, informed and<br />
<br />
unambiguous indication of the data subject's wishes by which he or<br />
<br />
she, by a statement or by a clear affirmative action, signifies<br />
<br />
agreement to the processing of personal data relating to him or her”.<br />
<br />
<br />
<br />
7. “Individual” is defined in regulation 2(1) of PECR as “a living individual<br />
and includes an unincorporated body of such individuals”.<br />
<br />
<br />
8. A “subscriber” is defined in regulation 2(1) of PECR as “a person who is<br />
<br />
a party to a contract with a provider of public electronic<br />
<br />
communications services for the supply of such services”.<br />
<br />
<br />
9. “Electronic mail” is defined in regulation 2(1) of PECR as “any text,<br />
<br />
voice, sound or image message sent over a public electronic<br />
<br />
communications network which can be stored in the network or in the<br />
recipient’s terminal equipment until it is collected by the recipient and<br />
<br />
includes messages sent using a short message service”.<br />
<br />
<br />
<br />
10. The term "soft opt-in" is used to describe the rule set out in<br />
<br />
Regulation 22(3) of PECR. In essence, an organisation may be able to<br />
<br />
e-mail or message its existing customers even if they haven't<br />
specifically consented to electronic mail. The soft opt-in rule can only<br />
<br />
be relied upon by the organisation that collected the contact details.<br />
<br />
<br />
<br />
11. Section 55A of the DPA (as applied to PECR cases by Schedule 1 to<br />
<br />
PECR, as variously amended) states:<br />
<br />
<br />
“(1) The Commissioner may serve a person with a monetary penalty if<br />
<br />
the Commissioner is satisfied that –<br />
<br />
(a) there has been a serious contravention of the requirements<br />
<br />
of the Privacy and Electronic Communications (EC<br />
<br />
Directive) Regulations 2003 by the person,<br />
<br />
(b) subsection (2) or (3) applies.<br />
<br />
<br />
(2) This subsection applies if the contravention was deliberate.<br />
<br />
(3) This subsection applies if the person –<br />
<br />
(a) knew or ought to have known that there was a risk that the<br />
<br />
contravention would occur, but<br />
<br />
<br />
(b) failed to take reasonable steps to prevent the<br />
contravention.”<br />
<br />
<br />
<br />
12. The Commissioner has issued statutory guidance under section 55C (1)<br />
<br />
of the DPA about the issuing of monetary penalties that has been<br />
<br />
published on the ICO’s website. The Data Protection (Monetary<br />
Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe<br />
<br />
that the amount of any penalty determined by the Commissioner must<br />
<br />
not exceed £500,000.<br />
<br />
<br />
<br />
13. PECR implements Directive 2002/58/EC, and Directive 2009/136/EC<br />
<br />
which amended the earlier Directive. Both the Directive and PECR are<br />
<br />
<br />
“designed to protect the privacy of electronic communications users”:<br />
Leave.EU & Eldon Insurance Services v Information Commissioner<br />
<br />
[2021] UKUT 26 (AAC) at paragraph 26. The Commissioner seeks to<br />
<br />
interpret and apply PECR in a manner consistent with the purpose of<br />
<br />
the Directive and PECR of ensuring a high level of protection of the<br />
<br />
privacy of individuals, and in particular the protections provided from<br />
<br />
receiving unsolicited direct marketing communications which the<br />
individual has not consented to receive.<br />
<br />
<br />
<br />
14. The provisions of the DPA remain in force for the purposes of PECR<br />
<br />
notwithstanding the introduction of the DPA18: see paragraph 58(1) of<br />
<br />
Schedule 20 to the DPA18.<br />
<br />
<br />
<br />
Background to the case<br />
<br />
<br />
<br />
15. Papa John’s is a pizza company offering both delivery and take-out<br />
<br />
service. It first came to the attention of the Commissioner following a<br />
number of complaints being received.<br />
<br />
<br />
<br />
16. An initial investigation letter was sent to Papa John’s on 21 May 2020<br />
<br />
raising some preliminary concerns with its PECR compliance and<br />
<br />
providing details of the complaints received. The correspondence also<br />
<br />
requested information about the volume of messages sent to<br />
subscribers, the sources of data for the recipients of those messages<br />
<br />
and any evidence of consent it relied upon to send marketing<br />
<br />
messages. Papa John’s were warned that the Commissioner could issue<br />
<br />
civil monetary penalties of up to £500,000 for PECR breaches.<br />
<br />
<br />
17. In its response of 26 June 2020, Papa John’s provided the total number<br />
<br />
of marketing messages sent between 1 October 2019 and 30 April<br />
2020. It explained that it only obtains data from its own customers<br />
<br />
<br />
where orders are placed directly with the company. It advised that it<br />
does not obtain data from any other third-party sources.<br />
<br />
<br />
<br />
18. Papa John’s informed the Commissioner that it relied on the soft opt in<br />
<br />
and provided examples of its online consent statements. It also<br />
<br />
provided evidence to show that unsubscribe options are given in every<br />
<br />
e-mail and text message sent.<br />
<br />
<br />
19. In its correspondence Papa John’s advised that following an internal<br />
review of the complaints received by the Commissioner, there were a<br />
<br />
number where the soft opt in was not available and a text message<br />
<br />
should not have been sent to the customer. It revealed that the<br />
<br />
individuals who had received these messages had placed an order over<br />
<br />
the telephone but were not presented with an option to opt out of<br />
receiving marketing messages. It explained that their privacy notice<br />
<br />
was displayed in stores, and online, and individuals could access the<br />
<br />
marketing preference centre on its website. It had suspended<br />
<br />
marketing to individuals who have placed an order over the telephone<br />
<br />
pending the outcome of the Commissioner’s enquiries. Further evidence<br />
<br />
was provided to show opt out messages and screenshots of online<br />
accounts showing individuals can unsubscribe.<br />
<br />
<br />
20. The Commissioner subsequently requested the total volume of<br />
<br />
messages sent to individuals where their data was obtained over the<br />
<br />
telephone during the relevant period. This was provided although Papa<br />
<br />
John’s were unable to confirm, of the 210,028 marketing messages<br />
<br />
sent, how many had been received by individuals. However, based on<br />
its success rate on delivery, it advised 168,022 text messages were<br />
<br />
received by individuals.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
21. The Commissioner has made the above findings of fact on the<br />
balance of probabilities.<br />
<br />
<br />
<br />
22. The Commissioner has considered whether those facts constitute<br />
<br />
a contravention of regulation 22 of PECR by Papa John’s and, if so,<br />
<br />
whether the conditions of section 55A DPA are satisfied.<br />
<br />
<br />
The contravention<br />
<br />
<br />
<br />
23. The Commissioner finds that Papa John’s contravened regulation 22 of<br />
<br />
PECR.<br />
<br />
<br />
24. The Commissioner finds that the contravention was as follows:<br />
<br />
<br />
<br />
25. The Commissioner finds that between 1 October 2019 to 30 April 2020<br />
<br />
there were 168,022 direct marketing messages received by<br />
<br />
subscribers. The Commissioner finds that Papa John’s transmitted the<br />
<br />
direct marketing messages sent, contrary to regulation 22 of PECR.<br />
<br />
<br />
26. Papa John’s, as the sender of the direct marketing, is required to<br />
ensure that it is acting in compliance with the requirements of<br />
<br />
regulation 22 of PECR, and to ensure that valid consent to send those<br />
<br />
messages had been acquired.<br />
<br />
<br />
27. Papa John’s collected information for marketing purposes through<br />
<br />
customers who order directly via sales channels in its direct control<br />
<br />
including its website, app and in store. It relies on the ‘soft opt-in’<br />
exemption provided by Regulation 22(3) PECR. This exemption means<br />
<br />
that organisations can send marketing messages by text and e-mail to<br />
<br />
individuals whose details had been obtained in the course or<br />
<br />
negotiation of a sale and in respect of similar products and services.<br />
<br />
The organisation must also give the person a simple opportunity to<br />
<br />
refuse or opt out of the marketing, both when first collecting the details<br />
and in every message after that.<br />
<br />
<br />
28. Papa John’s informed the Commissioner that for those customers<br />
<br />
ordering over the telephone its privacy notice is made available in store<br />
<br />
and on its website. It is the Commissioner’s view that those individuals<br />
<br />
would not reasonably expect to receive marketing. As a result, 15<br />
<br />
complaints were received regarding text messages sent by Papa John’s<br />
<br />
during the contravention period in respect of those customers.<br />
<br />
<br />
29. In this instance Papa John’s have been unable to evidence consent.<br />
From the evidence provided it is clear that the individuals had not, at<br />
<br />
the point their data was collected, been given a simple means of<br />
<br />
refusing the use of their contact details for direct marketing;<br />
<br />
accordingly, Papa John’s direct marketing messages failed to meet the<br />
<br />
criteria of Regulation 22(3)(c) PECR.<br />
<br />
<br />
30. The Commissioner is therefore satisfied from the evidence she has<br />
seen that Papa John’s did not have the necessary valid consent for the<br />
<br />
168,022 direct marketing messages received by subscribers.<br />
<br />
<br />
<br />
31. The Commissioner has gone on to consider whether the conditions<br />
<br />
under section 55A DPA are met.<br />
<br />
<br />
Seriousness of the contravention<br />
<br />
<br />
<br />
32. The Commissioner is satisfied that the contravention identified<br />
<br />
above was serious. This is because between 1 October 2019 and 30<br />
<br />
April 2020 a confirmed total of 168,022 direct marketing messages<br />
were sent by Papa John’s. These messages contained direct marketing<br />
<br />
material for which subscribers had not provided adequate consent.<br />
<br />
<br />
<br />
<br />
33. The rules for electronic marketing are clear in that organisations must<br />
present individuals with an opportunity to opt out of marketing at the<br />
<br />
time that their details are collected. Whilst Papa John’s does have<br />
<br />
consent for the majority of marketing messages it sends, it does not<br />
<br />
have consent to send marketing messages to individuals who have<br />
<br />
placed an order over the telephone for delivery. It is unable to rely on<br />
<br />
the soft opt in because those subscribers had not been given a simple<br />
means of refusing the use of their contact details for direct marketing.<br />
<br />
<br />
34. Papa John’s instead sought to rely upon the assumption that an<br />
<br />
individual could review its privacy notice, in store or on its website, and<br />
<br />
online marketing preference centre. This assumption is unfair as it puts<br />
<br />
the responsibility back on to the individual rather than on to the<br />
<br />
company. Customers may not have visited the company app or website<br />
to locate the branch telephone number when placing their order, these<br />
<br />
being widely available via online search engines. They may also not<br />
<br />
have visited a store to collect their order. Further, any information<br />
<br />
about any marketing communications should be provided to individuals<br />
<br />
rather than them having to seek it out for themselves. All individuals<br />
should be given the same choice in respect of these communications,<br />
<br />
regardless of how they choose to place an order with Papa John’s.<br />
<br />
<br />
<br />
35. The Commissioner is therefore satisfied that condition (a) from<br />
<br />
section 55A(1) DPA is met.<br />
<br />
<br />
Deliberate or negligent contraventions<br />
<br />
<br />
<br />
36. The Commissioner has considered whether the contravention identified<br />
<br />
above was deliberate. In the Commissioner’s view, this means that<br />
<br />
Papa John’s actions which constituted that contravention were<br />
<br />
<br />
<br />
<br />
deliberate actions (even if Papa John’s did not actually intend thereby<br />
to contravene PECR).<br />
<br />
<br />
<br />
37. The Commissioner does not consider that Papa John’s deliberately set<br />
<br />
out to contravene PECR in this instance.<br />
<br />
<br />
38. The Commissioner has gone on to consider whether the contravention<br />
<br />
identified above was negligent. This consideration comprises two<br />
<br />
elements:<br />
<br />
<br />
<br />
39. Firstly, she has considered whether Papa John’s knew or ought<br />
reasonably to have known that there was a risk that these<br />
<br />
contraventions would occur. She is satisfied that this condition is met,<br />
<br />
not least since the issue of unsolicited text messages has been widely<br />
<br />
publicised by the media as being a problem.<br />
<br />
<br />
<br />
40. The Commissioner has published detailed guidance for those carrying<br />
out direct marketing explaining their legal obligations under PECR.<br />
<br />
This guidance gives clear advice regarding the requirements of consent<br />
<br />
for direct marketing and explains the circumstances under which<br />
<br />
organisations are able to carry out marketing over the phone, by text,<br />
<br />
by email, by post, or by fax. In particular it states that organisations<br />
can generally only send, or instigate, marketing emails to individuals if<br />
<br />
that person has specifically consented to receiving them; and highlights<br />
<br />
the difficulties of relying on indirect consent for email marketing. The<br />
<br />
Commissioner has also published detailed guidance on consent under<br />
<br />
the GDPR. In case organisations remain unclear on their obligations,<br />
<br />
the ICO operates a telephone helpline. ICO communications about<br />
previous enforcement action where businesses have not complied with<br />
<br />
PECR are also readily available.<br />
<br />
<br />
<br />
<br />
41. It is therefore reasonable to suppose that Papa John’s should have<br />
been aware of its responsibilities in this area.<br />
<br />
<br />
42. Secondly, the Commissioner has gone on to consider whether Papa<br />
<br />
John’s failed to take reasonable steps to prevent the contraventions.<br />
<br />
Again, she is satisfied that this condition is met.<br />
<br />
<br />
43. Such reasonable steps in these circumstances could have included<br />
<br />
putting in place appropriate systems, policies and procedures to ensure<br />
<br />
that it had the consent of all of its customers to whom it had sent<br />
<br />
marketing messages. Whilst it is evident that Papa John’s had policies<br />
in place to ensure a certain level of compliance its measures failed to<br />
<br />
capture all types of customer and methods of customer contact. In this<br />
<br />
case, a number of customers were not offered adequate means of<br />
<br />
opting out of marketing at the time their details were collected by<br />
<br />
telephone.<br />
<br />
<br />
44. In the circumstances, the Commissioner is satisfied that Papa John’s<br />
<br />
failed to take reasonable steps to prevent the contraventions.<br />
<br />
<br />
<br />
45. The Commissioner is therefore satisfied that condition (b) from section<br />
55A (1) DPA is met.<br />
<br />
<br />
<br />
The Commissioner’s decision to issue a monetary penalty<br />
<br />
<br />
<br />
46. The Commissioner has also taken into account the following<br />
aggravating features of this case:<br />
<br />
<br />
<br />
<br />
• The actions of Papa John’s were carried out to generate business and to<br />
<br />
increase profits, gaining an unfair advantage on those businesses<br />
<br />
complying with the PECR;<br />
<br />
<br />
47. The Commissioner has also taken into account the following mitigating<br />
<br />
feature of this case:<br />
<br />
<br />
<br />
• Papa John’s have advised the Commissioner that it has temporarily<br />
<br />
suspended marketing to individuals placing orders by telephone, but<br />
<br />
otherwise has not yet taken steps to rectify its marketing practices to<br />
ensure overall compliance with PECR for this method of customer<br />
<br />
contact.<br />
<br />
<br />
<br />
48. For the reasons explained above, the Commissioner is satisfied that the<br />
<br />
conditions from section 55A (1) DPA have been met in this case. She is<br />
also satisfied that the procedural rights under section 55B have been<br />
<br />
complied with.<br />
<br />
<br />
<br />
49. The latter has included the issuing of a Notice of Intent, in which the<br />
<br />
Commissioner set out her preliminary thinking. In reaching her final<br />
<br />
view, the Commissioner received no representations from Papa John’s.<br />
<br />
<br />
50. The Commissioner is accordingly entitled to issue a monetary penalty<br />
<br />
in this case.<br />
<br />
<br />
<br />
51. The Commissioner has considered whether, in the circumstances, she<br />
should exercise her discretion so as to issue a monetary penalty.<br />
<br />
<br />
<br />
52. The Commissioner has considered the likely impact of a monetary<br />
<br />
penalty on Papa John’s. She has decided on the information that is<br />
<br />
available to her, that Papa John’s has access to sufficient financial<br />
<br />
resources to pay the proposed monetary penalty without causing<br />
undue financial hardship.<br />
<br />
<br />
<br />
<br />
53. The Commissioner’s underlying objective in imposing a monetary<br />
penalty notice is to promote compliance with PECR. The sending of<br />
<br />
unsolicited marketing emails is a matter of significant public concern. A<br />
<br />
monetary penalty in this case should act as a general encouragement<br />
<br />
towards compliance with the law, or at least as a deterrent against<br />
<br />
non-compliance, on the part of all persons running businesses currently<br />
<br />
engaging in these practices. The issuing of a monetary penalty will<br />
reinforce the need for businesses to ensure that they are only<br />
<br />
messaging those who specifically consent to receive marketing.<br />
<br />
<br />
54. For these reasons, the Commissioner has decided to issue a monetary<br />
<br />
penalty in this case.<br />
<br />
<br />
The amount of the penalty<br />
<br />
55. Taking into account all of the above, the Commissioner has decided<br />
<br />
that a penalty in the sum of £10,000 (Ten thousand pounds) is<br />
<br />
reasonable and proportionate given the particular facts of the case and<br />
<br />
the underlying objective in imposing the penalty.<br />
<br />
<br />
<br />
Conclusion<br />
<br />
<br />
56. The monetary penalty must be paid to the Commissioner’s office by<br />
<br />
BACS transfer or cheque by 15 July 2021 at the latest. The monetary<br />
<br />
penalty is not kept by the Commissioner but will be paid into the<br />
<br />
Consolidated Fund which is the Government’s general bank account at<br />
the Bank of England.<br />
<br />
<br />
<br />
57. If the Commissioner receives full payment of the monetary penalty by<br />
<br />
14 July 2021 the Commissioner will reduce the monetary penalty by<br />
<br />
20% to £8,000 (Eight thousand pounds). However, you should be<br />
<br />
<br />
<br />
<br />
aware that the early payment discount is not available if you decide to<br />
exercise your right of appeal.<br />
<br />
<br />
<br />
58. There is a right of appeal to the First-tier Tribunal (Information Rights)<br />
<br />
against:<br />
<br />
<br />
<br />
(a) the imposition of the monetary penalty<br />
and/or;<br />
<br />
(b) the amount of the penalty specified in the monetary penalty<br />
<br />
notice.<br />
<br />
<br />
<br />
59. Any notice of appeal should be received by the Tribunal within 28 days<br />
of the date of this monetary penalty notice.<br />
<br />
<br />
<br />
60. Information about appeals is set out in Annex 1.<br />
<br />
<br />
<br />
61. The Commissioner will not take action to enforce a monetary penalty<br />
<br />
unless:<br />
<br />
<br />
• the period specified within the notice within which a monetary<br />
<br />
penalty must be paid has expired and all or any of the monetary<br />
<br />
penalty has not been paid;<br />
<br />
• all relevant appeals against the monetary penalty notice and any<br />
<br />
variation of it have either been decided or withdrawn; and<br />
<br />
<br />
• the period for appealing against the monetary penalty and any<br />
<br />
variation of it has expired.<br />
<br />
62. In England, Wales and Northern Ireland, the monetary penalty is<br />
<br />
recoverable by Order of the County Court or the High Court. In<br />
<br />
Scotland, the monetary penalty can be enforced in the same manner as<br />
<br />
<br />
<br />
an extract registered decree arbitral bearing a warrant for execution<br />
<br />
issued by the sheriff court of any sheriffdom in Scotland.<br />
<br />
<br />
Dated the 14th day of June 2021<br />
<br />
<br />
<br />
Andy Curry<br />
<br />
Head of Investigations<br />
Information Commissioner’s Office<br />
Wycliffe House<br />
Water Lane<br />
<br />
Wilmslow<br />
Cheshire<br />
SK9 5AF<br />
<br />
ANNEX 1<br />
<br />
<br />
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998<br />
<br />
<br />
<br />
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER<br />
<br />
<br />
<br />
1. Section 55B(5) of the Data Protection Act 1998 gives any person<br />
upon whom a monetary penalty notice has been served a right of<br />
<br />
appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’)<br />
<br />
against the notice.<br />
<br />
<br />
<br />
2. If you decide to appeal and if the Tribunal considers:-<br />
<br />
<br />
a) that the notice against which the appeal is brought is not in<br />
<br />
accordance with the law; or<br />
<br />
<br />
<br />
b) to the extent that the notice involved an exercise of<br />
<br />
discretion by the Commissioner, that she ought to have exercised<br />
her discretion differently,<br />
<br />
<br />
<br />
the Tribunal will allow the appeal or substitute such other decision as<br />
<br />
could have been made by the Commissioner. In any other case the<br />
<br />
Tribunal will dismiss the appeal.<br />
<br />
<br />
3. You may bring an appeal by serving a notice of appeal on the<br />
<br />
Tribunal at the following address:<br />
<br />
<br />
<br />
General Regulatory Chamber<br />
HM Courts & Tribunals Service<br />
PO Box 9300<br />
Leicester<br />
<br />
LE1 8DJ<br />
<br />
<br />
Telephone: 0203 936 8963<br />
Email: grc@justice.gov.uk<br />
<br />
<br />
a) The notice of appeal should be sent so it is received by the<br />
<br />
Tribunal within 28 days of the date of the notice.<br />
<br />
<br />
b) If your notice of appeal is late the Tribunal will not admit it<br />
<br />
unless the Tribunal has extended the time for complying with this<br />
<br />
rule.<br />
<br />
<br />
<br />
4. The notice of appeal should state:-<br />
<br />
<br />
a) your name and address/name and address of your<br />
<br />
representative (if any);<br />
<br />
<br />
<br />
b) an address where documents may be sent or delivered to<br />
<br />
you;<br />
<br />
<br />
c) the name and address of the Information Commissioner;<br />
<br />
<br />
<br />
d) details of the decision to which the proceedings relate;<br />
<br />
<br />
e) the result that you are seeking;<br />
<br />
<br />
<br />
f) the grounds on which you rely;<br />
<br />
<br />
<br />
g) you must provide with the notice of appeal a copy of the<br />
<br />
monetary penalty notice or variation notice;<br />
<br />
<br />
h) if you have exceeded the time limit mentioned above the<br />
<br />
notice of appeal must include a request for an extension of time<br />
<br />
<br />
<br />
and the reason why the notice of appeal was not provided in<br />
time.<br />
<br />
<br />
<br />
5. Before deciding whether or not to appeal you may wish to consult<br />
<br />
your solicitor or another adviser. At the hearing of an appeal a party<br />
<br />
may conduct his case himself or may be represented by any person<br />
<br />
whom he may appoint for that purpose.<br />
<br />
<br />
6. The statutory provisions concerning appeals to the First-tier<br />
<br />
Tribunal (Information Rights) are contained in section 55B(5) of, and<br />
<br />
Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure<br />
<br />
(First-tier Tribunal) (General Regulatory Chamber) Rules 2009<br />
(Statutory Instrument 2009 No. 1976 (L.20)).<br />
<br />
<br />
</pre></div>Mariam-hwthhttps://gdprhub.eu/index.php?title=ICO_(UK)_-_Papa_John%27s_(GB)_Limited&diff=16627ICO (UK) - Papa John's (GB) Limited2021-06-17T20:05:33Z<p>Mariam-hwth: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|DPA-BG-Color=background-color:#023868;<br />
|DPAlogo=LogoUK.png<br />
|DPA_Abbrevation=ICO (UK)<br />
|DPA_With_Country=ICO (UK)<br />
<br />
|Case_Number_Name=Papa John's (GB) Limited<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Information Commissioner's Office<br />
|Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/mpns/2619969/papa-johns-gb-limited-mpn.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=14.06.2021<br />
|Date_Published=15.06.2021<br />
|Year=2021<br />
|Fine=10000<br />
|Currency=GBP<br />
<br />
<br />
<br />
|National_Law_Name_1=Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
|National_Law_Link_1=https://www.legislation.gov.uk/uksi/2003/2426/contents<br />
|National_Law_Name_2=Regulation 22(3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
|National_Law_Link_2=https://www.legislation.gov.uk/uksi/2003/2426/contents<br />
<br />
|Party_Name_1=Papa John's (GB) Limited<br />
|Party_Link_1=https://www.papajohns.co.uk/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The UK DPA (ICO) imposed a fine of €11700 on Papa John's (GB) Limited for sending unsolicited direct marketing messages to 168,022 individuals in breach of regulation 22 PECR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Papa John's, the pizza company, was the subject of various complaints to the Information Commissioner's Office (ICO). The ICO therefore initiated an investigation into Papa John's direct marketing practices.<br />
<br />
Papa John's provided details on the number of marketing messages sent between October 2019 and April 2020. It also explained that it relies on the soft opt-in to send these messages to customers from whom it has obtained data directly. It was estimated that 168,022 text messages were received by individuals on that basis.<br />
<br />
However, the initial form filled in by individuals who ordered from Papa John's did not provide an option to opt out of receiving direct marketing messages. <br />
<br />
=== Dispute ===<br />
Is there a breach of regulation 22 PECR if individuals whose information is collected by an organisation are not provided the option to opt out from direct marketing and are subsequently sent direct marketing?<br />
<br />
=== Holding ===<br />
The Information Commissioner's Office (ICO) held that Papa John's was in contravention of regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR). Papa John's sent 168,022 direct marketing messages without valid consent. <br />
<br />
Papa John's gathered details from individuals that ordered on their sales channels. It then attempted to rely on the soft opt-in exemption under regulation 22(3) PECR. The exemption enables organisations to send marketing texts and emails to individuals whose details they have gathered "in the course or negotiation of a sale and in respect of similar products and services". However, the organisation must give individuals the opportunity to opt out of direct marketing whilst gathering their details in the first place. As Papa John's failed to do this, the ICO deemed it in breach of regulation 22(3)(c) PECR.<br />
<br />
The contravention was serious as a result of the quantity of messages sent without valid consent. The ICO also considered that the action was negligent, as Papa John's knew or ought reasonably to have known that there was a risk of contraventions and failed to take reasonable steps to prevent them. Therefore, the ICO imposed a fine of around €11700 on Papa John's (GB) Limited. This amount can be reduced by 20% should Papa John's pay the fine within a month of the decision.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
DATA PROTECTION ACT 1998<br />
<br />
<br />
<br />
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER<br />
<br />
<br />
<br />
MONETARY PENALTY NOTICE<br />
<br />
<br />
<br />
<br />
To: Papa John’s (GB) Limited<br />
<br />
<br />
<br />
Of: Papa John’s UK & European Campus, 11 Northfield Drive, Northfield,<br />
<br />
Milton Keynes, MK15 0DQ<br />
<br />
<br />
1. The Information Commissioner (“the Commissioner”) has decided to<br />
<br />
issue Papa John’s (GB) Limited (“Papa John’s”) with a monetary<br />
<br />
penalty under section 55A of the Data Protection Act 1998 (“DPA”). The<br />
<br />
penalty is in relation to a serious contravention of Regulation 22 of the<br />
<br />
Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
(“PECR”).<br />
<br />
<br />
<br />
2. This notice explains the Commissioner’s decision.<br />
<br />
<br />
<br />
Legal framework<br />
<br />
<br />
3. Papa John’s, whose registered office is given above (Companies House<br />
<br />
Registration Number: 02569801) is the organisation stated in this<br />
<br />
notice to have transmitted unsolicited communications by means of<br />
<br />
electronic mail to individual subscribers for the purposes of direct<br />
<br />
marketing contrary to regulation 22 of PECR.<br />
<br />
<br />
4. Regulation 22 of PECR states:<br />
<br />
<br />
“(1) This regulation applies to the transmission of unsolicited<br />
<br />
communications by means of electronic mail to individual<br />
<br />
subscribers.<br />
<br />
(2) Except in the circumstances referred to in paragraph (3), a person<br />
<br />
shall neither transmit, nor instigate the transmission of, unsolicited<br />
<br />
communications for the purposes of direct marketing by means of<br />
<br />
electronic mail unless the recipient of the electronic mail has<br />
<br />
previously notified the sender that he consents for the time being<br />
to such communications being sent by, or at the instigation of, the<br />
<br />
sender.<br />
<br />
<br />
(3) A person may send or instigate the sending of electronic mail for<br />
the purposes of direct marketing where—<br />
<br />
<br />
(a) that person has obtained the contact details of the recipient<br />
<br />
of that electronic mail in the course of the sale or<br />
negotiations for the sale of a product or service to that<br />
<br />
recipient;<br />
<br />
<br />
(b) the direct marketing is in respect of that person’s similar<br />
products and services only; and<br />
<br />
<br />
(c) the recipient has been given a simple means of refusing<br />
(free of charge except for the costs of the transmission of<br />
<br />
the refusal) the use of his contact details for the purposes<br />
<br />
of such direct marketing, at the time that the details were<br />
<br />
initially collected, and, where he did not initially refuse the<br />
<br />
use of the details, at the time of each subsequent<br />
<br />
communication.<br />
<br />
(4) A subscriber shall not permit his line to be used in contravention of<br />
<br />
paragraph (2).”<br />
<br />
<br />
<br />
<br />
5. Section 122(5) of the Data Protection Act 2018 (“DPA18”) defines<br />
<br />
direct marketing as “the communication (by whatever means) of any<br />
<br />
advertising material which is directed to particular individuals”. This<br />
<br />
definition also applies for the purposes of PECR (see regulation 2(2)<br />
<br />
PECR and paragraphs 430 & 432(6) to Schedule 19 of the DPA18).<br />
<br />
<br />
6. Consent in PECR is now defined, from 29 March 2019, by reference to<br />
<br />
the concept of consent in Regulation 2016/679 (“the GDPR”):<br />
<br />
regulation 8(2) of the Data Protection, Privacy and Electronic<br />
<br />
Communications (Amendments etc) (EU Exit) Regulations 2019. Article<br />
<br />
4(11) of the GDPR sets out the following definition: “‘consent’ of the<br />
data subject means any freely given, specific, informed and<br />
<br />
unambiguous indication of the data subject's wishes by which he or<br />
<br />
she, by a statement or by a clear affirmative action, signifies<br />
<br />
agreement to the processing of personal data relating to him or her”.<br />
<br />
<br />
<br />
7. “Individual” is defined in regulation 2(1) of PECR as “a living individual<br />
and includes an unincorporated body of such individuals”.<br />
<br />
<br />
8. A “subscriber” is defined in regulation 2(1) of PECR as “a person who is<br />
<br />
a party to a contract with a provider of public electronic<br />
<br />
communications services for the supply of such services”.<br />
<br />
<br />
9. “Electronic mail” is defined in regulation 2(1) of PECR as “any text,<br />
<br />
voice, sound or image message sent over a public electronic<br />
<br />
communications network which can be stored in the network or in the<br />
recipient’s terminal equipment until it is collected by the recipient and<br />
<br />
includes messages sent using a short message service”.<br />
<br />
<br />
<br />
10. The term "soft opt-in" is used to describe the rule set out in<br />
<br />
Regulation 22(3) of PECR. In essence, an organisation may be able to<br />
<br />
e-mail or message its existing customers even if they haven't<br />
specifically consented to electronic mail. The soft opt-in rule can only<br />
<br />
be relied upon by the organisation that collected the contact details.<br />
<br />
<br />
<br />
11. Section 55A of the DPA (as applied to PECR cases by Schedule 1 to<br />
<br />
PECR, as variously amended) states:<br />
<br />
<br />
“(1) The Commissioner may serve a person with a monetary penalty if<br />
<br />
the Commissioner is satisfied that –<br />
<br />
(a) there has been a serious contravention of the requirements<br />
<br />
of the Privacy and Electronic Communications (EC<br />
<br />
Directive) Regulations 2003 by the person,<br />
<br />
(b) subsection (2) or (3) applies.<br />
<br />
<br />
(2) This subsection applies if the contravention was deliberate.<br />
<br />
(3) This subsection applies if the person –<br />
<br />
(a) knew or ought to have known that there was a risk that the<br />
<br />
contravention would occur, but<br />
<br />
<br />
(b) failed to take reasonable steps to prevent the<br />
contravention.”<br />
<br />
<br />
<br />
12. The Commissioner has issued statutory guidance under section 55C (1)<br />
<br />
of the DPA about the issuing of monetary penalties that has been<br />
<br />
published on the ICO’s website. The Data Protection (Monetary<br />
Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe<br />
<br />
that the amount of any penalty determined by the Commissioner must<br />
<br />
not exceed £500,000.<br />
<br />
<br />
<br />
13. PECR implements Directive 2002/58/EC, and Directive 2009/136/EC<br />
<br />
which amended the earlier Directive. Both the Directive and PECR are<br />
<br />
<br />
“designed to protect the privacy of electronic communications users”:<br />
Leave.EU & Eldon Insurance Services v Information Commissioner<br />
<br />
[2021] UKUT 26 (AAC) at paragraph 26. The Commissioner seeks to<br />
<br />
interpret and apply PECR in a manner consistent with the purpose of<br />
<br />
the Directive and PECR of ensuring a high level of protection of the<br />
<br />
privacy of individuals, and in particular the protections provided from<br />
<br />
receiving unsolicited direct marketing communications which the<br />
individual has not consented to receive.<br />
<br />
<br />
<br />
14. The provisions of the DPA remain in force for the purposes of PECR<br />
<br />
notwithstanding the introduction of the DPA18: see paragraph 58(1) of<br />
<br />
Schedule 20 to the DPA18.<br />
<br />
<br />
<br />
Background to the case<br />
<br />
<br />
<br />
15. Papa John’s is a pizza company offering both delivery and take-out<br />
<br />
service. It first came to the attention of the Commissioner following a<br />
number of complaints being received.<br />
<br />
<br />
<br />
16. An initial investigation letter was sent to Papa John’s on 21 May 2020<br />
<br />
raising some preliminary concerns with its PECR compliance and<br />
<br />
providing details of the complaints received. The correspondence also<br />
<br />
requested information about the volume of messages sent to<br />
subscribers, the sources of data for the recipients of those messages<br />
<br />
and any evidence of consent it relied upon to send marketing<br />
<br />
messages. Papa John’s were warned that the Commissioner could issue<br />
<br />
civil monetary penalties of up to £500,000 for PECR breaches.<br />
<br />
<br />
17. In its response of 26 June 2020, Papa John’s provided the total number<br />
<br />
of marketing messages sent between 1 October 2019 and 30 April<br />
2020. It explained that it only obtains data from its own customers<br />
<br />
<br />
where orders are placed directly with the company. It advised that it<br />
does not obtain data from any other third-party sources.<br />
<br />
<br />
<br />
18. Papa John’s informed the Commissioner that it relied on the soft opt in<br />
<br />
and provided examples of its online consent statements. It also<br />
<br />
provided evidence to show that unsubscribe options are given in every<br />
<br />
e-mail and text message sent.<br />
<br />
<br />
19. In its correspondence Papa John’s advised that following an internal<br />
review of the complaints received by the Commissioner, there were a<br />
<br />
number where the soft opt in was not available and a text message<br />
<br />
should not have been sent to the customer. It revealed that the<br />
<br />
individuals who had received these messages had placed an order over<br />
<br />
the telephone but were not presented with an option to opt out of<br />
receiving marketing messages. It explained that their privacy notice<br />
<br />
was displayed in stores, and online, and individuals could access the<br />
<br />
marketing preference centre on its website. It had suspended<br />
<br />
marketing to individuals who have placed an order over the telephone<br />
<br />
pending the outcome of the Commissioner’s enquiries. Further evidence<br />
<br />
was provided to show opt out messages and screenshots of online<br />
accounts showing individuals can unsubscribe.<br />
<br />
<br />
20. The Commissioner subsequently requested the total volume of<br />
<br />
messages sent to individuals where their data was obtained over the<br />
<br />
telephone during the relevant period. This was provided although Papa<br />
<br />
John’s were unable to confirm, of the 210,028 marketing messages<br />
<br />
sent, how many had been received by individuals. However, based on<br />
its success rate on delivery, it advised 168,022 text messages were<br />
<br />
received by individuals.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
21. The Commissioner has made the above findings of fact on the<br />
balance of probabilities.<br />
<br />
<br />
<br />
22. The Commissioner has considered whether those facts constitute<br />
<br />
a contravention of regulation 22 of PECR by Papa John’s and, if so,<br />
<br />
whether the conditions of section 55A DPA are satisfied.<br />
<br />
<br />
The contravention<br />
<br />
<br />
<br />
23. The Commissioner finds that Papa John’s contravened regulation 22 of<br />
<br />
PECR.<br />
<br />
<br />
24. The Commissioner finds that the contravention was as follows:<br />
<br />
<br />
<br />
25. The Commissioner finds that between 1 October 2019 to 30 April 2020<br />
<br />
there were 168,022 direct marketing messages received by<br />
<br />
subscribers. The Commissioner finds that Papa John’s transmitted the<br />
<br />
direct marketing messages sent, contrary to regulation 22 of PECR.<br />
<br />
<br />
26. Papa John’s, as the sender of the direct marketing, is required to<br />
ensure that it is acting in compliance with the requirements of<br />
<br />
regulation 22 of PECR, and to ensure that valid consent to send those<br />
<br />
messages had been acquired.<br />
<br />
<br />
27. Papa John’s collected information for marketing purposes through<br />
<br />
customers who order directly via sales channels in its direct control<br />
<br />
including its website, app and in store. It relies on the ‘soft opt-in’<br />
exemption provided by Regulation 22(3) PECR. This exemption means<br />
<br />
that organisations can send marketing messages by text and e-mail to<br />
<br />
individuals whose details had been obtained in the course or<br />
<br />
negotiation of a sale and in respect of similar products and services.<br />
<br />
The organisation must also give the person a simple opportunity to<br />
<br />
refuse or opt out of the marketing, both when first collecting the details<br />
and in every message after that.<br />
<br />
<br />
28. Papa John’s informed the Commissioner that for those customers<br />
<br />
ordering over the telephone its privacy notice is made available in store<br />
<br />
and on its website. It is the Commissioner’s view that those individuals<br />
<br />
would not reasonably expect to receive marketing. As a result, 15<br />
<br />
complaints were received regarding text messages sent by Papa John’s<br />
<br />
during the contravention period in respect of those customers.<br />
<br />
<br />
29. In this instance Papa John’s have been unable to evidence consent.<br />
From the evidence provided it is clear that the individuals had not, at<br />
<br />
the point their data was collected, been given a simple means of<br />
<br />
refusing the use of their contact details for direct marketing;<br />
<br />
accordingly, Papa John’s direct marketing messages failed to meet the<br />
<br />
criteria of Regulation 22(3)(c) PECR.<br />
<br />
<br />
30. The Commissioner is therefore satisfied from the evidence she has<br />
seen that Papa John’s did not have the necessary valid consent for the<br />
<br />
168,022 direct marketing messages received by subscribers.<br />
<br />
<br />
<br />
31. The Commissioner has gone on to consider whether the conditions<br />
<br />
under section 55A DPA are met.<br />
<br />
<br />
Seriousness of the contravention<br />
<br />
<br />
<br />
32. The Commissioner is satisfied that the contravention identified<br />
<br />
above was serious. This is because between 1 October 2019 and 30<br />
<br />
April 2020 a confirmed total of 168,022 direct marketing messages<br />
were sent by Papa John’s. These messages contained direct marketing<br />
<br />
material for which subscribers had not provided adequate consent.<br />
<br />
<br />
<br />
<br />
33. The rules for electronic marketing are clear in that organisations must<br />
present individuals with an opportunity to opt out of marketing at the<br />
<br />
time that their details are collected. Whilst Papa John’s does have<br />
<br />
consent for the majority of marketing messages it sends, it does not<br />
<br />
have consent to send marketing messages to individuals who have<br />
<br />
placed an order over the telephone for delivery. It is unable to rely on<br />
<br />
the soft opt in because those subscribers had not been given a simple<br />
means of refusing the use of their contact details for direct marketing.<br />
<br />
<br />
34. Papa John’s instead sought to rely upon the assumption that an<br />
<br />
individual could review its privacy notice, in store or on its website, and<br />
<br />
online marketing preference centre. This assumption is unfair as it puts<br />
<br />
the responsibility back on to the individual rather than on to the<br />
<br />
company. Customers may not have visited the company app or website<br />
to locate the branch telephone number when placing their order, these<br />
<br />
being widely available via online search engines. They may also not<br />
<br />
have visited a store to collect their order. Further, any information<br />
<br />
about any marketing communications should be provided to individuals<br />
<br />
rather than them having to seek it out for themselves. All individuals<br />
should be given the same choice in respect of these communications,<br />
<br />
regardless of how they choose to place an order with Papa John’s.<br />
<br />
<br />
<br />
35. The Commissioner is therefore satisfied that condition (a) from<br />
<br />
section 55A(1) DPA is met.<br />
<br />
<br />
Deliberate or negligent contraventions<br />
<br />
<br />
<br />
36. The Commissioner has considered whether the contravention identified<br />
<br />
above was deliberate. In the Commissioner’s view, this means that<br />
<br />
Papa John’s actions which constituted that contravention were<br />
<br />
<br />
<br />
<br />
deliberate actions (even if Papa John’s did not actually intend thereby<br />
to contravene PECR).<br />
<br />
<br />
<br />
37. The Commissioner does not consider that Papa John’s deliberately set<br />
<br />
out to contravene PECR in this instance.<br />
<br />
<br />
38. The Commissioner has gone on to consider whether the contravention<br />
<br />
identified above was negligent. This consideration comprises two<br />
<br />
elements:<br />
<br />
<br />
<br />
39. Firstly, she has considered whether Papa John’s knew or ought<br />
reasonably to have known that there was a risk that these<br />
<br />
contraventions would occur. She is satisfied that this condition is met,<br />
<br />
not least since the issue of unsolicited text messages has been widely<br />
<br />
publicised by the media as being a problem.<br />
<br />
<br />
<br />
40. The Commissioner has published detailed guidance for those carrying<br />
out direct marketing explaining their legal obligations under PECR.<br />
<br />
This guidance gives clear advice regarding the requirements of consent<br />
<br />
for direct marketing and explains the circumstances under which<br />
<br />
organisations are able to carry out marketing over the phone, by text,<br />
<br />
by email, by post, or by fax. In particular it states that organisations<br />
can generally only send, or instigate, marketing emails to individuals if<br />
<br />
that person has specifically consented to receiving them; and highlights<br />
<br />
the difficulties of relying on indirect consent for email marketing. The<br />
<br />
Commissioner has also published detailed guidance on consent under<br />
<br />
the GDPR. In case organisations remain unclear on their obligations,<br />
<br />
the ICO operates a telephone helpline. ICO communications about<br />
previous enforcement action where businesses have not complied with<br />
<br />
PECR are also readily available.<br />
<br />
<br />
<br />
<br />
41. It is therefore reasonable to suppose that Papa John’s should have<br />
been aware of its responsibilities in this area.<br />
<br />
<br />
42. Secondly, the Commissioner has gone on to consider whether Papa<br />
<br />
John’s failed to take reasonable steps to prevent the contraventions.<br />
<br />
Again, she is satisfied that this condition is met.<br />
<br />
<br />
43. Such reasonable steps in these circumstances could have included<br />
<br />
putting in place appropriate systems, policies and procedures to ensure<br />
<br />
that it had the consent of all of its customers to whom it had sent<br />
<br />
marketing messages. Whilst it is evident that Papa John’s had policies<br />
in place to ensure a certain level of compliance its measures failed to<br />
<br />
capture all types of customer and methods of customer contact. In this<br />
<br />
case, a number of customers were not offered adequate means of<br />
<br />
opting out of marketing at the time their details were collected by<br />
<br />
telephone.<br />
<br />
<br />
44. In the circumstances, the Commissioner is satisfied that Papa John’s<br />
<br />
failed to take reasonable steps to prevent the contraventions.<br />
<br />
<br />
<br />
45. The Commissioner is therefore satisfied that condition (b) from section<br />
55A (1) DPA is met.<br />
<br />
<br />
<br />
The Commissioner’s decision to issue a monetary penalty<br />
<br />
<br />
<br />
46. The Commissioner has also taken into account the following<br />
aggravating features of this case:<br />
<br />
<br />
<br />
<br />
• The actions of Papa John’s were carried out to generate business and to<br />
<br />
increase profits, gaining an unfair advantage on those businesses<br />
<br />
complying with the PECR;<br />
<br />
<br />
47. The Commissioner has also taken into account the following mitigating<br />
<br />
feature of this case:<br />
<br />
<br />
<br />
• Papa John’s have advised the Commissioner that it has temporarily<br />
<br />
suspended marketing to individuals placing orders by telephone, but<br />
<br />
otherwise has not yet taken steps to rectify its marketing practices to<br />
ensure overall compliance with PECR for this method of customer<br />
<br />
contact.<br />
<br />
<br />
<br />
48. For the reasons explained above, the Commissioner is satisfied that the<br />
<br />
conditions from section 55A (1) DPA have been met in this case. She is<br />
also satisfied that the procedural rights under section 55B have been<br />
<br />
complied with.<br />
<br />
<br />
<br />
49. The latter has included the issuing of a Notice of Intent, in which the<br />
<br />
Commissioner set out her preliminary thinking. In reaching her final<br />
<br />
view, the Commissioner received no representations from Papa John’s.<br />
<br />
<br />
50. The Commissioner is accordingly entitled to issue a monetary penalty<br />
<br />
in this case.<br />
<br />
<br />
<br />
51. The Commissioner has considered whether, in the circumstances, she<br />
should exercise her discretion so as to issue a monetary penalty.<br />
<br />
<br />
<br />
52. The Commissioner has considered the likely impact of a monetary<br />
<br />
penalty on Papa John’s. She has decided on the information that is<br />
<br />
available to her, that Papa John’s has access to sufficient financial<br />
<br />
resources to pay the proposed monetary penalty without causing<br />
undue financial hardship.<br />
<br />
<br />
<br />
<br />
53. The Commissioner’s underlying objective in imposing a monetary<br />
penalty notice is to promote compliance with PECR. The sending of<br />
<br />
unsolicited marketing emails is a matter of significant public concern. A<br />
<br />
monetary penalty in this case should act as a general encouragement<br />
<br />
towards compliance with the law, or at least as a deterrent against<br />
<br />
non-compliance, on the part of all persons running businesses currently<br />
<br />
engaging in these practices. The issuing of a monetary penalty will<br />
reinforce the need for businesses to ensure that they are only<br />
<br />
messaging those who specifically consent to receive marketing.<br />
<br />
<br />
54. For these reasons, the Commissioner has decided to issue a monetary<br />
<br />
penalty in this case.<br />
<br />
<br />
The amount of the penalty<br />
<br />
55. Taking into account all of the above, the Commissioner has decided<br />
<br />
that a penalty in the sum of £10,000 (Ten thousand pounds) is<br />
<br />
reasonable and proportionate given the particular facts of the case and<br />
<br />
the underlying objective in imposing the penalty.<br />
<br />
<br />
<br />
Conclusion<br />
<br />
<br />
56. The monetary penalty must be paid to the Commissioner’s office by<br />
<br />
BACS transfer or cheque by 15 July 2021 at the latest. The monetary<br />
<br />
penalty is not kept by the Commissioner but will be paid into the<br />
<br />
Consolidated Fund which is the Government’s general bank account at<br />
the Bank of England.<br />
<br />
<br />
<br />
57. If the Commissioner receives full payment of the monetary penalty by<br />
<br />
14 July 2021 the Commissioner will reduce the monetary penalty by<br />
<br />
20% to £8,000 (Eight thousand pounds). However, you should be<br />
<br />
<br />
<br />
<br />
aware that the early payment discount is not available if you decide to<br />
exercise your right of appeal.<br />
<br />
<br />
<br />
58. There is a right of appeal to the First-tier Tribunal (Information Rights)<br />
<br />
against:<br />
<br />
<br />
<br />
(a) the imposition of the monetary penalty<br />
and/or;<br />
<br />
(b) the amount of the penalty specified in the monetary penalty<br />
<br />
notice.<br />
<br />
<br />
<br />
59. Any notice of appeal should be received by the Tribunal within 28 days<br />
of the date of this monetary penalty notice.<br />
<br />
<br />
<br />
60. Information about appeals is set out in Annex 1.<br />
<br />
<br />
<br />
61. The Commissioner will not take action to enforce a monetary penalty<br />
<br />
unless:<br />
<br />
<br />
• the period specified within the notice within which a monetary<br />
<br />
penalty must be paid has expired and all or any of the monetary<br />
<br />
penalty has not been paid;<br />
<br />
• all relevant appeals against the monetary penalty notice and any<br />
<br />
variation of it have either been decided or withdrawn; and<br />
<br />
<br />
• the period for appealing against the monetary penalty and any<br />
<br />
variation of it has expired.<br />
<br />
62. In England, Wales and Northern Ireland, the monetary penalty is<br />
<br />
recoverable by Order of the County Court or the High Court. In<br />
<br />
Scotland, the monetary penalty can be enforced in the same manner as<br />
<br />
<br />
<br />
an extract registered decree arbitral bearing a warrant for execution<br />
<br />
issued by the sheriff court of any sheriffdom in Scotland.<br />
<br />
<br />
Dated the 14th day of June 2021<br />
<br />
<br />
<br />
Andy Curry<br />
<br />
Head of Investigations<br />
Information Commissioner’s Office<br />
Wycliffe House<br />
Water Lane<br />
<br />
Wilmslow<br />
Cheshire<br />
SK9 5AF<br />
<br />
<br />
<br />
ANNEX 1<br />
<br />
<br />
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998<br />
<br />
<br />
<br />
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER<br />
<br />
<br />
<br />
1. Section 55B(5) of the Data Protection Act 1998 gives any person<br />
upon whom a monetary penalty notice has been served a right of<br />
<br />
appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’)<br />
<br />
against the notice.<br />
<br />
<br />
<br />
2. If you decide to appeal and if the Tribunal considers:-<br />
<br />
<br />
a) that the notice against which the appeal is brought is not in<br />
<br />
accordance with the law; or<br />
<br />
<br />
<br />
b) to the extent that the notice involved an exercise of<br />
<br />
discretion by the Commissioner, that she ought to have exercised<br />
her discretion differently,<br />
<br />
<br />
<br />
the Tribunal will allow the appeal or substitute such other decision as<br />
<br />
could have been made by the Commissioner. In any other case the<br />
<br />
Tribunal will dismiss the appeal.<br />
<br />
<br />
3. You may bring an appeal by serving a notice of appeal on the<br />
<br />
Tribunal at the following address:<br />
<br />
<br />
<br />
General Regulatory Chamber<br />
HM Courts & Tribunals Service<br />
PO Box 9300<br />
Leicester<br />
<br />
LE1 8DJ<br />
<br />
<br />
Telephone: 0203 936 8963<br />
Email: grc@justice.gov.uk<br />
<br />
<br />
a) The notice of appeal should be sent so it is received by the<br />
<br />
Tribunal within 28 days of the date of the notice.<br />
<br />
<br />
b) If your notice of appeal is late the Tribunal will not admit it<br />
<br />
unless the Tribunal has extended the time for complying with this<br />
<br />
rule.<br />
<br />
<br />
<br />
4. The notice of appeal should state:-<br />
<br />
<br />
a) your name and address/name and address of your<br />
<br />
representative (if any);<br />
<br />
<br />
<br />
b) an address where documents may be sent or delivered to<br />
<br />
you;<br />
<br />
<br />
c) the name and address of the Information Commissioner;<br />
<br />
<br />
<br />
d) details of the decision to which the proceedings relate;<br />
<br />
<br />
e) the result that you are seeking;<br />
<br />
<br />
<br />
f) the grounds on which you rely;<br />
<br />
<br />
<br />
g) you must provide with the notice of appeal a copy of the<br />
<br />
monetary penalty notice or variation notice;<br />
<br />
<br />
h) if you have exceeded the time limit mentioned above the<br />
<br />
notice of appeal must include a request for an extension of time<br />
<br />
<br />
<br />
and the reason why the notice of appeal was not provided in<br />
time.<br />
<br />
<br />
<br />
5. Before deciding whether or not to appeal you may wish to consult<br />
<br />
your solicitor or another adviser. At the hearing of an appeal a party<br />
<br />
may conduct his case himself or may be represented by any person<br />
<br />
whom he may appoint for that purpose.<br />
<br />
<br />
6. The statutory provisions concerning appeals to the First-tier<br />
<br />
Tribunal (Information Rights) are contained in section 55B(5) of, and<br />
<br />
Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure<br />
<br />
(First-tier Tribunal) (General Regulatory Chamber) Rules 2009<br />
(Statutory Instrument 2009 No. 1976 (L.20)).<br />
<br />
<br />
<br />
</pre></div>Mariam-hwthhttps://gdprhub.eu/index.php?title=ICO_(UK)_-_Papa_John%27s_(GB)_Limited&diff=16626ICO (UK) - Papa John's (GB) Limited2021-06-17T20:04:54Z<p>Mariam-hwth: Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO (UK) |DPA_With_Country=ICO (UK) |Case_Number_N..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|DPA-BG-Color=background-color:#023868;<br />
|DPAlogo=LogoUK.png<br />
|DPA_Abbrevation=ICO (UK)<br />
|DPA_With_Country=ICO (UK)<br />
<br />
|Case_Number_Name=Papa John's (GB) Limited<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Information Commissioner's Office<br />
|Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/mpns/2619969/papa-johns-gb-limited-mpn.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=14.06.2021<br />
|Date_Published=15.06.2021<br />
|Year=2021<br />
|Fine=10000<br />
|Currency=GBP<br />
<br />
<br />
<br />
|National_Law_Name_1=Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
|National_Law_Link_1=https://www.legislation.gov.uk/uksi/2003/2426/contents<br />
|National_Law_Name_2=Regulation 22(3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
|National_Law_Link_2=https://www.legislation.gov.uk/uksi/2003/2426/contents<br />
<br />
|Party_Name_1=Papa John's (GB) Limited<br />
|Party_Link_1=https://www.papajohns.co.uk/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The UK DPA (ICO) imposed a fine of €11700 on Papa John's (GB) Limited for sending unsolicited direct marketing messages in breach of regulation 22 PECR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Papa John's, the pizza company, was the subject of various complaints to the Information Commissioner's Office (ICO). The ICO therefore initiated an investigation into Papa John's direct marketing practices.<br />
<br />
Papa John's provided details on the number of marketing messages sent between October 2019 and April 2020. It also outlined that it relies on the soft opt-in to send these messages to customers whose data it has obtained directly. It was estimated that 168,022 text messages were received by individuals on that basis.<br />
<br />
However, the initial form filled in by individuals who ordered from Papa John's did not provide an option to opt out of receiving direct marketing messages. <br />
<br />
=== Dispute ===<br />
Is there a breach of regulation 22 PECR if individuals whose information is collected by an organisation are not provided the option to opt out from direct marketing and are subsequently sent direct marketing?<br />
<br />
=== Holding ===<br />
The Information Commissioner's Office (ICO) held that Papa John's was in contravention of regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR). Papa John's sent 168,022 direct marketing messages without valid consent. <br />
<br />
Papa John's gathered details from individuals that ordered on their sales channels. It then attempted to rely on the soft opt-in exemption under regulation 22(3) PECR. The exemption enables organisations to send marketing texts and emails to individuals whose details they have gathered "in the course or negotiation of a sale and in respect of similar products and services". However, the organisation must give individuals the opportunity to opt out of direct marketing whilst gathering their details in the first place. As Papa John's failed to do this, the ICO deemed it in breach of regulation 22(3)(c) PECR.<br />
<br />
The contravention was serious as a result of the quantity of messages sent without valid consent. The ICO also considered that the action was negligent, as Papa John's knew or ought reasonably to have known that there was a risk of contraventions and failed to take reasonable steps to prevent them. Therefore, the ICO imposed a fine of around €11700 on Papa John's (GB) Limited. This amount can be reduced by 20% should Papa John's pay the fine within a month of the decision.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
DATA PROTECTION ACT 1998<br />
<br />
<br />
<br />
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER<br />
<br />
<br />
<br />
MONETARY PENALTY NOTICE<br />
<br />
<br />
<br />
<br />
To: Papa John’s (GB) Limited<br />
<br />
<br />
<br />
Of: Papa John’s UK & European Campus, 11 Northfield Drive, Northfield,<br />
<br />
Milton Keynes, MK15 0DQ<br />
<br />
<br />
1. The Information Commissioner (“the Commissioner”) has decided to<br />
<br />
issue Papa John’s (GB) Limited (“Papa John’s”) with a monetary<br />
<br />
penalty under section 55A of the Data Protection Act 1998 (“DPA”). The<br />
<br />
penalty is in relation to a serious contravention of Regulation 22 of the<br />
<br />
Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
(“PECR”).<br />
<br />
<br />
<br />
2. This notice explains the Commissioner’s decision.<br />
<br />
<br />
<br />
Legal framework<br />
<br />
<br />
3. Papa John’s, whose registered office is given above (Companies House<br />
<br />
Registration Number: 02569801) is the organisation stated in this<br />
<br />
notice to have transmitted unsolicited communications by means of<br />
<br />
electronic mail to individual subscribers for the purposes of direct<br />
<br />
marketing contrary to regulation 22 of PECR.<br />
<br />
<br />
4. Regulation 22 of PECR states:<br />
<br />
<br />
“(1) This regulation applies to the transmission of unsolicited<br />
<br />
communications by means of electronic mail to individual<br />
<br />
subscribers.<br />
<br />
(2) Except in the circumstances referred to in paragraph (3), a person<br />
<br />
shall neither transmit, nor instigate the transmission of, unsolicited<br />
<br />
communications for the purposes of direct marketing by means of<br />
<br />
electronic mail unless the recipient of the electronic mail has<br />
<br />
previously notified the sender that he consents for the time being<br />
to such communications being sent by, or at the instigation of, the<br />
<br />
sender.<br />
<br />
<br />
(3) A person may send or instigate the sending of electronic mail for<br />
the purposes of direct marketing where—<br />
<br />
<br />
(a) that person has obtained the contact details of the recipient<br />
<br />
of that electronic mail in the course of the sale or<br />
negotiations for the sale of a product or service to that<br />
<br />
recipient;<br />
<br />
<br />
(b) the direct marketing is in respect of that person’s similar<br />
products and services only; and<br />
<br />
<br />
(c) the recipient has been given a simple means of refusing<br />
(free of charge except for the costs of the transmission of<br />
<br />
the refusal) the use of his contact details for the purposes<br />
<br />
of such direct marketing, at the time that the details were<br />
<br />
initially collected, and, where he did not initially refuse the<br />
<br />
use of the details, at the time of each subsequent<br />
<br />
communication.<br />
<br />
(4) A subscriber shall not permit his line to be used in contravention of<br />
<br />
paragraph (2).”<br />
<br />
<br />
<br />
<br />
5. Section 122(5) of the Data Protection Act 2018 (“DPA18”) defines<br />
<br />
direct marketing as “the communication (by whatever means) of any<br />
<br />
advertising material which is directed to particular individuals”. This<br />
<br />
definition also applies for the purposes of PECR (see regulation 2(2)<br />
<br />
PECR and paragraphs 430 & 432(6) to Schedule 19 of the DPA18).<br />
<br />
<br />
6. Consent in PECR is now defined, from 29 March 2019, by reference to<br />
<br />
the concept of consent in Regulation 2016/679 (“the GDPR”):<br />
<br />
regulation 8(2) of the Data Protection, Privacy and Electronic<br />
<br />
Communications (Amendments etc) (EU Exit) Regulations 2019. Article<br />
<br />
4(11) of the GDPR sets out the following definition: “‘consent’ of the<br />
data subject means any freely given, specific, informed and<br />
<br />
unambiguous indication of the data subject's wishes by which he or<br />
<br />
she, by a statement or by a clear affirmative action, signifies<br />
<br />
agreement to the processing of personal data relating to him or her”.<br />
<br />
<br />
<br />
7. “Individual” is defined in regulation 2(1) of PECR as “a living individual<br />
and includes an unincorporated body of such individuals”.<br />
<br />
<br />
8. A “subscriber” is defined in regulation 2(1) of PECR as “a person who is<br />
<br />
a party to a contract with a provider of public electronic<br />
<br />
communications services for the supply of such services”.<br />
<br />
<br />
9. “Electronic mail” is defined in regulation 2(1) of PECR as “any text,<br />
<br />
voice, sound or image message sent over a public electronic<br />
<br />
communications network which can be stored in the network or in the<br />
recipient’s terminal equipment until it is collected by the recipient and<br />
<br />
includes messages sent using a short message service”.<br />
<br />
<br />
<br />
10. The term "soft opt-in" is used to describe the rule set out in<br />
<br />
Regulation 22(3) of PECR. In essence, an organisation may be able to<br />
<br />
e-mail or message its existing customers even if they haven't<br />
specifically consented to electronic mail. The soft opt-in rule can only<br />
<br />
be relied upon by the organisation that collected the contact details.<br />
<br />
<br />
<br />
11. Section 55A of the DPA (as applied to PECR cases by Schedule 1 to<br />
<br />
PECR, as variously amended) states:<br />
<br />
<br />
“(1) The Commissioner may serve a person with a monetary penalty if<br />
<br />
the Commissioner is satisfied that –<br />
<br />
(a) there has been a serious contravention of the requirements<br />
<br />
of the Privacy and Electronic Communications (EC<br />
<br />
Directive) Regulations 2003 by the person,<br />
<br />
(b) subsection (2) or (3) applies.<br />
<br />
<br />
(2) This subsection applies if the contravention was deliberate.<br />
<br />
(3) This subsection applies if the person –<br />
<br />
(a) knew or ought to have known that there was a risk that the<br />
<br />
contravention would occur, but<br />
<br />
<br />
(b) failed to take reasonable steps to prevent the<br />
contravention.”<br />
<br />
<br />
<br />
12. The Commissioner has issued statutory guidance under section 55C (1)<br />
<br />
of the DPA about the issuing of monetary penalties that has been<br />
<br />
published on the ICO’s website. The Data Protection (Monetary<br />
Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe<br />
<br />
that the amount of any penalty determined by the Commissioner must<br />
<br />
not exceed £500,000.<br />
<br />
<br />
<br />
13. PECR implements Directive 2002/58/EC, and Directive 2009/136/EC<br />
<br />
which amended the earlier Directive. Both the Directive and PECR are<br />
<br />
<br />
“designed to protect the privacy of electronic communications users”:<br />
Leave.EU & Eldon Insurance Services v Information Commissioner<br />
<br />
[2021] UKUT 26 (AAC) at paragraph 26. The Commissioner seeks to<br />
<br />
interpret and apply PECR in a manner consistent with the purpose of<br />
<br />
the Directive and PECR of ensuring a high level of protection of the<br />
<br />
privacy of individuals, and in particular the protections provided from<br />
<br />
receiving unsolicited direct marketing communications which the<br />
individual has not consented to receive.<br />
<br />
<br />
<br />
14. The provisions of the DPA remain in force for the purposes of PECR<br />
<br />
notwithstanding the introduction of the DPA18: see paragraph 58(1) of<br />
<br />
Schedule 20 to the DPA18.<br />
<br />
<br />
<br />
Background to the case<br />
<br />
<br />
<br />
15. Papa John’s is a pizza company offering both delivery and take-out<br />
<br />
service. It first came to the attention of the Commissioner following a<br />
number of complaints being received.<br />
<br />
<br />
<br />
16. An initial investigation letter was sent to Papa John’s on 21 May 2020<br />
<br />
raising some preliminary concerns with its PECR compliance and<br />
<br />
providing details of the complaints received. The correspondence also<br />
<br />
requested information about the volume of messages sent to<br />
subscribers, the sources of data for the recipients of those messages<br />
<br />
and any evidence of consent it relied upon to send marketing<br />
<br />
messages. Papa John’s were warned that the Commissioner could issue<br />
<br />
civil monetary penalties of up to £500,000 for PECR breaches.<br />
<br />
<br />
17. In its response of 26 June 2020, Papa John’s provided the total number<br />
<br />
of marketing messages sent between 1 October 2019 and 30 April<br />
2020. It explained that it only obtains data from its own customers<br />
<br />
<br />
where orders are placed directly with the company. It advised that it<br />
does not obtain data from any other third-party sources.<br />
<br />
<br />
<br />
18. Papa John’s informed the Commissioner that it relied on the soft opt in<br />
<br />
and provided examples of its online consent statements. It also<br />
<br />
provided evidence to show that unsubscribe options are given in every<br />
<br />
e-mail and text message sent.<br />
<br />
<br />
19. In its correspondence Papa John’s advised that following an internal<br />
review of the complaints received by the Commissioner, there were a<br />
<br />
number where the soft opt in was not available and a text message<br />
<br />
should not have been sent to the customer. It revealed that the<br />
<br />
individuals who had received these messages had placed an order over<br />
<br />
the telephone but were not presented with an option to opt out of<br />
receiving marketing messages. It explained that their privacy notice<br />
<br />
was displayed in stores, and online, and individuals could access the<br />
<br />
marketing preference centre on its website. It had suspended<br />
<br />
marketing to individuals who have placed an order over the telephone<br />
<br />
pending the outcome of the Commissioner’s enquiries. Further evidence<br />
<br />
was provided to show opt out messages and screenshots of online<br />
accounts showing individuals can unsubscribe.<br />
<br />
<br />
20. The Commissioner subsequently requested the total volume of<br />
<br />
messages sent to individuals where their data was obtained over the<br />
<br />
telephone during the relevant period. This was provided although Papa<br />
<br />
John’s were unable to confirm, of the 210,028 marketing messages<br />
<br />
sent, how many had been received by individuals. However, based on<br />
its success rate on delivery, it advised 168,022 text messages were<br />
<br />
received by individuals.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
21. The Commissioner has made the above findings of fact on the<br />
balance of probabilities.<br />
<br />
<br />
<br />
22. The Commissioner has considered whether those facts constitute<br />
<br />
a contravention of regulation 22 of PECR by Papa John’s and, if so,<br />
<br />
whether the conditions of section 55A DPA are satisfied.<br />
<br />
<br />
The contravention<br />
<br />
<br />
<br />
23. The Commissioner finds that Papa John’s contravened regulation 22 of<br />
<br />
PECR.<br />
<br />
<br />
24. The Commissioner finds that the contravention was as follows:<br />
<br />
<br />
<br />
25. The Commissioner finds that between 1 October 2019 to 30 April 2020<br />
<br />
there were 168,022 direct marketing messages received by<br />
<br />
subscribers. The Commissioner finds that Papa John’s transmitted the<br />
<br />
direct marketing messages sent, contrary to regulation 22 of PECR.<br />
<br />
<br />
26. Papa John’s, as the sender of the direct marketing, is required to<br />
ensure that it is acting in compliance with the requirements of<br />
<br />
regulation 22 of PECR, and to ensure that valid consent to send those<br />
<br />
messages had been acquired.<br />
<br />
<br />
27. Papa John’s collected information for marketing purposes through<br />
<br />
customers who order directly via sales channels in its direct control<br />
<br />
including its website, app and in store. It relies on the ‘soft opt-in’<br />
exemption provided by Regulation 22(3) PECR. This exemption means<br />
<br />
that organisations can send marketing messages by text and e-mail to<br />
<br />
individuals whose details had been obtained in the course or<br />
<br />
negotiation of a sale and in respect of similar products and services.<br />
<br />
The organisation must also give the person a simple opportunity to<br />
<br />
refuse or opt out of the marketing, both when first collecting the details<br />
and in every message after that.<br />
<br />
<br />
28. Papa John’s informed the Commissioner that for those customers<br />
<br />
ordering over the telephone its privacy notice is made available in store<br />
<br />
and on its website. It is the Commissioner’s view that those individuals<br />
<br />
would not reasonably expect to receive marketing. As a result, 15<br />
<br />
complaints were received regarding text messages sent by Papa John’s<br />
<br />
during the contravention period in respect of those customers.<br />
<br />
<br />
29. In this instance Papa John’s have been unable to evidence consent.<br />
From the evidence provided it is clear that the individuals had not, at<br />
<br />
the point their data was collected, been given a simple means of<br />
<br />
refusing the use of their contact details for direct marketing;<br />
<br />
accordingly, Papa John’s direct marketing messages failed to meet the<br />
<br />
criteria of Regulation 22(3)(c) PECR.<br />
<br />
<br />
30. The Commissioner is therefore satisfied from the evidence she has<br />
seen that Papa John’s did not have the necessary valid consent for the<br />
<br />
168,022 direct marketing messages received by subscribers.<br />
<br />
<br />
<br />
31. The Commissioner has gone on to consider whether the conditions<br />
<br />
under section 55A DPA are met.<br />
<br />
<br />
Seriousness of the contravention<br />
<br />
<br />
<br />
32. The Commissioner is satisfied that the contravention identified<br />
<br />
above was serious. This is because between 1 October 2019 and 30<br />
<br />
April 2020 a confirmed total of 168,022 direct marketing messages<br />
were sent by Papa John’s. These messages contained direct marketing<br />
<br />
material for which subscribers had not provided adequate consent.<br />
<br />
<br />
<br />
<br />
33. The rules for electronic marketing are clear in that organisations must<br />
present individuals with an opportunity to opt out of marketing at the<br />
<br />
time that their details are collected. Whilst Papa John’s does have<br />
<br />
consent for the majority of marketing messages it sends, it does not<br />
<br />
have consent to send marketing messages to individuals who have<br />
<br />
placed an order over the telephone for delivery. It is unable to rely on<br />
<br />
the soft opt in because those subscribers had not been given a simple<br />
means of refusing the use of their contact details for direct marketing.<br />
<br />
<br />
34. Papa John’s instead sought to rely upon the assumption that an<br />
<br />
individual could review its privacy notice, in store or on its website, and<br />
<br />
online marketing preference centre. This assumption is unfair as it puts<br />
<br />
the responsibility back on to the individual rather than on to the<br />
<br />
company. Customers may not have visited the company app or website<br />
to locate the branch telephone number when placing their order, these<br />
<br />
being widely available via online search engines. They may also not<br />
<br />
have visited a store to collect their order. Further, any information<br />
<br />
about any marketing communications should be provided to individuals<br />
<br />
rather than them having to seek it out for themselves. All individuals<br />
should be given the same choice in respect of these communications,<br />
<br />
regardless of how they choose to place an order with Papa John’s.<br />
<br />
<br />
<br />
35. The Commissioner is therefore satisfied that condition (a) from<br />
<br />
section 55A(1) DPA is met.<br />
<br />
<br />
Deliberate or negligent contraventions<br />
<br />
<br />
<br />
36. The Commissioner has considered whether the contravention identified<br />
<br />
above was deliberate. In the Commissioner’s view, this means that<br />
<br />
Papa John’s actions which constituted that contravention were<br />
<br />
<br />
<br />
<br />
deliberate actions (even if Papa John’s did not actually intend thereby<br />
to contravene PECR).<br />
<br />
<br />
<br />
37. The Commissioner does not consider that Papa John’s deliberately set<br />
<br />
out to contravene PECR in this instance.<br />
<br />
<br />
38. The Commissioner has gone on to consider whether the contravention<br />
<br />
identified above was negligent. This consideration comprises two<br />
<br />
elements:<br />
<br />
<br />
<br />
39. Firstly, she has considered whether Papa John’s knew or ought<br />
reasonably to have known that there was a risk that these<br />
<br />
contraventions would occur. She is satisfied that this condition is met,<br />
<br />
not least since the issue of unsolicited text messages has been widely<br />
<br />
publicised by the media as being a problem.<br />
<br />
<br />
<br />
40. The Commissioner has published detailed guidance for those carrying<br />
out direct marketing explaining their legal obligations under PECR.<br />
<br />
This guidance gives clear advice regarding the requirements of consent<br />
<br />
for direct marketing and explains the circumstances under which<br />
<br />
organisations are able to carry out marketing over the phone, by text,<br />
<br />
by email, by post, or by fax. In particular it states that organisations<br />
can generally only send, or instigate, marketing emails to individuals if<br />
<br />
that person has specifically consented to receiving them; and highlights<br />
<br />
the difficulties of relying on indirect consent for email marketing. The<br />
<br />
Commissioner has also published detailed guidance on consent under<br />
<br />
the GDPR. In case organisations remain unclear on their obligations,<br />
<br />
the ICO operates a telephone helpline. ICO communications about<br />
previous enforcement action where businesses have not complied with<br />
<br />
PECR are also readily available.<br />
<br />
<br />
<br />
<br />
41. It is therefore reasonable to suppose that Papa John’s should have<br />
been aware of its responsibilities in this area.<br />
<br />
<br />
42. Secondly, the Commissioner has gone on to consider whether Papa<br />
<br />
John’s failed to take reasonable steps to prevent the contraventions.<br />
<br />
Again, she is satisfied that this condition is met.<br />
<br />
<br />
43. Such reasonable steps in these circumstances could have included<br />
<br />
putting in place appropriate systems, policies and procedures to ensure<br />
<br />
that it had the consent of all of its customers to whom it had sent<br />
<br />
marketing messages. Whilst it is evident that Papa John’s had policies<br />
in place to ensure a certain level of compliance its measures failed to<br />
<br />
capture all types of customer and methods of customer contact. In this<br />
<br />
case, a number of customers were not offered adequate means of<br />
<br />
opting out of marketing at the time their details were collected by<br />
<br />
telephone.<br />
<br />
<br />
44. In the circumstances, the Commissioner is satisfied that Papa John’s<br />
<br />
failed to take reasonable steps to prevent the contraventions.<br />
<br />
<br />
<br />
45. The Commissioner is therefore satisfied that condition (b) from section<br />
55A (1) DPA is met.<br />
<br />
<br />
<br />
The Commissioner’s decision to issue a monetary penalty<br />
<br />
<br />
<br />
46. The Commissioner has also taken into account the following<br />
aggravating features of this case:<br />
<br />
<br />
<br />
<br />
• The actions of Papa John’s were carried out to generate business and to<br />
<br />
increase profits, gaining an unfair advantage on those businesses<br />
<br />
complying with the PECR;<br />
<br />
<br />
47. The Commissioner has also taken into account the following mitigating<br />
<br />
feature of this case:<br />
<br />
<br />
<br />
• Papa John’s have advised the Commissioner that it has temporarily<br />
<br />
suspended marketing to individuals placing orders by telephone, but<br />
<br />
otherwise has not yet taken steps to rectify its marketing practices to<br />
ensure overall compliance with PECR for this method of customer<br />
<br />
contact.<br />
<br />
<br />
<br />
48. For the reasons explained above, the Commissioner is satisfied that the<br />
<br />
conditions from section 55A (1) DPA have been met in this case. She is<br />
also satisfied that the procedural rights under section 55B have been<br />
<br />
complied with.<br />
<br />
<br />
<br />
49. The latter has included the issuing of a Notice of Intent, in which the<br />
<br />
Commissioner set out her preliminary thinking. In reaching her final<br />
<br />
view, the Commissioner received no representations from Papa John’s.<br />
<br />
<br />
50. The Commissioner is accordingly entitled to issue a monetary penalty<br />
<br />
in this case.<br />
<br />
<br />
<br />
51. The Commissioner has considered whether, in the circumstances, she<br />
should exercise her discretion so as to issue a monetary penalty.<br />
<br />
<br />
<br />
52. The Commissioner has considered the likely impact of a monetary<br />
<br />
penalty on Papa John’s. She has decided on the information that is<br />
<br />
available to her, that Papa John’s has access to sufficient financial<br />
<br />
resources to pay the proposed monetary penalty without causing<br />
undue financial hardship.<br />
<br />
<br />
<br />
<br />
53. The Commissioner’s underlying objective in imposing a monetary<br />
penalty notice is to promote compliance with PECR. The sending of<br />
<br />
unsolicited marketing emails is a matter of significant public concern. A<br />
<br />
monetary penalty in this case should act as a general encouragement<br />
<br />
towards compliance with the law, or at least as a deterrent against<br />
<br />
non-compliance, on the part of all persons running businesses currently<br />
<br />
engaging in these practices. The issuing of a monetary penalty will<br />
reinforce the need for businesses to ensure that they are only<br />
<br />
messaging those who specifically consent to receive marketing.<br />
<br />
<br />
54. For these reasons, the Commissioner has decided to issue a monetary<br />
<br />
penalty in this case.<br />
<br />
<br />
The amount of the penalty<br />
<br />
55. Taking into account all of the above, the Commissioner has decided<br />
<br />
that a penalty in the sum of £10,000 (Ten thousand pounds) is<br />
<br />
reasonable and proportionate given the particular facts of the case and<br />
<br />
the underlying objective in imposing the penalty.<br />
<br />
<br />
<br />
Conclusion<br />
<br />
<br />
56. The monetary penalty must be paid to the Commissioner’s office by<br />
<br />
BACS transfer or cheque by 15 July 2021 at the latest. The monetary<br />
<br />
penalty is not kept by the Commissioner but will be paid into the<br />
<br />
Consolidated Fund which is the Government’s general bank account at<br />
the Bank of England.<br />
<br />
<br />
<br />
57. If the Commissioner receives full payment of the monetary penalty by<br />
<br />
14 July 2021 the Commissioner will reduce the monetary penalty by<br />
<br />
20% to £8,000 (Eight thousand pounds). However, you should be<br />
<br />
<br />
<br />
<br />
aware that the early payment discount is not available if you decide to<br />
exercise your right of appeal.<br />
<br />
<br />
<br />
58. There is a right of appeal to the First-tier Tribunal (Information Rights)<br />
<br />
against:<br />
<br />
<br />
<br />
(a) the imposition of the monetary penalty<br />
and/or;<br />
<br />
(b) the amount of the penalty specified in the monetary penalty<br />
<br />
notice.<br />
<br />
<br />
<br />
59. Any notice of appeal should be received by the Tribunal within 28 days<br />
of the date of this monetary penalty notice.<br />
<br />
<br />
<br />
60. Information about appeals is set out in Annex 1.<br />
<br />
<br />
<br />
61. The Commissioner will not take action to enforce a monetary penalty<br />
<br />
unless:<br />
<br />
<br />
• the period specified within the notice within which a monetary<br />
<br />
penalty must be paid has expired and all or any of the monetary<br />
<br />
penalty has not been paid;<br />
<br />
• all relevant appeals against the monetary penalty notice and any<br />
<br />
variation of it have either been decided or withdrawn; and<br />
<br />
<br />
• the period for appealing against the monetary penalty and any<br />
<br />
variation of it has expired.<br />
<br />
62. In England, Wales and Northern Ireland, the monetary penalty is<br />
<br />
recoverable by Order of the County Court or the High Court. In<br />
<br />
Scotland, the monetary penalty can be enforced in the same manner as<br />
<br />
<br />
<br />
an extract registered decree arbitral bearing a warrant for execution<br />
<br />
issued by the sheriff court of any sheriffdom in Scotland.<br />
<br />
<br />
Dated the 14th day of June 2021<br />
<br />
<br />
<br />
Andy Curry<br />
<br />
Head of Investigations<br />
Information Commissioner’s Office<br />
Wycliffe House<br />
Water Lane<br />
<br />
Wilmslow<br />
Cheshire<br />
SK9 5AF<br />
<br />
<br />
ANNEX 1<br />
<br />
<br />
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998<br />
<br />
<br />
<br />
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER<br />
<br />
<br />
<br />
1. Section 55B(5) of the Data Protection Act 1998 gives any person<br />
upon whom a monetary penalty notice has been served a right of<br />
<br />
appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’)<br />
<br />
against the notice.<br />
<br />
<br />
<br />
2. If you decide to appeal and if the Tribunal considers:-<br />
<br />
<br />
a) that the notice against which the appeal is brought is not in<br />
<br />
accordance with the law; or<br />
<br />
<br />
<br />
b) to the extent that the notice involved an exercise of<br />
<br />
discretion by the Commissioner, that she ought to have exercised<br />
her discretion differently,<br />
<br />
<br />
<br />
the Tribunal will allow the appeal or substitute such other decision as<br />
<br />
could have been made by the Commissioner. In any other case the<br />
<br />
Tribunal will dismiss the appeal.<br />
<br />
<br />
3. You may bring an appeal by serving a notice of appeal on the<br />
<br />
Tribunal at the following address:<br />
<br />
<br />
<br />
General Regulatory Chamber<br />
HM Courts & Tribunals Service<br />
PO Box 9300<br />
Leicester<br />
<br />
LE1 8DJ<br />
<br />
<br />
Telephone: 0203 936 8963<br />
Email: grc@justice.gov.uk<br />
<br />
<br />
a) The notice of appeal should be sent so it is received by the<br />
<br />
Tribunal within 28 days of the date of the notice.<br />
<br />
<br />
b) If your notice of appeal is late the Tribunal will not admit it<br />
<br />
unless the Tribunal has extended the time for complying with this<br />
<br />
rule.<br />
<br />
<br />
<br />
4. The notice of appeal should state:-<br />
<br />
<br />
a) your name and address/name and address of your<br />
<br />
representative (if any);<br />
<br />
<br />
<br />
b) an address where documents may be sent or delivered to<br />
<br />
you;<br />
<br />
<br />
c) the name and address of the Information Commissioner;<br />
<br />
<br />
<br />
d) details of the decision to which the proceedings relate;<br />
<br />
<br />
e) the result that you are seeking;<br />
<br />
<br />
<br />
f) the grounds on which you rely;<br />
<br />
<br />
<br />
g) you must provide with the notice of appeal a copy of the<br />
<br />
monetary penalty notice or variation notice;<br />
<br />
<br />
h) if you have exceeded the time limit mentioned above the<br />
<br />
notice of appeal must include a request for an extension of time<br />
<br />
<br />
<br />
and the reason why the notice of appeal was not provided in<br />
time.<br />
<br />
<br />
<br />
5. Before deciding whether or not to appeal you may wish to consult<br />
<br />
your solicitor or another adviser. At the hearing of an appeal a party<br />
<br />
may conduct his case himself or may be represented by any person<br />
<br />
whom he may appoint for that purpose.<br />
<br />
<br />
6. The statutory provisions concerning appeals to the First-tier<br />
<br />
Tribunal (Information Rights) are contained in section 55B(5) of, and<br />
<br />
Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure<br />
<br />
(First-tier Tribunal) (General Regulatory Chamber) Rules 2009<br />
(Statutory Instrument 2009 No. 1976 (L.20)).<br />
<br />
</pre></div>Mariam-hwthhttps://gdprhub.eu/index.php?title=ICO_(UK)_-_Colour_Car_Sales_Limited&diff=16469ICO (UK) - Colour Car Sales Limited2021-06-14T18:00:24Z<p>Mariam-hwth: Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO (UK) |DPA_With_Country=ICO (UK) |Case_Number_N..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|DPA-BG-Color=background-color:#023868;<br />
|DPAlogo=LogoUK.png<br />
|DPA_Abbrevation=ICO (UK)<br />
|DPA_With_Country=ICO (UK)<br />
<br />
|Case_Number_Name=Colour Car Sales Limited<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Information Commissioner's Office<br />
|Original_Source_Link_1=https://cy.ico.org.uk/media/action-weve-taken/enforcement-notices/2619915/colour-car-sales-ltd-en-20210524.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=24.05.2021<br />
|Date_Published=08.06.2021<br />
|Year=2021<br />
|Fine=170000<br />
|Currency=GBP<br />
<br />
|GDPR_Article_1=Article 4(11) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#11<br />
<br />
<br />
|National_Law_Name_1=Regulation 2(1) of the Privacy and Electronic Communications (EC Directive)<br />
|National_Law_Link_1=https://www.legislation.gov.uk/uksi/2003/2426<br />
|National_Law_Name_2=Regulation 2(1) of the Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
|National_Law_Link_2=https://www.legislation.gov.uk/uksi/2003/2426<br />
|National_Law_Name_3=Regulation 22 of the Privacy and Electronic Communications (EC Directive)<br />
|National_Law_Link_3=https://www.legislation.gov.uk/uksi/2003/2426<br />
|National_Law_Name_4=Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
|National_Law_Link_4=https://www.legislation.gov.uk/uksi/2003/2426<br />
<br />
|Party_Name_1=Colour Car Sales Limited<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The UK DPA (Information Commissioner's Office) fined a credit intermediary for finance on used cars, Colour Car Sales Limited (CCSL), approximately €198,000. CCSL breached Regulation 22 of PECR by sending unsolicited direct marketing messages without valid consent. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Colour Car Sales Limited (CCSL) is a company acting as a credit intermediary for finance on used cars. It traded under several names, including 'immediatecarfinance.co.uk'; 'carfinancetoday.net'; 'achillesuk.com'; 'taxifinancetoday.com'.<br />
<br />
Between 2018 and 2019, the UK DPA (Information Commissioner's Office; ICO) received nearly 200 complaints over unsolicited electronic direct marketing text messages. The ICO started a preliminary investigation and contacted CCSL for further evidence. The letter sent was returned undelivered. The company director was then contacted and provided an alternative contact address.<br />
<br />
CCSL confirmed it had sent over 3 million direct marketing messages between 2018 and 2019. CCSL claimed to have gathered consent through an application form with the following statement:<br />
"By starting an application you agree that immediatecarfinance may/will pass your details on to a third party lender or broker, and they may wish to contact you by phone, post, SMS or other electronic means". CCSL explained that an opt-out would be possible by calling the CCSL office. <br />
<br />
<br />
The ICO investigated the privacy notice available and found that the privacy notice stated that marketing communication was only sent where there was consent of a "legitimate business interest".<br />
<br />
Following initial cooperation, CCSL did not respond to the ICO any further. <br />
<br />
=== Dispute ===<br />
What classifies as valid consent to send direct marketing messages?<br />
<br />
=== Holding ===<br />
The UK DPA first outlined the definition of consent as defined by Article 4(11) of the GDPR. It also outlined the rules under Regulation 22 PECR which address.<br />
<br />
Analysing the application form, the ICO considered that there was no specific reference to direct marketing nor purposes of contact from third parties. Additionally, the UK DPA found that there was no method for the individual to send an application without consenting to being contacted, nor any option for them to select who may contact them. <br />
<br />
The ICO therefore found CCSL in contravention of Regulation 22 of PECR for instigating unsolicited direct marketing messages. Individuals had no option other than agreeing to receive direct marketing. Consent was therefore not freely given. Similarly, it was not specific, as individuals could not select which party they agreed to receive marketing from. Finally, it was not informed (the information provided was too vague).<br />
<br />
The ICO found that the "soft opt-in", where organisations can send marketing messages by text and e-mail to individuals whose details had been obtained in the course or negotiation of a sale and in respect of similar products and services, was also not available to CCSL. This is because individuals were not given the opportunity to refuse or opt-out in the first place.<br />
<br />
The UK DPA took into account the seriousness and the deliberate or negligent nature of the infraction, as well as the lack of cooperation by CCSL. It therefore imposed a fine of approximately €198,000 on CCSL.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
ICO.<br />
Information Commissioner's Office<br />
<br />
<br />
DATA PROTECTION ACT 1998<br />
<br />
<br />
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER<br />
<br />
<br />
<br />
ENFORCEMENT NOTICE<br />
<br />
<br />
<br />
<br />
To: Colour Car Sales Limited<br />
<br />
Of: Unit 1 & 2 Mossfield Road, Stoke-on-Trent, England ST3 5BW<br />
<br />
1. The Information Commissioner ("the Commissioner") has decided to<br />
<br />
issue Colour Car Sales Limited ("CCSL") with an enforcement notice<br />
<br />
under section 40 of the Data Protection Act 1998 ("DPA"). The notice is<br />
in relation to a serious contravention of Regulation 22 of the Privacy<br />
<br />
and Electronic Communications (EC Directive) Regulations 2003<br />
("PECR").<br />
<br />
<br />
<br />
2. This notice explains the Commissioner's decision.<br />
<br />
<br />
Legal framework<br />
<br />
<br />
3. CCSL, whose registered office is given above (Companies House<br />
<br />
Registration Number: 10382413) is the organisation stated in this<br />
notice to have instigated the transmission of unsolicited<br />
<br />
communications by means of electronic mail to individual subscribers<br />
<br />
for the purposes of direct marketing contrary to regulation 22 of PECR.<br />
<br />
<br />
4. Regulation 22 of PECR states:<br />
<br />
<br />
<br />
<br />
"(1) This regulation applies to the transmission of unsolicited<br />
communications by means of electronic mail to individual<br />
<br />
subscribers.<br />
<br />
(2) Except in the circumstances referred to in paragraph (3), a person<br />
<br />
shall neither transmit, nor instigate the transmission of, unsolicited<br />
communications for the purposes of direct marketing by means of<br />
<br />
electronic mail unless the recipient of the electronic mail has<br />
<br />
previously notified the sender that he consents for the time being<br />
to such communications being sent by, or at the instigation of, the<br />
<br />
sender.<br />
<br />
(3) A person may send or instigate the sending of electronic mail for<br />
<br />
the purposes of direct marketing where-<br />
<br />
(a) that person has obtained the contact details of the recipient<br />
of that electronic mail in the course of the sale or<br />
<br />
negotiations for the sale of a product or service to that<br />
<br />
recipient;<br />
<br />
(b) the direct marketing is in respect of that person's similar<br />
products and services only; and<br />
<br />
(c) the recipient has been given a simple means of refusing<br />
<br />
(free of charge except for the costs of the transmission of<br />
<br />
the refusal) the use of his contact details for the purposes<br />
of such direct marketing, at the time that the details were<br />
<br />
initially collected, and, where he did not initially refuse the<br />
<br />
use of the details, at the time of each subsequent<br />
communication.<br />
<br />
(4) A subscriber shall not permit his line to be used in contravention of<br />
<br />
paragraph (2)."<br />
<br />
<br />
<br />
<br />
<br />
<br />
5. Section 122(5) of the DPA18 defines direct marketing as "the<br />
communication (by whatever means) of any advertising material which<br />
<br />
is directed to particular individuals". This definition also applies for the<br />
purposes of PECR (see regulation 2(2) PECR & Schedule 19 paragraphs<br />
<br />
430 & 432(6) DPA18).<br />
<br />
<br />
6. Prior to 29 March 2019, the European Directive 95/46/EC defined<br />
<br />
'consent' as "any freely given specific and informed indication of his<br />
<br />
wishes by which the data subject signifies his agreement to personal<br />
data relating to him being processed".<br />
<br />
<br />
7. Consent in PECR is now defined, from 29 March 2019, by reference to<br />
the concept of consent in Regulation 2016/679 ("the GDPR"):<br />
<br />
regulation 8(2) of the Data Protection, Privacy and Electronic<br />
<br />
Communications (Amendments etc) (EU Exit) Regulations 2019. Article<br />
4(11) of the GDPR sets out the following definition: "'consent' of the<br />
<br />
data subject means any freely given, specific, informed and<br />
unambiguous indication of the data subject's wishes by which he or<br />
<br />
she, by a statement or by a clear affirmative action, signifies<br />
<br />
agreement to the processing of personal data relating to him or her".<br />
<br />
8. Recital 32 of the GDPR materially states that "When the processing has<br />
<br />
multiple purposes, consent should be given for all of them". Recital 42<br />
<br />
materially provides that "For consent to be informed, the data subject<br />
should be aware at least of the identity of the controller". Recital 43<br />
<br />
materially states that "Consent is presumed not to be freely given if it<br />
does not allow separate consent to be given to different personal data<br />
<br />
processing operations despite it being appropriate in the individual<br />
<br />
case".<br />
<br />
<br />
9. "Individual" is defined in regulation 2(1) of PECR as "a living individual<br />
and includes an unincorporated body of such individuals".<br />
<br />
<br />
<br />
10. A "subscriber" is defined in regulation 2(1) of PECR as "a person who is<br />
a party to a contract with a provider of public electronic<br />
<br />
communications services for the supply of such services".<br />
<br />
11. "Electronic mail" is defined in regulation 2(1) of PECR as "any text,<br />
<br />
voice, sound or image message sent over a public electronic<br />
<br />
communications network which can be stored in the network or in the<br />
recipient's terminal equipment until it is collected by the recipient and<br />
<br />
includes messages sent using a short message service".<br />
<br />
<br />
12. The term "soft opt-in" is used to describe the rule set out in<br />
<br />
Regulation 22(3) of PECR. In essence, an organisation may be able to<br />
e-mail its existing customers even if they haven't specifically consented<br />
<br />
to electronic mail. The soft opt-in rule can only be relied upon by the<br />
<br />
organisation that collected the contact details.<br />
<br />
<br />
13. The DPA contains enforcement provisions at Part V which are<br />
exercisable by the Commissioner. Those provisions are modified and<br />
<br />
extended for the purposes of PECR by Schedule 1 PECR.<br />
<br />
<br />
14. Section 40(1)(a) of the DPA (as extended and modified by PECR)<br />
provides that if the Commissioner is satisfied that a person has<br />
<br />
contravened or is contravening any of the requirements of the<br />
<br />
Regulations, she may serve him with an Enforcement Notice requiring<br />
him to take within such time as may be specified in the Notice, or to<br />
<br />
refrain from taking after such time as may be so specified, such steps<br />
as are so specified.<br />
<br />
<br />
<br />
15. PECR were enacted to protect the individual's fundamental right to<br />
privacy in the electronic communications sector. PECR were<br />
<br />
subsequently amended and strengthened. The Commissioner will<br />
<br />
<br />
interpret PECR in a way which is consistent with the Regulations'<br />
overall aim of ensuring high levels of protection for individuals' privacy<br />
<br />
rights.<br />
<br />
<br />
16. The provisions of the DPA remain in force for the purposes of PECR<br />
<br />
notwithstanding the introduction of the Data Protection Act 2018 (see<br />
paragraph 58(1) of Part 9, Schedule 20 of that Act).<br />
<br />
<br />
<br />
The contravention<br />
<br />
<br />
17. The Commissioner finds that CCSL contravened regulation 22 of PECR.<br />
<br />
<br />
18. The Commissioner finds that the contravention was as follows:<br />
<br />
<br />
19. The Commissioner finds that between 1 October 2018 and 21 January<br />
<br />
2020 there were 274 direct marketing text messages received by<br />
subscribers which are capable of being evidenced by complaints. The<br />
<br />
Commissioner finds that CCSL instigated the transmission of the direct<br />
<br />
marketing messages sent, contrary to regulation 22 of PECR.<br />
<br />
20. The Commissioner is not assisted by CCSL's failure to engage with her<br />
<br />
during this investigation to explain the relationship between CCSL and<br />
However she is satisfied that for the purposes<br />
<br />
of the direct marketing messages sent from<br />
<br />
Text Local account, CCSL positively encouraged the sending of those<br />
messages. She makes this finding in light of the information provided<br />
<br />
by Text Local in response to the Commissioner's 3PIN, and in view of<br />
<br />
the content of the unsolicited direct marketing messages sent which<br />
resulted in 274 complaints.<br />
<br />
<br />
21. CCSL, as the instigator of the direct marketing, is required to ensure<br />
that it is acting in compliance with the requirements of regulation 22 of<br />
<br />
<br />
PECR, and to ensure that valid consent to send those messages had<br />
been acquired.<br />
<br />
<br />
22. In this instance, individuals applying for finance via one of CCSL's sites<br />
<br />
were given no option but to agree to receive direct marketing from<br />
CCSL and its unnamed third parties. Indeed, the statement that would<br />
<br />
accompany the applications did not indicate in any manner that the<br />
individual's personal details would be used for direct marketing<br />
<br />
purposes. Furthermore, individuals could not specify the type of direct<br />
<br />
marketing that they might be willing to receive, rather they were<br />
required to agree to a suite of contact methods, from an unknown<br />
<br />
number of third parties.<br />
<br />
23. For consent to be valid it is required to be "freely given", by which it<br />
<br />
follows that if consent to marketing is a condition of subscribing to a<br />
<br />
service, the organisation will have to demonstrate how the consent can<br />
be said to have been given freely. In this instance, CCSL has failed to<br />
<br />
explain how its consent could be said to be freely given.<br />
<br />
24. Consent is also required to be "specific" as to the type of marketing<br />
<br />
communication to be received, and the organisation, or specific type of<br />
<br />
organisation, that will be sending it. Again, this requirement does not<br />
appear to be met in CCSL's case.<br />
<br />
<br />
25. Consent will not be "informed" if individuals do not understand what<br />
<br />
they are consenting to. Organisations should therefore always ensure<br />
that the language used is clear, easy to understand, and not hidden<br />
<br />
away in a privacy policy or small print. Consent will not be valid if<br />
individuals are asked to agree to receive marketing from "similar<br />
<br />
organisations", "partners", "selected third parties" or other similar<br />
<br />
generic description.<br />
<br />
<br />
<br />
<br />
26. The Commissioner is satisfied that CCSL cannot avail itself to the "soft<br />
opt-in" exemption provided by regulation 22(3) PECR. This exemption<br />
<br />
means that organisations can send marketing messages by text and<br />
e-mail to individuals whose details had been obtained in the course or<br />
<br />
negotiation of a sale and in respect of similar products and services.<br />
<br />
The organisation must also give the person a simple opportunity to<br />
refuse or opt out of the marketing, both when first collecting the details<br />
<br />
and in every message after that. It is apparent from the sign-up page<br />
<br />
on CCSL's websites that individuals were not provided a simple<br />
opportunity to refuse or opt out of the marketing, nor were they<br />
<br />
offered an opt-out in the subsequent direct marketing messages that<br />
they received. The Commissioner therefore finds that CCSL is unable to<br />
<br />
rely on this exemption.<br />
<br />
<br />
27. The Commissioner is satisfied that this contravention could have been<br />
far greater, since there is evidence that a total of 3,650,194 direct<br />
<br />
marketing messages were sent to individuals at the instigation of CCSL<br />
over the contravention period. However, because of CCSL's lack of<br />
<br />
engagement, and the Communications Service Provider's failure to<br />
<br />
retain such records, it has not been possible to determine the exact<br />
number of those messages which were received by subscribers. The<br />
<br />
full extent of the contravention is therefore unknown.<br />
<br />
<br />
28. The Commissioner is satisfied from the evidence she has seen that<br />
CCSL did not have the necessary valid consent for the 274 direct<br />
<br />
marketing messages received by subscribers.<br />
<br />
<br />
29. The Commissioner has considered, as she is required to do under<br />
<br />
section 40(2) of the DPA (as extended and modified by PECR) when<br />
deciding whether to serve an Enforcement Notice, whether any<br />
<br />
contravention has caused or is likely to cause any person damage or<br />
distress. The Commissioner has decided that it is likely that damage or<br />
<br />
distress has been caused in this instance, not least because of the<br />
<br />
sheer number of complaints.<br />
<br />
30. In view of the matters referred to above the Commissioner<br />
<br />
hereby gives notice that, in exercise of her powers under<br />
section 40 of the DPA, she requires CCSL to take the steps<br />
<br />
specified in Annex 1 of this Notice.<br />
<br />
Right of Appeal<br />
<br />
<br />
31. There is a right of appeal against this Notice to the First-tier Tribunal<br />
(Information Rights), part of the General Regulatory Chamber.<br />
<br />
Information about appeals is set out in the attached Annex 2.<br />
<br />
<br />
Dated the 24th day of May 2021<br />
<br />
Andy Curry<br />
Head of Investigations<br />
Information Commissioner's Office<br />
Wycliffe House<br />
Water Lane<br />
Wilmslow<br />
Cheshire<br />
SK9 5AF<br />
<br />
ANNEX 1<br />
<br />
TERMS OF THE ENFORCEMENT NOTICE<br />
<br />
<br />
CCSL shall within 30 days of the date of this notice:<br />
<br />
<br />
• Except in the circumstances referred to in paragraph (3) of<br />
regulation 22 of PECR, neither transmit, nor instigate the<br />
<br />
transmission of, unsolicited communications for the purposes of<br />
direct marketing by means of electronic mail unless the recipient of<br />
<br />
the electronic mail has previously notified CCSL that he clearly and<br />
specifically consents for the time being to such communications<br />
being sent by, or at the instigation of, CCSL.<br />
<br />
<br />
ANNEX 2<br />
<br />
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER<br />
<br />
<br />
<br />
1. Section 48 of the Data Protection Act 1998 gives any person upon<br />
<br />
whom an enforcement notice has been served a right of appeal to the<br />
First-tier Tribunal (Information Rights) (the "Tribunal") against the<br />
<br />
notice.<br />
<br />
<br />
2. If you decide to appeal and if the Tribunal considers: -<br />
<br />
<br />
<br />
a) that the notice against which the appeal is brought is not in<br />
accordance with the law; or<br />
<br />
<br />
b) to the extent that the notice involved an exercise of discretion by<br />
<br />
the Commissioner, that she ought to have exercised her<br />
<br />
discretion differently,<br />
<br />
<br />
the Tribunal will allow the appeal or substitute such other decision as<br />
could have been made by the Commissioner. In any other case the<br />
<br />
Tribunal will dismiss the appeal.<br />
<br />
<br />
3. You may bring an appeal by serving a notice of appeal on the Tribunal<br />
<br />
at the following address:<br />
<br />
<br />
General Regulatory Chamber<br />
HM Courts & Tribunals Service<br />
PO Box 9300<br />
Leicester<br />
LE1 8DJ<br />
<br />
Telephone: 0300 123 4504<br />
Email: grc@justice.gov.uk<br />
<br />
<br />
• The notice of appeal should be served on the Tribunal within 28<br />
<br />
days of the date on which the enforcement notice was sent<br />
<br />
4. The statutory provisions concerning appeals to the First-tier Tribunal<br />
<br />
(General Regulatory Chamber) are contained in sections 48 and 49 of,<br />
and Schedule 6 to, the Data Protection Act 1998, and Tribunal<br />
Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules<br />
<br />
2009 (Statutory Instrument 2009 No. 1976 (L.20)).<br />
<br />
</pre></div>Mariam-hwthhttps://gdprhub.eu/index.php?title=ICO_-_Leads_Work_Limited_(Monetary_Penalty)&diff=14900ICO - Leads Work Limited (Monetary Penalty)2021-04-14T18:44:49Z<p>Mariam-hwth: Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO |DPA_With_Country=ICO (UK) |Case_Number_Name=L..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=United Kingdom<br />
|DPA-BG-Color=background-color:#023868;<br />
|DPAlogo=LogoUK.png<br />
|DPA_Abbrevation=ICO<br />
|DPA_With_Country=ICO (UK)<br />
<br />
|Case_Number_Name=Leads Work Limited (Monetary Penalty)<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=ICO<br />
|Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/mpns/2619378/leads-work-limited-mpn.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=01.03.2021<br />
|Date_Published=05.03.2021<br />
|Year=2021<br />
|Fine=250000<br />
|Currency=GBP<br />
<br />
|GDPR_Article_1=Article 4(11) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#11<br />
<br />
<br />
|National_Law_Name_1=Regulation 22 Privacy and Electronic Communications (EC Directive) Regulations 2003<br />
|National_Law_Link_1=https://www.legislation.gov.uk/uksi/2003/2426<br />
<br />
|Party_Name_1=Leads Work Limited<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The UK DPA fined Leads Work Limited approximately €288,000 for sending unsolicited direct marketing communications to individual subscribers. This breached Regulation 22 of the PECR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Leads Work Limited (LWL) operates within the "multi-level marketing" sector. It enlists downstream recruits under the Avon brand name.<br />
<br />
The UK DPA (Information Commissioner's Office or ICO) received various complaints from individuals concerning text messages/SMS sent under the Avon name. During the Covid-19 pandemic, individuals complained again about Avon sending them unsolicited text messages. Between April 2020 and May 2020, 835 complaints of this nature were recorded by the ICO.<br />
<br />
Upon investigating further, the ICO identified LWL as the sender of these messages. The ICO notified LWL of the growing complaints concerning these texts. LWL responded to the investigation with information on how they acquired the individuals' data: by purchasing this from third parties and through a website (avon.leadsword.co.uk). <br />
<br />
The ICO identified that the core data supplier was an organisation whose website had an opt-in, a privacy notice and an option to unsubscribe. LWL was included as one of the third parties with whom data was shared. However, LWL was not included within the list of organisations from whom individuals could expect marketing. Additionally, it was not possible for individuals to submit details without selecting a marketing channel. The website was also vague, confusing and lengthy.<br />
<br />
The ICO also identified other websites that contributed to collecting personal data used by LWL to send direct marketing SMS. LWL stated that lawyers had created the website's legal framework and believed it to be compliant with the legal requirements.<br />
<br />
LWL estimated that between May 2019 and May 2020, around 25 million texts were sent to individuals whose personal data was collected from the above websites. <br />
<br />
=== Dispute ===<br />
Is sending direct marketing texts to individuals without their consent in breach of Regulation 22 PECR?<br />
<br />
=== Holding ===<br />
The UK DPA recalled the wording of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as well as the definition of consent under Article 4(11) GDPR. <br />
<br />
It then went on to clarify that consent to direct marketing was not freely given, specific or informed because the website indicating LWL as a recipient of personal data was vague, confusing and lengthy. <br />
<br />
Similar conclusions were reached regarding other websites used to collect personal data used for direct marketing purposes by LWL. These websites had vague consent statements and did not refer to LWL in their policies (listing Avon instead in certain cases). Even where Avon was listed, the ICO highlighted that individuals could not be reasonably expected to know that Avon was linked to LWL. Therefore, consent was not informed and specific.<br />
<br />
The ICO therefore concluded that LWL relied on invalid consent to send direct marketing texts to individuals. It found that LWL was in breach of Regulation 22 of the PECR. The UK DPA highlighted the gravity of the contravention due to the number of messages sent without the recipients' consent. It also noted LWL's deliberate or foreseeable infringement of the law without taking reasonable steps to prevent it.<br />
<br />
As a result of this infringement, the ICO imposed a fine of £250,000 (approx. €288,000) on Leads Work Limited.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
ICO.<br />
Information Commissioner's Office<br />
<br />
<br />
DATA PROTECTION ACT 1998<br />
<br />
<br />
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER<br />
<br />
<br />
MONETARY PENALTY NOTICE<br />
<br />
<br />
<br />
To: Leads Work Limited<br />
<br />
<br />
Of: Suite C Underwood House, 235 Three Bridges Road, Crawley,<br />
West Sussex RH10 1LU<br />
<br />
<br />
<br />
<br />
1. The Information Commissioner ("Commissioner") has decided to issue<br />
<br />
Leads Work Limited ("LWL") with a monetary penalty under section<br />
55A of the Data Protection Act 1998 ("DPA"). The penalty is in relation<br />
<br />
to a serious contravention of regulation 22 of the Privacy and Electronic<br />
<br />
Communications (EC Directive) Regulations 2003 ("PECR").<br />
<br />
<br />
2. This notice explains the Commissioner's decision.<br />
<br />
<br />
Legal framework<br />
<br />
<br />
3. LWL, whose registered office is given above (companies house<br />
<br />
registration number: 10853169), is the organisation (person) stated in<br />
this notice to have transmitted unsolicited communications by means<br />
<br />
of electronic mail to individual subscribers for the purposes of direct<br />
marketing contrary to regulation 22 of PECR.<br />
<br />
<br />
<br />
4. Regulation 22 of PECR provides that:<br />
<br />
<br />
<br />
"(1) This regulation applies to the transmission of unsolicited<br />
communications by means of electronic mail to individual subscribers.<br />
<br />
<br />
(2) Except in the circumstances referred to in paragraph (3), a person<br />
shall neither transmit, nor instigate the transmission of, unsolicited<br />
<br />
communications for the purposes of direct marketing by means of<br />
electronic mail unless the recipient of the electronic mail has previously<br />
<br />
notified the sender that he consents for the time being to such<br />
<br />
communications being sent by, or at the instigation of, the sender.<br />
<br />
<br />
(3) A person may send or instigate the sending of electronic mail for<br />
the purposes of direct marketing where -<br />
<br />
<br />
<br />
(a) That person has obtained the contact details of the recipient of<br />
that electronic mail in the course of the sale or negotiations for<br />
<br />
the sale of a product or device to that recipient;<br />
(b) The direct marketing is in respect of that person's similar<br />
<br />
products and services only; and<br />
(c) The recipient has been given a simple means of refusing (free of<br />
<br />
charge except for the costs of transmission of the refusal) the<br />
<br />
use of his contact details for the purposes of such direct<br />
marketing, at the time that the details were initially collected,<br />
<br />
and, where he did not initially refuse the use of the details, at the<br />
time of each subsequent communication.<br />
<br />
<br />
(4) A subscriber shall not permit his line to be used in contravention of<br />
<br />
paragraph (2)."<br />
<br />
<br />
5. Section 122(5) of the DPA 2018 defines "direct marketing" as "the<br />
<br />
communication (by whatever means) of any advertising material which<br />
<br />
<br />
<br />
<br />
is directed to particular individuals". This definition also applies for the<br />
purposes of PECR.<br />
<br />
<br />
6. "Electronic mail" is defined in regulation 2(1) PECR as "any text, voice,<br />
<br />
sound or image sent over a public electronic communications network<br />
<br />
which can be stored in the network or in the recipient's terminal<br />
equipment until it is collected by the recipient and includes messages<br />
<br />
sent using a short message service".<br />
<br />
<br />
7. Consent is defined in Article 4(11) the General Data Protection<br />
<br />
Regulation 2016/679 as "any freely given, specific, informed and<br />
unambiguous indication of the data subject's wishes by which he or<br />
<br />
she, by a statement or by a clear affirmative action, signifies<br />
<br />
agreement to the processing of personal data relating to him or her".<br />
<br />
8. Section 55A of the DPA (as amended by the Privacy and Electronic<br />
<br />
Communications (EC Directive) (Amendment) Regulations 2011 and the<br />
<br />
Privacy and Electronic Communications (EC Directive) (Amendment)<br />
Regulations 2015) states:<br />
<br />
<br />
"(1) The Commissioner may serve a person with a monetary penalty if<br />
<br />
the Commissioner is satisfied that -<br />
<br />
(a) there has been a serious contravention of the requirements<br />
<br />
of the Privacy and Electronic Communications (EC<br />
Directive) Regulations 2003 by the person, and<br />
<br />
(b) subsection (2) or (3) applies.<br />
<br />
(2) This subsection applies if the contravention was deliberate.<br />
<br />
(3) This subsection applies if the person -<br />
<br />
(a) knew or ought to have known that there was a risk that<br />
<br />
the contravention would occur, but<br />
<br />
<br />
(b) failed to take reasonable steps to prevent the<br />
contravention."<br />
<br />
<br />
9. The Commissioner has issued statutory guidance under section 55C(1)<br />
<br />
of the DPA about the issuing of monetary penalties that has been<br />
published on the ICO's website. The Data Protection (Monetary<br />
<br />
Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe<br />
<br />
that the amount of any penalty determined by the Commissioner must<br />
not exceed £500,000.<br />
<br />
<br />
10. PECR implements European legislation (Directive 2002/58/EC) aimed at<br />
<br />
the protection of the individual's fundamental right to privacy in the<br />
<br />
electronic communications sector. PECR was amended for the purpose<br />
of giving effect to Directive 2009/136/EC which amended and<br />
<br />
strengthened the 2002 provisions. The Commissioner approaches PECR<br />
so as to give effect to the Directives.<br />
<br />
<br />
<br />
11. The provisions of the DPA remain in force for the purposes of PECR<br />
notwithstanding the introduction of the Data Protection Act 2018 (see<br />
<br />
paragraph 58(1) of part 9, Schedule 20 of that Act).<br />
<br />
<br />
<br />
Background to the case<br />
<br />
<br />
<br />
12. LWL is a lead generation company which operates primarily in the<br />
<br />
'multi-level marketing' sector. It generates leads under the Avon brand<br />
for the purpose of enlisting downstream recruits, and which are passed<br />
<br />
directly to independent Avon sales representatives.<br />
<br />
<br />
<br />
<br />
<br />
13. LWL first came to the attention of the Commissioner in connection with<br />
<br />
complaints about text messages seemingly sent by Avon Cosmetics<br />
<br />
Limited ("Avon"). The investigation found that Avon did not send or<br />
instigate the texts. LWL were contacted, but not investigated at that<br />
<br />
time.<br />
<br />
<br />
14. LWL came to the attention of the Commissioner again during the Covid-<br />
19 pandemic, when a significant number of complaints were received<br />
<br />
about the following text message:<br />
<br />
<br />
In lockdown and want to earn extra cash? Avon is now FULLY ONLINE,<br />
<br />
FREE to do and paid weekly. Reply with your name for info. 18+ only.<br />
Text STOP to opt out.<br />
<br />
<br />
15. Between 14 April 2020 and 14 May 2020, 835 complaints were received<br />
<br />
by the 7726 SPAM reporting tool. Significant daily totals of complaints<br />
were also seen, including 329 on 13 May 2020, 345 on 14 May 2020<br />
<br />
and 370 on 15 May 2020.<br />
<br />
<br />
16. Given the rapid rise in complaint volumes, and as LWL were known to<br />
<br />
send messages of this type, the Commissioner contacted LWL by<br />
telephone on 13 May 2020, who confirmed that the messages had been<br />
<br />
sent by LWL. This was subsequently supported by evidence from LWL's<br />
mobile network provider.<br />
<br />
<br />
17. On 15 May 2020, the ICO sent an investigation letter to LWL detailing<br />
<br />
the Commissioner's concerns regarding LWL's compliance with PECR,<br />
and containing a number of enquiries. The letter attached an index of<br />
<br />
complaints received both by the 7726 SPAM reporting service, and by<br />
<br />
the ICO.<br />
<br />
<br />
18. On 4 June 2020, the ICO received a response from LWL. This provided<br />
a list of CLI's used by LWL and text volumes, identified the bodies of 19<br />
<br />
different texts sent, and confirmation that texts were sent internally<br />
<br />
through a platform operated by LWL. LWL explained that data was both<br />
purchased from third parties and driven to websites such as<br />
<br />
'Avon.leadswork.co.uk'. The third parties from whom data was<br />
<br />
purchased were said to be' , - -<br />
- and _,_ Advertising was also operated extensively on<br />
<br />
'-,--and--'·<br />
<br />
<br />
19. In response to enquiries about contractual agreements, LWL stated that<br />
<br />
before working with a partner they 'review their terms and conditions<br />
and see the URL where the opt-in will occur', later adding that they also<br />
<br />
go through the registration process on a test basis to ensure necessary<br />
<br />
opt-ins were present. No contractual agreements were said to be in<br />
place or provided. LWL said that they had generated leads for Avon<br />
<br />
representatives for a 'very long time'.<br />
<br />
<br />
20. A review by the Commissioner of the information provided by LWL<br />
<br />
revealed that its dominant data supplier was - - whose data<br />
<br />
capture website was' '. This website consists of a<br />
landing page to opt-in, a privacy notice, and an option to unsubscribe.<br />
<br />
The website states that it is 'part of the - • - _',<br />
<br />
which is a company quite distinct from - -· LWL is named in<br />
the consent statement; by clicking the 'partners' link in the consent<br />
<br />
statement, individuals are directed to the privacy policy in which LWL<br />
are named in the 'marketing service providers' section. A further link<br />
<br />
to 'direct clients' presents individuals with a further list of 457 distinct<br />
<br />
organisations from whom individuals may expect to receive marketing,<br />
in which LWL is not included. The website does not allow individuals to<br />
<br />
submit their details without checking 'at least one' marketing channel.<br />
<br />
Furthermore, the website is vague and confusing given the discursive<br />
<br />
and lengthy nature of the consent statement and the extensive list of<br />
<br />
sectors and companies contained within both it and the privacy policy.<br />
For these reasons the Commissioner concluded that consent was not<br />
<br />
freely given, specific and informed.<br />
<br />
<br />
21. In response to a request by the Commissioner for evidence of consent,<br />
LWL explained that a suppression list was in place should anyone reply<br />
<br />
'Stop' to a message. In respect of the customer journey LWL explained<br />
that should a customer consent to be contacted by LWL then they are<br />
<br />
sent an initial message asking whether they want to be contacted by a<br />
local Avon representative. If they respond positively then their data is<br />
<br />
shared with the local representative.<br />
<br />
<br />
22. LWL provided the Commissioner with a 'GDPR pack' containing a Data<br />
<br />
Protection Impact Assessment ("DPIA") and a 'company compliance<br />
document'. The latter discusses LWL's data protection obligations as a<br />
<br />
company, and whilst robust for the purpose it sets out to achieve, at no<br />
point is PECR referenced. The DPIA, dated 20 October 2019, explicitly<br />
<br />
refers to PECR and consent, acknowledges that there is a 'degree of<br />
public concern over personal data sales', and refers to regulatory action<br />
<br />
by the ICO.<br />
<br />
<br />
23. LWL proclaimed their membership of 'S.H.I.E.L.D.' as an indicator of<br />
<br />
their compliance. This is a scheme operated by a law firm who appear<br />
to audit companies' GDPR compliance, and if deemed compliant, they<br />
<br />
are entered into the scheme. No evidence of due diligence conducted<br />
by this law firm on behalf of the company has been provided by LWL.<br />
<br />
<br />
<br />
24. Having reviewed LWL's response, the Commissioner sent a further set<br />
of detailed enquiries to LWL on 9 June 2020, attaching evidence of an<br />
<br />
<br />
additional 8,089 complaints identified through the 7726 SPAM reporting<br />
system since the initial enquiries were sent.<br />
<br />
<br />
25. A substantive response was provided by LWL on 19 June 2020. This<br />
<br />
included the body of 64 distinct texts sent during the investigation<br />
<br />
period (over three times the amount identified in LWL's initial<br />
response). As was seen from those messages, LWL did not identify<br />
<br />
itself as the sender. LWL also provided volumes of data purchased since<br />
<br />
1 May 2019. Further capture domains were identified. In particular,<br />
was identified as also capturing the data that -<br />
<br />
- supplied. LWL prefaced this by stating that they were previously<br />
unaware of this website being a capture domain, and so had<br />
<br />
immediately enquired as to the compliance and opt-in of this website.<br />
<br />
It was explained that this website directs individuals to a registration<br />
page where their details are inputted, and agreement to the privacy<br />
<br />
policy obtained. LWL stated that lawyers had been involved in creation<br />
of the website's legal framework on behalf of another client, and so<br />
<br />
were confident it would be compliant.<br />
<br />
<br />
26. The Commissioner reviewed the privacy policy on '<br />
<br />
which has granular opt-ins for each channel and a third party opt-in.<br />
The policy states that the website is owned and operated by a<br />
<br />
differently named company than - ., who sold the data to<br />
<br />
LWL. The third party opt-in on the registration page contains a link to<br />
'partners' where 16 companies are listed, in which LWL does not<br />
<br />
appear. LWL does appear in the privacy policy, in a list of 7 'marketing<br />
<br />
service providers'. A further 442 companies are then listed under 'direct<br />
clients' followed by the following statement "at registration you have<br />
<br />
the option to opt-in to sponsors of our website". The Commissioner<br />
found the consent statements to be vague and confusing. Further, LWL<br />
<br />
are not named at the point of consent and in view of the extensive list<br />
<br />
of companies in the privacy policy, the Commissioner considered that<br />
<br />
consent was not specific or informed.<br />
<br />
<br />
27. Data was also stated to be purchased by LWL from ,. -<br />
_, ('-"), the second largest of LWL's data suppliers, through<br />
<br />
websites' 'and' '. These sites<br />
share the same vague consent statement, which contains a link to<br />
<br />
identical privacy policies. The privacy policies contain no distinguishable<br />
<br />
'third party policy' and lists approximately 40 companies with whom<br />
data may be shared. LWL are not listed in the privacy policy, instead<br />
<br />
'UK - Avon' are listed; this listing is hyperlinked to LWL's privacy policy.<br />
In representations made to the Commissioner in response to the Notice<br />
<br />
of Intent, LWL provided a letter from - which stated that LWL<br />
should be considered to fall within the category of 'health and beauty<br />
<br />
tips'. Given that LWL are not directly named in any list, and the<br />
policies are convoluted, individuals could not reasonably be expected to<br />
<br />
know that LWL were linked to Avon. For the reasons above the<br />
Commissioner found that the consent statements did not constitute<br />
<br />
informed and specific consent.<br />
<br />
<br />
28. In relation to the volume of texts sent to each data source, LWL stated<br />
it was not possible to produce an entirely accurate figure, however<br />
<br />
provided an approximation of volumes in a further email to the<br />
<br />
Commissioner dated 24 June 2020. Between 1 May 2019 and 15 May<br />
2020 LWL approximated that it sent in excess of 25 million texts to<br />
<br />
data sourced from __ , --- and•••· The vast<br />
majority of the texts, as well as the complaints evidenced in the<br />
<br />
Commissioner's second investigation letter, were related to data<br />
<br />
supplied by --·<br />
<br />
<br />
<br />
29. A further request for information was sent by the Commissioner to LWL<br />
<br />
on 26 June 2020 seeking evidence of consent in relation to another<br />
4,703 complaints received through the 7726 SPAM reporting service,<br />
<br />
information regarding data supplier'••• ,and an accurate<br />
number of texts sent through each source between 16 May 2020 and 26<br />
<br />
June 2020.<br />
<br />
<br />
30. LWL's director responded on 3 July 2020, providing further opt-ins. In<br />
relation to he said the use of this data preceded his time as<br />
<br />
director, and so would need to contact directly or his<br />
predecessors for information.<br />
<br />
<br />
31. LWL went on to verify that between 16 May 2020 and 26 June 2020, a<br />
<br />
total of 3,486,716 messages were sent, of which 3,327,573 were<br />
received. Of these, 3,013,096 texts were sent, and 2,670,140<br />
<br />
connected, to data sourced by -- and ---<br />
(comprising 1,911,493 to -- data and 758,647 to'- <br />
<br />
-'data).<br />
<br />
<br />
32. On 10 July 2020 LWL supplied the Commissioner with information<br />
regarding the ' ' data source. LWL identified the domains used<br />
<br />
by '(also used by -- and<br />
previously reviewed by the Commissioner - see para. 20 above) and<br />
<br />
'. The latter is operated by - - and its<br />
consent statement lists 240 companies who may contact individuals.<br />
<br />
LWL are not included in the list. The privacy policy does name LWL, but<br />
within a list of hundreds of other sponsors. The Commissioner found<br />
<br />
that consent in those circumstances was not specific and informed.<br />
<br />
<br />
33. In conclusion the Commissioner considers that LWL relied upon invalid<br />
consents to send direct marketing texts to individuals whose data was<br />
<br />
sourced by __ , ___ , and<br />
LWL's business<br />
model is inextricably linked to direct marketing, and whilst it did make<br />
<br />
some attempt to comply with data protection legislation, it had no<br />
discernible policies or procedures relevant to PECR compliance, and any<br />
<br />
due diligence was insufficient.<br />
<br />
<br />
34. During the period 16 May 2020 to 26 June 2020, a total of 12,281<br />
<br />
complaints from 11,733 individuals about unsolicited texts from LWL<br />
<br />
were received via the 7726 reporting service. 4 complaints were<br />
received through the Commissioner's online reporting tool. The vast<br />
<br />
majority of complaints (10,570) relate to data sourced by - -·<br />
It is also noteworthy that LWL began receiving a significant number of<br />
<br />
complaints from May 2020 onwards, shortly after the UK entered<br />
<br />
lockdown in response to the pandemic.<br />
<br />
<br />
35. The Commissioner has made the above findings of fact on the balance<br />
of probabilities.<br />
<br />
<br />
36. The Commissioner has considered whether those facts constitute a<br />
<br />
contravention of regulation 22 of PECR by LWL and, if so, whether the<br />
conditions of section 55A DPA are satisfied.<br />
<br />
<br />
The contravention<br />
<br />
<br />
<br />
37. The Commissioner finds that LWL has contravened Regulation 22 of<br />
PECR. The Commissioner finds that the contravention was as follows:<br />
<br />
<br />
38. Between 16 May 2020 and 26 June 2020 LWL transmitted 2,670,140<br />
texts over a public electronic communications network by means of<br />
<br />
electronic mail to individual subscribers for the purposes of direct<br />
<br />
marketing contrary to regulation 22 of PECR.<br />
<br />
<br />
<br />
39. Organisations cannot generally send marketing texts unless the<br />
recipient has notified the sender that they consent to such texts being<br />
<br />
sent by, or at the instigation of, that sender.<br />
<br />
40. The Commissioner is satisfied that the consent relied on by<br />
<br />
LWL did not amount to valid consent for the purposes of regulation 22<br />
<br />
PECR.<br />
<br />
41. The Commissioner is satisfied that LWL was responsible for this<br />
<br />
contravention.<br />
<br />
42. The Commissioner has gone on to consider whether the conditions<br />
<br />
under section 55A DPA were met.<br />
<br />
<br />
Seriousness of the contravention<br />
<br />
<br />
<br />
43. The Commissioner is satisfied that the contravention identified above<br />
was serious.<br />
<br />
<br />
44. This is because LWL sent 2,670,140 marketing text messages to<br />
<br />
individuals without their consent, resulting in excess of 10,000<br />
<br />
complaints, over a period of 41 days. The volume of texts and<br />
complaints over such a short period is substantial. Indeed, the<br />
<br />
Commissioner would go so far as to say that the ratio of complaints to<br />
the volume of data subjects in receipt of unlawful texts far exceeds any<br />
<br />
contravention she has witnessed to date.<br />
<br />
<br />
45. It is reasonable to suppose that the volume of contraventions is<br />
<br />
actually significantly higher, and spanned a broader period of time. LWL<br />
<br />
approximated that during the period 1 May 2019 and 15 May 2020, it<br />
sent 17.23 million texts to--data, 6.43 million texts to.<br />
<br />
-- data and 1.37 million texts to data. All these data<br />
<br />
<br />
sources have been deemed non-compliant, however as LWL's system<br />
overwrites data after a period of time, LWL have been unable to verify<br />
<br />
these figures.<br />
<br />
<br />
46. The Commissioner's Direct Marketing Guidance available on the ICO's<br />
<br />
website states that: "Organisations can generally only send marketing<br />
texts or emails to individuals (including sole traders and some<br />
<br />
partnerships) if that person has specifically consented to receiving<br />
<br />
them". Point 60 of the Guidance refers to the fact that freely given<br />
consent should be demonstrated where it is the "condition of<br />
<br />
subscribing to a service", however it is apparent that consent is not<br />
freely given in the case of data sourced by - - (LWL's largest<br />
<br />
provider of data) through ' ', because individuals are<br />
<br />
not able to register without subscribing to at least one marketing<br />
channel.<br />
<br />
<br />
47. Furthermore, the Commissioner's guidance in relation to PECR states<br />
<br />
that "making a large number of marketing calls based on recorded<br />
<br />
messages or sending large numbers of marketing text messages to<br />
individuals who have not consented to receive them [...] is likely to<br />
<br />
constitute a serious contravention of the Regulations".<br />
<br />
<br />
48. The Commissioner is therefore satisfied that condition (a) from section<br />
<br />
55A (1) DPA is met.<br />
<br />
<br />
Deliberate or foreseeable contravention<br />
<br />
<br />
49. The Commissioner has considered whether the contravention identified<br />
<br />
above was deliberate. In the Commissioner's view, this means that<br />
LWL's actions which constituted that contravention were deliberate<br />
<br />
<br />
<br />
<br />
actions (even if LWL did not actually intend thereby to contravene<br />
PECR).<br />
<br />
<br />
50. The Commissioner considers that in this case LWL's actions were<br />
<br />
deliberate, as despite having been notified that it was under<br />
<br />
investigation by the Commissioner, and given her concerns about<br />
LWL's compliance with PECR, LWL has continued its marketing<br />
<br />
campaign without making any adjustments to its business model. LWL<br />
<br />
continues to send unlawful text messages even after the investigation<br />
was completed, and a Notice of Intent served upon LWL in which its<br />
<br />
practices were deemed non-compliant.<br />
<br />
<br />
51. Further, and in the alternative, the Commissioner has gone on to<br />
<br />
consider whether the contravention identified above was negligent.<br />
<br />
<br />
52. First, she has considered whether LWL knew or ought reasonably to<br />
have known that there was a risk that this contravention would occur.<br />
<br />
She is satisfied that this condition is met, given that LWL's business<br />
<br />
model relied heavily on direct marketing.<br />
<br />
<br />
53. LWL is registered with the ICO as a data controller and as such should<br />
be aware of the Regulations. As the sender of the texts it was the<br />
<br />
responsibility of LWL to ensure valid consent had been obtained prior to<br />
<br />
their transmission.<br />
<br />
<br />
54. The Commissioner has published detailed guidance for those carrying<br />
<br />
out direct marketing explaining their legal obligations under PECR. This<br />
guidance explains the circumstances under which organisations are<br />
<br />
able to carry out marketing over the phone, by text, by email, by post,<br />
or by fax.<br />
<br />
<br />
<br />
<br />
55. Furthermore, the issue of unsolicited marketing has been widely<br />
publicised by the media as being a problem.<br />
<br />
<br />
56. LWL had a DPIA in place dated 20 October 2019 which demonstrates<br />
<br />
awareness on the part of LWL as to its statutory obligations. It contains<br />
<br />
the following statement:<br />
<br />
LW have considered the fact that there is a degree of public concern<br />
over the sales of personal data. The legislation is clear on the point of<br />
consent and the subsequent enforcement action brought by the<br />
<br />
Regulator (ICO) has reinforced the legislation and demonstrated a clear<br />
pathway to take for businesses engaged in the sale of personal data<br />
<br />
This unambiguously references public concern regarding data sales,<br />
<br />
and an awareness of enforcement action taken by the ICO.<br />
<br />
<br />
57. It is therefore reasonable to suppose that LWL knew or ought<br />
<br />
reasonably to have known that there was a risk that these<br />
contraventions would occur.<br />
<br />
<br />
<br />
58. The Commissioner has also considered whether LWL failed to take<br />
reasonable steps to prevent the contraventions.<br />
<br />
<br />
59. Reasonable steps could have included seeking appropriate guidance on<br />
the rules in relation to electronic direct marketing and ensuring the<br />
<br />
consent on which it sought to rely on was valid, putting in place<br />
<br />
contractual arrangements to ensure the veracity of the data, and<br />
conducting sufficient due diligence in relation to its data providers.<br />
<br />
<br />
60. In this case, LWL failed to put in place contractual arrangements with<br />
data suppliers despite sourcing significant volumes of data from these<br />
<br />
suppliers. Any due diligence appears to be minimal and there is a lack<br />
<br />
of evidence in relation to this. By their own admission, LWL conducted<br />
most of their due diligence checks on ' ', by looking<br />
<br />
<br />
at the website and testing the registration pages, however had these<br />
checks been sufficient LWL should have known that the website was<br />
<br />
non-compliant. In fact, LWL only became aware of a page that sourced<br />
<br />
a significant amount of -- data when the ICO investigation<br />
commenced. LWL purports to rely on their entry to the S.H.I.E.L.D.<br />
<br />
scheme as reassurance of compliance, however no evidence in relation<br />
to this has been provided.<br />
<br />
<br />
<br />
61. LWL appear to have placed great reliance upon due diligence<br />
conducted by third parties in relation to data capture websites, and the<br />
<br />
fact that there had been legal input from lawyers engaged by other<br />
organisations who also utilised those same websites. LWL have<br />
<br />
provided minimal evidence in relation to any due diligence provided by<br />
<br />
others and appear to have assumed that as others were reliant upon it,<br />
then their own business model must also have been compliant. It would<br />
<br />
have been reasonable for LWL to carry out its own checks as to<br />
how consent was being obtained via the websites, notwithstanding any<br />
<br />
assurances by its third-party data providers - such checks would have<br />
<br />
alerted LWL to the inadequacy of the consents being obtained via the<br />
sites for the purposes of third-party direct marketing. In short, simple<br />
<br />
reliance on assurances of indirect consent alone without undertaking<br />
proper due diligence is not acceptable.<br />
<br />
<br />
<br />
62. Furthermore, LWL has continued to send significant numbers of<br />
marketing texts to individuals throughout, and since, the course of the<br />
<br />
Commissioner's investigation, incurring a substantial amount of<br />
<br />
complaints. This would suggest that no remedial measures have been<br />
taken to prevent further contraventions and an apparent continuing<br />
<br />
disregard for its obligations under PECR. Indeed, since August 2020 to<br />
the date of this Notice, a further 28,350 complaints about marketing<br />
<br />
texts from LWL have been received by the 7726 reporting service.<br />
<br />
<br />
<br />
63. In representations made to the Commissioner, LWL states that at no<br />
<br />
time was it made aware that its practices were non-compliant. The<br />
Commissioner views the fact that an organisation is under investigation<br />
<br />
should be sufficient impetus for that organisation to review its own<br />
<br />
practices in line with the Regulations. Irrespective of the timing of any<br />
awareness on LWL's part, it is apparent that LWL has not heeded the<br />
<br />
Commissioner's concerns and has continued its campaign in blatant<br />
<br />
disregard for the Regulations.<br />
<br />
<br />
64. The Commissioner is therefore satisfied that condition (b) from section<br />
55A (1) DPA is met.<br />
<br />
<br />
The Commissioner's decision to impose a monetary penalty<br />
<br />
<br />
65. The Commissioner has taken into account the following aggravating<br />
<br />
features of this case:<br />
<br />
<br />
• The texts misleadingly appeared to be sent by Avon. LWL accepts that<br />
<br />
it deliberately did not identify itself in the body of the texts as the<br />
sender so as to not "confuse" recipients, and as such were in breach of<br />
<br />
regulation 23 of PECR.<br />
<br />
<br />
• LWL has continued to run the marketing campaign both during, and<br />
<br />
since, the Commissioner's investigation and despite the ICO's<br />
concerns, without attempting to amend or review its practices. Indeed,<br />
<br />
all the contraventions which are the subject of this Notice occurred<br />
<br />
after LWL were notified it was under investigation. Furthermore, LWL<br />
has continued to send unlawful marketing texts after the Commissioner<br />
<br />
completed her investigation on 26 June 2020, and issued a Notice of<br />
Intent in which LWL's practices were deemed non-compliant.<br />
<br />
<br />
<br />
<br />
• Since August 2020 to the present time, an additional 28,350<br />
complaints have been received by the 7726 SPAM reporting tool about<br />
<br />
texts sent by LWL.<br />
<br />
<br />
• LWL sought to capitalise on the pandemic by sending a significant<br />
<br />
number of text messages relating to, and directly referencing, the<br />
ensuant lockdown when the population was at its most vulnerable and<br />
<br />
advertising the potential financial gains by becoming an Avon<br />
<br />
representative. 1,698 complaints were received regarding this<br />
particular message.<br />
<br />
<br />
• LWL repeatedly indicated long standing compliance with PECR in its<br />
<br />
communications with the Commissioner which was blatantly untrue.<br />
<br />
LWL also failed to be completely transparent during the course of the<br />
investigation. For example, when asked to provide details of the body<br />
<br />
of texts sent by LWL, it initially provided only 19, when it later<br />
<br />
transpired 65 separate texts were utilised. In representations to the<br />
Commissioner, LWL stated that those omitted were simply variants of<br />
<br />
the original texts however the Commissioner's view remains that LWL<br />
were not completely open and transparent in relation to her enquiry.<br />
<br />
<br />
• Furthermore, LWL failed to inform the Commissioner in its response to<br />
<br />
enquiries about marketing methods that it also conducted email<br />
<br />
marketing. The Commissioner has since been made aware that·<br />
- conducted hosted marketing for LWL, and that over a 12 month<br />
<br />
period had sent 7.5 million emails on LWL's behalf, including activity<br />
<br />
during the contravention period. Between the contravention period 16<br />
May 2020 - 26 June 2020 the number of emails transmitted was<br />
<br />
1,006,000.<br />
<br />
<br />
<br />
66. The Commissioner considers there are no mitigating factors to be<br />
<br />
considered in this case.<br />
<br />
<br />
67. For the reasons explained above, the Commissioner is satisfied that the<br />
<br />
conditions from section 55A(1) DPA have been met in this case. She is<br />
also satisfied that the procedural rights under section 55B have been<br />
<br />
complied with.<br />
<br />
<br />
68. This has included the issuing of a Notice of Intent, in which the<br />
<br />
Commissioner set out her preliminary thinking, and invited LWL to make<br />
representations in response.<br />
<br />
<br />
<br />
69. The Commissioner has received and considered Representations in<br />
response to the Notice of Intent dated 9th & 22nd December 2020, and<br />
<br />
5th, 13th & 20th January 2021.<br />
<br />
<br />
70. The Commissioner is accordingly entitled to issue a monetary penalty in<br />
<br />
this case.<br />
<br />
<br />
71. The Commissioner has considered whether, in the circumstances, she<br />
<br />
should exercise her discretion so as to issue a monetary penalty. She<br />
<br />
has decided that a monetary penalty is an appropriate and proportionate<br />
response to the finding of a serious contravention of regulation 22 of<br />
<br />
PECR by LWL.<br />
<br />
<br />
72. The Commissioner's underlying objective in imposing a monetary<br />
<br />
penalty notice is to promote compliance with PECR. The making of<br />
<br />
unsolicited direct marketing calls is a matter of significant public concern.<br />
A monetary penalty in this case should act as a general encouragement<br />
<br />
towards compliance with the law, or at least as a deterrent against non<br />
<br />
compliance, on the part of all persons running businesses currently<br />
<br />
engaging in these practices. This is an opportunity to reinforce the need<br />
for businesses to ensure that they are only telephoning consumers who<br />
<br />
want to receive these calls.<br />
<br />
<br />
73. The Commissioner has also considered the likely impact of a monetary<br />
<br />
penalty on LWL and in doing so has reviewed financial evidence supplied<br />
<br />
by LWL.<br />
<br />
<br />
The amount of the penalty<br />
<br />
<br />
74. Taking into account all of the above, the Commissioner has decided that<br />
<br />
the amount of the penalty is £250,000 (Two hundred and fifty<br />
thousand pounds).<br />
<br />
<br />
Conclusion<br />
<br />
<br />
<br />
75. The monetary penalty must be paid to the Commissioner's office by<br />
BACS transfer or cheque by 1 April 2021 at the latest. The monetary<br />
<br />
penalty is not kept by the Commissioner but will be paid into the<br />
Consolidated Fund which is the Government's general bank account at<br />
<br />
the Bank of England.<br />
<br />
<br />
76. If the Commissioner receives full payment of the monetary penalty by<br />
<br />
31 March 2021 the Commissioner will reduce the monetary penalty by<br />
<br />
20% to £200,000 (Two hundred thousand pounds). However, you<br />
should be aware that the early payment discount is not available if you<br />
<br />
decide to exercise your right of appeal.<br />
<br />
<br />
77. There is a right of appeal to the First-tier Tribunal (Information Rights)<br />
<br />
against:<br />
<br />
<br />
<br />
20 •<br />
<br />
ICO.<br />
Information Commissioner's Office<br />
a) the imposition of the monetary penalty<br />
<br />
and/or;<br />
<br />
<br />
b) the amount of the penalty specified in the monetary penalty<br />
notice.<br />
<br />
<br />
70. Any notice of appeal should be received by the Tribunal within 28 days<br />
<br />
of the date of this monetary penalty notice.<br />
<br />
<br />
71. Information about appeals is set out in Annex 1.<br />
<br />
72. The Commissioner will not take action to enforce a monetary penalty<br />
<br />
unless:<br />
<br />
<br />
• the period specified within the notice within which a monetary penalty<br />
<br />
must be paid has expired and all or any of the monetary penalty has<br />
not been paid;<br />
<br />
<br />
• all relevant appeals against the monetary penalty notice and any<br />
<br />
variation of it have either been decided or withdrawn; and<br />
<br />
• the period for appealing against the monetary penalty and any variation of<br />
<br />
it has expired.<br />
<br />
73. In England, Wales and Northern Ireland, the monetary penalty is<br />
<br />
recoverable by Order of the County Court or the High Court. In<br />
Scotland, the monetary penalty can be enforced in the same manner<br />
<br />
as an extract registered decree arbitral bearing a warrant for execution<br />
issued by the sheriff court of any sheriffdom in Scotland.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Dated the 1 day of March 2021<br />
<br />
<br />
Andy Curry<br />
Head of Investigations<br />
Information Commissioner's Office<br />
Wycliffe House<br />
Water Lane<br />
Wilmslow<br />
Cheshire<br />
SK9 5AF<br />
<br />
<br />
<br />
<br />
ANNEX 1<br />
<br />
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998<br />
<br />
<br />
<br />
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER<br />
<br />
<br />
1. Section 48 of the Data Protection Act 1998 gives any person upon<br />
whom a monetary penalty notice or variation notice has been served a right<br />
of appeal to the First-tier Tribunal (Information Rights) (the 'Tribunal')<br />
<br />
against the notice.<br />
<br />
2. If you decide to appeal and if the Tribunal considers:-<br />
<br />
<br />
a) that the notice against which the appeal is brought is not in accordance<br />
with the law; or<br />
<br />
b) to the extent that the notice involved an exercise of discretion by the<br />
<br />
Commissioner, that she ought to have exercised her discretion differently,<br />
<br />
the Tribunal will allow the appeal or substitute such other decision as could<br />
have been made by the Commissioner. In any other case the Tribunal will<br />
dismiss the appeal.<br />
<br />
<br />
3. You may bring an appeal by serving a notice of appeal on the Tribunal<br />
at the following address:<br />
<br />
<br />
<br />
GRC & GRP Tribunals<br />
PO Box 9300<br />
Arnhem House<br />
31 Waterloo Way<br />
Leicester<br />
LE1 8DJ<br />
<br />
<br />
a) The notice of appeal should be sent so it is received by the Tribunal<br />
within 28 days of the date of the notice.<br />
<br />
<br />
<br />
b) If your notice of appeal is late the Tribunal will not admit it unless the<br />
Tribunal has extended the time for complying with this rule.<br />
<br />
4. The notice of appeal should state:-<br />
<br />
<br />
a) your name and address/name and address of your representative<br />
(if any);<br />
<br />
<br />
b) an address where documents may be sent or delivered to you;<br />
<br />
c) the name and address of the Information Commissioner;<br />
<br />
d) details of the decision to which the proceedings relate;<br />
<br />
<br />
e) the result that you are seeking;<br />
<br />
f) the grounds on which you rely;<br />
<br />
<br />
g) you must provide with the notice of appeal a copy of the<br />
monetary penalty notice or variation notice;<br />
<br />
<br />
h) if you have exceeded the time limit mentioned above the notice<br />
of appeal must include a request for an extension of time and the<br />
reason why the notice of appeal was not provided in time.<br />
<br />
<br />
5. Before deciding whether or not to appeal you may wish to consult your<br />
solicitor or another adviser. At the hearing of an appeal a party may conduct<br />
his case himself or may be represented by any person whom he may<br />
appoint for that purpose.<br />
<br />
<br />
6. The statutory provisions concerning appeals to the First-tier Tribunal<br />
(Information Rights) are contained in sections 48 and 49 of, and Schedule 6<br />
to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal)<br />
(General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No.<br />
<br />
1976 (L.20)).<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
</pre></div>Mariam-hwth