Head of Data Breach, Kingsley Hayes, explores the future of PECR regulations following the Supreme Court’s decision in Lloyd v Google, in Global Data Review.
Kingsley’s article was published in Global Data Review, 1 December 2021, and can be found here.
Some journalists may have trailed it as a David and Goliath struggle, but Lloyd v Google was more complex than this hackneyed phrase suggests.
Although Google can certainly be characterised as a gargantuan tech giant which is well accustomed to fighting huge courtroom battles on both sides of the Atlantic, Richard Lloyd was not just fighting for himself. Instead, this former director of consumer rights group Which? was also arguing on behalf of 4.4 million iPhone owners in a representative action. Backed by very significant litigation funding, he was seeking compensation for these affected users whose privacy, he argued, had been damaged under the old Data Protection Act 1998 (DPA98). Had Lloyd won the day, each individual iPhone user would have only received a relatively small payout – but he lost in the Supreme Court.
Many questions arise from the judgment – not least what the decision means for the Privacy and Electronic Communications 2003 (PECR), UK legislation which derives from the EU’s law ePrivacy Directive. Before examining the impact on them, it is important to summarise the Supreme Court’s judgment in Lloyd v Google and its immediate implications.
The Supreme Court had heard a Google appeal against a 2019 Court of Appeal judgment which had granted Lloyd permission to serve a representative claim on Google in the US. Lloyd’s case centred on a claim which alleged that Google had breached its duties as a data controller under the DPA98 to 4.4m Apple iPhone users for several months in 2011 and 2012. During this time, Google was able to collect and use their browser generated information. Lloyd sued, both on his own behalf and on behalf of 4.4m other residents in England and Wales whose data was affected.
At the heart of Lloyd’s case was the Safari Workaround – Google’s use of a technical device to bypass cookie settings on the Safari web browser that allowed it to place tracking cookies without users’ knowledge or consent. US courts had already found this to be a breach of privacy laws, and the US Federal Trade Commission fined Google $22.5 million in a 2012 settlement.
In dismissing Lloyd’s opt-out representative action against Google, the Supreme Court addressed two key questions: can compensation for loss of control be awarded under the DPA98 without any evidence of damage or distress, and is a representative action a suitable vehicle for such claims?
The answer to the first question was no. The court determined that interpreting damage to include a pure loss of control claim was untenable.
The answer to the second question was more nuanced. In principle, the court broadly supported the idea of representative actions in seeking, for example, declaratory relief concerning liability, and for their use in pursuit of damages where certain types of uniform per claimant damages are sought. But the court determined that this was not possible in situations such as the Lloyd case, where individualised assessments of damages are required.
Finally, the court considered the proposal of bringing claims on a “lowest common denominator” basis. It decided that the facts which Lloyd aimed to prove in each individual case were insufficient to “surmount any threshold of seriousness.”
Many businesses will, no doubt, welcome this judgment since it will significantly limit the potential scope for opt-out claims in a range of data breach cases. Had the Supreme Court sided with Lloyd, 4.4 million iPhone users would have been able to claim for loss of control of personal data, without having to identify any specific financial loss suffered. Other significant group claims would undoubtedly have followed relating to big cybersecurity breaches and the improper use of cookies, for example.
So where does PECR fit into the data privacy equation?
As a UK law that implements the EU’s ePrivacy Directive, PECR sets out privacy rights relating to electronic communications. In essence, PECR operates in parallel with the Data Protection Act 2018 (DPA18) and the UK GDPR. Since it was first adopted, PECR has been amended multiple times – in 2004, 2011, 2015, 2016 and twice in 2018. The latest amendment came into effect in December 2018.
Giving people their privacy rights in relation to electronic communications is achieved through a PECR framework which provides specific rules on marketing calls, emails, texts and faxes; cookies and “other such technologies”; keeping communications services secure; and customer privacy relating to traffic and location data, itemised billing, line identification, and directory listings.
The rules are determined by the Information Commissioner’s Office (ICO). The ICO describes its role as “aiming to help organisations comply with PECR and promote good practice by offering advice and guidance. We will take enforcement action against organisations that persistently ignore their obligations, starting with those that generate the most complaints.”
As an independent regulator, the ICO operates as the national data protection authority dealing with DPA18 and the GDPR, in addition to PECR. Since PECR is affected by the GDPR’s rules on consent, organisations must comply with both laws when they send electronic marketing messages, use cookies or provide electronic communications services.
In the aftermath of Lloyd v Google case, cookies and “other such technologies” that apply to any interaction that collects data from data subjects that is then used for tracking purposes may come under renewed focus. Applications can extend into the marketing and ad serving practices of web providers and those undertaking online marketing.
To date, litigation has been primarily focused on tech companies in relation to alleged breaches of data protection, either under the DPA98 (as in Lloyd v Google) or, more recently, the DPA18. PECR can provide a useful further avenue: the onus of a positive act for the collection of consents from individuals to marketing and the collection of data are detailed and have been much of the subject of ICO regulatory action in the past few years.
Following Lloyd v Google, there is likely to be a greater evaluation of the activities of tech companies and advertisers outside of the “cookie regime”. There may also be a shift towards a more detailed examination of consent being obtained, or not. One example may be in the use of technologies such as digital fingerprinting, which is invariably marketed as a “fraud prevention tool” but also appears to have significant data collection capabilities for adtech.
In September 2021, the Department for Digital, Culture, Media & Sport (DCMS) published Data: a new direction, a consultation on reforms “to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data.” The DCMS rationale in publishing the consultation is that the data landscape has changed significantly since 2018, suggesting further reform is needed.
In addressing reform of the cookie regime under PECR, the ICO supports the consultation proposal to remove the need to obtain consent for analytics cookies, so long as appropriate safeguards are retained. The ICO also supports its proposal to increase the level of fines which can be imposed under PECR to match those of the UK GDPR and DPA18 – a maximum fine of the greater of £17.5 million or 4% of annual global turnover. On cookie banners, the ICO cautions against another consultation proposal to remove them completely, and has urged the department to consider the pros and cons of legislating against the use of cookie walls.
As the PECR regime seems set to get more teeth, another notable aspect is that it provides access to damages being claimed on an account of profits basis. A damages claim brought on this basis could provide a powerful additional tool in the armoury of the claimants, potentially striking fear into the tech companies who may, or indeed may not, be being less than transparent about their data collection activities.
Ultimately, everyone’s personal data belongs to them as individuals. While the public perception of the real value of this data remains limited, a gradual recognition is emerging that personal data is one of the most valuable assets that an individual can own.
