Held:

1. If the court decided that the infringement of the Directive and the DPA was trivial or de minimis it would be entitled to refuse to make an award of loss of control damages.A domestic approach to statutory construction would point towards the conclusion that section 13 of DPA on compensation for suffering damage by reason of any contravention by a data controller and article 23 of the Directive on receiving compensation from the controller for the damage suffered required proof of both a contravention and consequent damage, whether pecuniary or non-pecuniary. That was not a circular to plead that the alleged infringement of the class members’ data protection rights caused a loss of control over their personal data. The key to those claims was the characterisation of the class members’ loss as the loss of control or loss of autonomy over their personal data.
2. The first question that arose was whether control over data was an asset that had value. As a matter of English law, an electronic database was not a form of property capable of possession and that, therefore, it could not be subject to a possessory lien. Even if data was not technically regarded as property in English law, its protection under European Union (EU) law was clear. It was also clear that a person’s BGI had economic value: for example, it could be sold. It was commonplace for EU citizens to obtain free wi-fi at an airport in exchange for providing their personal data. If they declined to do so, they had to pay for their wi-fi usage. The underlying reality of that case was that the defendant was able to sell BGI collected from numerous individuals to advertisers who wished to target them with their advertising. That confirmed that such data, and consent to its use, had an economic value.
3. A person’s control over data or over their BGI did have a value, so that the loss of that control had to also have a value. In one sense, if that was right, it was sufficient to answer the question of whether, in theory, a person could recover compensation under section 13 of DPA and article 23 of the Directive. But it was necessary first to consider whether that kind of loss of control over data could properly be considered damage in the legal sense in which the term damage was used in article 23 of the Directive and section 13 of DPA.
4. Damages in consequence of a breach of a person’s private rights were not the same as vindicatory damages to vindicate some constitutional right. In the present context, the damages were an award to compensate for the loss or diminution of a right to control formerly private information and for the distress that the respondents could justifiably have felt because their private information had been exploited, and were assessed by reference to that loss.
5. The underlying rights on which misuse of private information and infringements of the DPA were based were themselves founded on the same principle: namely, that privacy be protected. The EU law principles of equivalence and effectiveness should also not be forgotten. The principle of equivalence particularly provided that the detailed procedural rules governing actions for safeguarding an individual’s rights under EU law had to be no less favourable than those governing similar domestic actions. Since the torts of MPI and breach of the DPA were undoubtedly similar domestic actions, it would be prima facie inappropriate for the court to apply differing approaches to the meaning of damage. The principle of effectiveness provided that a member state had to not render it practically impossible or excessively difficult to exercise rights conferred by EU law. The protection of data was such a right, so that principle too was engaged.
6. The award of compensatory damages, whether substantial or nominal, served a vindicatory purpose: in addition to compensating a claimant’s loss, it vindicated the right that had been infringed, but that it was another to award a claimant an additional award, not in order to punish the wrongdoer, but to reflect the special nature of the wrong. Whilst discretionary vindicatory damages might be awarded for breach of a constitutional right in order to reflect the sense of public outrage, it was a big leap to apply that reasoning to any private claim against the executive.
7. Damages were in principle capable of being awarded for loss of control of data under article 23 of the Directive and section 13 of the DPA, even if there was no pecuniary loss and no distress. The words in section 13 “an individual who suffered damage by reason of a breach was entitled to compensation” justified such an interpretation. Only by construing the legislation in that way could individuals be provided with an effective remedy for the infringement of such rights.
8. Other remedies, apart from damages were theoretically available. Injunctive and declaratory relief could be sought, and rectification, blocking and erasure of data were available under article 12 of the Directive and section 14 of the DPA. The breaches alleged would go unremedied in the absence of damages being available. It was not necessary under that heading to decide whether uniform per capita damages were the appropriate remedy, since that was more relevant to the next question, namely whether the members of the class that the claimant purported to represent had the same interest.
9. The fundamental requirement for a representative action was that those represented in the action had the same interest in it. At all stages of the proceedings, and not just at the date of judgment at the end, it had to be possible to say of any particular person whether or not they qualified for membership of the represented class of persons by virtue of having the same interest.
10. Having the same interest a representative action did not mean that the membership of the group had to remain constant and closed throughout. It could indeed fluctuate. It did not have to be possible to compile a complete list when the litigation began as to who was in the class or group represented. The problem in the case was not with changing membership. It was a prior question how to determine whether or not a person was a member of the represented class at all. Judgment in the action for a declaration would have to be obtained before it could be said of any person that they would qualify as someone entitled to damages against based adverts. A second difficulty was that the members of the represented class did not have the same interest in recovering damages for breach of competition law if a defence was available in answer to the claims of some of them, but not to the claims of others.
11. The essential point was that the requirement of identity of interest of the members of the represented class for the proper constitution of the action meant that it had to be representative at every stage, not just at the end point of judgment. If represented persons were to be bound by a judgment that judgment had to have been obtained in proceedings that were properly constituted as a representative action before the judgment was obtained. The rule to be treated as being not a rigid matter of principle but a flexible tool of convenience in the administration of justice could not mean that the same interest test could be abrogated.
12. The only applicable test was that it had to be possible to say of any particular person whether or not they qualified for membership of the represented class of persons by virtue of having the same interest as the claimant at all stages of the proceedings, and not just at the date of judgment. Every affected person would, in theory, know whether they satisfied the conditions that the claimant had specified. Also, the data in possession of the defendant would be able to identify who was, and who was not, in the class. Both exercises could be undertaken at any time. It was true that some persons’ memories could be at fault, and that there could, in theory, be abuse, but those factors were practical ones, not ones that affected the formal ability to identify the class. It had repeatedly been said that the number of claimants could not itself affect the ability to use the representative procedure.
13. The representative action was in practice the only way in which those claims could be pursued. The case, quite properly if the allegations were proved, sought to call the defendant to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit. It was not disproportionate to pursue such litigation in circumstances where, as was common ground, there would be no other remedy. The case could be costly and could use valuable court resources, but it would ensure that there was a civil compensatory remedy for what appeared, at first sight, to be clear, repeated and widespread breaches of the defendant’s data processing obligations and violations of the European Convention for the Protection of Human Rights and Fundamental Freedoms and the Charter of Fundamental Rights of the European Union.
14. A claimant could recover damages for loss of control of their data under section 13 of DPA, without proving pecuniary loss or distress, and the members of the class that the claimant sought to represent did have the same interest under the Civil Procedure Rules part 19.6(1) on more than one person having the same interest in a claim and beginning it and were identifiable.

Appeal allowed: the claimant could serve the proceedings on the defendant outside the jurisdiction of the court.