Much of the commentary about Lloyd v Google has identified that the UK Supreme Court’s decision early next year will be seminal in confirming whether Rule 19.6 of the Civil Procedure Rules 1998 (CPR 19.6) can be used as an opt-out class action vehicle for mass data privacy claims. But why does this matter? Emily Cox, a partner in our Media Disputes department, considers here the national and international context in which the Lloyd v Google match is being fought, and its implications.
In October 2019, the English and Welsh Court of Appeal overturned Mr Justice Warby’s High Court judgment and granted the repreasentative claimant, Richard Lloyd, permission to serve out of jurisdiction a CPR 19.6 representative claim against Google in relation to the so-called ‘Safari Workaround’. (The Safari Workaround allowed Google to bypass default privacy settings in iPhones and track browser-generated information to sell this for advertising purposes.) The Court of Appeal confirmed that the CPR 19.6 procedural vehicle could be used for this ‘class action’ on the basis that all four million members of the class had the “same interest” in the claim (as required by CPR 19.6(1)) by virtue of the “loss of control” of their data, taken at the level of the lowest common denominator data.
This ruling was ground-breaking for two main reasons. First, the “same interest” requirement in CPR 19.6 had been interpreted in a highly restrictive manner by the courts until that point. There had been an attempt to style CPR 19.6 into a general class action tool in the Air Cargo litigation in 2010, but this was rejected explicitly for lack of “same interest” and implicitly as an attempt to introduce class actions via the back door.
Secondly, there was heavy lobbying to introduce a statutory basis for opt-out representative actions for data privacy claims by derogable Article 80(2) of the General Data Protection Regulation (GDPR) in the run-up to that regulation being implemented. Late in the day, the Government pulled the article from the draft of the Data Protection Bill. Baroness Kidron attempted to lay a similar procedure in January of this year with the Data Protection (Independent Complaint) Bill covering the same ground. However, absent progress, there are obvious policy arguments that could be made about the courts providing a means of redress for data privacy claims on which the executive and legislature have not agreed.
At this point, it is worth adding the side note that the only area where the executive and legislature have so far agreed that opt-out collective redress should be permitted is for breaches of competition law. That procedure was introduced via the Consumer Rights Act 2015 as something of a pilot and without ruling out its extension to other areas of law in the future. However, no competition case has as yet passed the certification stage, though this may change post the Supreme Court judgment in Merricks v MasterCard.
So, why does this matter?
In a nutshell, because neighbouring nations and countries are taking steps to embed class actions in their procedural toolkits. So, if England and Wales wishes to remain an attractive legal centre (particularly post-Brexit), it needs not only to embrace class actions but to be at the forefront of developments.
The Civil Litigation (Expenses and Group Proceedings) (Scotland) Act 2018 comes into force on 31 July 2020. It has passed without much fanfare on this side of the border. And yet, it is highly significant because the Act introduces group proceedings across the board in Scotland, including for data privacy claims. On 8 July 2020, amendments to the Rules of the Court of Session confirmed that the procedure will be introduced on an opt-in basis only at the outset. An opt-out option is also embedded in the Act. Nonetheless, it is a significant development. It would be highly unattractive if the Scots could obtain redress for a data incident through a group procedure that was not available in England and Wales, despite the substantive legislation (the GDPR) being the same.
The EU parliament and council negotiators reached agreement on the ‘New Deal for Consumers’ harmonised representative actions model for mass consumer harms on 23 June 2020, and this agreement was endorsed by the Legal Affairs Committee on 7 July 2020. Much is left to the member states to determine, including as to which organisations will be able to bring claims (a restriction that aims to avoid the perceived excesses of the US model). Implementing directive will, nonetheless, be a significant step forwards for class actions in the EU for breaches of consumer law.
The Scottish and EU developments are not specifically directed at data privacy claims. But they show a general direction of travel towards functioning class action regimes; one not as yet fully replicated in England and Wales. Data privacy claims are an ideal place to start in this jurisdiction, given that data incidents are the paradigm example of harms affecting large numbers of individuals but with low potential damages (thus making individually-issued claims far from worthwhile). Group litigation orders (GLOs), a court management device for individually-issued claims, are not always an attractive option for mass data breach claims. This is something that the BA and EasyJet data breach GLO claimants may quickly find out.
What are the legal and policy arguments in favour?
Pragmatism about retaining the legal relevance of England and Wales aside, the endorsement of CPR 19.6 as a more widely used vehicle would not be extraordinary or inconsistent from a jurisprudential perspective. Indeed, the pre-CPR equivalent was in use in the nineteenth century. It was only a judgment in Markt & Co Ltd v Knight Steamship  AC 426 that drastically constrained the commonality requirement to a “same interest” test and so use of the vehicle.
So far as policy arguments are concerned, if there is no effective, collective means of redress available to victims of mass data incidents then because these claims are typically low value for each individual affected (absent specific financial loss or distress, which would be the remit of an individual claim), it is unlikely that victims will go to the effort of seeking compensation. The fact that a company may potentially face a penal, regulatory fine (which could be a significant sum of up to 4% of turnover in a GDPR world), does not fill this policy gap. And it means that practically speaking, Article 82 of the GDPR and implementing section 168 of the Data Protection Act 2018 cannot be satisfied. Article 82 gives any person who has suffered “material or non-material damage as a result of an infringement of this Regulation” the right to receive compensation and envisages court proceedings to exercise that right.
All of which goes to affirm the English and Welsh Court of Appeal’s decision in Lloyd v Google. The UK Supreme Court’s decision on the Lloyd case will be seminal, and it is hoped that the Supreme Court will adopt an approach that allows consistency across the UK. The implications of its decision are not limited to Richard Lloyd’s case or data privacy class actions in England and Wales. The judgment will impact on any foothold the English and Welsh jurisdiction may wish to have in the development of class actions within the UK and Europe.