On 10 November 2021, the UK Supreme Court ruled in favour of Google in a landmark judgment against an attempt by a single claimant, Mr Richard Lloyd, to bring a representative action on behalf of a class of 4 million iPhone users relating to Google’s alleged contraventions of data protection law. Although the Supreme Court shut the door on Mr Lloyd’s claim, it lowered the bar for representative actions across the board, potentially breathing new life into the regime for all forms of future consumer claims. We can now expect to see consumers, backed by deep-pocketed funders and claimant firms, seek to identify, and pursue, such claims in the near future. As for data privacy claims specifically, although the Court may have raised practical challenges to bringing representative claims based on breaches of the Data Protection Act 1998 in the near term, we are likely to see claimants attempt to bring actions either on alternative grounds (e.g., based on the tort of misuse of private information or pursuant to the UK’s General Data Protection Regulation and Data Protection Act 2018) or using alternative methods (e.g., bifurcated actions or group litigation orders).

Mr Lloyd alleged that during several months between 2011-2012, Google secretly tracked the internet activity of 4 million UK iPhone users without their consent, and used their personal data for the purposes of targeted advertising. Mr Lloyd argued that, as a consequence, each individual iPhone user had suffered harm, and such harm was the same harm because they had all experienced “loss of control” of their personal data in contravention of the UK’s Data Protection Act 1998 (“DPA 1998”), the predecessor law to the EU’s General Data Protection Regulation 2016/679 (“GDPR” – or “UK GDPR”) and the UK’s Data Protection Act 2018 (“DPA 2018”). On that basis, they all had the “same interest” (a condition that has to be met in order to bring a representative action) in bringing a claim against Google. Mr Lloyd therefore sought to bring the claim as a representative action, which would have allowed him to lead the claim as the representative of all 4 million users, who would automatically be part of the class without needing to consent or ‘opt in’ (making it an ‘opt-out’ class). Mr Lloyd proposed that each claimant would be entitled to a uniform damages award for loss of control of their data - estimated at £750 per person - meaning a total potential liability for Google in the sum of £3 billion.

The case arose following an application by Mr Lloyd to serve Google in the U.S., for which he needed the Court’s permission. That application served as a litmus test of whether the claim had any real prospects of success. The High Court (first instance) judge had initially refused Mr Lloyd permission - finding that the claimant class (i) did not necessarily suffer damage by reason of loss of control of their personal data; and (ii) did not have the “same interest” for the purposes of the representative action regime. The Court of Appeal allowed Mr Lloyd’s claim to proceed as a representative action on behalf of the entire claimant class because it felt that it was arguable that they had all suffered damage, and had the “same interest”. Our commentary on the earlier Court of Appeal decision in the case, which the Supreme Court has reversed, can be found here.

The Supreme Court unanimously allowed Google’s appeal, refusing Mr Lloyd permission to serve Google outside of the jurisdiction, and thereby dismissing Mr Lloyd’s claim.

The refusal was based on the Supreme Court’s decision that it is not possible for individuals to claim compensation – as Mr Lloyd was attempting to do – for a contravention of the DPA 1998 without also proving that they have suffered material damage (i.e., financial loss) or distress. The basis of Mr Lloyd’s claim, that it was enough that the claimants had experienced “loss of control” of their data, was tantamount to saying that any non-trivial contravention of the DPA 1998 constitutes damage in and of itself, which is not the case.

The issue was not only that the particularised damage was stated as being loss of control of personal data without attempting to prove that the claimants had suffered financial loss or distress. The Supreme Court also rejected Mr Lloyd’s argument that the claimants could all claim a uniform damages award, ruling instead that any assessment of damages necessarily required consideration of Google’s alleged misuse on a case-by-case basis in respect of each individual claimant. The Supreme Court clarified that an individualised assessment of damages is not compatible with the representative action regime.

We take a closer look below at what this means for future class action claims and claims for breach of data protection laws in the UK.

Future Claims under the Representative Action Regime

The representative action regime (found within Rule 19.6 of the Civil Procedure Rules (“CPR”)) is a long-standing procedure in England and Wales. Prior to Lloyd v Google it was thought to be largely ineffective for bringing substantial consumer collective claims for damages. By this latest judgment, however, the Supreme Court may have breathed new life into the old regime, encouraging it to be used by consumers going forward as a flexible tool.

Under the representative action regime, a single “representative” claimant (such as Mr Lloyd) may bring an action on behalf of a class of other potential claimants (such as the other iPhone users) who all have the “same interest” in the claim without requiring potential claimants to opt-in, or consent, to the proceedings. It therefore operates, in practice, as an opt-out class action regime - although the Supreme Court noted (i) that no mechanism is provided by which a party can choose to opt-out, but considered that this could be done by applying for a direction, and (ii) that a representative action could be ordered on an opt-in basis, which is a radical departure from prior understanding of the regime. Until Lloyd, the “same interest” requirement had been interpreted very narrowly by the Courts, such that where class members suffered harm that was in any way dissimilar, they could not be part of the same class.

However, the Supreme Court clarified the circumstances in which a representative action may effectively be used, adopting a purposive and pragmatic interpretation of the phrase “same interest”, i.e., to mean “no conflict”. In other words, claimants who have suffered different damage may form part of the same class, as long as there is no conflict between them, such that: “the representative can be relied on to conduct the litigation in a way which will effectively promote and protect the interests of all the members of the represented class.” This significantly lowers the bar to establish a class and, according to the Court, meets the objective of the representative action regime by giving consumers a means of redress in low-value claims.

However, alongside this, the Supreme Court also found that representative actions cannot be used to pursue a collection of different damages claims, as there is no provision within the regime for the compensatory principle (which requires the court to assess individual loss) to be dispensed with.

In light of these statements, when might a representative action be brought successfully?

1. Representative claims may be brought for a truly common sum of damages

The first type of representative claims that we may see in the future centres on the class having suffered the same damage. Rather than requiring an individualised assessment of damage, claimants in these claims would be entitled to compensation on the basis that the damage is (truly) common to all of the members of the class.

The Court gave the examples of a class who were all wrongly charged a fixed fee or acquired the same product with the same defect or compliance failure, which reduced its value by the same amount (perhaps extending the regime to some product liability claims). The Court indicated that such claims could also be pursued where the loss suffered by the class as a whole can be calculated without reference to the losses suffered by individual class members, on a ‘top down’ approach, such as in an insurance syndicate context or a claim for breach of copyright concerning the sale of pirated sound recordings.

These types of cases will involve claims for actual financial loss, which is typically fixed; as opposed to damages for physical harm or distress, which are inherently fact-specific and require an individualised assessment of damage for each individual claimant.

In addition to the examples the Court gave, we will no doubt see claimants exploring the limits of this opportunity. It may be argued to extend, for example, to a class that suffered the same percentage loss but not a fixed sum (such as in a securities claim); or that paid for the same service which they never received (as in some consumer law claims); or where the loss can be calculated on a uniform basis (perhaps extending to some ESG claims). We expect this to be a key area for further litigation.

2. Representative claims may be used to establish liability

The second way in which we can expect to see a rise in the number of representative claims is as part of a bifurcated process. This would, as the name suggests, consist of two steps: (i) an opt-out representative action seeking a declaration on matters of law or fact (such as the existence of a breach of the law); followed by (ii) claims to calculate damage on an individual or opt-in basis. This would be an option for claims that require an individualised assessment of damages.

At stage one, a representative would bring an action on behalf of a class of people who all have the same interest in a claim, in order to establish a defendant’s liability to compensate the class. According to the Supreme Court in Lloyd, there was “no legitimate objection to a representative claim brought to establish whether Google was in breach of the DPA 1998 and, if so, seeking a declaration that any member of the represented class who had suffered damage by reason of [Google’s] breach is entitled to be paid compensation”.

Once armed with a declaration confirming their entitlement to compensation, individual claimants could opt-in to the second stage of the process and bring separate claims to calculate the amount of damages owed to them. In suitable cases, assuming the claims give rise to common or related issues, those claims could be joined under a Group Litigation Order (available under Rule 19.11 of the CPR) and proceed as a collective (opt-in) action.

It seems unlikely that claimant firms and funders will be interested in pursuing these types of bifurcated cases, given that the first stage of the process would not generate any financial return for funders or claimants and the size of the class would not be known until stage two. Moreover, the Supreme Court noted that questions of “considerable difficulty” arise as to whether there would be any legal basis for paying part of the damages to funders without the consent of each class member.

Representative claims in the data protection context: is there a future for data protection-based class actions in the UK?

Mr Lloyd’s representative action failed from a data protection law perspective primarily because the Supreme Court held that, under section 13 of the DPA 1998, the claimants were not entitled to compensation merely for “loss of control” of their personal data. Mr Lloyd brought a representative claim for loss of control to demonstrate that all claimants in the class had the “same interest” in the claim and thus were entitled to a uniform sum of damages from Google, as a result of its breaches of the DPA 1998. The Supreme Court rejected this interpretation and stated that an individualised assessment of damage suffered was necessary, meaning that the “same interest” test could not be met. This requirement obviously raised a practical barrier to liability, which will no doubt apply to other data protection-related claims.

While the Supreme Court rejected Mr Lloyd’s particular case, alternative avenues to class actions remain open, including in the data protection space. For example:

(1) Claims for compensation in cases where damage suffered is common to all of the members of the class. As noted above, the Supreme Court ruled out representative actions in cases where the claimants have suffered damage that requires individualised assessment. Many data protection cases – both under the old DPA 1998 and under current law (the UK GDPR and DPA 2018) – will typically fit this description. For example, the harm caused to data subjects by data controllers often will require looking at factors such as: how much personal data the controller processed about each data subject; for how long that data was processed and for what purposes; whether the data processed about the data subject was sensitive data (or not); whether the data controller had an appropriate legal basis for processing some, even if not all, of each data subject’s data; and what uses the data controller made of the data in each case. The facts will rarely be the same for each individual, even when their data is processed by the same data controller.

It cannot be ruled out, however, that circumstances may exist in future, where the damage suffered by each data subject is uniform or can be calculated on a basis that is common to each individual in a class. Take, as an example, a data controller that uses algorithms to make automated decisions about a certain category of data subjects, and they all suffer the same damage as a result, e.g., the same type of discrimination, denial of a service or denial of access to a benefit.

(2) Bifurcated actions, where issues common to each member of the class are decided in a representative action, which may be followed by individual claims for compensation. Even if representative actions seeking damages in the data protection space are not imminent, we may see bifurcated claims rising in popularity – for example, as a means to obtain a declaration from the court that a data controller breached the law, followed by individual claims for redress. This could arise in cases concerning losses caused by a data security incident, for example.

Although this bifurcated process is more time-consuming and costly (and may thus be less attractive to litigation funders), once claimants obtain a declaration proving a defendant’s liability, they may be able to use this to seek a settlement from the defendant.

(3) Group litigation orders. As explained above, claims that give rise to common or related issues may be joined under a Group Litigation Order and proceed as a collective action. This route comes with greater administrative burdens (including costs), since it requires claimants to proactively ‘opt in’ in order to join the group. It nonetheless remains a route open to a group of claimants in data protection cases. This mechanism was recently used to bring a claim in the case of Various Claimants v Wm Morrisons Supermarkets plc [2020] UKSC 12; [2020] AC 989.Our note on that case can be found here.

In terms of the substance of future data protection-related class actions, claimants in the United Kingdom would have at least two grounds on which they may bring a claim:

(1) Breach of the UK GDPR and the UK DPA 2018. The Supreme Court in Lloyd was clear that its judgment was limited to the facts, which were to be decided in light of the DPA 1998 (and the old Data Protection Directive 95/46/EU) and expressly said that it did not address the GDPR. That said, Mr Lloyd likely would have faced similar hurdles with respect to the “loss of control” argument under the UK GDPR and the DPA 2018.Article 82(1) of the UK GDPR, which sets out when a data subject may claim compensation, states that a person who suffers “material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” The text appears to suggest that a contravention of the law, alone, is not sufficient to claim compensation, without also proving that (i) there has been an infringement; and (ii) that the infringement has caused material or non-material damage to one or more individuals. Similarly, Recital 146 states that “The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation” (emphasis added).

That said, the law is not settled, and three points merit further consideration:

(a) The meaning of Article 82 GDPR is currently the subject of a question referred to the EU Court of Justice (“CJEU”).In Case C-300/21, UI v Österreichische Post AG the Austrian Oberster Gerichtshof is asking the CJEU to determine whether “the award of compensation under Article 82 of Regulation (EU) 2016/679 (1) (the GDPR) also require[s], in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?” Although any answer given by the CJEU will not bind English courts, it is likely to be influential.It will be interesting to see how the CJEU tackles this question, and whether it determines that any infringement of the GDPR’s provisions can lead to a claim for compensation, even when no harm is proven.

(b) A recent decision by the Irish Data Protection Commissioner (“IDPC”) has determined that “the right to exercise control over one’s personal data is a key tenet of the GDPR.” In a decision published on 20 August 2021, the IDPC imposed a fine of €225 million on WhatsApp for breaches of the GDPR, largely focused on its obligations to provide information to users of one of its services as well as “non-users”, whose data WhatsApp processed without their knowledge.The IDPC found that WhatsApp’s actions prevented individuals from exercising control over their personal data. The IDPC noted that the GDPR “seeks to ensure the effective protection of the fundamental right to protection of one’s personal data” by providing for, among other measures: “A robust range of rights for the data subject, designed to empower the data subject to exercise control over his/her personal data and to hold the data controller accountable for compliance with the core principles” (paragraph 171.b.). The IDPC found that WhatsApp’s processing activities resulted in non-users suffering “loss of control” over their personal data (paragraph 730), and categorised this as a form of non-material damage (paragraphs 719 and 753). Again, this regulatory decision is not binding on English courts, but it may have an impact in future data protection litigation that explores the meaning of “damage” under the UK GDPR.

(c) Article 80(2) of the GDPR gives Member States discretion to introduce a collective redress mechanism (although the UK Government has chosen not to exercise this discretion for the time being). The Supreme Court in Lloyd observed that Parliament has not yet legislated to establish a class action regime specific to the field of data protection, in the absence of which, the courts are left to fill the gap.In principle, however, Article 80(2) of the GDPR (and sections 187-188 of the DPA 2018) allows for Member States to give a mandate to a not-for-profit body, organisation or association, which meets certain conditions, to bring a claim on behalf of a data subject (or subjects). The UK Government has, for the time being, chosen not to introduce this scheme (in part because it was awaiting the outcome of the decision in Lloyd), but we may see a legislative response in future, perhaps adopting a regime equivalent to the opt-out or opt-in regimes available for competition claims.

(2) Misuse of private information. The Supreme Court considered in Lloyd the prospects of success of a claim in the tort of misuse of private information, which was not pursued by the claimants in this case. The Court confirmed that, unlike a claim for breach under the DPA 1998, it is possible to seek damages in a misuse of private information case for loss of control of data; in such cases, the damages award is designed “to compensate for the loss or diminution of a right to control formerly private information” (Gulati v MGN Ltd [2015] EWHC 1482 (Ch); [2015] EWCA Civ 1291). Moreover, unlike in claims for breach of the DPA 1998, the Supreme Court confirmed that claimants may be able to seek “user damages” as a form of relief for misuse of private information – that is, damages that compensate the claimant by identifying a hypothetical fee a claimant would have agreed for the defendant to use their private information (effectively, a licence fee). A claim for misuse of private information may appear to be an attractive basis to bring a representative action, but claimants will still face some obstacles – at least on the facts in Lloyd. These include that:

(a) To bring a successful claim for misuse of private information, it is necessary to demonstrate that each of the claimants has a reasonable expectation of privacy in the information that is subject to wrongful use by the defendant. Determining whether or not an individual has a reasonable expectation of privacy requires taking into account a number of factors, including (but not limited to): the attributes of the claimant; the nature and purpose of the intrusion; the absence of consent (or whether consent can be inferred); the effect on the claimant; and how the information came into the defendant’s hands (Murray v Express Newspapers plc [2008] EWCA Civ 446; [2009] Ch 481, para 36). Whether it is possible to demonstrate a reasonable expectation of privacy on a sufficiently uniform basis across a cohort of individuals such that it could meet the “same interest” test for a representative class action would be highly dependent on the facts.

(b) To claim user damages, a claim must exceed a certain triviality threshold.The Supreme Court confirmed in Lloyd that, to mount a successful claim for user damages, it is necessary to demonstrate what unlawful use was made of the claimant’s data. The Court noted in this respect that: “The starting point for the valuation exercise is thus to identify what the extent of such wrongful use actually was: only then can an estimate be made of what sum of money could reasonably have been charged for that use” (at paragraph 156). In a claim for misuse of private information, it would therefore only be possible to seek user damages as a remedy once it can be demonstrated that the defendant has committed the tort.The claimants must be able to prove, moreover, that this has caused them to suffer damage that is “more than trivial” and thus has a possible commercial value to be awarded in damages (at paragraph 153).

The Supreme Court firmly rejected Mr Lloyd’s claim, but clarified important points about representative actions in general and damages awards in data protection cases. Following the decision, claimants and funders will be reassessing potential claims and considering how best to structure claims in order to increase their chances of damages awards.