We are yet to see the floodgates open for English group actions based on infringements of data privacy law following the General Data Protection Regulation (GDPR) coming into force. Could the Supreme Court's decision in the case of Lloyd v Google LLC[1] change this?

Lloyd v Google LLC is scheduled for a two day hearing before the Supreme Court from 28 April 2021. The outcome of this appeal will likely have far reaching implications both for the availability of damages for the loss of control of personal data, and for the viability of 'opt-out' style group litigations. This article considers the potential impact the Supreme Court's decision may have on group litigations in England and Wales.

Lloyd v Google LLC: factual background

In 2017, consumer rights advocate Richard Lloyd issued a claim in which it was alleged that Google LLC (Google) had acted in breach of its duties as a data controller under the Data Protection Act 1998 (DPA 1998). The basis of Mr Lloyd's claim is the assertion that Google secretly tracked the internet activity of millions of Apple iPhone users for commercial purposes between 9 August 2011 and 15 February 2012. More specifically:

  • Google was able to place its DoubleClick Ad cookie on users' devices. As a result, Google was able to collect substantial amounts of information about users' internet browsing activities which allowed it to identify or deduce a wide range of factors including users' interests, gender, race, sexuality, social class, political and religious affiliations and financial circumstances.
  • It is alleged that Google was able to aggregate this information to create groups whose constituents each had a similar browsing history.
  • These groups were given labels such as 'football lovers', or 'current affairs enthusiasts', and groups could be selected by advertisers, using Google's DoubleClick service, to refine their targeting of potential customers.

Lloyd v Google LLC: current status

The claim was brought as a representative action under Rule 19.6 of the Civil Procedure Rules (CPR). Under this procedure, the action is brought on behalf of a defined class of individuals who share the same interest in the claim. The process is akin to opt-out class actions in the USA, but has rarely been used in the UK due to the courts' narrow interpretation of what constitutes a 'shared interest'.

The defined class identified by Mr Lloyd is made up of more than 4 million iPhone users resident in England and Wales, each of whom was allegedly affected by Google's use of the workaround. The claim seeks the same damages for each person for the infringement of data protection rights.

On 29 November 2017, Mr Lloyd applied to the High Court[2] for permission to serve the proceedings on Google in the USA, outside the jurisdiction of the court. Warby J dismissed the application, reasoning that (a) none of the class had suffered damage under section 13 of the DPA 1998, (b) the class members did not have the same interest, as required for a representative action under CPR 19.6(1), and (c) the judge exercised his discretion under CPR 19.6(2) that, in any case, the court would not have permitted the claim to continue as a representative action.

The Court of Appeal considered these three points,[3] concluding that:

  • Damages were, in principle, capable of being awarded for loss of control of data, even where there is no pecuniary loss or distress suffered by an individual.
  • Having established that damages are, in principle, claimable, the court determined that "it is impossible to imagine that Google could raise any defence to one represented claimant that did not apply to all others. The wrong is the same, and the loss claimed is the same. The represented parties do, therefore, in the relevant sense have the same interest".
  • Disagreeing with Warby J's justification for exercising his discretion under CPR 19.6(2), the court held that it was open to the court to "exercise its discretion afresh", so as to allow Mr Lloyd's action to proceed.

In conclusion, Mr Lloyd was granted permission to serve proceedings on Google outside the jurisdiction of the court. Google's appeal to the Supreme Court is due to be heard at the end of this month (on 28 April 2021).

What next?

If the Supreme Court backs this new form of damages and class action litigation, it could open up the door to substantial claims in a variety of areas:

  • Large scale cybersecurity incidents will often involve the compromise of data relating to hundreds, thousands and even millions of individuals
  • Improper use of cookies, meaning all visitors to a website may have a potential claim. Oracle and Salesforce are currently facing a group action in both the High Court and the Dutch Courts relating to the collection of data via cookies for real-time bidding/ advertising. The High Court proceedings have been stayed pending the outcome of the Lloyd v Google case this year
  • Where an organisation has improperly sent marketing communications in breach of the Privacy and Electronic Communications Regulations to a marketing list, all recipients may have a potential claim
  • Sharing personal data without an appropriate lawful basis. We have already seen a group action filed against Facebook, relating to claims that Facebook permitted a third party application to access users' personal information without either their knowledge or consent.

In all cases, it is important to remember that there are a number of hurdles that individuals must overcome before pursuing a group action. These include (1) the coordination of multiple claimants who will typically not know each other to pursue a claim collectively; (2) persuading a law firm to represent the group collectively, normally on some sort of conditional fee arrangement basis, meaning the lawyers won't typically be paid unless a successful outcome is achieved; and (3) the challenge of securing litigation funding. While collective rights are a real risk to organisations, it is not immediately straightforward that each and every issue will be likely to result in a group action.

Practical recommendations

The risk for businesses is that seemingly minor data privacy infractions could now be met with large group claims, with a significant aggregate value. There are a number of practical steps that organisations can take now to mitigate against the risk of potential data privacy claims culminating in a group action, including:

  1. Review your privacy compliance generally, including ensuring privacy policies are comprehensive and up to date.
  2. Review your use of cookies and consider if there are ways to improve the transparency of any opt-ins or cookie notices.
  3. Upskill customer complaints teams to identify potential data privacy complaints and escalate them to the appropriate teams in the business. This will give you the best possible opportunity of resolving individuals' concerns at the initial stages, before claimant law firms are engaged.
  4. Ensure you have a robust incident response policy and procedure in place to prepare for potential cyber security incidents. By having a clear plan in place for the 'worst-case-scenario', you'll be better placed to shut down incidents as soon as possible and minimise any impact on the individuals involved.