The Supreme Court has unanimously rejected Mr Lloyd and his team’s attempt to bring a class action claim against Google LLC under section 13 of the Data Protection Act 1998 (DPA 1998) for damages allegedly suffered by Apple iPhone users by misuse of their personal data in breach of the requirements of DPA 1998. Adam Rose, partner at Mischon de Reya, Hamish Corner, partner at Shoosmiths, Danielle Carr, partner at Rosenblatt, Lauren Godfrey, barrister at Gatehouse Chambers, and Imran Benson, barrister and mediator at Hailsham Chambers, comment on the significance of this judgment in relation to issues of representative actions and the data protection aspects of the case.

Lloyd (Respondent) v Google LLC (Appellant) [2021] UKSC 50

Background

The question raised by this appeal is whether the claimant, Mr Richard Lloyd (backed by a commercial litigation funder), can bring a claim against Google in a representative capacity seeking compensation under DPA 1998, s 13 for damage allegedly suffered by a class of Apple iPhone users as a result of unlawful processing by Google of their personal data in breach of the requirements of the DPA 1998. The claim is based on the factual allegation that, for several months in late 2011 and early 2012, Google secretly tracked the internet activity of some four million Apple iPhone users in England and Wales, and used the data collected without the users’ knowledge or consent for commercial purposes (by enabling advertisers to target advertisements at users based on their browsing history). The DPA 1998 has since been replaced by the United Kingdom General Data Protection Regulation, Retained Regulation (EU) 2016/679 (UK GDPR), supplemented by the Data Protection Act 2018, but it was in force at the time of the alleged breaches and applies to this claim.

Except in the field of competition law, Parliament has not enacted legislation providing for class actions, in which a single person can claim redress on behalf of a class of people similarly affected by alleged wrongdoing. Mr Lloyd seeks to rely, however, on a procedure of very long standing in England and Wales, and now embodied in CPR 19.6, which allows a claim to be brought by (or against) one or more persons as representatives of others who have the ‘same interest’ in the claim. Mr Lloyd argues that the ‘same interest’ requirement is satisfied in the present case and that this representative procedure can be used to recover a uniform sum of damages for each person whose data protection rights have been infringed, without having to investigate their individual circumstances. A sum of £750 per person has been suggested which, multiplied by the number of people whom Mr Lloyd claims to represent, would produce an award of damages of the order of £3bn.

Because Google is a Delaware corporation, the claimant needs the court’s permission to serve the claim form on Google outside the jurisdiction. Google has opposed the application on the grounds that:

  • damages cannot be awarded under the DPA 1998 without proof that a breach of the requirements of the DPA 1998 caused an individual to suffer financial damage or distress, and
  • the claim in any event is not suitable to proceed as a representative action

In the High Court, Warby J decided both issues in Google’s favour and therefore refused permission to serve the proceedings on Google. The Court of Appeal reversed that decision. Google now appeals to the Supreme Court.

Judgment

The Supreme Court unanimously allowed the appeal and restored the order made by the judge. Lord Leggatt gives the judgment, with which the other Justices agree.

Lord Leggatt first analyses the history and scope of the representative procedure and endorses the view, found in the old case law, that it is a ‘flexible tool of convenience in the administration of justice’. This broad and adaptable approach has been adopted by the highest courts of Australia, Canada and New Zealand. It is even more appropriate now in modern conditions including the development of digital technologies which have greatly increased the potential for mass harm for which legal redress may be sought [33]–[68].

Lord Leggatt considers that the ‘same interest’ requirement must be interpreted purposively and pragmatically in light of its rationale and the overriding objective of the CPR of dealing with cases justly [69]–[75]. It is not a bar to a representative claim that each represented person has in law a separate cause of action nor that the relief claimed consists of or includes damages. Damages may be claimed in a representative action if they can be calculated on a basis common to all persons represented. Alternatively, issues of liability may be decided in a representative action which can then form the basis for individual claims for compensation [80]–[83].

In this case a representative claim could have been brought to establish whether Google was in breach of the DPA 1998 as a basis for pursuing individual claims for compensation. However, the claimant has not proposed such a two-stage procedure, doubtless because the proceedings would not be economic if it is necessary to prove loss on an individual basis. Instead, the claimant argues that a uniform sum of damages can be awarded to each member of the represented class without the need to prove any facts particular to that individual [84]–[89]. In particular, he argues, supported by the Information Commissioner, that compensation can be awarded under the DPA 1998 for ‘loss of control’ of personal data constituted by any non–trivial contravention by a data controller of any of the requirements of the DPA 1998.

Lord Leggatt rejects these arguments and concludes that the claim advanced cannot succeed for two reasons:

  • first, the claim is founded solely on DPA 1998, s 13, which provides that ‘an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage’. On the proper interpretation of this section the term ‘damage’ refers to material damage (such as financial loss) or mental distress distinct from, and caused by, unlawful processing of personal data in contravention of the Act, and not to such unlawful processing itself [90]–[143]
  • second, it is on any view necessary, in order to recover compensation under DPA 1998, s 13, to prove what unlawful processing by Google of personal data relating to a given individual occurred. The attempt to recover damages without proving either what, if any, unlawful processing of personal data occurred in the case of any individual or that the individual suffered material damage or mental distress as a result of such unlawful processing is therefore unsustainable [144]–[157]. In these circumstances the claim cannot succeed and permission to serve the proceedings on Google outside the jurisdiction was rightly refused by the judge [158]–[159]

Comment

Adam Rose, partner at Mischon de Reya LLP

Commenting on the judgment Rose notes that ‘[a]lthough the defendant prevailed, it would be entirely precipitous to read the ruling as sounding the death knell for compensation claims for data protection breaches.

This is of course a landmark judgment for data protection claims, but also more generally for consumer actions brought on an “opt-out” basis. The claimant, Mr Lloyd, represented a group of more than 4 million iPhone users, and alleged, on their behalf, that Google’s historic deployment of cookies on the Safari browser had been not just unlawful, but that it meant that Google should pay compensation to everyone who had received cookies on that basis.

Although the Supreme Court found in favour of Google, this was a case primarily about the legal mechanisms to bring such claims under the now-repealed DPA 1998, and not about the overarching rights and principles of data protection law. This means that there will undoubtedly still be good arguments, particularly under the new UK GDPR framework, that will permit certain group actions to proceed, and cases where an infringement of data protection law is such that compensation will be appropriate.

The judgment also passes the baton both to Parliament and to the Information Commissioner. For Parliament, it may be the case that legislation is required to enable opt-out claims under data protection law to be made more easily. For the Information Commissioner, there is now a pressing need for more robust enforcement action for wilful and mass-scale infringements of the law and to ensure that data subjects are afforded the effective judicial remedy, which is the promise of UK GDPR and the present data protection framework.’

Hamish Corner, partner at Shoosmiths

Corner considers the judgment handed down in Lloyd v Google: ‘The Supreme Court’s landmark judgment today will be a huge relief for many businesses. The court unanimously held that claimants cannot claim for the mere fact of breach of their rights under data protection legislation without proving financial harm or distress, nor can they bring US-style “opt out” class actions (potentially on behalf of millions) for fixed amounts of compensation…

Although the court held that a class action could be brought in theory, the problem was that the class action process and the Data Protection Act 1998 (on which the claim was brought) require an individual assessment of the evidence of the damage suffered by each data subject. As different users suffered different levels of damage (depending on the nature and extent of their use of the Safari browser), the class action procedure could not be used. Likewise, unlike claims for misuse of private information, there was no viable claim under the Data Protection Act 1998 (and by analogy its successors) for the mere contravention of the laws or ‘loss of control’ of data in itself.

Whilst a great relief for businesses, the story is not yet over. The court had no objection to claimants bringing claims in a two-stage process: first, seeking a declaration of liability and that compensation should be awarded in principle, and, second, a hearing to make an individual assessment of damage and compensation. There has been initial speculation that the requirement for claims to be brought in two stages will make them less attractive to ligation funders – however this remains to be seen, and claims of this sort have been successfully pursued in other jurisdictions.

The attention of claimant lawyers may also now switch back to the viability of claims in the tort of ‘misuse of private information’. Whilst the threshold for such claims is higher in some respects (requiring proof, on an individual basis, of a reasonable expectation of privacy and a positive act of misuse by the defendant), compensation is available in these types of cases without damage (and the Supreme Court’s judgment suggests that, in cases of this sort, user damages would be recoverable).’

Danielle Carr, partner at Rosenblatt

Carr considers that: ‘In its much anticipated decision, the Supreme Court has upheld Google’s appeal, finding a £3 billion data protection claim against it has no realistic prospect of success. The Court rejected the claimant’s attempt (framing the claim as a representative action under CPR 19.6) to seek damages under section 13 of the Data Protection Act 1998 without demonstrating what wrongful use of personal data occurred in respect of, or material damage or distress was suffered by, the concerned individuals. Rather, the Court confirmed that compensation under s.13 may be awarded only where the breach has caused material damage or distress to the individual. While closing the door on this significant representative action, the Court’s analysis of the representative procedure (and indeed broader endorsement of it as a ‘flexible tool of convenience in the administration of justice’) will be considered with much interest by practitioners and funders with an eye on the broader mass redress landscape.’

Lauren Godfrey, barrister at Gatehouse Chambers

Godfrey notes that ‘[t]hose concerned about the growth of so-called Big Data and the effect on informational rights will be disappointed that the Supreme Court has confirmed that a damages claim pursuant to section 13 of the Data Protection Act 1998 is not actionable without proof of loss or distress. Significantly, the Supreme Court was not convinced that EU law or the European Convention on Human Rights were apt to support an interpretation of section 13 that allowed a claim without specific proof of individual loss or distress. Restoring the robust decision of Mr Justice Warby, on this point, the Supreme Court found that the claims were misconceived as the limited damage or harm done to the claimants, meant that they could not overcome the threshold requirement of seriousness. The claims were struck out.

Notwithstanding, in a detailed review of history of representative claims, the Supreme Court confirmed that the Court’s discretion to allow ‘same interest’ representative claims is extremely broad and the jurisdiction is a flexible one to allow a just determination of the issues in dispute. The jurisdiction has always been understood to extend to declaratory relief; damages have been more controversial.

The Supreme Court confirmed that the jurisdiction also extends to claims for damages but where the assessment of damages was not uniform among claimants or there was not some other mechanism to assess damages among the class then while liability could be established on a class basis, the damages must be determined on a case-by-case basis, against individual evidence. The scope for class based representative actions has undoubtedly increased in general but the scope for such claims in respect of misuse of information by Big Data has significantly narrowed.’

Imran Benson, barrister and mediator at Hailsham Chambers

Benson considers that: ‘[t]he decision is obviously very disappointing for Mr Lloyd and his team. But on analysis the Court is clearly encouraging of representative actions. The Court recognised that to make legal rights enforceable civil procedure needs to support mass claims in a single proceeding. The “same interest” test in a representative action is there to make sure the representative can be relied on to promote and protect the interests of all of the class rather than to get in the way. This is all pragmatic and positive stuff for Claimants. The difficulty Mr Lloyd faced was that the Court took the view that under the DPA 1998 the claim for damages could not be sustained without proving individual injury which was not possible within the confines of an all-in-one action. But this is a finding limited to the DPA 1998, and is not necessarily an issue under the GDPR or other claims. The Court explained how differently pleaded or structured the larger group claim might have survived. Overall it might be said that Google has won this battle but the war is turning in favour of claimant groups.’

The background and judgment sections of this content are based on the case summary published by the UK Supreme Court and is published with permission. The original summary can be found here.

This analysis was first published on Lexis®PSL on 10 November 2021 and can be found here