Supreme Court rejects £3bn data protection claim against Google in landmark decision for data privacy litigants and representative actions

On 10 November 2021, the Supreme Court handed down the long-anticipated judgment in Lloyd (Respondent) -v- Google LLC (Appellant) [2021] UKSC 50.

Tate Chakrabarti (Global Senior Privacy Counsel of Reckitt Benckiser Group plc), Alex Smith (Legal Director of Hill Dickinson) and Laura Scott (Senior Associate of Hill Dickinson) consider the implications of this far-reaching decision for cyber and privacy litigation as well as exploring the impact on representative actions.

Background

The dispute dates back to 2017, when former executive director of consumer watchdog ‘Which?’, Mr Richard Lloyd, backed by a litigation funder, issued a claim against Google LLC alleging breach of its duties as a data controller under section 4(4) of the Data Protection Act 1998 (the DPA).

The DPA has subsequently been replaced with the UK General Data Protection Regulation and the Data Protection Act 2018 but was in force at the time of the matters complained of. The following two provisions of the DPA were of particular relevance to the dispute:

  1. Section 4(4), which confirmed that it would be the duty of a data controller to comply with the data protection principles in relation to all personal data of which it was the data controller; and
  2. Section 13, which stated that an individual suffering damage or distress by reason of any contravention by a data controller of the requirements of the DPA would be entitled to compensation for that damage or distress.

Mr Lloyd alleged that, in late 2011 and early 2012, Google had been secretly tracking the online activity of millions of Apple iPhone users and used the data collected through this method for commercial purposes without the users’ knowledge or consent. The technical background to the issues relates to allegations that data collected was used for the purposes of enabling advertisers to target advertisements at individual users based on their internet browsing history.

Mr Lloyd sought to bring the claim through the unusual method of acting as representative for all of the individuals affected by the issue, pursuant to Rule 19.6 of the Civil Procedure Rules (the CPR), arguing for a decision to be made by the court in principle as a matter of law without assessing the circumstances of each of those individuals. Rule 19.6 of the CPR provides that, in circumstances where more than one person has the ‘same interest’ in a claim, a claim may be brought ‘by or against one or more of the persons who have the same interest as representatives of any other persons who have that interest’.

A compensatory figure of £750 was advanced in respect of each individual, which would result in a total damages order of £3 billion if successful.

Judgments of the lower courts

As Google is a Delaware corporation, Mr Lloyd required the permission of the court to serve the claim form on Google outside of the jurisdiction.

The matter was first considered by the High Court in 2017, when the court found in favour of Google. The High Court held that the suggestion that compensation should be awarded simply in view of mere infringement of the rights of a class of claimants was insufficient: it was unfair for claimants to be able to pursue litigation on behalf of others who have not authorised the claim or indicated any concern about the matters in dispute.

However, this decision was overturned by the Court of Appeal in 2019. Following this decision, Google was granted permission to appeal to the Supreme Court, and the hearing took place in April 2021.

The Supreme Court was asked to consider the application for permission to serve the claim on Google outside of the jurisdiction. Google opposed the application on the grounds that:

  1. the class members had not suffered ‘damage’ within the meaning of section 13 of the DPA; and/or
  2. Mr Lloyd was not entitled to bring a representative claim in this manner in any event, given that the class members in question did not have the same interest in the claim as Mr Lloyd and were not identifiable.

Judgment of the Supreme Court

The Supreme Court allowed the appeal and found in Google’s favour.

Lord Legatt handed down the unanimous judgment of the Supreme Court on 10 November 2021 (which can be found here).

The key findings of the Supreme Court are as follows:

Contravention of the DPA

In considering the extent to which compensation could be claimed under section 13 of the DPA, Lord Legatt concluded that a proper interpretation of section 13 of the DPA and the term ‘damage’ would refer to material damage (for example, financial loss) or mental distress that is distinct from, and caused by, unlawful processing of personal data in contravention of the DPA.

It would also be necessary, in establishing an entitlement to compensation under section 13, to provide evidence of what unlawful processing of personal data relating to a given individual had occurred.

Lord Legatt commented that:

‘section 13 of the DPA 1998 cannot reasonably be interpreted as conferring on a data subject a right to compensation for any (non-trivial) contravention by a data controller of any of the requirements of the Act without the need to prove that the contravention has caused material damage or distress to the individual concerned’.

On this basis, it was held that the claim advanced by Mr Lloyd could not succeed – and, in fact, was ‘doomed to fail’. In order to be awarded compensation under Section 13, Mr Lloyd would be required to demonstrate both that Google made some unlawful use of personal data relating to each individual and that the individual suffered some damage as a result.

Representative claims under CPR 19.6 and ‘same interest’ requirement

The judgment also explored the scope of the ‘same interest’ requirement for representative claims under CPR 19.6. Lord Legatt commented that this requirement ought to be interpreted in light of the overriding objective of the CPR of dealing with cases justly.

Although it is possible for a representative action to include a claim for damages where the represented class members had all suffered the same loss (for example, if all class members had been overcharged the same sum), the general position is that cases will require an individualised assessment of what has happened to each individual class member. Lord Legatt commented that a representative action is not a suitable vehicle for this on the basis that individual class members would not be participating in the action.

Lord Legatt therefore confirmed that there were two ways in which issues of this nature could be decided by a court. Either damages could be claimed in a representative action if they can be calculated on a basis that is common to all persons represented or, if this is not the case, it would be possible for issues of liability to be decided in a representative action, with the individuals in question then bringing separate claims for compensation thereafter.

In this case, this meant that Mr Lloyd would have been entitled to bring a representative claim to establish whether a breach of the DPA had taken place, before then pursuing individual claims for compensation. However, Mr Lloyd had ultimately not pursued this procedure.

Wide ranging impact of the Supreme Court’s judgment

The judgment has been held as a resounding victory for business across the UK in the wake of recent concerns as to the potential emergence of a ‘compensation culture’ surrounding low value and/or minor infringements of data protection law. On the flip side of the coin, it has disappointed privacy activists and consumer rights groups.

The judgment elucidates circumstances in which damages for data protection breaches under the DPA can be obtained and also clarifies situations in which ‘opt-out’ class action legal proceedings may be brought under the CPR. The clear requirement for specific proof of the ‘damage’ said to have been suffered by individual claimants in instances of data protection breaches makes it clear that the courts will be adopting a strict approach in determining damages in data protection claims. However, the court gave guidance on aspects in connection with necessary common interest and class definition. This may be of assistance in future cases.

The judgment is also of note to all those interested in the wider class action landscape. Although the court hinted at a degree of flexibility by making it clear that the representative claim procedure under CPR 19.6 could still be used in future, the bar for potential claimants through this procedure is now set higher given that individual damage must now be proved. The judgment further gives rise to questions as to whether litigation funders will consider the pursuance of any future claims under CPR 19.6 to be attractive.

What companies should consider moving forward

Implications for class actions

It is important to note that the judgment does not prevent group actions entirely moving forward, but rather adds some interesting clarity on the restrictive approach that will be adopted by the courts. The position in damages will be key to this analysis.

The court did not state that Google (or by extension other data controllers) could not be liable for damage caused to groups of consumers, but the combination of the terms of the DPA and the CPR in this instance did not align with the circumstances of the case. Whereas the damage was presented by Mr Lloyd as being uniform, this was not the case in circumstances where the workaround itself was not uniform: the breach sustained by each user (or category of user) would differ.

Alternate future methods to a representative claim may potentially include bringing a class action. Claimants bringing class actions have tended to rely on group litigation orders to pursue their claims. As they are ‘opt-in’ (ie where individuals have to take active steps to join the claimant group) they can be a less favourable option for claimants as the economics and administrative burden are far less advantageous. This was the method by which a group action (subject to a group litigation order) was brought against British Airways pursuant to the cyber-attack suffered by the airline in 2018.

In the context of ‘opt-out’ class actions (such as in this case), as there are fewer hurdles for claimants to overcome and the group of people represented may be far wider, this makes them a greater financial risk for businesses both in terms of the potential frequency with which such class actions may be commenced and their scale. However, this judgment highlights the potentially very significant difficulties that claimants face in bringing such an action.

Representative claims remain an option for litigants, but in view of this judgment, it is difficult to see how damages claims of this nature can easily avoid the individualised assessment discussed in this case. Even if the two-stage representative procedure suggested by Lord Legatt is followed (ie.dealing first with liability and then bringing individual claims for compensation), in many instances it is unlikely to be financially viable for individual claimants to pursue the second limb of this procedure either due to personal financial circumstances or the possible deep pockets of their opponents. Litigation funders are unlikely to be attracted by the prospect of this procedure given that stage one itself will not generate revenue.

Some litigants will no doubt overcome the hurdles presented. The judgment provides the example of a product liability claim, where an argument could be raised that all class members received the same product, with the same defect which diminished its value. This is a helpful example of the types of circumstances in which the principles outlined in this case could be distinguished.

Future class actions will therefore likely seek to focus on an alternative framing of the damages position. Litigants may seek to find creative damages alternatives to render ‘opt out’ claims more financially effective, such as seeking to bring claims for certain sub-classes of claimants. We would expect to see the emergence of a further body of case law over the coming years determining some of the potential means of falling within the scope of a successful representative action. However, whether litigation funders will be prepared to fund these claims may be another matter entirely.

The cyber-insurance market

Further to the court’s judgment, if the proverbial floodgates had been opened to opt-out data class actions, the impact to the cyber-insurance market would likely have been for insurers to increase the value of premiums and vary the terms of future coverage (potential examples of which could be the exclusion of class actions, limiting cover to transfers of personal data between certain jurisdictions further to the fallout associated with the Schrems II judgment of the European Court of Justice in July 2020 or simply declining to provide cover) in an already challenging market. The reasonable hope is that the cyber insurance market will enter a period of stability at least until the next such claim arises. The importance of this cannot be overestimated for data controllers who in the modern world genuinely rely on their cyber-insurance policies to transfer personal data globally and manage a never-ending onslaught of cybersecurity risks. Without such policies, many would not be able to cover the financial costs associated with failing to comply with modern data privacy laws.

Future actions brought under modern data protection laws

Lord Leggatt specifically contained the judgment’s reach, stating that it referred only to the DPA 1998. The judgment did not provide confirmation as to whether any precedents from this case will be carried across to cases brought under the Data Protection Act 2018 (the DPA 2018). The court’s decision focused on the DPA, which has been replaced by the General Data Protection Regulation (the GDPR) and Data Protection Act 2018. This is likely to be a consideration in any future group consumer data protection actions which are likely to increase in frequency. Also to be considered is that GDPR 82 and Section 168 of the DPA 2018 allow for an individual to seek compensation for material or non-material damage (including financial loss and distress) from organisations breaching the data protection laws.

It is worth noting that case law for assessing damages in data protection claims for distress are currently few and far between. A degree of uncertainty at this moment in time does remain for claimants and any third parties funding or insuring them.

There is much more to come in this arena. On the horizon are the legal proceedings launched by former Children's Commissioner for England (Anne Longfield) on behalf of 3.5 million children under 13 against TikTok. She has alleged that since May 2018 - when the GDPR came into force - the social media platform illegally collected children's personal information (including phone numbers, videos, location data and biometric data), without warning, transparency, the necessary consents required by law and without children or parents being informed of how such personal data is processed. No doubt data controllers will await the outcome of this litigation with interest.