The much-awaited Supreme Court hearing in the case of Lloyd v Google LLC took place at the end of April 2021.

This was an appeal by Google against the Court of Appeal judgment of 2 October 2019, which granted Mr Lloyd permission to serve a representative claim on Google, out of the jurisdiction, in the United States.

Background

Mr Lloyd brought a representative action against Google, on behalf of around 4.4 million iPhone users alleging that Google acted in breach of its duties as a data controller under section 4 of the Data Protection Act 1998 (DPA), by using a ‘workaround’ on Apple’s Safari browser, which permitted Google to bypass Safari’s blocking of third party cookies and collect and use the browser generated information.

Issues

Following the two-day hearing, the Supreme Court will now decide whether the Court of Appeal was correct in permitting Mr Lloyd to serve his representative claim against Google out of the jurisdiction. It will consider:

  • Whether, under the DPA, damages are recoverable for ‘loss of control’ of data, without needing to identify any specific financial loss;
  • Whether Mr Lloyd can bring the representative action against Google on the basis that the group have the ‘same interest’ in the claim and are identifiable. The claim was brought as a representative action under Rule 19.6 of the Civil Procedure Rules, meaning that the action is brought on behalf of a defined class of individuals who share the same interest in the claim. Such representative actions are rare in the UK, due to the Courts’ narrow interpretation of what will constitute a ‘same interest’; and
  • Whether the Court should exercise its discretion to direct that the respondent should not act as a representative.

The Hearing

At the Supreme Court hearing, Antony White QC for Google suggested that the decision to effectively open the flood gates to opt-out class actions in the UK was not a decision for the courts, but something that should be left to parliament. Mr White acknowledged that Article 80(1) of the GDPR allows for collective proceedings for compensation by not-for-profits, but noted that to date both the EU and UK parliaments have held back on introducing a collection action opt-out procedure in data protection. Additionally, the claim by Mr Lloyd involved litigation funders rather than the not-for-profits contemplated in the context of the GDPR. Mr White also suggested that there was a real problem with being able to identify class members and that the Court of Appeal judges failed to use their discretion in considering the relevant factor of impracticality of the class.

Hugh Tomlinson QC for Mr Lloyd argued that the Court of Appeal decision demonstrates a requirement for a solution to an access to justice problem and that this is the only way in which a remedy is available for Mr Lloyd and those he represents. The Supreme Court judges raised questions regarding the potential issue of those who were automatically joined to the class being effectively estopped from seeking their own claim and being bound by a judgment where damages are claimed. Mr Tomlinson noted that individuals can apply to be removed from the class and that any potential issues are outweighed by the benefit of millions of people getting a reward.

On the second day of the hearing, the Judges were keen to explore the issue of proof of loss and whether the claim should be actionable without any proof of harm. Mr Tomlinson pointed to the difference between a claim in negligence (which this is not) and the failure of the data controller (in this case Google) to obey a set of complex rules, including the DPA and the GDPR.

Submissions were also made by Gerry Facenna QC for the UK Information Commissioner, who said that the right to control one's own personal data is an intrinsic right and that, like other fundamental rights, it is important for society to preserve data protection. Mr Facenna noted that points had been made that no actual harm was suffered, however, in his submission the loss of control presents intrinsic harm and harm has been suffered where data controllers breach their obligations to keep data safe. Although he also noted that the loss of control needs to be of a certain seriousness, which the Court could reflect in a quantum assessment. Mr Facenna stated that the Information Commissioner’s Office was not intervening to “cheer on the claimant” but that it has a statutory duty to monitor and promote the importance of data protection rights.

Comment

The decision is likely to have wide ranging implications. If the Supreme Court agrees with the Court of Appeal and permits Mr Lloyd to serve the representative action on Google, on behalf of the over four million iPhone users, this could open the doors to “opt-out” representative actions (as often seen in the US).

However, if the Supreme Court were to allow for ‘opt-out’ representative actions in the case of Mr Lloyd, it would seem to run contrary to the conclusions of the UK Government who in February 2021 concluded as part of a statutory review and consultation that an opt-out procedure in data protection cases was not necessary:

There is insufficient evidence of systemic failings in the current regime to warrant new opt-out proceedings in the courts for infringements of data protection legislation, or to conclude that any consequent benefits for data subjects would outweigh the potential impacts on businesses and other organisations, the ICO and the judicial system.

A representative action on behalf of the over four million iPhone users would also allow for claims to be made for loss of control of personal data, without the data subject arguably identifying any specific financial loss suffered. This could lead to substantial group claims, including in relation to large cybersecurity breaches and claims regarding the improper use of cookies.

In the absence of a wealth of case law on the appropriate quantum for data subject claimants, this could also open the door to a tariff eventually being set for damages as a result of distress, in the absence of any financial loss. At a time when the litigation landscape in the field of data protection is evolving at rapid pace, this decision is likely to have significant ramifications.