We have previously written and spoken about the Lloyd v Google representative action, a case which progressed through the English courts before the Supreme Court unanimously decided that claims for 'damage' caused by the data controller cannot be decided on a group basis using a representative action. In this blog we look back at the Supreme Court's decision in Lloyd and what has happened since then in relation to group claims for large scale data breaches.

Lloyd v Google – a recap

Lloyd v Google was an action brought under the Data Protection Act 1998 (DPA 1998). The procedure used was a representative action on behalf of an estimated 4m iPhone users. Representative actions can be used where all claimants have the same interest in the claim and are seeking uniform damages.

To seek compensation under section 13 of the DPA 1998 each individual must prove what material damage (such as financial loss) or mental distress was caused to them personally by the breach of the data controller's statutory obligations. Similar provisions apply under UK GDPR and the Data Protection Act 2018.

The Supreme Court rejected the use of a representative action to claim damages as it said that there was no uniform loss among all the individuals covered by the representative action. The fact that the data controller undertook unlawful data processing did not in itself give each member of the group a right to the same damages simply because there had been a loss of control of their personal data. Damages for simple loss of control of personal data are not recoverable under the DPA 1998. The damages suffered would be fact specific to each individual.

The Court therefore said that while a representative action could be used to establish liability for a breach, the damages due to any individual would need to be considered on a case by case basis. This could be by way of either an individual action or a group action and, as a consequence, would be less attractive to litigation funders.

What has happened since Lloyd v Google?

Group proceedings north and south of the border in other areas of law have been picking up momentum (for example, Campbell v James Finlay (Kenya) Limited in the Scottish courts, relating to injury claims by employees in Kenya, and the Port Talbot Steelworks Group Litigation in the English courts, relating to dust and odour emissions). However, there hasn't been much movement on the data protection front, reflecting some of the challenges for claimants and litigation funders arising out of Lloyd v Google.

A representative action against TikTok in 2020 under the General Data Protection Regulation also failed to proceed, despite the claimant group arguably having a more common interest than that in Lloyd v Google. During a hearing at the Queen's Bench Division in March 2022, the case was stymied due to procedural failures by the claimant's solicitors to serve the claim form on time upon all of the relevant defenders.

Had the case proceeded to a substantive hearing, the action (on behalf of all child users of TikTok and Musical.ly who are under the age of 16) would have required the court to decide whether Article 82 GDPR permitted a claim for damages for "loss of control of personal data" since it referred to 'material or non-material damage' (in contrast to section 13 DPA 1998 which required 'material' damage). Another part of the claim also sought to distinguish the case from Lloyd on the point around individual assessments of damage. Funded by the claimant's solicitor, this case may yet come back to life.

While the group litigation order pursuing damages relating to the BA hacking breach was settled in summer 2021, we await progress in a claim relating to the Marriott hotels data breach. This claim consists of a representative action filed in pursuit of damages on behalf of the individuals whose data was compromised in hacking incidents between 2014 and 2018. With the claim representing all individuals in England and Wales on an opt-out basis, the implications for Marriott financially are expected to be substantial.

Elsewhere, the group pursuing damages as a result of the cyberattack on easyJet could expose easyJet to a claim of up to £18 billion, or £2000 per customer affected.

We eagerly await a court decision under GDPR to understand fully what the approach will be with regard to 'damage', and therefore the possibilities for class actions going forward, under the new legislation.