The Supreme Court's judgment in Lloyd v Google in November 2021 (see our briefing) significantly curbed "opt-out" representative actions brought under CPR 19.6, but it left a number of unanswered questions - a trail of crumbs for claimant law firms to pick over. One such question was whether a different conclusion would be reached under the Data Protection Act 2018 (and UK GDPR) as the claim for loss of control of data in Lloyd was made under the Data Protection Act 1998. The High Court has recently considered this argument in its decision of SMO (a child) v TikTok Inc  EWHC 489.
The Claimant applied, amongst other things, for permission to serve the claim form on TikTok entities out of the jurisdiction. One of the factors that the Court had to consider in that context was whether the Claimant could demonstrate that there was a serious issue to be tried or whether, in light of the Supreme Court's decision in Lloyd, the representative claim was no better than fanciful.
Mr Justice Nicklin held that there was a serious issue to be tried but did so with caution, relying on the fact that he had only heard submissions from the Claimant on the issue and that, to reach an alternative conclusion, he would effectively have had to make the defendants' case for them.
This briefing looks at the Claimant's applications and how she seeks to distinguish Lloyd. A teaser, perhaps: for more definitive answers, we shall look to the summary judgment this summer.
1. The Claim
The claim was brought by Anne Longfield, the former Children's Commissioner for England on behalf of all children in the UK and EEA that used the TikTok app after May 2018.
The claim alleged that the six defendant TikTok entities had violated the GDPR and the Data Protection Act 2018 for processing the personal data of children and for invading their privacy and misusing the children's private information. In particular, the Claimant argued that TikTok had failed to be transparent as to the extent of the children's data it processed and the purposes for which the children's private information was collected.
The Claimant made the following applications:
(1) as in Lloyd v Google, permission to serve the claim form on various TikTok entities outside of the jurisdiction;
(2) an extension of time for doing so, pointing to the impending expiry of the claim form; and
(3) permission to serve the claim form by alternative means on the out of jurisdiction defendants by service on Hogan Lovells.
We consider the three applications in more detail below.
(1) Permission to serve out
On an application for permission to serve a foreign defendant out of the jurisdiction, the claimant must satisfy three requirements:1
i) First, the claimant must demonstrate that there is a serious issue to be tried on the merits – this is the same test as for summary judgment, i.e., whether there is a real (as opposed to fanciful) prospect of success.
ii) Second, the claimant must demonstrate that there is a good arguable case that the claim falls within one of the categories identified in CPR PD 6B §3.1, the so-called "gateways".
iii) Finally, the claimant must satisfy the Court that, in all the circumstances, England & Wales is clearly or distinctly the appropriate forum for the trial of the dispute and that the Court ought to exercise its discretion to permit service of the proceedings out of the jurisdiction.
In this case, the "real issue" was whether the impact of Lloyd v Google meant that the Claimant could not demonstrate a serious issue to be tried in respect of a representative claim.
Lloyd v Google – a brief recap
Mr Lloyd, a consumer rights activist, sought to bring his claim against Google on behalf of 4 million iPhone users for breach of the Data Protection Act 1998. The alleged breach arose out of Google's use of a Safari workaround between August 2011 and February 2012, which allowed it to collect and process iPhone users' data via third-party cookies, without their consent or knowledge. Mr Lloyd argued that this loss of control of data meant that the iPhone users were entitled to be compensated under section 13 of the Data Protection Act 1998. Mr Lloyd sought permission to serve Google with proceedings outside of the jurisdiction and was refused at first instance by the High Court. The High Court's decision was reversed by the Court of Appeal, whose decision was in turn reversed by the Supreme Court.
The Supreme Court held that whilst it was, in theory, possible for a representative action to be brought in the English Courts to determine common issues on liability on behalf of a class, it would not be appropriate to award a uniform sum of damages to each class member. Damages in a representative action may only be recovered on a compensatory basis, and this will inevitably involve an assessment of damages for each individual within the class – making a representative action unworkable. Furthermore, the Court held that the mere fact of loss of control of an individual's data is not sufficient to warrant an award of damages under section 13 of the Data Protection Act 1998 – it is necessary to prove that material damage or distress has been suffered as a result of the breach.
How did the Claimant in TikTok seek to distinguish Lloyd?
The Claimant argued that the remedy under Article 82(1) of the GDPR was materially different from the remedy under section 13 of the Data Protection Act 1998 that was applicable in Lloyd. The Claimant pointed to the specific reference to “non-material damage” in Article 82(1) and Recital 85 – where "loss of control over a subject’s personal data" is cited as an example of non-material damage – as giving rise to a right to compensation. This wording is different from the equivalent under section 13 of the Data Protection Act 1998, which only refers to "damage" without further qualification. The Claimant therefore argued that the reference in Article 82 to "non-material" damage was key, and that "loss of control" would in this case be enough to trigger a right to compensation.
The Claimant also sought to distinguish Lloyd on the grounds that this case involved the actual use of the TikTok platform by children and consequently (unlike Lloyd), each claimant in the representative class would readily pass any de minimis threshold that may be applied because of the scale of data processing undertaken by TikTok in respect of each of its users.
Nicklin J granted the Claimant permission to serve the claim form out of the jurisdiction, finding there was a "serious issue to be tried". The Judge also held that England was "clearly" the most appropriate forum for the claim.
(2) Extension of time for service
Nicklin J refused to grant any extension of time for serving the claim form on the out of jurisdiction defendants.
He criticised the Claimant's delay in bringing the application to serve the claim form on the out of jurisdiction defendants, noting that one particular period of delay was "barely explained in the evidence and [was] not justified" and that "the Claimant's side [was] entirely at fault for the position the Claimant now finds herself in [having to bring the application at issue]".
The Claimant had tried to gain a tactical advantage by issuing the claim form before the end of the Brexit transition period, but that had set the clock ticking on the deadline for service. As Nicklin J noted, "the claimant was perfectly entitled to seek that [Brexit-related] benefit, but it came with an unavoidable downside. Once the claim form was issued, the period within which it had to be served on the service out defendants began to count down".
(3) Alternative service
The Claimant sought permission to serve the claim form on the out of jurisdiction defendants by service on Hogan Lovells (who acted for the defendants but who had confirmed that they were not authorised to accept service of the claim form).
Nicklin J concluded that there were no exceptional or special circumstances to justify service by alternative means and that the Claimant had simply failed properly to attend to service of the claim form until about a week before the time for doing so was due to expire. In that respect, the Claimant was "no different from the host of other litigants who have failed properly to prioritise service of a claim form and who have unwisely left matters to the last minute".
And beyond the courts?
An EU data protection investigation of TikTok’s handling of children’s information remains ongoing, with Ireland's Data Protection Commission now the lead authority for that investigation. The DPC will examine alleged breach of GDPR data protection by design and default requirements for children's data and investigate claims of unlawful data transfers to China.
2. Concluding remarks
Certain large representative actions over alleged data breaches have been discontinued in the wake of Lloyd (e.g., those against YouTube in relation to alleged targeting of underage audiences and against Google/DeepMind in relation to access to confidential medical records). This is the first data breach case where a claimant has sought to maintain a representative action post-Lloyd. Although the judge decided that there was a serious issue to be tried, it is possible that a different outcome would have been reached had the defendants had an opportunity to make submissions and this TikTok decision has not determined whether loss of control can constitute "non-material damage" equating to a potential remedy under the UK GDPR. For the answer to that question, we will need to wait for the summary judgment hearing in the summer, when TikTok's counsel will have an opportunity to set out their arguments for the first time. Even if the court were to find that GDPR offers a remedy for loss of control of data, where the Data Protection Act 1998 did not, it will be interesting to see how the Claimant in TikTok seeks to satisfy the "same interest" test for a representative action, when class members will have arguably suffered differing degrees of loss dependant on their use of the platform (as in Lloyd). Nevertheless, the court may be more open to a "lowest common denominator" of damage argument, given the alleged scale of processing and that the claim concerns children's data.
Might we see a resurgence of opt-in style class actions for data privacy breaches in the future, particularly if TikTok is successful at the summary judgment hearing (thereby again shutting the door on representative, opt-out, claims)? Claimant law firms and litigation funders may still pursue group litigation claims under CPR 19.11, where class members need only show that their claims give rise to common or related issues of fact or law, avoiding the "same interest" test under CPR 19.6. However, such claims can only be brought on an "opt-in" basis, where class members must affirmatively choose to participate. Absent a large class opting in (which, to date, has been rare), these may not be commercially viable. The "bifurcated approach" outlined by Lord Leggatt in Lloyd as a workable alternative option, where a representative action is used to establish liability as a first step only, followed by individual claims for damages, is likely commercially to be equally unattractive for litigation funders and claimant law firms.
The full judgment is available here: SMO (a child) v TikTok Inc  EWHC 489.