The Supreme Court has closed the door to ‘opt out’ style class action claims for breaches of data protection legislation, in a unanimous judgment that rejected an attempt to make Google liable for ‘loss of control’ over users’ personal data without having to prove any loss.
The Lloyd v Google saga has, at last, reached its conclusion. Reversing the Court of Appeal’s surprise decision from October 2019, the Supreme Court has unanimously decided that loss of control is not a sound basis for a claim for a non-trivial breach of the Data Protection Act 1998 (“DPA 1998”). The Court also found that the claim could not be brought as a representative action as it would still have been necessary to show damage for each individual claimant. Data controllers large and small, who were staring down the barrel of brewing class actions that had the potential to spell their end, can breathe a sigh of relief.
At its core, the case concerned Google’s ‘DoubleClick Ad Cookie’ technology, which was used between April 2011 and February 2012 to track the internet activity of Apple iPhone users; something which was not normally possible on the Safari browser (known as the “Safari Workaround”). Essentially, whenever a user visited a website which contained DoubleClick Ad content, Google could then collect data on the pages the user visited, how long they spent on them, which adverts were viewed, and so on. The data was collated, labelled (with users being categorised as, for example, ‘football lovers’), and then sold to advertisers, allowing them to target certain people with their advertisements.
The claim was brought by Richard Lloyd, former executive director of Which?, in a representative action on behalf of individuals who had used devices that were affected by the Safari Workaround without their knowledge or consent; an estimated 4.4 million iPhone users. Lloyd attempted to utilise an ‘opt-out’ style of class action, relying on Civil Procedure Rule 19.6 which allows an individual to bring a claim on behalf of a wider class where all members of the class have the ‘same interest’ in the claim.
The claim was also unique in that Lloyd did not allege any financial loss or distress; instead, he argued that compensation was due because of the users’ loss of control of their personal data. A successful claim would, therefore, have meant a widening of the scope of data protection claims to include awards of compensation with no requirement to establish distress or material damage.
It should be noted that this case was ultimately concerned with the technical issue as to whether Lloyd should be permitted to pursue his case against Google LLC, a US company out of the jurisdiction of England & Wales. In order to do so, Lloyd had to convince the Court that his claim had sufficient merit and odds of success. In the High Court, Mr Justice Warby was outspoken in his disapproval of a case that he considered to be, “an officious litigation, embarked upon on behalf of individuals who have not authorised it.” He said that the case should not “…be permitted to consume substantial resources…”, where those who principally stood to benefit were the lawyers and litigation funders.
Conversely, the Court of Appeal arrived at the conclusion that this lack of authorisation from the individuals affected was irrelevant. Instead, the fundamental importance of the claim was to provide a civil compensatory remedy for a practice that (had Lloyd ultimately been successful at a full trial) would, in the Court of Appeal’s words, have been characterised as a “wholesale and deliberate misuse of personal data without consent, undertaken with a view to commercial profit.” It is against this backdrop of conflicting viewpoints that the Supreme Court made its final decision.
The two key questions that the Supreme Court had to consider were:
- whether a damages claim under the DPA 1998 was permissible where the action was solely concerned with a claimant’s ‘loss of control’ over their data, but where no directly quantifiable loss, damage or distress had been suffered; and,
- whether, in pursuing a representative action, the ‘same interest’ test can be satisfied where damages are variable (for instance, by adopting a ‘lowest common denominator’ approach instead of assessing damages on an individual basis).
‘Loss of control’
Lord Leggatt, giving the judgment on behalf of all five judges, roundly dismissed the suggestion that the wording of the DPA 1998 accommodated the idea of a ‘loss of control’ in place of material damage. Lloyd’s argument had leant heavily on the Court of Appeal’s judgment in Gulati v MGN, which addressed phone hacking through the lens of misuse of private information (not data protection legislation). Essentially, Lloyd argued that the fundamental issue at stake was an individual’s right to privacy. In this, Lloyd said that his claim and the Gulati case shared common ground and the Court of Appeal’s approach in Gulati (awarding substantial damages for loss of control) should be transplanted into data protection cases like this.
Section 13(1) of the DPA 1998 provides that an individual has a right to claim compensation where they have suffered damage as a result of a breach of the DPA 1998 by a data controller. Section 13(2) supplements this by allowing for compensation for distress arising from the data controller’s breach, in circumstances where the individual has also suffered damage (so, satisfying section 13(1)).
On the ordinary interpretation of the DPA 1998, Lord Leggatt concluded that the term ‘damage’ in section 13(1) must mean material damage (such as financial loss), as something flowing from the data controller’s breach and upon which a claim for compensation for distress might then be founded. Simply suffering the breach itself – i.e. the loss of control – is not sufficient to satisfy the requirement to show damage. Thus, the language in section 13 barred Lloyd’s attempt to sidestep this requirement to quantify loss.
Also, addressing Lloyd’s policy argument (invoking Gulati) more generally, the Court differentiated data protection claims from misuse of private information claims, not least on the obvious basis that the latter is always concerned with information which is actually private, whereas this is not a prerequisite for data protection cases.
‘Same interest’ test
Stressing the fact that, under English law, damages are concerned with compensating an individual to make them whole as if the wrong had not occurred, the Court concluded that the representative action regime was incapable of functioning as Lloyd envisaged.
Other than in rare instances where all members of a class did indeed suffer identical losses (e.g. being overcharged by a fixed amount), Lord Leggatt stated that representative actions are not appropriate vehicles. This is because members of the class pursuing the representative action do not actually participate in it, and so the Court would be unable to carry out an individualised assessment of the level of damages to which each member would be entitled.
One way that Lloyd sought to use to circumvent this problem was to suggest a ‘lowest common denominator’ approach, whereby all members of the class should be nominally treated as having suffered the same amount – which, in this case, was £750 due to all 4.4 million iPhone owners in the relevant time period (a total of £3 billion in damages, as calculated by Lord Leggatt). Relatedly, all that was required to qualify as a member of the class was to meet the basic criteria (e.g. to have owned an iPhone in the relevant time period). This would have led to a situation where an individual became entitled to damages but where there was no need to demonstrate that they had actually suffered the unlawful processing. These arguments were rejected by the Court.
End of the Road?
Whilst this case was concerned with the legislation then in force at the time of the breach, the DPA 1998, and did not consider the updated regime, this is no comfort to those who would seek to bring equivalent claims under the GDPR and Data Protection Act 2018. The wording in the GDPR and Data Protection Act 2018 is broadly similar to that in the DPA 1998, and what differences there are seem very unlikely to mean that the Supreme Court’s reasoning can be meaningfully distinguished.
Lord Leggatt did observe that the representative action mechanism could offer a route to offering compensation for breaches of data protection legislation - but not on its own. The representative action mechanism could be used, on behalf of all members of the class, to obtain a declaration that a breach had occurred for which the data controller was liable, as the first stage. Individual members of the class would then be able to rely on this declaration to seek to obtain a damages award separately, on the basis of a specific assessment of their entitlement.
The principal issue with this is that, once past the representative action stage in the High Court, establishing damages on an individual basis for every member of the class would potentially carry a high evidential burden for individual claimants - e.g. advancing evidence demonstrating that the claimant suffered meaningful distress – and would be far from cost-effective for lawyers to pursue, nor for litigation funders to finance.
The Supreme Court declined to encourage a change to the law in this area, and any further change seems unlikely given that the Department of Culture, Media and Sport concluded, earlier this year, that there was insufficient justification to warrant the creation of a bespoke regime that would achieve what Lloyd was attempting to for breaches of data protection legislation. Thus, class actions are not likely to become a mainstay of UK data protection litigation, as they are in the US. It may have played on the judges’ minds that allowing this claim to proceed might have inundated the courts, leaving data controllers open to very substantial claims. Whilst Google might be able to shoulder a £3 billion payout, comparable claims on behalf of customers could have been a mortal blow for smaller businesses. Therefore, data controllers will now be able to relax, leaving lawyers to pore over the Supreme Court’s decision - not least because it provides a very helpful survey of the case law on representative actions.
Whilst this claim was an innovative attempt to engineer an avenue for securing damages for large-scale breaches of data protection legislation, this judgment brings hunting season for data controller big game to a close.