A Representative opt-out claim brought against various TikTok entities has been allowed to proceed by the English High Court. This means that the question of whether the mere loss of control over personal data can lead to compensation is set to be re-considered, but this time by reference to the GDPR regime.
This gives a slight glimmer of hope to Claimants, as well as to their lawyers and funders, that claims of this nature might be viable despite the earlier decision in Lloyd -v- Google which effectively put an end to such claims for breaches which occurred prior to the introduction of GDPR. Accordingly, Defendants cannot be certain that they are safe from Representative claims in the UK and should keep a careful watch on the outcome of this case.
Our earlier article on the UK Supreme Court ruling in Lloyd -v- Google is here. In rejecting the idea that compensation can be awarded for mere loss of control over personal data, the Supreme Court explained that it was only deciding this issue by reference to the case before it. That claim related to allegations of misuse of personal data by Google between 2011 and 2012, when the relevant law was the Data Protection Act 1998. This left open an argument about whether the position would be different where a claim is brought under the more recent UK Data Protection Act 2018 (“the 2018 Act”) which implemented GDPR.
In SMO -v- TikTok, the English High Court has allowed the case to proceed so that this argument can be fully tested. Though the case is being brought under the same procedural mechanism used in Lloyd -v- Google (a Representative opt-out claim under Rule 19.6 of the Civil Procedure Rules), it is somewhat unusual. The Claimant is a child (anonymized as SMO) representing millions of other children based in the UK and other parts of Europe. The allegations are that TikTok has breached the data protection rights of these children and misused their private information. In turn, Anne Longfield (the former Children’s Commissioner for England) is acting as the Litigation Friend for the Claimant.
The recent hearing before the Judge was to determine whether the case was sufficiently arguable to allow proceedings to be served on some of the Defendants who are based outside the UK. As part of this, the Judge had to be satisfied by the Claimant that there was a serious issue to be tried. In order to do so, the Claimant sought to distinguish the decision in Lloyd -v- Google on the basis that a claim under the 2018 Act and UK GDPR allows the recovery of mere loss of control damages. Though expressing some hesitation about whether a distinction can be made with Lloyd -v- Google, the Judge decided to allow the claim to proceed so that the points raised by the Claimant (including on the recoverability of loss of control damages) can be more fully argued. This first opportunity to do so will be at the hearing of a Summary Judgment application made by the UK based TikTok defendant. This is due to be heard in the next few months.
A further point to note is that the question about whether mere loss of control damages can be claimed under GDPR is also due to be considered by the Court of Justice of the European Union. Though the English court is no longer bound by the CJEU’s views, a ruling from the CJEU may serve to influence the English court in its interpretation of the 2018 Act and the UK version of GDPR.
So, the use in England of Representative claims for breaches of data protection laws lives to fight another day, though the clock is now ticking down to a determination of this issue.
The full case report in SMO -v- TikTok is here.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, March 2022