After a hearing earlier this year, on 10 November 2021 the Supreme Court handed down its judgment in Lloyd v Google. There has been a very significant amount of commentary since the judgment and rightly so given the potential consequences a judgment in favour of Mr Lloyd might have had. The fact the Court of Appeal's decision was overturned and the case was decided in Google's favour is undoubtedly important and a positive outcome for data controllers. Nevertheless, there remains at least a degree of uncertainty as to whether this really spells the end for class actions (claims brought by groups of affected individuals) in the data protection sphere.
What was the case about?
Mr Lloyd brought a representative action (under Rule 19.6 of the Civil Procedure Rules) against Google. He acted as the representative of a class of four million Apple iPhone users in England and Wales. As is the nature of representative actions, this was an "opt-out" case, meaning none of the other four million users signed up to take part. The claim related to Google's use of a third-party cookie (the DoubleClick Ad cookie) to track internet users' activities without their knowledge or consent, collect information and then use that information to enable third-party advertisers to target their advertising. Mr Lloyd's case was that this collection and use of personal data was in breach of the principles that applied to the processing of personal data; importantly, the statute that applied to the period of Google's activities (in 2011 and 2012) was the Data Protection Act 1998, rather than the regime that has applied since May 2018 based, first, on the EU version of GDPR and then, more recently, the near identical UK version of GDPR. The same actions by Google had been the subject of a fine by the US Federal Trade Commission, and Google had also settled earlier litigation in the United States and in England.
What was new about this case was the use of the representative action procedure. Mr Lloyd suggested a figure in damages of £750 per individual in pre-action correspondence, which would have equated to £3 billion across the entire class. The legal costs of bringing the claim were funded by a third-party litigation funder in return for a share in the compensation that might be derived from the claim.
The Supreme Court's decision was on the question of whether Mr Lloyd should be permitted to serve the proceedings on Google in the United States, enabling it to continue. However, in considering this issue, the Court was required to assess the merits of bringing the claim as a representative action and the way that Mr Lloyd’s legal team had structured the case in order to do so. Google argued that the way the claim had been brought meant it had no real prospect of success and so permission should be refused. The High Court had refused Mr Lloyd permission, but this was overturned on appeal by the Court of Appeal. The Supreme Court reversed that decision.
"Loss of control" and "same interest"
In order for Mr Lloyd's claim to proceed, he needed to show that all the individuals in the class had the "same interest" in the claim. This is the central test which determines whether a representative action can proceed. It is a tightly controlled test, because the general position is that a judgment in a representative action is binding on all members of the represented class. Any need for individualised assessment of those in the class is fundamentally inconsistent with the representative action procedure.
Mr Lloyd sought to meet this tightly controlled test by arguing that (a) all members of the class had the same interest in respect of the "loss of control" of their personal data and, furthermore, that (b) the damage inherent in this loss of control could be reduced down to what he described as the "lowest common denominator". Put another way, it was argued that there was a minimum level of harm that could be attributed in the same way to each user, and which could be used to satisfy the same interest requirement. Mr Lloyd was therefore only seeking part of the compensation to which individuals might be entitled if they had brought proceedings against Google themselves.
The Supreme Court's decision
The Supreme Court rejected Mr Lloyd's arguments.
First, it reviewed the relevant provision of the legislation relating to compensation in data protection claims which applied at the time (section 13 of the Data Protection Act 1998). The Court held that the term "damage" in that provision must involve financial loss or distress. It did not extend to the mere loss of control over one's personal data.
Mr Lloyd had sought to draw an analogy between damages under the data protection framework and damages in a separate cause of action, misuse of private information (MPI). In the case of Gulati & Others v MGN Ltd, which related to the now infamous phone hacking scandal, damages had been awarded for loss of control in relation to the private information contained in voicemail messages.
While the Court of Appeal was attracted by the analogy with Gulati, the Supreme Court dismissed the argument. It drew a clear distinction between the data protection regime, which is governed by statute, and the framework for MPI, which is a tort governed by common law. The Court also noted that, while MPI related to information that was inherently private, the personal data that data protection law applies to do not have to be of a private or confidential nature.
The Supreme Court therefore dismissed the notion that "loss of control" was a viable basis for damages under section 13 of the Data Protection Act 1998.
Second, and in any event, the Supreme Court also rejected the suggestion that the claim for damages could be based on the (novel) concept of the lowest common denominator. The essence of this argument was that damages could, for all class members, be based on their mere membership of the class. Mr Lloyd's argument was that damages should be awarded for the mere fact that they accessed a website participating in Google’s DoubleClick advertising service on a single occasion and thereby had the cookie placed on their device. Mr Lloyd did not rely upon any individual usage of personal data by Google since this would have been fatal to the same interest requirement.
The Supreme Court found that this very limited concept of harm was insufficient to meet the required "threshold of seriousness" that the parties agreed applied to the claim. The essence of this decision was that compensation should not be recoverable for trivial damage. The Court's view was that the very limited way in which the case for compensation was argued could only involve trivial damage (even if the type of damage, ie loss of control, had been permitted by the Data Protection Act 1998).
In essence, in structuring his claim to meet the same interest test, Mr Lloyd had ignored that he needed to demonstrate not only that there had been an infringement of the data protection rights of the class he was representing, but also that this class had suffered a type of loss that was recognised by the data protection law applying at the time. That loss required an individual assessment based on the circumstances in each case – eg how long had Google been monitoring the individual’s activity, what had the individual been viewing, and what had Google done with that information? This individualised assessment of loss was incompatible with the same interest test for representative claims. Mr Lloyd’s claim was therefore fatally flawed.
For the same reasons, the Court also dismissed an argument by Mr Lloyd that user damages could be recovered. User damages refers to the amount a reasonable person would have expected to be paid for the right to use their data in the way alleged. The difficulty with putting the case on this basis is that it again ignores the fact that what each individual might accept by way of compensation would require an individualised assessment. Some infringements by Google could have been trivial, whereas other infringements might have been much more serious. And any trivial infringements by way of Google merely setting the cookies without doing anything more would have been of no value to Google, so it would not have been prepared to pay a fee for that in any event.
The death of data class actions?
While this is clearly a favourable ruling for data controllers, and should put the brakes on a deluge of opt-out claims for mass infringements of data protection law, it may not be the end of the story.
The Supreme Court was at pains to point out that the representative action model could have worked if it had only been deployed to establish liability for the infringements of data protection law. It was the attempt to construct a "same interest" in respect of the loss that flowed from the breach that was fatal for Mr Lloyd’s claim. So, this does not rule out split actions, in which a representative is used to establish liability, before an opt-in Group Litigation Order model might be used to address the quantum of damages.
The key question is whether this split process is economically viable. The obvious attraction of Mr Lloyd's case for the third-party funder was that it did not have to go through the process of having claimants sign up to the claim or conduct any individual assessment of circumstances; all this while there were potentially very significant damages in play if the claim had been allowed to proceed, which the funder would have taken a share of. Of course, opt-in Group Litigation Orders remain available, but there do seem to be questions about their economic viability for funders unless they are fairly certain of signing up large numbers of claimants on an opt-in basis.
The other issue is that Lloyd v Google was determined under the old statutory regime. The applicable law in England is now the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Article 82 of the UK GDPR provides for compensation in circumstances involving "material and non-material damage" but does not define those terms. Meanwhile, Recital 85 of the UK GDPR (which is an explanatory note rather than part of the legislation itself) gives "loss of control over personal data" as an example of non-material damage in the context of a data security breach.
The question of whether damages are recoverable for loss of control under the identical wording of Article 82 of the EU GDPR (from which the UK GDPR derives) is currently being litigated in other countries in Europe and a case is proceeding from the Austrian courts to the Court of Justice of the EU on just this point. Decisions of the CJEU are no longer binding on the English courts, but they may well be highly persuasive. As it stands, the question of "loss of control" remains (at least theoretically) open under the new legislative framework of UK GDPR and the Data Protection Act 2018.
We can be fairly confident that there will not be a flood of representative actions in the near future. However, it will be interesting to monitor what happens in the existing representative actions that were commenced before the decision in Lloyd and which fall under the new legislative framework. Similarly, we will have to see whether any funders (or individual litigants) are prepared to take on the split process mentioned above. Only time will tell.
Finally, it is worth noting that the Supreme Court's decision sits alongside two other recent decisions in which claims were dismissed at an early stage. These cases all point towards the courts being unwilling to allow data privacy laws to be used in a speculative or misconceived way. All three cases certainly add to the armoury of data controllers who are facing claims based on breaches of data protection and related laws.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, November 2021