Lloyd v Google: good news for data controllers?

It is fair to say that the highly anticipated judgment of the Supreme Court in Lloyd v Google^[1] which arrived on 10 November, was not the huge game-changer (for both litigators and funders, and data controllers) that some had predicted. The Court unanimously allowed Google's appeal, restoring the order made by the first instance judge that the representative action should not proceed.

Google's win represents a coup for data controllers because the Supreme Court's ruling will almost certainly put the brakes on the momentum that class actions in respect of breaches of data protection laws had been gathering. It now stands as the leading decision on representative actions brought under the Civil Procedure Rules ("CPR") 19.6, and no doubt will have prompted claimant lawyers to reassess the viability of future claims under both the Data Protection Act 1998 (the "DPA 1998") and the UK GDPR.

The judgment is significant in its examination of two key issues:

from a litigation perspective: the circumstances in which a class action can be brought as a representative action pursuant to CPR 19.6 on an opt-out basis. If the Supreme Court had allowed the claim to proceed, it would have made the class action regime in the UK much more simple, practical and attractive to claimants and litigation funders (please see text box for further details); and
from a data protection perspective: the circumstances in which damages for 'loss of control' can be awarded for breach of data protection laws (specifically the DPA 1998, which was the main data protection law in force at the time of the alleged breach, and which has since been superseded by UK GDPR).

Collective proceedings and representative actions

Collective proceedings, which the Supreme Court dubbed a "recent phenomenon in English law", are often associated with mass/class actions which are particularly common in the US. Representative actions under CPR 19.6 are a type of collective proceeding, however they are not new; they have existed for hundreds of years (their legislative basis arising out of the Judicature Act of 1873). In essence, representative actions under CPR 19.6 relax the requirement for all persons materially interested in the subject-matter of an action to be a party to it, by allowing a party (claimant or defendant) to represent all others who have the same interest as them in that action. Historically representative actions were used by communal groups, company and union members. For a rather quaint example, see Duke of Bedford v Ellis [1901] AC 1 in which six individuals sued the Duke of Bedford, who owned Covent Garden Market, on behalf of themselves and all other growers of fruit, flowers, vegetables, roots and herbs, to enforce certain preferential rights claimed under the Covent Garden Market Act 1828 to stands in the market.

Today, CPR 19.6 provides that:

(1) Where more than one person has the same interest in a claim –

(a) the claim may be begun; or

(b) the court may order that the claim be continued,

by or against one or more of the persons who have the same interest as representatives of any other persons who have that interest.

(2) The court may direct that a person may not act as a representative.

(3) Any party may apply to the court for an order under paragraph (2).

(4) Unless the court otherwise directs any judgment or order given in a claim in which a party is acting as a representative under this rule –
(a) is binding on all persons represented in the claim; but

(b) may only be enforced by or against a person who is not a party to the claim with the permission of the court.

Opt-out / Opt-in

Notably, there is no requirement to obtain the consent of represented parties under CPR 19.6, only a requirement for individuals to share the "same interest" in an action. The action can then proceed on an "opt-out" basis. CPR 19.6 is sufficiently flexible to allow the Court to require individuals to be notified of the action, but this is not a precondition.

There are two principal additional ways in which collective proceedings may be brought in England & Wales. First, in certain circumstances a class representative may bring collective proceedings, on an opt-in or opt-out basis, in the Competition Appeal Tribunal in respect of competition claims that raise the same, similar or related issues of fact or law. Second, collective proceedings may be brought by way of a Group Litigation Order ("GLO"). However, the GLO procedure requires claimants to take active steps to join the action, i.e. individuals must "opt-in".

"Opt-out" proceedings offer significant advantages when compared to "opt-in" proceedings. In practice, claimants are often reluctant to take active steps to pursue claims, particularly if the loss suffered by each individual is small. Opt-out proceedings allow for large numbers of low-value claims to be pursued on a collective basis by a single class representative, without the need for any active participation by the affected individuals. As a result, small claims that would not otherwise be viable may be pursued, often with the assistance of third-party litigation funding.

For further information on mass claims procedures in England and Wales please see the Travers Smith Dispute Resolution Yearbook 2021.

We set out below a recap of the facts and our key takeaways for data controllers from the Supreme Court's judgment.

Now Reading

Fact recap

A "blip" in the Safari workaround that Google implemented on Apple iPhones between August 2011 and February 2012, to permit the use of certain web functions, led to the alleged bypassing of privacy settings on the Apple iPhones of approximately 4 million users. As a result, personal data about internet use and browser history relating to these users was allegedly collected and processed via third-party cookies dropped by Google, without the consent or knowledge of such users.

Mr Lloyd brought his claim against Google under CPR 19.6 as a representative of the 4 million allegedly affected users. He claimed that in processing personal data via the Safari workaround - without transparency or consent from users - Google had breached the DPA 1998 and, as a result, users were entitled to be compensated for the loss of control of their personal data.

Since Google is based in the US, Mr Lloyd required the permission of the English Court to serve his claim outside of the jurisdiction. The two issues were therefore examined in this context (in effect, an objection by Google to the jurisdiction of the English Courts) rather than at full trial: first, by the High Court, which refused Mr Lloyd permission to serve and pursue his claim; secondly, by the Court of Appeal, which reversed the decision at first instance; and, now, by the Supreme Court.

Takeaway points for data controllers

The Supreme Court noted that a representative action could be brought in respect of a group of claims raising the same issues. However, it concluded that in this case damages could be assessed only by way of an individualised factual inquiry into the particular circumstances of each claimant. In other words, the claims for damages did not raise the "same issues" and were not suitable for representative proceedings. Nonetheless, Lord Leggatt did suggest that such claims could be brought using a "bifurcated process", the first stage of which would involve the establishment of liability only.

In practice, what is meant by a "bifurcated process"? A two-stage procedure is envisaged:
1. A representative action could be brought pursuant to CPR 19.6 to determine common issues on liability, such as whether there is an actionable breach of the DPA or UK GDPR. At this stage, the claimants would collectively be seeking a declaration from the Court that would benefit them all.
2. If the claimants are successful at stage one and the Court confirms that the class members are entitled to seek compensation, individuals could then pursue follow-on claims for damages, on an individual basis.
The difficulty with stage one of the "bifurcated process" is that it does not generate any financial return for the represented parties and litigation funders and in Lord Leggatt's view this was "doubtless" why Mr Lloyd chose not to proceed on this basis. Funding stage one would therefore only be economically viable if the second stage was expected to generate a return in excess of the costs of bringing the litigation (and this could not be the case for individual claims worth only a few hundred pounds).

The claimant argued that a uniform sum of damages could be awarded to each class member, without the need to prove any facts specific to that individual. However, the Supreme Court held that damages in a representative action can be recovered only on a compensatory basis, i.e. they must put the claimant – as an individual – in the same position as if the wrong had not occurred. And this hits the crux of the problem for representative actions pursuant to CPR 19.6 in relation to data protection law breaches, as they will almost always involve an assessment of damages on an individual basis: the requirement to compensate claimants in this way makes it very difficult to establish that each claimant has the same interest.

Lord Leggatt concluded that any award of damages in this case would require a factual inquiry into the particular circumstances of each individual claimant. This is because the effect of the Safari workaround was not uniform across the represented groups. As the Judge at first instance pointed out, some users were "super users – heavy internet users" compared to others who used the internet very little, and therefore different individuals would have had different quantities and types of information collected and processed (see the text box below which details some of the factors that would need to be taken into consideration when making the assessment). In other words, damages for the proposed class members could not be assessed on a collective basis. As a result, Lord Leggatt concluded that Mr Lloyd's claim was "doomed to fail".

The mere fact of a non-trivial breach amounting to a 'loss of control' is not enough to warrant an award of compensation under section 13 of the DPA 1998 - it is necessary to prove that material damage or distress has been suffered as a result of the breach.

Under section 13, DPA 1998, compensation can only be awarded if:
- there was a contravention by a data controller of the DPA; and
- the individual concerned suffered damage as a result of such contravention.
The Supreme Court found that "damage" must be interpreted to mean "material damage", such as financial loss. It also found that under section 13, compensation could only be awarded for distress suffered by an individual who had also suffered financial loss as a result. The Court could not see how "damage" could be interpreted to include "loss of control" of personal data, which it viewed as a conflation of cause and effect: there had to be a breach of the DPA which then caused the claimant to suffer damage. Incidentally, the Information Commissioner's Office (an interested party in the case) took the opposite view: in its written submissions, it thought that "damage" as set out in the DPA 1998 should be interpreted to include a "loss of control" of personal data.

If 'loss of control' is taken out of the picture, and some sort of material damage has to be shown, it makes it much more difficult to establish that all the members of a represented class have the same interest in the case (which, as set out above, is necessary in order to bring the action), since the type and extent of damage suffered by each individual will be different. Deciding the amount of damages (if any) would involve an assessment of the extent of the unlawful processing in each case. Lord Leggatt helpfully listed out a number of factors to consider as part of this assessment, namely (i) over what time period was the browsing history tracked, (ii) what quantity of data was unlawfully processed, (iii) was any of the unlawfully processed information sensitive or private in nature (or both), (iv) what use was made of the information and (v) what commercial benefit was derived from such use. The Supreme Court pointed out that in any event, even if loss of control damages were available, an individual assessment would still be required to establish the extent of such loss for each claimant, which again makes it difficult to establish same interest.

Loss of control damages for breach of data protection law, should not be available simply on the basis that such damages are available for the tort of misuse of private information.

The Supreme Court did not agree with Mr Lloyd that the two causes of action stem fundamentally from the same right to privacy and should therefore be treated in a similar way. Lord Leggatt drew a distinction between the misuse of private information (which requires the involvement of information which is private in nature, and which for this reason, can give rise to a claim for the loss of the control that the claimant had in respect of such information when it is misused), and breach of data protection law claims (which often do not involve personal data which is inherently private). It followed that, given the distinctions between the two causes of action, they shouldn't necessarily share the same remedies.

Another distinction which Lord Leggatt identified between the two causes of action, is that the tort of misuse of private information imposes strict liability for deliberate acts but not in respect of a lack of care or negligence. In contrast, many data protection breaches, in particular data security breaches, do not involve a deliberate act; rather the data controller is the target of a cyber-attack. This is helpful for data controllers when faced with claims of misuse of private information following a data breach and is consistent with the judgment in the case of Darren Lee Warren v DSG^[2] earlier this year, in which the High Court threw out the claim for misuse of private information following a data breach, partly because on the facts of the case the data controller had not carried out any positive wrongful act in relation to the information. It also impacts on the claimant's ability to recover the costs of their ATE premium: recovery of such costs is not permitted in data protection claims, whereas the premium can be recovered in claims for misuse of private information.
Although the case was brought under the DPA 1998, it is unlikely that a different result would have been reached under the current regime due to the similarities of the underlying principles.

However, it is worth noting that the UK (and EU) GDPR is worded differently: it not only expressly recognises the right for a person to receive compensation in instances where they have suffered non-material damage as a result of the infringement, but it also recognises in its recitals, that "a personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data…". The reference to loss of control in the legislation is, though, made specifically in relation to personal data breaches rather than any breach of UK GDPR, and individuals will suffer differing degrees of loss of control in respect of their personal data, depending on how much is taken and the nature of the data, which again makes it difficult to establish a common interest.

Conclusion

Whilst the decision is generally good news for data controllers, the Supreme Court's comments regarding a "bifurcated process" are interesting and perhaps leave the door slightly ajar for representative actions to proceed in this context.

However, whilst this may sound promising to claimant groups, it remains to be seen whether lawyers, and crucially the funders of the claims, would have the appetite to launch such an action, particularly if any follow-on claims for damages would have to be brought on an individual and opt-in basis.

Despite the difference in wording between UK GDPR and the DPA 1998, it is also difficult to see how breaches of UK GDPR might lend themselves more readily to bringing representative actions, in particular given the Supreme Court's view on the need for individual assessment, even if loss of control damages had been available.

What does the Government think?

From a policy perspective, it does not look like the UK Government has any plans to step in to help claimants in the near future either. The DCMS consultation conducted in February 2021, concluded that it would not adopt Article 80(2) of the UK GDPR which would allow an "opt-out" collective proceedings mechanism for non-profit-organisations to bring an action on behalf of people who may be unable to represent themselves in the data protection sector. The DCMS concluded that "there is insufficient evidence of systemic failings in the current regime to warrant new opt-out proceedings in the courts for infringements of data protection legislation, or to conclude that any consequent benefits for data subjects would outweigh the potential impacts on businesses and other organisations, the ICO and the judicial system." In reaching this conclusion, much reliance was placed on the fact that the ICO is one of the largest data protection regulators in Europe and already has a wide range of investigatory and enforcement powers – so the government views this (together with legislation such as UK GDPR) very much as the most effective way to keep data controllers compliant, rather than via the courts necessarily.

This approach is in contrast to the regime for bringing collective proceedings before the Competition Appeal Tribunal. The Supreme Court's decision in Merricks v Mastercard ^[3] looked at the difficulties of calculating damages in collective proceedings in a competition context, and found that the Competition Appeal Tribunal was wrong in law to regard respect for the compensatory principle as an essential element in the distribution of aggregate damages. This is because the Competition Act 1998 effectively dispenses with the compensatory principle as it empowers the Competition Appeal Tribunal to make an award of damages without undertaking an assessment of the amount of damages recoverable in respect of the claim of each represented person.

It would appear that a similar legislative approach would be required in order to circumvent the problems highlighted in Lloyd v Google when it comes to assessing damages in actions brought on a representative basis, in data protection cases. Or, a re-examination by the Government of the conclusion it reached in its February consultation on Article 80 (2), in which it noted the Lloyd v Google case and the fact that at that point, the outcome of Supreme Court proceedings was still unknown. However, in the absence of either of these avenues being followed, it looks like the Government is content, for now, to rely on the ICO's powers of enforcement and fining to keep data controllers in check, and that they are relatively safe for the time being from an 'opt-out' collective proceedings mechanism.