This morning, the Supreme Court handed down judgment in Lloyd v Google LLC  UKSC 50, undoubtedly one of the most important and eagerly awaited data privacy judgments to date.
Putting the Court’s decision in two sentences:
- A representative action could be brought in a claim of this sort to establish liability for a breach of data protection legislation; but damages would have to be dealt with through a group action or individual claims;
- That is so because (i) loss of control damages are not available for breach of the Data Protection Act 1998 (“DPA 1998”), even if they are in misuse of private information (“MPI”); and (ii) even if they had been available, it would still have been necessary to embark on an individualised assessment of Google’s alleged misuse in each case, which would have been incompatible with a representative procedure.
This decision is likely to be a considerable relief to controllers. 11KBW is running a webinar (details here) on the broader implications of the judgment, and you are all invited…
The facts will be well-known by all but the newest readers of this blog, and are available here. In brief, between August 2011 and February 2012, Google is alleged to have installed software on Apple iPhones (described as the ‘Safari Workaround’). The Safari Workaround allegedly had the effect of bypassing protections in Apple’s Safari browser and placing a third party marketing cookie on those devices, whenever the user visited a website which contained DoubleClick Ad content. The DoubleClick Ad Cookie enabled Google to track those users across websites, and to harvest considerable amounts of information about their Internet usage and advertisement viewing habits. That, in turn, allegedly facilitated Google’s distribution of targeted advertising to those users, for Google’s ultimate profit.
Claims were brought against Google by individuals once this was discovered, both in the UK and US. Those were settled. Much more recently, however, Mr Lloyd (backed by very significant litigation funding) issued a representative claim under CPR 19.6 for damages for breach of the Data Protection Act 1998, on behalf of himself and all those allegedly affected by the Safari Workaround (the “Class”). A representative action is a procedure of very long standing, by which a claim can be brought by or against persons as representatives of others who have “the same interest” in the claim. Mr Lloyd argued that that requirement was satisfied, since all the Class could claim damages for ‘loss of autonomy’ or ‘loss of control’ over their data, in a uniform amount, without the need for individual assessment of damages. The Class was estimated to number more than 4m; the damages (though not quantified) running into the billions.
Mr Lloyd required permission to serve the claim form outside the jurisdiction, as Google is based in the US. Google resisted the permission application on the basis that the conditions for a representative action were not established: in particular, because the class had (ex hypothesi) differing entitlements to damages, and ‘loss of control’ damages were unavailable in English law.
Mr Lloyd lost in the High Court; succeeded in the Court of Appeal; and has now lost in the Supreme Court.
The Court’s reasoning
The key points in Lord Leggatt’s judgment (with which the rest of the Court agreed) are that:
- A representative action was a legitimate vehicle for the vindication of consumer rights in low-value claims, which should be approached in a practical and purposive manner. There was no principled objection to a common law representative action being used in such a fashion, despite Parliament’s decision not to put in place a statutory procedure.
- However, the scope for claiming damages in representative proceedings is limited: not by any special feature of such proceedings, but rather by the compensatory nature of the damages remedy, which generally (but not always) requires “an individualised assessment which raises no common issue and cannot fairly or effectively be carried out without the participation in the proceedings of the individuals concerned” (§80), which could not operate in a representative action.
- Accordingly, in a case such as Lloyd, there could be “no legitimate objection to a representative claim brought to establish whether Google was in breach of the DPA 1998 and, if so, seeking a declaration that any member of the represented class who has suffered damage by reason of the breach is entitled to be paid compensation” (§84), with damages then being determined by way of individualised assessment (the “Bifurcated Approach”). However, Mr Lloyd had not proposed such an approach, presumably because it would not lead to a return for the funders.
- Mr Lloyd’s alternative attempts to locate a uniform loss which the Class could claim, by reason of ‘loss of control’, fell down on the wording of s. 13 DPA 1998. Even as read down in Vidal-Hall v Google Inc  QB 1003, the Court considered it clear that the DPA 1998 required damage or distress as an ingredient of the cause of action. While accepting that ‘loss of control’ damages were available in misuse of private information (following Gulati v MGN Ltd  QB 149), no such damages were available under the DPA 1998. S. 13 “cannot reasonably be interpreted as giving an individual a right to compensation without proof of material damage or distress whenever a data controller commits a non-trivial breach of any requirement of the Act in relation to any personal data of which that individual is the subject” (§115). Nor was there any requirement of EU law that required the legislation to be read in that way.
- Had a case of this sort been brought in MPI, user damages would have been an appropriate way to quantify the value of the loss: but no such case had been brought (in Lord Leggatt’s inference, because such a claim would potentially have required individual evidence and assessment in order to establish whether or not each member of the class had a reasonable expectation of privacy in the relevant information: §106).
- Nor, even if loss of control damages had been available, would a representative action have been permissible: “[e]ven if … it were unnecessary in order to recover compensation under this provision to show that an individual has suffered material damage or distress as a result of unlawful processing of his or her personal data, it would still be necessary for this purpose to establish the extent of the unlawful processing in his or her individual case” (§144). That would have required individualised assessment, which again would have precluded a representative action.
A few thoughts
A significant victory for Google, a considerable relief for controllers, and a potential blow to the firms and funders behind the recent spate of data protection mass claims.
A few immediate thoughts. First, the Court focused heavily on s. 13 DPA 1998, and pointedly refused to discuss the GDPR (§16). There is an obvious question as to whether the Court’s conclusions are directly transferrable to the GDPR/Data Protection Act 2018; though s. 13 DPA 1998 and art. 82 GDPR are similar in substance and approach.
Second, is anything left of the representative action in data claims? The Supreme Court appears to have acted on the basis of both a desire to ensure that the representative action remained a valuable and ‘live’ procedural tool in an appropriate case; and on an assumption that the Court’s conclusions rendered its use in a Lloyd-type case economically impossible. That may well be right, but it is worth considering whether it is: or whether, from a claimant perspective, the Bifurcated Approach might still have advantages over and above the existing GLO procedure.
Third, what wider implications does the ruling on ‘loss of control’ have for the data claims market more generally? Many readers will be familiar with the spectre of the low-value data claim, with little or no particularisation of distress damages, and a confident assertion that damages are recoverable simply for the fact of breach. That assertion can no longer be made, at least under the data protection legislation. Does MPI (with its more generous damages regime) offer a way round this? Probable answer: in some cases but not all, given the limited situations in which MPI is relevant to data breaches (see here).
Robin Hopkins and Rupert Paines acted for the Third Interveners, the Association of the British Pharmaceutical Industry and Association of British HealthTech Industries, instructed by Kenny Henderson of CMS Cameron McKenna Nabarro Olswang LLP and led by Lord Anderson of Ipswich KBE QC.
Christopher Knight acted for the Fifth Intervener, the Internet Association, instructed by Linklaters LLP.