Closing the Door but Opening a Window – What Happens Next After Lloyd V Google?

Last week, the UK Supreme Court (the “Court”) issued its much-anticipated and unanimous decision in the case of Lloyd v Google LLC [2021] UKSC 50 and dealt a blow to claimants (and, perhaps more significantly, litigation funders) seeking to use representative action claims to recover compensation for breaches of data protection laws on behalf of large classes of affected individuals. 

The Court provided a general endorsement of the representative action procedure under CPR 19.6 and noted that that procedure is intended to be flexible and advance the overriding objectives of dealing with claims efficiently and providing access to justice. 

In a potentially fatal blow for representative actions for data protection breaches, the Court rejected Lloyd’s argument that: (i) violations of the DP Act 1998 by a controller automatically create an entitlement to financial compensation without needing to prove financial loss or distress; and (ii) such compensation can be assessed on a uniform “per capita” basis without the need for an individual assessment of harm.

This will no doubt make representative claims for data protection breaches very difficult, if not impossible, to pursue.  Crucially, it will also make them less attractive to litigation funders due to the uncertain return and potential adverse costs risk. Potential claimants motivated to punish data controllers for alleged data protection breaches may therefore be forced to look for relief elsewhere.

Background to the claim

Lloyd sought compensation from Google on behalf of a class of four million iPhone users in the UK, claiming approximately £3 billion for breaches of the UK's Data Protection Act 1998 (“DP Act 1998”) (based on an estimate damage of £750 per affected user). 

The claim arose from the so-called “Safari workaround”, which allegedly enabled Google to track the internet activity of Apple iPhone users in 2011– 2012 using third-party cookies. Lloyd claimed that Google was able to use personal information without the individual’s knowledge or consent, in breach of the DP Act 1998, resulting in a commercial gain for Google as it could allow its advertisers to target users based on their browser history. This activity has already been the source of action in other jurisdictions, including the United States, where Google entered into a civil settlement with the U.S. Federal Trade Commission.

Lloyd, a consumer rights activist, brought the claim against Google under section 13(1) of the DP Act 1998.  Section 13(1) provided that “[a]n individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”. Lloyd argued that this clause gave an individual the right to compensation for any (non-trivial) breach of the DP Act 1998 by a controller without the need to prove the harm or distress caused to each individual. 

Lloyd asserted that he was able to represent four million iPhone users in England and Wales in a claim for financial compensation:

• Without requiring the individuals to actively ‘opt-in’ to the claim; and
• Without proving any facts relevant to each individual user other than the fact that the user had an appropriate iPhone during the relevant period and visited a website that was participating in Google’s DoubleClick advertising service. 

Lloyd argued the case on a “lowest common denominator” basis by assuming that each user only visited the website once and that the user received no targeted advertisements as a result (so that the facts of individual users did not need to be proved).  

In the High Court, the Claimant’s application for permission to serve the proceedings on Google was refused on the grounds that: (i) section 13 of the DP Act 1998 required proof of financial damage or distress; and (ii) the claim was not suitable as a representative action as the members of the class of claimants did not share the same interest. The Court of Appeal reversed this in a controversial decision finding that ‘loss of control’ of personal information was sufficient to recover damages and that the members of the claimant class did share the same interest (see our alert on the Court of Appeal decision). 

Google appealed the decision of the Court of Appeal.  

The decision of the Court

The Court (in a unanimous judgment delivered by Lord Leggatt) allowed the appeal, refusing the Claimant permission to serve the proceedings out of the jurisdiction on Google. This marks the end of the litigation, there being no further right of appeal.

The key findings made by the Court are:

• The wording of section 13 of the DP Act 1998 did not allow a claimant to recover compensation without demonstrating that the breach of the DP Act 1998 caused material damage or distress to the individual concerned. 
• ‘Loss of control’ of personal information by an affected member was not sufficient damage for the award of compensation under section 13 of the DP Act 1998. 
• Even if damages for ‘loss of control’ were available, it would be necessary to assess those damages on an individual basis on behalf of each member of the class of claimants. 
  
  • It is not possible to claim a uniform amount of compensation for an entire group without assessing the facts and circumstances of each individual member’s claim. 
  • Lloyd’s attempt to calculate the damages by estimating a fee that each member of the class could reasonably have charged to release Google from its duties similarly failed because his case was based upon the “lowest common denominator” (i.e., that the user had the infringing cookie placed on their device but did not receive targeted advertisements). As a result, the hypothetical licence obtained by Google would only have covered placing the infringing cookie on a user’s device but not collecting or using any personal information.  The Court concluded that such a licence would be valueless.

Implications for UK mass data protection claims

1. It will be far less attractive for litigation funders to bring opt-out class action data protection claims in the UK.

The Court ruled that the UK’s opt-out class action procedure is flexible and, in principle, may be used to bring data protection claims. However, as set out above, there would need be a bifurcated process, with damages only determined individually at a second stage.

This is an uneconomic prospect for litigation funders. They would have to fund the first stage of the litigation without any prospect of financial return and the potential risk of an adverse costs order. In respect of the second stage, as the Supreme Court itself acknowledged, claims that individually are only worth a few hundred pounds will not be economic to pursue, as the ultimate number of claimants would be uncertain and the initial costs alone may easily exceed the potential value of the claim.

Future claims may be more successful if it is possible to prove that the damage suffered by members of the represented class, or certain sub-groups of that class, is homogeneous. Examples provided by the Court included a situation where all affected members of a class had been wrongly charged a fixed fee or had bought a defective product and the defect caused an identical reduction in value of the product in each case. However, it is difficult to imagine such a scenario in the context of claims for breaches of data protection or misuse of private information in light of their inherently personal/individualized nature.   

2. The current UK legislation was not considered by the Court.

The Court expressly did not consider the current data protection regime and offered no analysis of the UK GDPR (the GDPR as enshrined in the laws of the UK) or the Data Protection Act 2018 (“DP Act 2018”). The Court’s construction of section 13 of the DP Act 1998 (i.e., that it does not confer a right to compensation for any contravention without the need to prove damage or distress to the individual concerned) arguably applies equally to Article 82 of the UK GDPR, which similarly permits compensation to be claimed where a data subject suffers damage by reason of a contravention of the relevant legislation.

3. A route may open for similar claims for “misuse of private information” instead.

The Court observed that, in contrast to the DP Act 1998, there is no need to show material damage or distress to claim compensation for a claim for “misuse of private information”. The Court speculated that Lloyd may have elected not to pursue his representative claim for misuse of private information as, in order to establish a reasonable expectation of privacy, it would be necessary to adduce evidence of facts particular to each individual claimant. Such claims may be more suitable where the breach relates to inherently private information (e.g., in a misuse involving particularly sensitive information, such as health records). However, even in those cases, the breach is likely to impact individuals differently, requiring an individualized assessment of damage.

What happens next?

The Lloyd v Google litigation is now over. This decision is a clear and significant hurdle for future claimants seeking to bring a representative action for breaches of data protection law in the UK, especially as litigation funders are likely to be discouraged from supporting similar claims.

However, the door has not yet been shut for mass data protection claims in the UK. Claimants may use the guidance in this decision to reformulate their claims. The UK may even choose to create a specific regime for opt-out data protection proceedings (as it has done in respect of UK competition law claims). The UK Government has said that it will be closely reviewing the decision in Lloyd v Google as part of its review of the representative action provisions under the Data Protection Act 2018, and we will be monitoring any future developments on this issue closely. 

See the full judgment of Lloyd v Google [2021] UKSC 50 and the Court's corresponding press release.