Lloyd v Google – Supreme Court Judgment – report and impacts on data protection and mass claims in the UK

On 10 November 2021, the UK Supreme Court in a unanimous judgment allowed Google’s appeal against the Court of Appeal decision granting Mr Lloyd permission to continue his representative claim (i.e. a US-style opt-out “class action”) against Google. The judgment brings very welcome clarification in a rapidly evolving area of English law relating to representative “class” actions in general, and in the context of data protection regimes specifically.

The Supreme Court held that:

• a data subject will not have a right to compensation for any contravention by a data controller of any of the requirements of the Data Protection Act 1998 (DPA) unless it can prove that the contravention has caused material damage (i.e. mental distress or financial loss) to the individual concerned.
• The ‘novel’ representative action was doomed to fail – Mr Lloyd failed to show that there was either (1) an unlawful use of personal data relating to each individual, or (2) that the individual had suffered damage as a result.

Background

Mr Lloyd brought an opt-out “class action” against Google in the English Courts, relying on the representative action procedure set out in Civil Procedure Rule (CPR) 19.6. He brought his claim on behalf of more than 4 million iPhone users, allegedly affected by a Safari Workaround that Google had deployed during a 10-month period ending February 2012. The workaround had facilitated Google harvesting browser data from iPhone users without their consent - defined as “browser generated information” (BGI) - which it was able to aggregate so as to create target audiences, in turn generating significant profits by enabling advertisers to target their adverts at these audiences.

Mr Lloyd sought a uniform amount on behalf of the 4 million users without seeking to prove damage for each individual, estimated at GBP750 per user, giving a total of up to GBP3 billion. This was on the basis that each and every user had lost control of their BGI and that, as that BGI had a value, the users should receive damages as a result.

Earlier decisions in the case

To proceed with his claim in the English Courts, Mr Lloyd required permission to serve his claim out of the jurisdiction, on Google in the US. In October 2018, the High Court refused permission, finding that (1) Mr Lloyd’s claim failed to identify a basis for the members of the represented class to claim compensation under the DPA; and (2) the claim had no real prospect of success and should not be permitted to continue as a representative action.

Mr Lloyd appealed that decision and, on 2 October 2019, his appeal was allowed (see our report here) - permission to serve out of the jurisdiction (and continue the claim) was granted. Google appealed that decision to the Supreme Court, at which stage the UK Information Commissioner’s Office (ICO), and a number of other interested parties, intervened. The issues before the Court and respective arguments are summarised in our report here.

Three key questions for the Supreme Court

The three issues for determination by the Supreme Court were:

1. Are damages recoverable under section 13 of the DPA for loss of control of data in and of itself (i.e. where the underlying breach does not result in any pecuniary loss or distress)?
2. Did the class (some 4 million individuals) share the “same interest”, which is a requirement for a representative action to proceed in England and Wales?
3. If the “same interest” test is satisfied, should the Court exercise its discretion to disallow the representative action proceeding in any event?

Damages for non-pecuniary loss and distress

Reversing the decision of the Court of Appeal, the Supreme Court unanimously held that damages are not awardable for a mere loss of control of personal data under the old DPA regime: it held that “[Section 13 of the DPA] cannot reasonably be interpreted as giving an individual a right to compensation without proof of material damage or distress whenever a data controller commits a non-trivial breach of any requirement of the [DPA]....”. Two reasons were given for this:

1. The wording of section 13(1) of the DPA is inconsistent with an entitlement to compensation based solely on proof of a contravention of the DPA (i.e. an underlying breach in and of itself does not automatically entitle an individual to damages).
2. Whilst the Court of Appeal in Vidal-Hall¹ held that damages were capable of being awarded for an infringement of section 13(1) of the DPA for distress where the distress suffered was more than de minimis, to interpret section 13(1) even wider than this - as entitling individuals to damages for a mere infringement of their data rights which causes no material damage nor even distress – would require an extension to the rights conferred by the DPA. On a purely domestic interpretation of the DPA, such a reading is untenable. Neither is there any basis for such a proposition in EU law.

Representative action

CPR 19.6 provides that a claim can only be pursued on a representative basis if the Claimant (or Defendant) class has the “same interest” in the claim. In its decision, the Court considered that Mr Lloyd’s claim could, theoretically, have been brought on behalf of each affected iPhone user, as the individual claims would all raise common issues. Indeed, the “same interest” requirement would have been satisfied even if only a minority of class members were ultimately able to obtain compensation on the basis of, for example, a declaratory judgment. However, Mr Lloyd had not chosen to pursue his representative action on such a bifurcated basis.

Rather, Mr Lloyd’s claim was formulated as an action in which each class member was said to have suffered the same damage on what was described as a “uniform per capita basis”. This approach was flawed as the impact of the Safari Workaround was not uniform across the represented class. In the event that liability was established, therefore, English law would seek to compensate the individual class members by reference to the harm or loss sustained. This harm or loss would obviously vary on a case-by-case basis and, in any event, could only be established by Mr Lloyd adducing evidence for each member of the represented class. On this analysis, there was no means for Mr Lloyd to circumvent the evidential burden required for an individualised assessment of damages. A representative action was accordingly held to be untenable on the facts on this case.

Discretion

The Supreme Court held that it was unnecessary to decide whether the Court of Appeal was entitled to interfere with the first instance judge’s discretionary ruling or whether it would be desirable for a commercially funded class action to be available on the facts alleged. This was because, regardless of what view of it is taken, the claim had no real prospect of success. However, the judgment reinforces that English Courts will continue to consider the best means of dealing with cases justly and proportionately.

What does all of this mean?²

The decision is undoubtedly a welcome one for any business that handles personal data. Had Mr Lloyd’s claim succeeded, the financial consequences for any business affected by a data breach resulting in the loss of control of personal data would have been potentially very significant. Indeed, it may have opened up an avenue for other compensable claims for other misuse of personal data, or perceived misuse.

The Lloyd case is in the vanguard of, and is widely seen as a test case in, a fast developing area of English law in which Claimant law firms are increasingly advancing claims seeking hundreds of pounds in compensation for classes of Claimants without having to prove any damage, where they are merely able to evidence a loss of control of personal data. Coupled with the “opt-out” representative action regime in the CPR, this has raised the spectre of potentially ruinous claims against organisations, brought without the need to incur the significant costs of proving individual damage. The UK Supreme Court put an end to that this morning, ruling that “the claimant’s attempt to recover compensation … without proving [damage] [was] doomed to fail”.

Distress based claims have also received recent criticism in the High Court³  and these, together with the Supreme Court’s ruling in Lloyd, reset the balance. The message from the judiciary is clear: not every data breach or unlawful processing of personal data is capable of giving rise to compensation.

The judgment is not the end of representative actions. Indeed, the Supreme Court reiterated their purpose and procedural advantages. However, to be able to bring a representative action the Claimants will have establish that their claims all satisfy the “same interest test”. That is likely to be costly and complicated for most data protection claims. Even if a database holding identical classes of information for one thousand individuals was comprised, it does not follow that each individual would suffer the same harm. Distress is inherently subjective. It may be simpler to bring an opt-out representative claim to establish common liability and then switch to individual claims or opt-in group claims to prove damage – and the Court did acknowledge the potential for a bifurcated approach (as outlined above)- - but the time and cost involved may well deter previously buoyant Claimant firms.

 

The judgment will almost certainly result in a reduction of opt-out “class” action claims for alleged infringements of data protection laws and will be welcomed with a sigh of relief by many organisations. Questions will now be raised (in particular by claimant law firms and litigation funders) whether English law provides a sufficient deterrent to organisations who break data protection laws if representative actions are not permitted for potentially serious breaches of law where there is only nominal damage caused to individuals. The answer under the UK GDPR is arguably yes there is sufficient deterrent with the power for the ICO to impose fines of up to 4% of worldwide annual turnover (although the facts of this particular case pre-dated the introduction of the UK GDPR).

Claimant law firms will no doubt describe the case as a loss for consumers but again the position is more nuanced. For starters, the experience in other jurisdictions with more mature class action regimes is that a very small percentage of compensation is ever paid out to the putative class. According to a recent US Federal Trade Commission report, the median claim rate in consumer class action is just 9%. Claimant lawyers and their funders on the other hand get paid very handsomely if they win or from settlements with businesses not wanting to run the risk of potentially ruinous damages awards even where the merits of claims are dubious. The decision will be welcomed by the UK Government which is currently consulting on the future of UK data protection laws post Brexit including clarifications to help enable and facilitate investment in innovative technologies such as AI. Had Lloyd won in the Supreme Court, this would certainly have presented another headwind to innovation and inward investment to UK PLC.

---

¹ [2015] EWHC 1482 (Ch)
² Whilst the case related to claims brought under the old DPA regime, civil claims arising from data incidents that are brought under the GDPR and Data Protection Act 2018 are likely to be interpreted in the same way.
³ See, for example, Warren v DSG [2021] EWHC 2168 (QB), and Rolfe v Veale [2021] EWHC 2809 (QB)