Lloyd v Google: closing floodgates and opening doors?
The Supreme Court has held that there is no entitlement to damages for the mere loss of control of data and has prevented representative actions from being used to bring such claims.
Summary
Last week, the Supreme Court handed down judgment in the highly anticipated case of Lloyd v Google LLC [2021] UKSC 50. The Supreme Court rejected the claimant’s attempt to use an opt-out representative action to represent a class of approximately four million iPhone users in England and Wales in a claim for compensation under the Data Protection Act (DPA) 1998 on the basis that: (i) a breach of the DPA 1998 was not actionable per se and, as such, it was necessary to establish individual damage or distress; mere loss of control was not sufficient; and (ii) given the need to establish individual damage or distress, it was not appropriate for Mr Lloyd’s case to be brought as an opt-out representative action.
It was alleged that for several months in late 2011 and early 2012 Google secretly tracked the internet activity of, potentially, millions of Apple iPhone users and used the data collected in this way for commercial purposes without the users’ knowledge or consent contrary to the Data Protection Act 1998 (DPA 1998) in force at the time. Mr Richard Lloyd, a consumer law activist, acting with financial backing from a litigation funder, brought a claim to represent everyone resident in England and Wales who owned an Apple iPhone at the relevant time (around four million people). Since Google is a US company this also required an application to serve out of the jurisdiction.
Key Legal Issues discussed
1. Representative Actions
Mr Lloyd’s case was brought as a representative action. Doing so was novel, and the approach appeared to mimic the process of US-style opt-out class actions. In UK collective proceedings, members of a potential class may be brought into a claim on an “opt-in” or “opt-out” basis. The opt-in model is far more established, for instance by the use of ‘Group Litigation Orders’ (or GLOs). Statutory opt-out proceedings have to date only been permitted in relation to competition claims. Representative actions are long established in English law and, per rule 19.6 of the Civil Procedure Rules, allow for a claim to be brought by (or against) one or more persons as representative of others without their consent (i.e. it is an ‘opt-out’ procedure) where those persons have “the same interest” in the claim.
As the claim was brought as a representative action, it was necessary for Mr Lloyd to establish that the class of four million individual iPhone users shared the “same interest” in relation to Google’s alleged breach of the DPA 1998, either in respect of the impact of the breach or in damages incurred.
It was accepted that individuals would have suffered different levels of harm and that it would, in practice, not have been possible to carry out the factual exercise of identifying who had suffered what particular levels of harm in order to define the appropriate class of claimants (e.g. by gathering evidence that each individual had an iPhone of the appropriate model with the relevant version of Safari, excluding those who opted out of the tracking mechanism and defining the level of distress or actual damage suffered by individuals). As such, the claimant sought to argue that it was possible to identify an “irreducible minimum harm” that was suffered by every member of the class as a mere result of having lost control over their data on account of Google’s breach. This “irreducible minimum harm” would be a uniform sum that was effectively the “lowest common denominator”, and it was Mr Lloyd’s argument that it could therefore be claimed as part of a representative action and it was not necessary to factually identify the actual harm or distress suffered by each member of the class.
The Court of Appeal accepted this argument. However, Leggatt LJ, giving judgment for the Supreme Court, held that the fundamental issue was that the facts provided by Mr Lloyd were insufficient to even establish that any individual member of the representative class was, in fact, entitled to damages.
Interestingly, Leggatt LJ did not reject the possibility that representative action could have been brought in this type of case. In particular, he suggested that a bifurcated approach might be appropriate. First, a representative action could have been brought to establish liability, i.e. whether Google was actually in breach of the DPA 1998. Each member of the opt-out class would have the same interest in relation to the issue of liability. Second, if breach was found, a claim for damages could be brought (assuming that the claims were still within the limitation period, which was not the case here) on an opt-in basis (for instance using a GLO) for any member of the representative class who had suffered damage and would therefore be entitled to damages. As Leggatt LJ flagged, such a process was unlikely to be economic for a litigation funder as the first stage of the process would not yield a financial return (either for the class or its funders). The economic return would only occur in the second stage for individuals who opted into the damages process.
2. Damages for loss of control of data
As set out above, Mr Lloyd argued that the class was entitled to a minimum level of damages on account of the mere loss of control over their data. In other words, Google’s breach of the DPA 1998 was actionable per se regardless of any loss or damage. The Court of Appeal accepted that an individual was entitled to recover compensation under section 13 of the DPA 1998 without proof of material damage or distress for mere loss of control of their data.
By contrast, the Supreme Court held (applying the decision in Vidal-Hall v Google Inc [2016] QB 1003, which related to the same technical breach by Google but where the individual claimants concerned had alleged particular damage and distress) that, under the DPA 1998, compensation could only be made if the data subject had suffered some material damage or distress. Leggatt LJ was of the view that the proper interpretation of section 13 DPA 1998 was that compensation was not available for ‘loss of control’ alone.
Closing floodgates
This judgment has been described as closing the floodgates on what could have been an entire industry of mass data breach litigation. The judgment also closely scrutinises case law on the use of representative actions, the tort of misuse of private information and claiming compensation under the DPA 1998.
Opening doors?
There are many interesting takeaways that have potential for further related claims:
Leggatt LJ considered that there was a potentially permissible option to use representative actions as part of mass data breach litigation that would avoid initial involvement of individuals (in the typical opt-out fashion) when considering issues of liability. This would involve a two-stage process whereby issues common to the claim of a class of persons may be decided in a representative action, which, if successful, can then form a basis for individual claims for redress. The second stage would be necessary as it was impractical to assess damage on a common basis without the individual’s participation in proceedings. Such a bifurcated approach is likely to present issues to litigation funders, but these may not be insurmountable.
Moreover, it is notable that the representative action in this case was framed on the “bare minimum” of evidence put forward by the claimant – the judgment did not deny that there were several avenues where the claimant could have succeeded if time was taken to define an appropriate class of individuals for the representative action and gather factual evidence around the circumstances of breach and damages as required by section 13 of the DPA 1998, or even under a separate claim for misuse of private information if evidence was provided to show a “reasonable expectation of privacy”.
An opt-in class action brought through a GLO remains an option for victims of mass data breach under CPR rule 19.11 and 19.12. In July of this year, British Airways settled a class action brought by thousands of customers impacted by a major 2018 cyber-attack and resultant personal data breach. GLOs suffer the drawback (that the claimants in this case took every opportunity to avoid) of high administrative costs in determining who is eligible for the use of this type of action and gathering evidence to prove the quantum of loss in each case in comparison to the opt-out mechanism Mr Lloyd attempted to use. Administrative costs also tend to act as a deterrent to each individual user, whose actual claim amount could be quite small.
The Supreme Court’s judgment expressly limited itself to considering the issue in the context of the DPA 1998. There is no commentary on the DPA 2018 and the General Data Protection Regulation (GDPR). While it is not clear that the corresponding provisions in the DPA 2018 would lead to a different result, it would not be surprising if claimants sought to test that prospect.
This case has been tested through the lens of an application to serve out of the jurisdiction. This means that Google has never been required to serve a defence in this case and that, in itself, may be a possible pathway to a related claim as much of Mr Lloyd’s case remains untested.
Scope for parliamentary involvement?
Mr Lloyd’s claim was brought as a representative action in the absence of any statutory framework allowing for opt-out data breach claims. Following this judgment, it will be interesting to see whether a legislative framework for data litigation mass claims may emerge aligning with the approach taken under competition law. In competition mass claims, proceedings can be brought on an “opt-out” basis, without the need to prove members of the class have individually suffered loss, as long as the set statutory criteria are satisfied and there is proof of loss suffered by the class as a whole. Earlier this year, the UK government concluded that there were insufficient failings in the current regime to warrant new opt-out proceedings for infringements of data protection legislation as “there are mechanisms elsewhere in the law which allow collective action proceedings against data controllers for breaches of data protection legislation”. The Court of Appeal’s now defunct decision in Lloyd v Google was cited as one such mechanism. Another consultation is currently ongoing and considering similar issues. Given the Supreme Court’s judgment, there may be some pressure on the Government to change course.
In the meantime, the Supreme Court’s decision is a boon for data controllers but bad news for consumer activists. The Court of Appeal had allowed for the representative action and noted that it was relevant that the limitation period for individual claims had passed and, as such, the action was the only opportunity for individuals to receive compensation. The judgment noted that the allegations were broad and involved Google collecting information far beyond a user’s internet surfing habits, including their interests, pastimes, race, ethnicity, social class, political or religious beliefs or affiliations, health, sexual interests, age, gender and financial situation – all without the user’s consent. The Supreme Court also recognised that in the absence of a mechanism akin to that which Mr Lloyd sought, the economics of litigation together with the very low value of damages on a per person basis meant that there might be no effective remedy for the breach.
