Lloyd v Google – the Supreme Court decision and its impact on data litigation
09 December 2021
Now that the dust is settling on the long-awaited judgment of the Supreme Court in Lloyd v Google, it is worth reflecting how we ended up here, as well as what it means for the future of data litigation. After all, Lloyd v Google [1] was the case that was set to determine whether floodgates would open in the UK when it comes to ‘opt-out’ data & privacy class actions.
Following much anticipation and conflicting decisions as the case progressed through the courts, the final result is in: it’s the end of the road for Mr Lloyd and his representative action. The Supreme Court unanimously allowed Google’s appeal and restored the order made by Mr Justice Warby at first instance. It means that the claim failed at the first hurdle, with permission to serve outside the jurisdiction being refused.
How did we get here?
If we cast our minds back to the heady days of 2018 when the GDPR was coming into force, there was a lot of talk of the spectre of large-scale data litigation. The rationale was that the GDPR’s increased emphasis on transparency would increase awareness among data subjects which, in turn, would prompt them to seek to enforce their rights – including to compensation under Article 82. It was reasoned that the mandatory breach notification regime would only aggravate the situation by giving those affected a heads up about an incident. An ability for not-for-profits to bring representative claims on behalf of data subjects under Article 80 GDPR raised concerns further, especially with the launch of the likes of Max Schrem’s NOYB, a very active not for profit organisation, set up by the notorious privacy activist.
“Opt-in”
Before the GDPR, data & privacy claims could be, and were, brought by large numbers of claimants. Claims related to trade union black-listing, phone-hacking and the data breach at Morrisons are all well-publicised pre-GDPR examples. Different procedural mechanisms could be used to bring such claims. Some were ‘informal’ in nature, as the court rules allow for any number of claimants and defendants to be joined as parties to a claim, and for persons to be added or substituted to an existing claim. Others were based on a more formal procedure using group litigation orders (GLO). A GLO is an ‘opt-in’ procedure which provides a case management framework for managing individual claims that “give rise to common or related issues of fact or law”.
Both mechanisms are, however, challenging to implement on the basis it is logistically difficult to bring ‘opt-in’ claims on behalf of large numbers of claimants. Such claims invariably require a lot of administration (and therefore expense); and most data subjects don’t really seem to care enough to take positive steps to opt-in. By way of example, in the Morrisons litigation less than 10% of those affected signed up. Importantly, opt-in claims also need to be economically viable in their own right, with the result that low-value claims are rarely worth bringing.
“Opt-out”
But what if a claim could be brought by a representative claimant on behalf of a defined class of data subjects unless they ‘opted-out’? If that were possible, then those difficulties might be avoided; and in a digital world where a single issue can affect millions of people, a large collection of low-value claims could be rolled into a single, substantial one.
The appeal to claimant lawyers and litigation funders was clear. Donning their creative hats, they blew the dust off a relatively little-used but longstanding ‘opt-out’ mechanism called a ‘representative action’ found at r.19.6 of the Civil Procedure Rules (‘CPR’). This enables a representative claimant to bring a claim on behalf of members of a class who have the ‘same interest’. It makes it possible to automatically include a claimant if they are part of a defined class without having to obtain their authorisation.
The difficulty, however, is that data & privacy claims are inherently personal. This means that interests vary from one person to another, so bringing an action based on a cohort of people all of whom are said to have the same interest is problematic. As Warby J famously put it at first instance: “Some people enjoy a surprise party.”
What’s the claim about?
So what is all the fuss about and why did this case make it all the way to the Supreme Court? This was essentially a test case brought to try and establish an “opt-out” class action procedure for data & privacy claims in England and Wales.
Mr Lloyd is a former director of Which? and the representative claimant in an opt-out representative action brought by him on behalf of a class of more than 4 million iPhone users in the UK. The claim alleged that over a period in 2011 - 2012 Google breached its statutory duty under the Data Protection Act 1998 (‘DPA’) by secretly tracking some of the internet activity of those users for commercial purposes in what is referred to as the ‘Safari Workaround’.
The underlying facts had previously been the subject of litigation (see Vidal-Hall v Google). But this time round the stakes were higher given a crucial difference. In 2014, there were 3 claimants each claiming damages for distress based on facts specific to their individual claims. Now, there were more than 4 million class members and Mr Lloyd was claiming a uniform amount by way of damages (i.e. an equal, standard ‘tariff’) on behalf of each member without seeking to rely on any personal circumstances affecting those members, such as distress.
Instead of alleging distress, the damages claimed this time round were generic and did not depend on any individual characteristics or individual experiences. Rather, damages claimed were to reflect:
(1) loss of control over personal data. Here Mr Lloyd sought to read across to data protection claims reasoning from a phone-hacking claim for misuse of private information where simply losing control of private information was recognised as a harm. His view was essentially that ‘loss of control’ meant that a person was entitled to compensation for a breach of data protection law without having to prove damage or distress; or
(2) alternatively, the value of the use to which the data were said to have been put by Google.
Whilst no specific figure was put on the ‘tariff’, a figure of £750 was advanced in the claim letter. Multiply the tariff by the number of class members, and you start to get a sense as to why all eyes in the data community (and many beyond) have focused on this case. A potential liability here in the £ billions makes the ICO’s £20 million BA fine (its biggest to date) look like chump change.
The litigation journey
The High Court – “officious litigation”
At first instance, Mr Justice Warby refused Mr Lloyd permission to serve a representative claim out of the jurisdiction on the Delaware-registered corporation. This prevented the claim from getting underway. He essentially saw the claim as officious litigation where the only beneficiaries would be the lawyers and litigation funder.
For permission to be granted, a claimant needs to establish various matters, including that the claim has a reasonable prospect of success and falls within a jurisdictional ‘gateway’. DPA contraventions are torts and there is a tort gateway. But to have a reasonable prospect of success, the claim needs to disclose a reasonable basis for seeking compensation under the DPA (the DPA issue); and that there is a real prospect that the Court would permit the claim to continue as a representative action (the representative action issue).
On the DPA issue, Warby J’s approach is best encapsulated in the following passage of his judgment:
“I do not believe that the authorities show that a person whose information has been acquired or used without consent invariably suffers compensatable harm, either by virtue of the wrong itself, or the interference with autonomy that it involves. Not everything that happens to a person without their prior consent causes significant or any distress. Not all such events are even objectionable, or unwelcome. Some people enjoy a surprise party. Not everybody objects to every non-consensual disclosure or use of private information about them. … In short, the question of whether or not damage has been sustained by an individual as a result of the non-consensual use of personal data about them must depend on the facts of the case. The bare facts pleaded in this case, which are in no way individualised, do not in my judgment assert any case of harm to the value of any claimant’s right of autonomy that amounts to “damage” …”.
On the representative action issue, he concluded that:
(1) Mr Lloyd and the class do not all have the ‘same interest’ because the nature and extent of the breach and impact on individual class members will have varied greatly;
(2) it is impossible to identify all class members because unaffected users cannot be identified and excluded – the problem being one of verification; and
(3) the Court’s discretion would in any event be exercised against the continuation of the action as a representative action because of the costs generated, court time consumed, modest levels of damage sustained and recoverable, funders and lawyers being the main beneficiaries of any award, absence of complainants coming forward over the years, lack of authorisation by class members, and difficulties in identifying members of the class.
The Court of Appeal – “access to justice”
On appeal, the Court of Appeal (CA) unanimously overturned Warby J’s decision. It saw the case as an access to justice issue.
Here’s a summary reminder of the 3 issues determined by the CA and its reasoning on each:
1. Can a claimant recover uniform damages without proving pecuniary loss or distress?
Yes. That’s because the loss was characterised in terms of a loss of control or autonomy over personal data. Since a person’s control over data has a value, the loss of that control must also have a value.
2. Do the class members have the ‘same interest’ and are they identifiable?
Yes. They all have the ‘same interest’ – a requirement to bring a representative claim under CPR r.19.6(1) – because all the claimants will have had their browsing data, something of value, taken without consent in the same circumstances in the same period. No personal circumstances of individual claimants were being relied on, though this would reduce damages to the lowest common denominator. Further, all members were identifiable by reference to the ‘same interest’ test – identification not being the same problem as verification.
3. Could Warby J’s exercise of discretion be vitiated?
Yes. The Judge could take into account matters such as his view that the main beneficiaries of the claim would be the funders and the lawyers, that the litigation would generate significant costs, that the amount recovered by each class member would be modest, and that none of the millions of affected individuals had complained. However, the inability to identify members of the class and that members of the class had not authorised the claim were irrelevant matters – the class was identifiable and authorisation not required.
Unsurprisingly perhaps given what was at stake, Google appealed and the case was referred to the Supreme Court.
The Supreme Court’s decision – the decider
On appeal, the two key issues before the Supreme Court (SC) were as follows:
1. Loss of control of data and damages
The SC held that compensation cannot be awarded for a contravention of the DPA in and of itself. It is necessary to establish an individual has suffered damage, i.e. material loss or mental distress, as a result of the contravention by the data controller.
Secondly, in order to assess compensation, it would be necessary to establish the extent of the unlawful processing on an individual basis, rather than awarding a uniform sum as proposed by Mr Lloyd. Leggatt LJ set out a list of relevant factors to consider at paragraph 144 of the judgment:
“over what period of time did Google track the individual’s internet browsing history? What quantity of data was unlawfully processed? Was any of the information unlawfully processed of a sensitive or private nature? What use did Google make of the information and what commercial benefit, if any, did Google obtain from such use?”
In other words it is necessary to show that an individual has (i) suffered a breach of their rights and (ii) suffered damage, i.e. material loss or mental distress, as a result of that breach. This was not the case here. While a breach of their rights under the DPA may have occurred, no evidence was presented to demonstrate damage on an individual basis.
2. Whether the claim is suitable to proceed as a representative claim.
In short, while such a claim could theoretically proceed as a representative claim it could do so only for the purposes of establishing liability and not to quantify any damages as evidence of an individual’s own circumstances would need to be brought before the court. There would need to be a two-stage or “bifurcated process” where liability could be established by representative claim without seeking damages and then used as the basis for individual claims for compensation. The SC held that there was “no legitimate objection” to a two-stage or bifurcated process However, Leggatt LJ acknowledged this was unlikely to be cost effective. No two-stage process was proposed in this claim and therefore Mr Lloyd’s claim failed.
In light of this, the SC unanimously allowed the appeal and restored the order made by Mr Justice Warby. In other words, the claim could not succeed and permission to serve outside the jurisdiction was refused. It was the end of the road for Mr Lloyd and his representative action.
Commentary
The SC judgment is something of a double whammy when it comes to data & privacy litigation in the UK in that it delivers blows to:
1. Loss of control damages under the DPA, by reiterating that a claimant must prove damage in order to successfully bring a claim. But what about claims brought under the UK GDPR? Whilst this case was decided under the historic regime, section 13 of the DPA and Article 82 UK GDPR are similar in both substance and approach: the wording of each provision distinguishes between the breach giving rise to the damage, and the damage itself. This leads many to speculate that the outcome is unlikely to be different under the UK GDPR. Meanwhile, the question of whether a mere breach of the GDPR is, in and of itself, sufficient for the award of damages has been referred to the CJEU in the Austria Post case. Whether that will, in due course, influence the courts on this side of the Channel is another matter.
2. Representative actions, by requiring an individualised assessment of what happened to each individual class member, something which goes against the very reason for being of such actions; i.e. to avoid the need for individual class members to participate. That requirement is likely to affect claims not just under the DPA, but also for misuse of private information: although loss of control damages are still available under that cause of action, an individual assessment based on evidence of the facts particular to each individual would still be required. Whilst Leggatt LJ made it clear that representative actions still have a role to play, that role is just to determine the issue of liability. As such, with the issue of damages to be resolved separately, at first blush they are unlikely to be economically viable to bring using this bifurcated approach, though claimant lawyers and litigation funders will doubtless be pondering over a way to make them work (e.g. using GLOs for the second stage), and re-evaluating the various other representative actions which were stayed pending the outcome in this case.
Whether those blows are knock-outs, therefore, remains to be seen.
Meanwhile, what of the types of data & privacy claims most clients will at some point receive through their letterboxes? You know, the template cut and paste jobs by armies of paralegals of low-to-no value claims relating to the most minor of incidents or alleged transgressions. Those claims are founded not so much on loss of control, but on the distress claimants say they have suffered.
In those instances, whilst there are some helpful passages in this decision, it is to a number of other decisions coming out of the High Court that practitioners will turn. In a data breach context, we’ve previously written about how Warren v DSG (read our article here) affects claimants’ ability to recover ATE insurance premia following attacks by external threat actors.
But it is three cases – Rolfe v VWV, Johnson v Eastlight and Ashley v Amplifon – which are providing increasingly helpful insights on determining whether the requisite but hitherto obscure minimum threshold of seriousness has been met. Interestingly all three relate to misdirected emails. In those cases, the High Court either struck out the claim (with an award of indemnity costs); or allocated it to the Small Claims Track where, much to the claimant lawyers’ chagrin, costs cannot be recovered. Since those cases are, in reality, only about the claimant lawyers’ costs, it is hoped that the direction of travel will be to render them economically unviable. Watch this space.
[1] Lloyd v Google