Lloyd v Google LLC Decision - Can data privacy claims be subject to class actions?1

The UK Supreme Court unanimously refused to give permission to serve a claim form outside of the jurisdiction in respect of a representative action brought against Google by Lloyd ("Claimant") in United Kingdom with its judgement Lloyd v Google ("Decision") on November 10, 2021. The Decision provides important considerations regarding compensation claims within the scope of personal data disputes. In terms of compensation claims with respect to personal data, the court evaluated that the damage had to be proven. Accordingly, the Decision is of great importance for data controllers. The Decision is also significant in terms of its assessments on class actions regarding personal data claims, as it leads to the court deciding that the compensation claims with respect to personal data cannot be subject to class action.

Background to the case

Between 2011 and 2012, before GDPR and the UK Data Protection Act 2018 were passed, Google had issues in the roll-out of its new advertising features on Apple's browser Safari.

In implementing a workaround so that the roll out would operate on Safari browsers, Google was able to bypass certain protections against third party marketing in the browser and place "DoubleClick" ad cookies without the consent or knowledge of Safari users.

Having placed these cookies, Google was able to collect Safari users' data without their knowledge or consent for commercial purposes, which enabled advertisers to target advertisements at users based on their browsing history.

Regulatory action in respect of these allegations had already concluded in the US, and the UK courts had already heard a claim in respect of the same series of events brought by different data subjects (Vidal-Hall v Google Inc). The claim in Vidal-Hall, however, was not brought on behalf of a class and was more widely pleaded than the instant claim (e.g. it alleged that Google had tortiously misused the Claimants' private information).

The Claimant, a consumer rights activist, sought compensation under the Data Protection Act 1998 ("DPA 1998") from Google, arguing that the workaround allowed Google to secretly track the activities and collect data without the consent and that the group should be compensated.

What was the claim?

The Claimant was attempting to bring this case on behalf of the entire population of iPhone users in the UK during the period while Google was using the Safari workaround - this numbered approximately 4 million individuals. "Class actions" of the style prevalent in the US are much more limited under UK law. However, the Civil Procedure Rules do allow claims to be brought by an individual representing a group of people who have the "same interest" in the claim.

The Claimant argued that the "same interest" requirement was satisfied because all individuals affected by the Safari workaround had suffered from the "loss of control" of their data. The Claimant further argued that since the same interest requirement is satisfied, there was no need to investigate individual circumstances to determine the compensation case by case. The damages claimed for each individual were £750 and with 4 million users affected, this meant Google's potential pay out would reach the £3 billion mark.

As Google was incorporated in the US, the Claimant needed permission from the court to serve the claim form outside of the jurisdiction. Google contested the application made by the Claimant for permission to serve, on the basis that "loss of control" damages were not permissible under the DPA 1998 without proof of financial damage or distress, and that the claim was in any case not suitable for a representative action.

At first instance, the court decided in Google's favour and refused permission to serve. This was reversed in the Court of Appeal, and then appealed to the Supreme Court.

What does the Decision say?

The Supreme Court unanimously agreed that the claim for damages had no prospect of success, and therefore upheld the trial judge's ruling refusing the Claimant permission to serve the claim on Google.

Representative Actions in General

The court began its evaluations with a detailed analysis on representative procedure and stated there were six key principles which had to be taken into consideration when deciding whether to allow a representative action to proceed:

  1. The representative has to have the "same interest" in the claim as the persons represented.
  2. The court has a wide discretion about whether to allow a representative action to proceed.
  3. The representative does not need the consent of other class members in order to act as the representative. Indeed, it is possible for the class members to be entirely unaware that the representative action has been brought on their behalf.
  4. There is some degree of flexibility in how the class may be defined.
  5. The represented persons that are non-party to the representative action are generally not liable to pay any costs incurred in the claim.
  6. The scope for claiming damages can change in different circumstances. For some cases individual assessment may be needed. Where there is a common issue between the class, then the damages may be claimed by a representative action.

Lord Leggatt (Judge of the Supreme Court) outlined that in principle a representative action could be used to establish the data controller's liability and whether it had acted in breach of the DPA 1998. Further to establishment of the data controller's liability, the Claimants could have claimed compensation with separate proceedings. Accordingly, the award of damages could be evaluated particular to their circumstances by evaluating how long they were affected by the Safari workaround, what type of data was lawfully processed, how much data was unlawfully processed, etc. However, this approach was not used in the relevant case and the compensation was claimed with a representative action.

Damages under the DPA 1998

The Claimant made two arguments.

The first argument is that data subjects were entitled to compensation under s.13 of the DPA 1998. The Claimant argued that when a data controller failed to comply with any of the requirements of the DPA 1998, it would constitute a loss of control and compensation could be claimed. The court rejected this argument and held that a claim for loss of control of personal data in the sense argued for by the Claimant was not "damage" within the meaning of the DPA 1998. Contravention of the regime itself was not the same thing as damage, and the damage an individual had to suffer was material damage (i.e. financial loss, physical or psychological harm) or, in certain cases, distress caused by the unlawful processing of data. On that basis, the alleged loss of control of the users' data was not enough and the Claimant instead had to prove damage resulting from that breach, which could only have been done on an individualised basis.

The second argument was that each member of the class was entitled to claim "user damages (a type of damages readily awarded in tort)". The court determined that the principles on which these "user damages" are awarded do not apply to compensation claims under the DPA 1998. This is because compensation for breaches of the DPA 1998 could only be awarded in accordance with s.13 where material damage or distress has been suffered.

Having emphatically decided that the claim was not sustainable in the absence of evidence that the individual had suffered material damage or distress, the court considered whether the claim would proceed without this evidence. It concluded that the representative claim would nevertheless have failed. The extent of the unlawful processing would still need to have been determined in each individual case in order to establish the level of damages to be awarded because there would be been differences between users in the period for which they were affected, the quantity and sensitivity of data unlawfully processed, and the commercial benefits derived from this by Google.

Key takeaways:

The Decision has provided some welcome further clarification of how the UK courts will approach data protection compensation claims and attempts to bring actions in respect of a representative class.

The key result of this Supreme Court ruling is the major implications it has on representative actions. Indeed, it seems highly unlikely now that any claimants wishing to make use of this type of representative action will be able to do so in the context of a data misuse claim, except perhaps to obtain declarations of liability against a controller.

As regards the data protection implications of the Decision, the case is undoubtedly another very welcome development for data controllers. Although the Decision is not applicable to GDPR because it has decided under the old UK law, a number of the principles set out in the Decision seem to be highly relevant to the current UK laws. In particular, contravention of data protection laws alone is not sufficient to launch a successful claim, and individuals must be able to demonstrate damage to a court's satisfaction. Furthermore, claims in respect of loss of control of personal data based purely on GDPR breaches seem to be unsustainable going forward.

Footnote

1. This article has been co-authored by Paul Glass, James Parker and Natasha Denton to be published at bakermckenzie.com and has been amended for the purposes of this Digest. To see full text please refer to: https://viewpoints.bakermckenzie.com/post/102hbq2/lloyd-v-google-llc-what-limits-are-there-on-data-protection-class-actions

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.