Headnote: Whilst the scope for bringing such data-related class actions may have been largely reduced, this article suggests that the Supreme Court decision may have left some potential routes open and that the logic around the 'same interest' requirement could be tested by other claims in the future.
November 2021 saw the Supreme Court give judgment in Lloyd v Google, the representative action brought on behalf of around 4 million Apple iPhone users whose personal data Google allegedly obtained without consent in the period 2011-12. The judgment has significant implications for the UK data breach class action landscape, not least because it reduces the attractiveness - from a legal, practical and economic perspective - of bringing such group claims. This article discusses, in light of the Supreme Court's judgment, what the future might look like for data class actions.
In Lloyd v Google, the sole claimant acting for millions of Apple iPhone users sought compensation under s.13 of (the old) Data Protection Act 1998 ('DPA 1998') for alleged damage suffered by the class members through Google's unlawful processing of their data. It was alleged that Google secretly, and without consent, tracked the users' data through their 'DoubleClick Ad' third-party cookie.
UK Class Actions:
The representative action procedure in Lloyd v Google has its basis in Rule 19.6 of the Civil Procedure Rules ('CPR'), which specifies that a claim may be brought by a representative who has the 'same interest' in the claim as the persons represented. Since there is no requirement that the represented class members consent to the proceedings, claims brought via this means are effectively of an 'opt-out' nature; they enable the representative(s) to bring their claim on behalf of all class members with the 'same interest' unless any of those class members obtain, through their own initiative, a court order which excludes them from being represented or from being bound by any judgment. Such a claim is clearly attractive for litigation funders, who often spearhead these class actions, because it saves them time, money and resources compared to an 'opt-in' claim.
A well-known example of an 'opt-in' regime is a 'Group Litigation Order' made under CPR Rule 19.11, allowing the court to manage together individual claims which give rise to 'common or related issues of fact or law'. Since this procedure is an opt-in one, it requires litigation funders to publicise widely the proceedings and to obtain evidence from prospective members of the class to verify their eligibility. Opt-in claims can be high-risk for litigation funders because, if, ultimately, not enough class members opt in, and those that do opt in have low-value claims, the class action for damages is no longer financially viable. As the Supreme Court indicated in Lloyd, it was these pragmatic, commercial reasons that probably led the claimant to pursue a representative action under CPR Rule 19.6, the opt-out style claim. However, this latter claim, as mentioned above, has a 'same interest' requirement, and the Supreme Court's interpretation of that requirement in Lloyd is likely to make the representative action route less attractive in future data breach group claims.
The Issue of Damages:
The Supreme Court in Lloyd held that the scope of claiming damages in a representative action is limited by the compensatory nature of damages at common law, which aim to put the claimant in a position as if no wrong had taken place. This typically requires an individualised assessment of damage caused to each class member in order to determine the scope and extent of any damages award. This, the Supreme Court held, was inconsistent with the 'same interest' requirement in Rule 19.6. The claimant had attempted to circumvent this problem by arguing that s.13 DPA 1998 allows damages awards for mere 'loss of control' of data (beyond just trivial loss), and therefore no individualised assessment of damage would be necessary. The claimant argued instead that a uniform per capita sum of damages could be awarded of around £750 per class member, which would be the 'lowest common denominator' of individualised damage. The Supreme Court rejected this analysis: (1) first, it held that s.13 DPA 1998 must be interpreted as requiring financial loss or mental distress, as opposed to mere loss of control; (2) second, it held that even if this was incorrect, the loss of control analysis would still require proof of the extent of Google's unlawful processing in each individual case so as to determine what damages should be awarded. Although the claimant had wished to avoid any inconsistency with the 'same interest' requirement by advocating a 'lowest common denominator' approach, on the particular facts of Lloyd such an approach would only give rise to de minimis damage which could not be recovered.
The Overall Result:
The Supreme Court more or less confined the representative action for data breach claims to the first stage of what they referred to as a two-stage 'bifurcated approach'. They opined that the claimant in Lloyd would have been entitled to bring a representative action against Google to establish whether they were in breach of the DPA 1998 and, if so, seeking a declaration that any class member who sustained damage as a result of Google's breach is entitled to compensation. This is because the class members' claims raise common issues for the purposes of establishing liability.
After obtaining such a declaration, the Supreme Court observed that the representative claimant could then initiate a second group claim, the aforementioned 'Group Litigation Order' made under CPR Rule 19.11, which is an opt-in claim allowing several individual damages claims to be heard together. However, for the reasons listed earlier, it will not always be financially viable for litigation funders to bring group data claims using this bifurcated approach, since there is a high risk that they will not get enough class members to subscribe to the class for the purposes of the Group Litigation Order, and even if they did, the risk and expense of having to successfully prove a host of damages claims on an individual basis is rather high. Therefore, the Supreme Court's judgment may dissuade litigation funders from pursuing class action data claims.
It might be argued that a declaration of Google's liability would be enough of a victory for the claimant, insofar as it would put pressure on Google to settle with each individual class member. However, this may be too much of a risk for litigation funders to take. Indeed, the Supreme Court's emphasis on individualised assessment being fatal to a representative action claim may even prevent some representative actions being brought at the first stage of the bifurcated approach - seeking a declaration establishing Google's liability. Whether data has been processed fairly in relation to the data subject in accordance with Article 5(1)(a) GDPR is one example of a liability matter which might depend on the individual circumstances of the class members.
It should, however, be noted that the Supreme Court did leave the representative action route open in two circumstances where damages were being claimed. Firstly, where the damage was calculated on a basis common to all the class members, as where the members acquired the same product with the same defect which lowered its value by the same amount. Secondly, where loss sustained by the class as a whole can be calculated without reference to the losses sustained by individual class members, as in EMI Records v Riley where members of a music industry trade association had a common interest in claiming damages for breach of copyright in selling pirated recordings. One might ponder which examples in the data privacy sphere would be analogous to one of these two scenarios, and whether these carve-outs provide a possible basis for representative actions for damages in data claims in the future (particularly in relation to the somewhat broader second scenario). However, in order to remain faithful to the tone of the Supreme Court's judgment, future courts would need to be careful not to open any litigation floodgates.
Future Avenues for Data Breach Class Actions:
A big question mark is whether the legal position will be the same under the GDPR or UK Data Protection Act 2018 - the latest set of privacy laws. The Supreme Court limited its judgment in Lloyd to construing the DPA 1998, since that was the legislation in force at the time of Google's alleged breach.
On the one hand, it is arguable that Recital 85 GDPR, referring to loss of control as a form of non-material damage, may militate in favour of a different interpretation of damage under the GDPR. On the other hand, Article 82 GDPR is materially similar to the earlier (now repealed) Article 23 of the Data Protection Directive, referring to 'any person who has suffered... damage as a result of an infringement of this Regulation', thereby establishing a distinction between the data controller's breach and the damage suffered, which is what prompted the Supreme Court to decide in Lloyd that mere loss of control was not sufficient damage under s.13 DPA 1998. The interpretation of Article 82 GDPR is being tested before the European Court of Justice, and English courts might take that outcome into account. Though, as far as representative actions are concerned, even if the position were to be different under the GDPR, loss of control may still entail an individualised assessment of damage. The Supreme Court in Lloyd was prepared to assume, without deciding, that a court could in its discretion allow for a 'lowest common denominator' approach to damages in a representative action, thereby avoiding the problem of not satisfying the 'same interest' requirement, but on the facts of Lloyd this would have meant the damage was de minimis. One is left wondering whether, if this approach to damages were to be accepted, and if a class were to be defined more narrowly in the future such that the 'lowest common denominator' of individualised damage is substantial, a representative action might succeed.
Following Lloyd, what satisfactory avenues do claimants have to bring data breach class actions? Leaving aside the potential carve-outs mentioned in this piece, the representative action procedure has been somewhat sidelined for data breach damages claims. The opt-in Group Litigation Order, although possibly effective for high-value or high-volume claims, is unlikely to be viable in many cases. Looking beyond those two claims, unlike the US, the UK does not have a generally applicable opt-out class action regime. Instead, the UK Parliament legislates for opt-out class actions in specific areas, as it has done so far for competition law cases - importantly, in competition cases, liability can be established and damages awarded without individualised assessment. However, in February 2021, the UK government concluded that there were not strong enough grounds to introduce an opt-out class action regime under the GDPR. Against this background, it is unlikely that we will see the introduction of a specific legislative regime for bringing opt-out data breach actions any time soon. It is also doubtful whether any such regime would be beneficial, given that it could result in excessive litigation and be a substantial burden on companies and in turn the wider UK economy.
Overall, the Supreme Court's judgment in Lloyd will have increased the risk for litigation funders in conducting data breach group actions in the UK. This will come as a relief to data controllers, but it does not remove the prospect of such actions entirely, and it by no means enables them to infringe data subjects' rights with impunity - they also need to consider their exposure to ICO enforcement and to consider whether litigation in other jurisdictions such as the US will confront them.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
