Lloyd v Google
In a long-awaited decision, the Supreme Court has rejected the attempt to bring a class action against Google relating to the unauthorised tracking of iPhone users. The Court upheld Google's appeal against the decision of the Court of Appeal, and decided that the claim had no prospect of success.
The decision has significant implications for group claims for breach of data protection legislation, and effectively shuts the door on the prospect of US-style class actions for data breaches.
Background
Richard Lloyd, a former director of Which?, issued a representative claim against Google on behalf of 4.4 million iPhone users in England and Wales, alleging that Google breached its duties as a data controller during 2011-2012, through its use of the so-called Safari Workaround. This allowed Google to collect the personal information (such as age, location and browsing activity) of iPhone users running Apple's Safari browser, without their consent, through a third party cookie known as the "DoubleClick Ad cookie".
The story so far
Although class actions are common in the USA, in the UK there is no statutory framework permitting "opt-out" class actions seeking compensation on behalf of a group of people affected by the same issue, except in the specialist field of competition law.
Mr Lloyd therefore sought to bring a claim under the "representative action" procedure. This is a long-standing procedure whereby a claim can be brought by one person as a representative of others who have the "same interest" in the claim. A damages sum of £750 per person has been suggested which would have produce an award of damages of around £3 billion.
In 2018, Mr Lloyd applied for permission to serve proceedings on Google outside the jurisdiction in the USA. This was dismissed by the High Court on the basis that the represented group had not suffered the same loss and so did not have the same interest in the claim. This decision was reversed by the Court of Appeal in October 2019. The Court of Appeal held that the represented claimants did have the same interest as they were all entitled to compensation for loss of control over their personal data.
The Supreme Court has now restored the High Court's decision.
The decision
Mr Lloyd accepted that, in order for his claim to succeed, he would need to show that all of the affected individuals suffered the same loss. The representative procedure could not be used if compensation needed to be assessed individually for each person.
To overcome this difficulty, he argued that individuals are entitled to damages for any non-trivial breach of the Data Protection Act 1998 (the "DPA") without needing to prove financial loss or distress i.e. they were entitled to damages for the mere loss of control of their data. Alternatively, he argued that each individual was entitled to damages equivalent to the amount they could have charged Google to permit it to do what it did with their data (so called "user damages").
The Supreme Court comprehensively rejected these propositions.
It examined the wording of the relevant provisions of the DPA and concluded that damages were only available for financial loss or distress There was no basis for an entitlement to compensation based solely on the fact of contravention of the DPA by the data controller. The Court refused to carry over principles from the tort of misuse of private information (where claimants can be compensated for the loss of their right to control the use of private information) into the sphere of data protection legislation. The two regimes were distinct and the factors which supported compensation for loss of control in misuse of private information would not necessarily apply in data protection claims.
For the same reason, "user damages" were not available, as without an assessment of each individual's circumstances, they would also equate to damages for the infringement itself, which is not permitted under the DPA.
The Court acknowledged the long-standing principle that a threshold of seriousness applies to claims under data protection legislation and that damages will not be available in trivial cases which do not meet this threshold.
Implications
The decision will have two major implications:
1. In practice, representative claims for data protection breaches will now be very difficult, because an individual assessment of damages would always need to be undertaken, so claimants would not have the "same interest". This will be welcome news for organisations which have suffered large scale data breaches and are concerned about follow-on damages claims. While it remains possible for group claims to be pursued under a Group Litigation Order (where individual claimants' claims are managed together), this procedure is much more complex and costly, as it requires each claimant to prove their own case on damage.
The Supreme Court acknowledged that claimant groups could follow a bifurcated process, whereby a representative claim is pursued to establish liability, with individual claims dealing with the damages element to follow. However, in the context of data protection claims, where individual damages awards are often very low, this may not be economically viable and is unlikely to be appealing to the litigation funders on whom class actions rely.
2. The question of whether individuals can recover damages for loss of control of data has been decisively answered – they cannot. In recent years, claims for breach of data protection legislation have proliferated, with claimants relying on the principle that damages are recoverable for the mere fact of the breach. The Supreme Court has made clear that damages are only available under data protection legislation to compensate for financial loss or distress. This raises the evidential bar for claimants and is likely to result in fewer claims being asserted for minor data breaches
While this claim was brought under the pre-GDPR legislative framework, the principles should apply equally to claims under the GDPR and Data Protection Act 2018.
The judgment can be read here.