In the high-profile case of Lloyd v Google LLC [2021] UKSC 50, the Supreme Court handed down its final judgment in November 2021.
Following a two-day hearing, the judgment overturned the Court of Appeal’s decision to allow Mr Lloyd to continue his representative action against Google.
The case attracted a great deal of interest from lawyers and consumer rights groups as it could have allowed a group action to be brought on behalf of many claimants for loss of control of personal data, without each claimant needing to be individually identified but still entitling them to compensation.
Background of the Lloyd v Google case
The claim was bought by Richard Lloyd, a former executive director of the UK Consumers’ Association, alleging Google LLC breached its duty as a data controller under section 4(4) of the Data Protection Act 1998 (‘DPA 1998’) to comply with the data protection principles set out in Schedule 1 of the DPA 1998.
The claim alleged that between 9 August 2011 and 15 February 2012, Google secretly tracked the internet activity of millions of Apple iPhone users and used the data collected in this way for commercial purposes without the users’ knowledge or consent.
Google did this through the Safari internet browser developed by Apple and installed on its iPhones.
At the relevant time, and unlike most other internet browsers, Safari was set by default to block third-party cookies.
Cookies are small blocks of data placed on a device when the user visits a particular webpage. Third-party cookies are not placed on the device by the visited website, but rather a third party whose content is included on the website. Over time, third-party cookies can gather information about the user’s internet use and then enable the delivery of advertisements targeted to that particular user in accordance with their browsing history.
In this case, Google’s DoubleClick Ad Cookie would be placed on a device if the user visited a website that included DoubleClick Ad content.
The DoubleClick Ad cookie enabled Google to identify visits by the device to any website displaying an advertisement from its vast advertising network.
Although Safari’s default settings blocked third-party cookies, Apple devised various exceptions to allow the use of certain popular web functions. These exceptions allowed Google to immediately put the DoubleClick Ad Cookie on the user’s device without their knowledge or consent whenever the user visited a website that contained DoubleClick Ad content.
Google was then able to accumulate significant personal data on the user, which could then be passed on to the advertisers looking to target specified groups of prospective clients.
Appellate history
The claim was brought using the representative action procedure under CPR r 19.6. This mechanism allows a person(s) to bring a claim on behalf of a large class of claimants provided that they share the ‘same interest’.
To have the ‘same interest’, claimants must have a common interest and grievance and the main remedy sought must be beneficial to all of them.
A representative action works on an ‘opt-out’ basis, whereby the individual class members do not need to be identified proactively. This differs from other collective redress procedures such as Group Litigation Orders, whereby individual claimants have to ‘opt-in’ and take active steps to be included in a group register for their claim to progress as part of a wider group action.
The claim relied on section 13(1) of the DPA 1998 (the law applicable at the time of the alleged breach), which provides a right of compensation where an individual ‘suffers damage by reason of any contravention by a data controller of any of the requirements of this Act’. The DPA 1998 has since been replaced by the General Data Protection Regulation (‘GDPR’) and the Data Protection Act 2018 (‘DPA 2018’).
High Court
In the first instance, Mr Justice Warby dismissed Mr Lloyd’s application for permission to serve Google LLC outside the jurisdiction. He held that there was no basis of seeking compensation because the members of the class had not suffered ‘damage’ within the meaning of section 13 DPA 1998, nor was the same interest test satisfied as the members were likely to have suffered different types of damage (or no damage at all).
Mr Justice Warby also declined to use his discretion to allow the claim to proceed as a representative action in accordance with CPR r 19.6(2).
Court of Appeal
The Court of Appeal unanimously allowed Mr Lloyd’s appeal and granted permission to serve out of jurisdiction.
The Court concluded that damages were, in principle, capable of being awarded for loss of control of data under section 13 DPA 1998, even if there was no financial loss or distress. It also held the same interest test was satisfied as all members had suffered the same loss, namely the loss of control of their browser generated data (having disavowed any reliance on facts specific to individuals).
The Court of Appeal exercised its discretion under CPR 19.6(2) afresh and held that the claim was permitted to proceed as a representative action.
Issues for the Supreme Court to consider
In light of the above, the three issues the Supreme Court broadly needed to consider were:
- Are damages recoverable under section 13 of the DPA 1998 for loss of control of data in and of itself (i.e., where the underlying breach does not result in any pecuniary loss or distress)?
- Did the class of claimants (some 4 million individuals) share the ‘same interest’, as required for a representative action to proceed in England and Wales?
- If the ‘same interest’ test is satisfied, should the Court exercise its discretion to disallow the representative action to proceed in any event?
What did the Court find?
The First Issue
The Supreme Court unanimously held damages were not awardable for a mere loss of control of personal data under the DPA 1998; the claimant must suffer some ‘damage’.
On a proper interpretation (compatibly with article 23 of the Data Protection Directive), the term ‘damage’ in section 13 of the DPA 1998 refers to material damage (such as financial loss) or mental distress. The ‘damage’ cannot be the unlawful processing of data itself.
Further, the Court ruled that even if it was not necessary to show an individual had suffered damage or distress as a result of the unlawful processing, the extent of such unlawful processing would depend on the individual case.
However, given the generic facts alleged by the claimant, it was not possible to determine the damage suffered by individual claimants and therefore get over the ‘seriousness’ threshold which entitled individuals to compensation under the DPA 1998.
The Court gave examples of relevant factors which should be considered when deciding individual damages, including:
- Over what period of time the browsing history was tracked
- What quantity of data was unlawfully processed
- Whether any of the information was of a sensitive or private nature
- What use was made of the information
- What commercial benefit, if any, obtained from such use.
These factors would clearly vary on a case-by-case basis when determining the extent of damage suffered.
The Second Issue
The Court held that the ‘same interest’ test required by a representative action was satisfied in this case. Common issues clearly arose where an individual claim could theoretically have been brought by each iPhone user who was affected by the DoubleClick Ad Cookie.
The Court also stated that even if only a few individuals were ultimately able to obtain compensation on the basis of a declaratory judgment, that should not be a reason for refusing to allow a representative claim to proceed for the purpose of establishing liability.
The Court suggested a ‘bifurcated process’ might have been a suitable way to handle claims of this nature. In such circumstances, the representative action procedure would be used to determine common issues, leaving any issues which require individual determination – whether they relate to liability or the amount of damages – to be dealt with at a subsequent stage of the proceedings.
The Third Issue
The Court held it was unnecessary to decide whether the Court of Appeal was entitled to interfere with the first instance judge’s discretionary ruling or whether it would be desirable for a commercially funded class action to be available on the facts alleged. This was because, regardless of what view was taken, the claim had no real prospect of success.
The Court, therefore, allowed the appeal and restored the order made by the first instance judge refusing the claimant’s application for permission to serve the proceedings on Google outside the jurisdiction of the courts of England and Wales.
What does this mean?
The decision can be seen as a blow for the millions of consumers affected by unlawful data processing and data breaches.
The ruling means that, under the current legal framework in England and Wales, the most effective way to bring a successful action on behalf of consumers affected by the loss of control of their personal data remains an ‘opt-in’ representative action limited to those claimants whose individual damages can be calculated on a common basis.
Given how individualised the assessment of those damages can be, it necessarily means that the availability of cost-effective redress to large bodies of consumers affected by data breaches is significantly restricted.
That said, it is significant the present case proceeded under the DPA 1998 rather than the GDPR and DPA 2018.
This later legislation makes specific provisions for both material and ‘non-material’ damages; in particular, loss of control over personal data is identified as an example of possible damage resulting from a personal data breach.
Although the Court expressly did not consider this later legislation in the present case, the less stringent ‘damage’ requirement is likely to be a key issue of contention between parties in future claims dealing with similar issues.
The Court did acknowledge that when exercising its discretion in allowing a claim to proceed as a representative action it must seek to give effect to the overriding objective. They went on to say that many of the considerations specifically included in that objective are likely to militate in favour of allowing a claim, where practicable, to be continued as a representative action rather than leaving members of the class to pursue claims individually.
Similarly, the Court’s suggestion that a ‘bifurcated process’ may be suitable for claims of this nature could potentially be seen as a move towards a hybrid type of claim whereby common issues are dealt with as part of a representative action and then individual issues dealt with subsequently – individual claimants would (presumably) only need to be identified once the common issues had been determined.
This points towards a more sympathetic approach to representative actions than is perhaps reflected in the present case. However, it will be for the claimants (and their funders) to decide if it is economically viable for claims to be pursued in this way.
