Positive news for data controllers in the much-anticipated Lloyd v Google Supreme Court judgment

The world of data privacy litigation has been waiting with bated breath for this decision, its importance illustrated by the sheer number of claims issued and put on-hold pending this decision.  In the two years since the Court of Appeal’s decision, there has been a marked increase in the number of claims threatened against data controllers, as well as an increased appetite among litigation funders to invest in data privacy claims. 

This article examines the Supreme Court’s decision and reflects on what it means for the future of data privacy claims.  

Background

In 2017, Richard Lloyd (“Lloyd”) started a representative claim against Google on behalf of more than 4 million individuals. The focus of the claim was on Google’s so-called “Safari Workaround”, which Mr Lloyd alleged allowed Google to place third-party cookies onto individuals’ devices to gather information about their internet use without their knowledge or consent. Mr Lloyd claimed that by doing so Google breached its duties as a data controller as set out in the Data Protection Act 1998 (the “DPA 1998”).

Mr Lloyd did not seek to argue that the affected individuals had suffered material damage or distress under section 13 DPA 1998. Rather, he creatively argued that a uniform sum was owed on the basis of “loss of control” of personal data. This enabled him to assert that he shared an identical interest in the claim with all those he purported to represent.  To bring a representative action under CPR 19.6, this “same interest” requirement is paramount. By framing his claim this way, Mr Lloyd was, in effect, claiming to be entitled to bring an opt-out class action on behalf of all affected individuals.

As Google is based in the USA, Mr Lloyd sought permission to serve the claim outside of the jurisdiction. This was contested by Google on the basis that his claim did not disclose any basis for claiming compensation under the DPA 1998 and the Court should not in any event permit the claim to continue as a representative action. 

The procedural story so far

The High Court decision

The High Court initially found in Google’s favour, refusing permission to serve out of the jurisdiction. The High Court said the claim did not disclose any basis for seeking compensation as damages for loss of control were not provided for in section 13 of the DPA 1998. 

The High Court also found that, even if there was a reasonable basis for seeking compensation, each individual did not have the “same interest”, as required under CPR 19.6. This was because the extent and impact of the alleged breach would inevitably differ for each individual affected, and there were practical challenges in ascertaining whether any given individual was a member of the class in any event. Finally, in considering whether to exercise his discretion under CPR 19.6 to prevent the representative action from continuing, the judge made some notable observations that the only real beneficiaries of the litigation would, ultimately, be the lawyers and the litigation funder involved.  

The Court of Appeal decision 

The Court of Appeal reversed the decision, finding that the representative claim could proceed as the individuals’ control over their personal data had an economic value, meaning that the loss of that control also had a value. Therefore, in principle, damages were capable of being awarded for loss of control of data within section 13 of the DPA 1998 even if no damages for material damage or distress were also being claimed. 

It also rejected the first instance decision that the individuals did not have the same interest in the representative claim and were not identifiable, noting on the contrary that the individuals were all victims of the same alleged wrong and had all suffered the same loss of control of their personal data. On the exercise of the judge’s discretion to stop the action, whilst the Court of Appeal accepted that the first instance judge was right to take account of the fact that the lawyers and funders might be the only real winners in the case, a guiding factor in disagreeing with the exercise of that discretion appears to have been the view that, without the representative action, there would be no other means for those represented by Mr Lloyd to obtain a remedy against Google.  

The key issues for the Supreme Court 

Two key issues are considered in the Supreme Court’s judgment: 

1. Should Lloyd have been refused permission to serve the claim against Google out of the jurisdiction because those affected had not suffered ‘damage’ within the meaning of section 13 of the DPA 1998? 
   
   
2. Should Lloyd be prevented from bringing a representative claim because the Members did not have the ‘same interest’ in the claim and were not identifiable?
   
   

The Supreme Court decision

Damage within the meaning of section 13 DPA 1998

The Supreme Court unanimously rejected Lloyd’s novel attempt to claim a uniform sum of damages based on loss of control of personal data.  The Supreme Court disagreed with Lloyd’s premise that any non-trivial contravention of a data subject’s rights should be compensated.  The main basis of this decision appears to be that the Court of Appeal’s approach wrongly conflates the concept of a contravention occurring with the entitlement to damages.  The Supreme Court was at pains to emphasise the missing link in this equation, which is the need to show causation.  It stressed that the precise wording of the DPA 1998 makes clear that compensation should only be awarded for damage which is “a result of” a contravention.  Proof of a contravention having occurred, without more, should not suffice to win damages. 

The Supreme Court also gave short shrift to the suggestion by Lloyd that loss of control damages were an appropriate remedy in data privacy claims on the basis they are available in misuse of private information claims.  Lloyd’s position was that both data privacy and misuse of private information claims originate from the same fundamental right to privacy and as such the same categories of damages should be available for both.  The Supreme Court dedicated several pages of the judgment to dismissing this suggestion for various reasons; a key one being that misuse of private information requires, by its very nature, the involvement of some kind of information which is private, whereas data privacy claims can routinely involve personal data which is not private in and of itself. On this basis, the Court concluded that it was not necessary or desirable for data privacy and misuse of private information claims to share the same remedies.

Encouragingly for controllers facing claims following a data breach, the Supreme Court identified a further distinction between misuse of private information and data privacy claims.  Namely, that misuse of private information imposes strict liability for deliberate acts and is not a tort which can be based on a lack of care or negligence.  Often data breaches will not involve deliberate acts on the part of a controller, who may in fact be the victim of a cyber-attack.  The judgment therefore potentially provides a useful line of defence for such controllers who find themselves threatened with a claim in misuse of private information. 

Representative actions and the same interest requirement 

The Court conducted a comprehensive review of the case law relating to the use of representative actions in England.  Having done so, the Court expressed the view that while it is not impossible for a representative action to be used in a claim where damages are sought, in most cases determining the damage suffered will require an assessment on an individual-by-individual basis which is not appropriate for the representative action mechanism contained in CPR 19.6.  Exceptions to this were highlighted, such as where a group of consumers might all have been overcharged the same amount for a product, in which case no individual assessment would be necessary, but that was not the case in data privacy claims such as this one. 

The Supreme Court’s view was that a case such as Mr Lloyd’s would have required damage to be assessed on an individual basis, even if such damages were for loss of control (rendering any surviving argument that loss of control damages could be available under the GDPR – as opposed to the DPA 1998 – toothless in the context of representative actions). Mr Lloyd’s attempt to avoid this, by setting the bar at the lowest common denominator (i.e. by only seeking recovery of the amount owed to the least affected person), was a non-starter because that approach sets the bar below the minimum threshold of seriousness required to proceed with a data privacy claim. In other words, by disavowing any individual evidence on the extent of unlawful processing and consequent harm, Mr Lloyd could not sufficiently demonstrate that the threshold had been met, because in order to do so such evidence would be necessary.

Seemingly in an attempt to justify the continued existence of the representative action mechanism, the Court commented on whether claims such as Mr Lloyd’s would benefit from a bifurcated approach.  Such an approach would see the representative action mechanism used to establish the liability of the controller to the entire class of affected individuals during the first stage of proceedings (but would not address damages).  A second stage would follow, during which an individual assessment of claims for damages based on that finding of liability could be made via either individual actions or under the auspices of a Group Litigation Order. 

Where does the decision leave us? 

The judgment is a body blow to claimant law firms and litigation funders for whom the prospect of being able to bring representative actions for loss of control damages represented a tantalising prospect.  It allowed them to fund and file actions against organisations without the inordinate cost, time and effort required to attract, sign up and process each and every member of a group as is required in other forms of multi-claimant litigation. Data controllers should therefore, for the time being at least, sleep a little bit more soundly at night, knowing that the risk of group actions in this area, and possibly the volume of individual claims too, will most likely witness a degree of decline whilst class action lawyers take time to regroup after this decision. 

The Court’s comments on misuse of private information were also good news for data controllers, particularly those being faced with claims following a data breach.  The Court’s indication that claims for misuse of private information require some kind of deliberate act (rather than an omission through a lack of care) means that this cause of action will often be unavailable in circumstances where there has been a third party cyberattack leading to a data breach.  This backs up the recent High Court decision in Warren v DSG Retail Ltd and has important implications on a claimant’s ability to recover the costs of their ATE premium, as recovery of such premiums is not permitted in data protection claims but is permitted in claims for misuse of private information.  

The Supreme Court’s decision completely rules out claims for loss of control damages under the DPA 1998 (i.e. for claims arising out of events which pre-date 25 May 2018) and probably has the same effect upon similar claims under the GDPR.  That said, the various courts who’ve presided over Mr Lloyd’s case have all made mention of a recital of the GDPR which may offer a small flicker of hope that loss of control damages are at least arguably available under the more recent legislation. It’s probable someone will test that point in the near future, but it’s unlikely to be in the context of a representative action, given Lord Leggatt’s view that individual evidence would still be required for this sort of damage.  

For group claims, therefore, it seems that claimant lawyers are left with the following options:

1. Test out the bifurcated approach alluded to in the Supreme Court’s judgment – i.e. use CPR 19.6 to bring a claim for a declaration on liability in a case. Keep everything crossed that they succeed on that claim, so that a percentage of their costs are recoverable, and then pray that this attracts claimants to sign up to follow-on litigation for damages (whether for loss of control, distress or material harm) in a non-representative action;
   
   
2. Return to good old-fashioned Group Litigation Orders or other multi-claimant litigation – these mechanisms are not class actions in the true sense and, as explained above, are costly and time-consuming to put together and often blighted by low take-up rates.  Individual pleadings and evidence need to be prepared for each and every claimant and, due to the exposure of all claimants to adverse costs risks, expensive insurance arrangements need to be put in place to protect against that risk. 
   
   
3. Lobby for something new – the day after the Supreme Court’s judgment, Mr Lloyd called for the government to renew its scrutiny of access to justice in this area.  Earlier this year the UK Government carried out review of the provisions in the UK data protection legislation which permit it to introduce GDPR-specific representative actions (by qualified entities, such as trade associations) if it concludes that to be necessary. The government declined, on that occasion, to make any change, and expressly mentioned the existence of other mechanisms, such as that being tested by Mr Lloyd, as partially justifying its conclusion.  On one view, the Supreme Court has now chosen to throw this particular hot potato back to the government.

Whilst we may all have to hold our breath for a while to see what, if anything, the government now chooses to do about this, for now, after two years of uncertainty, data controllers can afford to exhale thanks to the Supreme Court justices.