The long wait for the decision of the Supreme Court in Lloyd v Google is over.
In 2017, Richard Lloyd (“Lloyd”) started a representative claim against Google on behalf of more than 4 million individuals. The focus of the claim was on Google’s so-called “Safari Workaround”, which Mr Lloyd alleged allowed Google to place third-party cookies onto individuals’ devices to gather information about their internet use without their knowledge or consent. Mr Lloyd claimed that by doing so Google breached its duties as a data controller as set out in the Data Protection Act 1998 (the “DPA 1998”).
Two key issues are considered in the Supreme Court’s judgment:
Damage within the meaning of section 13 DPA 1998
The Supreme Court unanimously rejected Lloyd’s novel attempt to claim a uniform sum of damages based on loss of control of personal data. The Supreme Court disagreed with Lloyd’s premise that any non-trivial contravention of a data subject’s rights should be compensated. The main basis of this decision appears to be that the Court of Appeal’s approach wrongly conflates the concept of a contravention occurring with the entitlement to damages. The Supreme Court was at pains to emphasise the missing link in this equation, which is the need to show causation. It stressed that the precise wording of the DPA 1998 makes clear that compensation should only be awarded for damage which is “a result of” a contravention. Proof of a contravention having occurred, without more, should not suffice to win damages.
The Supreme Court also gave short shrift to the suggestion by Lloyd that loss of control damages were an appropriate remedy in data privacy claims on the basis they are available in misuse of private information claims. Lloyd’s position was that both data privacy and misuse of private information claims originate from the same fundamental right to privacy and as such the same categories of damages should be available for both. The Supreme Court dedicated several pages of the judgment to dismissing this suggestion for various reasons; a key one being that misuse of private information requires, by its very nature, the involvement of some kind of information which is private, whereas data privacy claims can routinely involve personal data which is not private in and of itself. On this basis, the Court concluded that it was not necessary or desirable for data privacy and misuse of private information claims to share the same remedies.
Encouragingly for controllers facing claims following a data breach, the Supreme Court identified a further distinction between misuse of private information and data privacy claims. Namely, that misuse of private information imposes strict liability for deliberate acts and is not a tort which can be based on a lack of care or negligence. Often data breaches will not involve deliberate acts on the part of a controller, who may in fact be the victim of a cyber-attack. The judgment therefore potentially provides a useful line of defence for such controllers who find themselves threatened with a claim in misuse of private information.
Representative actions and the same interest requirement
The Court conducted a comprehensive review of the case law relating to the use of representative actions in England. Having done so, the Court expressed the view that while it is not impossible for a representative action to be used in a claim where damages are sought, in most cases determining the damage suffered will require an assessment on an individual-by-individual basis which is not appropriate for the representative action mechanism contained in CPR 19.6. Exceptions to this were highlighted, such as where a group of consumers might all have been overcharged the same amount for a product, in which case no individual assessment would be necessary, but that was not the case in data privacy claims such as this one.
The Supreme Court’s view was that a case such as Mr Lloyd’s would have required damage to be assessed on an individual basis, even if such damages were for loss of control (rendering any surviving argument that loss of control damages could be available under the GDPR – as opposed to the DPA 1998 – toothless in the context of representative actions). Mr Lloyd’s attempt to avoid this, by setting the bar at the lowest common denominator (i.e. by only seeking recovery of the amount owed to the least affected person), was a non-starter because that approach sets the bar below the minimum threshold of seriousness required to proceed with a data privacy claim. In other words, by disavowing any individual evidence on the extent of unlawful processing and consequent harm, Mr Lloyd could not sufficiently demonstrate that the threshold had been met, because in order to do so such evidence would be necessary.
Seemingly in an attempt to justify the continued existence of the representative action mechanism, the Court commented on whether claims such as Mr Lloyd’s would benefit from a bifurcated approach. Such an approach would see the representative action mechanism used to establish the liability of the controller to the entire class of affected individuals during the first stage of proceedings (but would not address damages). A second stage would follow, during which an individual assessment of claims for damages based on that finding of liability could be made via either individual actions or under the auspices of a Group Litigation Order.
Where does the decision leave us?
The judgment is a body blow to claimant law firms and litigation funders, for whom being able to bring representative actions for loss of control damages was a tantalising prospect. It allowed them to fund and file actions against organisations without the inordinate cost, time and effort required to attract, sign up and process each and every member of a group as is required in other forms of multi-claimant litigation. Data controllers should therefore, for the time being at least, sleep a little bit more soundly at night, knowing that the risk of group actions in this area, and possibly the volume of individual claims too, will most likely witness a degree of decline whilst class action lawyers take time to regroup after this decision.
The Court’s comments on misuse of private information were also good news for data controllers, particularly those being faced with claims following a data breach. The Court’s indication that claims for misuse of private information require some kind of deliberate act (rather than an omission through a lack of care) means that this cause of action will often be unavailable in circumstances where there has been a third-party cyber-attack leading to a data breach. This backs up the recent High Court decision in Warren v DSG Retail Ltd and has important implications for a claimant’s ability to recover the costs of their ATE premium, as recovery of such premiums is not permitted in data protection claims but is permitted in claims for misuse of private information.
The Supreme Court’s decision completely rules out claims for loss of control damages under the DPA 1998 (i.e. for claims arising out of events which pre-date 25 May 2018) and probably has the same effect upon similar claims under the GDPR. That said, the various courts who’ve presided over Mr Lloyd’s case have all made mention of a recital of the GDPR which may offer a small flicker of hope that loss of control damages are at least arguably available under the more recent legislation. It’s probable someone will test that point in the near future, but it’s unlikely to be in the context of a representative action, given Lord Leggatt’s view that individual evidence would still be required for this sort of damage.
For group claims, therefore, it seems that claimant lawyers are left with the following options:
Whilst we may all have to hold our breath for a while to see what, if anything, the government now chooses to do about this, for now, after two years of uncertainty, data controllers can afford to exhale thanks to the Supreme Court justices.