Some might describe 2021 as the high water mark for UK data privacy class actions. Certainly, litigation was plentiful, with data controllers regularly on the receiving end of claims arising out of data breaches or alleged data misuse complaints. GDPR gave data subjects more rights, and more transparency over how their data is used, which encouraged more activism in this space, including litigation. Buoyed up by this, litigation funders and claimant law firms turned their attention to the world of data privacy, and the boom times began. However, then came the Supreme Court’s decision in Lloyd v Google – a major blow for those building data privacy class actions.
However, whilst many thought it might be, Lloyd v Google was not the end of the story for class actions in this space. Claimants and their representatives have not been easily deterred, and in fact are becoming more creative in their attempts to obtain mass remedies. This article will examine what litigation threats remain for data controllers in the post-Lloyd world.
In Lloyd v Google, Mr Lloyd sought to bring a representative action (essentially an opt-out class action) on behalf of 4 million individuals, following Google’s alleged breach of the Data Protection Act 1998. He argued that everyone in the group had suffered a “loss of control” of data belonging to them (meaning they had all suffered the same loss) and therefore satisfied the representative action requirement that each member of the group has the same interest in the action. At the Court of Appeal stage of the case, this argument was accepted. Many copycat claims sprung up as a result of this, although nearly all were stayed pending the Supreme Court’s hearing of Google’s appeal.
The Supreme Court unanimously dismissed the claim. Amongst other things, the Supreme Court held that loss of control damages were not available under the Data Protection Act 1998 without proof of damage or distress (and that even if they were, in most cases determining the damage suffered would require an assessment on an individual-by-individual basis which is not appropriate for the representative action mechanism). It also confirmed that there is a minimum threshold of seriousness applicable to data privacy damages claims, below which claims should not succeed. For a more detailed discussion of the case and decision, please see our earlier article.
Lloyd breathed new life into data controllers’ ability to fend off data privacy class actions (and individual damages claims). The majority of stayed rep actions were not resurrected, and there was an immediate and sharp drop-off of new claims landing on defendant lawyers’ desks. The 19.6 rep action appeared non-viable for DP-related damages claims; meaning that what had been an attractive opportunity for claimant law firms and litigation funders (due to the ability to bring a mass action relatively easily and inexpensively, on an opt-out basis) was no longer on the menu. Whilst the Supreme Court did suggest that the rep action mechanism could remain of use in a two-stage process, where claimants first used it to obtain declaratory relief, and then brought damages claims on the back of that, the economics of running such a process are challenging. For claimant lawyers and funders, therefore, it was back to the drawing board on mass data privacy claims.
The Supreme Court did leave the door slightly ajar for rep actions in two respects, however:
The 19.6 rep action is the only “true” class action procedure available in the UK High Courts. However, there is another route used by claimants seeking to club together and bring similar damage claims – that of a Group Litigation Order (“GLO”). This mechanism is in fact simply a procedure which enables the courts to manage large numbers of related claims together, but still requires individual claims for be issued for each claimant. This renders them attractive to claimant law firms, who have the opportunity to rack up large costs (which they of course hope are recoverable later) in setting up and managing the group register and producing and filing individual claim documents. Whilst the test for a GLO is not “the same interest” in the claim, there is still a threshold which must be met before a court will make a GLO – namely that the claims give rise to common or related issues of fact or law, and that there is no other order which would be more appropriate. This latter requirement has recently proved an obstacle in a post-data breach claim brought against the Police Federation, where the court endorsed the defendant’s view that the most proportionate way in which to deal with the large number of claims was in fact to adopt the “lead claimant” (essentially test case) model rather than incur the significant costs of a GLO unnecessarily. In the data breach class action context, affected claimants then have a set period of time to opt into the claim. In the GLO context, challenges also exist in establishing that claimants have suffered compensable harm – and potential groups can be whittled down in size under this aspect of scrutiny, as a judgment highlighted in the recent case of Bennett & Others v Equifax Limited [2022] EWHC 1487 (QB) (a GLO application made on behalf of 10,000 potential claimants in the wake of the Equifax data breach).
GLOs and 19.6 rep actions, then, both have their challenges. Consequently, claimant lawyers pursuing collective actions are being forced to get creative. Two trends worthy of mention are data class actions brought in the UK Competition Appeal Tribunal (“CAT”), and actions for declaratory relief funded by “public interest” litigation funders. In relation to the former, the CAT offers potentially fertile ground for claimants, if they can reframe their data privacy complaints as some form of competition infringement. This is because, under the Consumer Rights Act 2015, the CAT was conferred with jurisdiction to hear competition claims on an opt-out basis. Claimants must overcome the first stage of the procedure, certification of the class, to proceed with an action, and this can cause obstacles; however, the case of Merricks v Mastercard (heard by the Supreme Court in 2021) lowered the bar for certification by the CAT and so has encouraged actions using this procedure. As of January 2023, 26 claims have now been issued as proposed class actions in the CAT, with 11 of them being certified to proceed by the CAT. To date, only one has been based purely on data privacy complaints (in which over €2 billion in damages is claimed on behalf of the class) and it has currently stalled - although the CAT has stayed the application until the end of August to enable the claimant representative to reformulate her claim, and so this is unlikely to be the last we hear of this claim, or of other claims using the CAT route.
For privacy activists, less motivated by monetary reward and more by pushing their agenda for change, a new route is emerging which sidesteps the issue of collective action altogether but could prove a significant threat to their targets, which currently appears to be largely the BigTech platforms. The emergence of litigation funders whose stated goal is to fund cases which are “for the public good” is unlocking access to remedies other than damages – GDPR claims for declarations of the state of the law, or orders for specific performance (e.g. deletion of data which has allegedly been unlawfully collected), can now be pursued, despite their complexity and cost, because these new funders are not seeking the massive payday their more commercially-focussed counterparts are driven by. If these remedies are granted, this causes tech companies real pain; not only because follow-on damages actions could then be brought but also because the deletion of valuable data and related algorithms would arguably cause them an even bigger loss.
Although the future of data class actions remains uncertain in England, EU Member States are currently implementing the EU Representative Actions Directive (the “Directive”) which will likely have an impact on consumers’ ability to obtain collective remedies in the data privacy sphere, among others. The Directive’s aim is to ensure a more uniform approach to collective redress across the EU for consumers affected by breaches of a wide raft of EU laws and it specifically lists GDPR infringements as within its scope. Representative actions may be brought by consumer groups if they are represented by a qualified entity which is designated by the EU member state, and the member state can decide whether it adopts an opt-in or opt-out procedure. Data controllers may be comforted by the fact that not all Member States will implement the opt-out procedure but, certainly for those which do (and particularly those who, following the recent Osterreiche Post decision (for more on this see here), adopt a more claimant-friendly approach to damages for data privacy breaches), class action “hotspots” are likely to emerge and a degree of forum-shopping seems probable going forward.
If you would like to learn more about the implementation of the Directive in other EU Member States, please see our tracker.
It is therefore still unclear what the next weapon in claimant litigators’ arsenal will look like in the data class action field. For now, as a matter of English proceedings, data controllers can sleep relatively soundly, albeit perhaps with one eye open and focussed firmly on the High Court, the CAT and EU developments.
Please do get in touch if you would like to discuss any of these issues further.
If you want to hear more about data privacy litigation developments in the UK and Europe, our recent webinar on the topic can be accessed here.
For an update on the position in Australia please click here.