The Supreme Court has handed down the long-awaited judgment in the data privacy case of Lloyd (Respondent) v Google LLC (Appellant) [2021] UKSC 50. The court reversed the decision of the Court of Appeal, holding that Mr Lloyd could not proceed with a representative action to claim damages from Google regarding the acknowledged fact that, for a period of several months, it tracked the activity of 4 million iPhone users without their knowledge or consent in breach of the Data Protection Act 1998 (DPA98 since replaced by the UK GDPR and the Data Protection Act 2018 (DPA18)).

The decision is significant because of the impact it has on the viability of litigation-funded opt-out class actions, in particular for breaches of data protection law.

What's the issue?

Consumer rights campaigner Mr Lloyd brought a claim against Google for damages for breach of data protection law by which he sought to do two things: 

• First, he tried to use the representative class action procedure under CPR19.2 as the litigation vehicle to bring a claim on behalf of a class of others with the "same interest", which, in this case, were data subjects who had allegedly had their personal data unlawfully processed by Google in the same way as Mr Lloyd back in 2011-2012. There was no issue over whether Mr Lloyd could bring a claim in his own right. The issue was whether he could do so on behalf of others who fell within the representative class. 
• Second, Lloyd tried to claim for a new head of damage under data protection law, imported from misuse of private information (MOPI) cases called "loss of control" – ie damages purely for losing control of your own data by virtue of a contravention of obligations under data protection legislation. This head of damage is separate to the other two traditional heads of damage recoverable in data protection claims: financial loss and distress. 

The starting point of this long running case was Lloyd's application to the court for permission to serve his claim on Google out of the jurisdiction in the USA. Google opposed this application on the grounds that it had no real prospect of success because damages for loss of control was not available and the claim was not suitable to proceed as a representative class action. 

Google won in the High Court, but the decision was overturned by the Court of Appeal in 2019. On appeal, the Supreme Court agreed with the court of first instance, narrowly interpreting the relevant law and procedure and Mr Lloyd lost on both points.

The ramifications, had he won, would have been immense for data subjects and controllers, data litigation firms and litigation funders (as demonstrated by the legion of interveners in this case). 

Lloyd's case

Lloyd alleged that Google had failed to comply with the data protection principles under the DPA98 including failure to process personal data lawfully. Lloyd alleged a breach of principles 1, 2 and 7 of DPA98. 

Instead of suing over just his own claim, he tried to bring a representative class action on behalf of himself and a class of others affected by the same unlawful processing. His definition of this class was everyone in England and Wales who, at the relevant time, had an Apple iPhone on which Google’s DoubleClick Ad cookie was placed. 

This was a controversial approach given the size of the class was very large, meaning the potential value of the claim created high stakes for Google. 

Lloyd accepted that he could not use the representative action procedure to claim compensation on behalf of others if the compensation recoverable by each user would have to be individually assessed because the others he represented would not hold the "same interest" as required by law. However, he contended that any individual assessment was unnecessary because, as a matter of law, compensation could be awarded under the old law for "loss of control" of personal data without the need to prove that the claimant suffered any financial loss or distress as a result of the breach. 

He also argued that a "uniform sum" of damages could be awarded to each person whose data protection rights had been infringed without the need to investigate any circumstances particular to their individual case. 

While the amount of damages recoverable per person would be a matter for argument later, a figure of £750 was advanced in his letter of claim which, multiplied by the number of people whom Mr Lloyd claimed to represent, would have produced an award of damages of £3 billion. 

The Supreme Court decision 

The Supreme Court disagreed with Lloyd's case, agreeing with Google for the following reasons: 

• Representative action claims can be brought by people with a common issue, but this cannot happen where there is a conflict of interest between class members where the position of some would prejudice that of others. While there was no conflict suggested in this case and the claims clearly raised common issues, Lloyd had brought a representative action for damages on behalf of each member of the class on a uniform per capita basis. However, as the effect on the represented class was not uniform (for example, some allegedly had more of their data than others unlawfully processed, including different types of data, some of it sensitive personal data), this would lead to different awards of compensation being given to different members of the class which would involve an individualised assessment of damages. Therefore, the class did not all hold the same interest. 
• The court rejected Lloyd's argument that an individual is entitled to compensation purely for a breach of DPA98 and without the need to prove any facts particular to them. To establish a claim for compensation, an individual must prove a contravention, but must also prove that damage has been suffered as a result, which must be either financial or in the form of distress. That requires evidence from each individual, which would be incompatible with claiming damages on a representative basis because claimants would bring different evidence and therefore have differing interests. 
• The court also held that damages for the separate head of loss of control (as imported from MOPI claims) was not recoverable in data protection claims because Section 13 of the DPA98 (which sets out the statutory basis for damages awards) could not be interpreted to mean or include loss of control (or user damages) because "contravention" and "damage" are not the same thing. Under s13, a contravention of the DPA98 must cause a data subject to suffer (material) damage in order to trigger any right to compensation. A data subject is not entitled to compensation by virtue of the unlawful act itself, but because of the damage which results. What's more, the relevant EU law could not be interpreted to extend the meaning of "damage" beyond financial loss or distress and s13 of DPA98, was not incompatible with EU law. The court said that were this not the case, an individual would be entitled to recover compensation (under the old law) without proof of material damage or distress whenever a data controller had failed to comply with the DPA98 on the basis that such a breach would amount to a loss of control. 
• Further, the court said there was no reason why damages awarded in a common law claim for MOPI should be relevant to the proper interpretation of the statutory regime for claiming damages under DPA98 simply on the basis that both come from a common source. There are also significant differences between such claims. For example, data protection legislation extends beyond the scope of MOPI and data need not have any reasonable expectation of privacy to be protected under DPA98 (whereas it must in a MOPI claim for which loss of control damages are recoverable). Damages may also be awarded in MOPI claims without proof of material damage or distress. Therefore, loss of control damages in MOPI claims are not applicable by analogy to DPA98 data protection claims. 

For all these reasons, the court concluded that s13 DPA98 cannot reasonably be interpreted as conferring on a data subject a right to compensation for any (non-trivial) contravention by a data controller of any of the requirements of the DPA98 without the need to prove that the contravention has caused material damage or distress to the individual concerned. 

The court also held that a representative action could not succeed under s13 because it would still be necessary to establish the extent of the unlawful processing in each individual case which would include analysis of relevant factors such as "Over what period of time did Google track the individual’s internet browsing history? What quantity of data was unlawfully processed? Was any of the information unlawfully processed of a sensitive or private nature? What use did Google make of the information and what commercial benefit, if any, did Google obtain from such use?". 

If none of these factors are taken into account, the facts alleged entitling members to join the representative class would be insufficient to establish that anyone in the class was entitled to damages by way of compensation because such facts fail to meet (and have no prospect of meeting) the legal threshold. 

Therefore, it was not enough for Lloyd to claim that each person he purported to represent in the class was entitled to damages simply by virtue of being proven members of the class and without having to prove any facts to show that Google wrongfully collected and the used their data. The court said Lloyd was seeking to recover damages without even attempting to prove that unlawful processing had taken place. 

As a result, the court said that Lloyd's claim had no real prospect of success and permission to serve his claim outside the jurisdiction was refused. 

What does this mean for you?

The court spelled out in the first sentence that Mr Lloyd brought this claim with the financial backing of a litigation funder, and followed this by references to the earlier claim brought on the same facts by three data subjects in the Vidal-Hall case. It also commented on the fact that while representative class actions are available in the USA, they have been rejected by the government here in the UK. Given these comments and the possibility of Lloyd's claim being worth £3 billion, we can't help but think that public policy drove this decision. 

This is despite the reality that unlawful data processing or data breaches can affect millions of consumers and that litigation funding is a practical reality for running these mass claims. Again, it seems the law is lagging too far behind technology (especially given this is a pro-data controller decision, but under the old law) and civil justice should have mechanisms to allow large numbers of people to assert their data privacy rights. 

The actual claim itself, had Mr Lloyd brought it himself, would have been runnable in principle had he sued for financial loss or distress, as the claimants in Vidal-Hall did. However, he chose not to do so in order to try and shoehorn his claim into the representative class action vehicle rather than bring his claim alone. 

Lloyd also chose not to sue for MOPI, a claim for which damages for loss of control are recoverable. The court suggested that this might have been because of the necessity to present evidence of facts particular to each individual claimant (as happened in Vidal-Hall), which would have rendered such a claim incompatible with a representative action. However, data subject claimants will be wary of bringing MOPI claims over data breaches following the decision in Warren v DSG Retail Ltd [2021] EWHC 2168. 

This decision does not, however, close the door on using representative actions for data protection claims for several reasons: 

• First, this is a decision based on the old law because the events occurred in 2011-2012. Article 82 of the GDPR expressly says that non-material damages are recoverable. 
• Second, this decision is arguably fact specific to Lloyd's case, rather than universally prohibitive. While in this instance, it was not possible to demonstrate that the entire relevant class of data subjects had suffered the same damage, this will not always be the case in future representative actions where the class could be better defined with demonstrably the same set of facts. 
• Finally, it's worth remembering that claims by individual claimants and opt-in Group Litigation Order claims are still options and adequate litigation vehicles, albeit GLOs also have historically low participation levels and litigants are also less likely to come forward. 

While the Supreme Court did not, as many thought it might, open the floodgates to opt-out representative actions for data breaches, nor did it bolt them shut.

Find out more

To discuss the issues raised in this article in more detail, please reach out to a member of our Data Protection & Cyber team.