Radar - November 2021 – 1 / 3 观点
The Supreme Court has handed down the long-awaited judgment in the data privacy case of Lloyd (Respondent) v Google LLC (Appellant)  UKSC 50. The court reversed the decision of the Court of Appeal, holding that Mr Lloyd could not proceed with a representative action to claim damages from Google regarding the acknowledged fact that, for a period of several months, it tracked the activity of 4 million iPhone users without their knowledge or consent in breach of the Data Protection Act 1998 (DPA98 since replaced by the UK GDPR and the Data Protection Act 2018 (DPA18)).
The decision is significant because of the impact it has on the viability of litigation-funded opt-out class actions, in particular for breaches of data protection law.
Consumer rights campaigner Mr Lloyd brought a claim against Google for damages for breach of data protection law by which he sought to do two things:
The starting point of this long running case was Lloyd's application to the court for permission to serve his claim on Google out of the jurisdiction in the USA. Google opposed this application on the grounds that it had no real prospect of success because damages for loss of control was not available and the claim was not suitable to proceed as a representative class action.
Google won in the High Court, but the decision was overturned by the Court of Appeal in 2019. On appeal, the Supreme Court agreed with the court of first instance, narrowly interpreting the relevant law and procedure and Mr Lloyd lost on both points.
The ramifications, had he won, would have been immense for data subjects and controllers, data litigation firms and litigation funders (as demonstrated by the legion of interveners in this case).
Lloyd alleged that Google had failed to comply with the data protection principles under the DPA98 including failure to process personal data lawfully. Lloyd alleged a breach of principles 1, 2 and 7 of DPA98.
Instead of suing over just his own claim, he tried to bring a representative class action on behalf of himself and a class of others affected by the same unlawful processing. His definition of this class was everyone in England and Wales who, at the relevant time, had an Apple iPhone on which Google’s DoubleClick Ad cookie was placed.
This was a controversial approach given the size of the class was very large, meaning the potential value of the claim created high stakes for Google.
Lloyd accepted that he could not use the representative action procedure to claim compensation on behalf of others if the compensation recoverable by each user would have to be individually assessed because the others he represented would not hold the "same interest" as required by law. However, he contended that any individual assessment was unnecessary because, as a matter of law, compensation could be awarded under the old law for "loss of control" of personal data without the need to prove that the claimant suffered any financial loss or distress as a result of the breach.
He also argued that a "uniform sum" of damages could be awarded to each person whose data protection rights had been infringed without the need to investigate any circumstances particular to their individual case.
While the amount of damages recoverable per person would be a matter for argument later, a figure of £750 was advanced in his letter of claim which, multiplied by the number of people whom Mr Lloyd claimed to represent, would have produced an award of damages of £3 billion.
The Supreme Court disagreed with Lloyd's case, agreeing with Google for the following reasons:
For all these reasons, the court concluded that s13 DPA98 cannot reasonably be interpreted as conferring on a data subject a right to compensation for any (non-trivial) contravention by a data controller of any of the requirements of the DPA98 without the need to prove that the contravention has caused material damage or distress to the individual concerned.
The court also held that a representative action could not succeed under s13 because it would still be necessary to establish the extent of the unlawful processing in each individual case which would include analysis of relevant factors such as "Over what period of time did Google track the individual’s internet browsing history? What quantity of data was unlawfully processed? Was any of the information unlawfully processed of a sensitive or private nature? What use did Google make of the information and what commercial benefit, if any, did Google obtain from such use?".
If none of these factors are taken into account, the facts alleged entitling members to join the representative class would be insufficient to establish that anyone in the class was entitled to damages by way of compensation because such facts fail to meet (and have no prospect of meeting) the legal threshold.
Therefore, it was not enough for Lloyd to claim that each person he purported to represent in the class was entitled to damages simply by virtue of being proven members of the class and without having to prove any facts to show that Google wrongfully collected and the used their data. The court said Lloyd was seeking to recover damages without even attempting to prove that unlawful processing had taken place.
As a result, the court said that Lloyd's claim had no real prospect of success and permission to serve his claim outside the jurisdiction was refused.
The court spelled out in the first sentence that Mr Lloyd brought this claim with the financial backing of a litigation funder, and followed this by references to the earlier claim brought on the same facts by three data subjects in the Vidal-Hall case. It also commented on the fact that while representative class actions are available in the USA, they have been rejected by the government here in the UK. Given these comments and the possibility of Lloyd's claim being worth £3 billion, we can't help but think that public policy drove this decision.
This is despite the reality that unlawful data processing or data breaches can affect millions of consumers and that litigation funding is a practical reality for running these mass claims. Again, it seems the law is lagging too far behind technology (especially given this is a pro-data controller decision, but under the old law) and civil justice should have mechanisms to allow large numbers of people to assert their data privacy rights.
The actual claim itself, had Mr Lloyd brought it himself, would have been runnable in principle had he sued for financial loss or distress, as the claimants in Vidal-Hall did. However, he chose not to do so in order to try and shoehorn his claim into the representative class action vehicle rather than bring his claim alone.
Lloyd also chose not to sue for MOPI, a claim for which damages for loss of control are recoverable. The court suggested that this might have been because of the necessity to present evidence of facts particular to each individual claimant (as happened in Vidal-Hall), which would have rendered such a claim incompatible with a representative action. However, data subject claimants will be wary of bringing MOPI claims over data breaches following the decision in Warren v DSG Retail Ltd  EWHC 2168.
This decision does not, however, close the door on using representative actions for data protection claims for several reasons:
While the Supreme Court did not, as many thought it might, open the floodgates to opt-out representative actions for data breaches, nor did it bolt them shut.
To discuss the issues raised in this article in more detail, please reach out to a member of our Data Protection & Cyber team.
作者 Debbie Heywood 以及 Michael Yates