The greatly-anticipated judgment of the Supreme Court in the case of Lloyd v Google LLC has been handed down today, bringing an end to a class action against Google worth around £3 billion.
The decision is a milestone in the development of UK data protection litigation. It confirms that the Data Protection Act 1998 (predecessor to the UK GDPR and Data Protection Act 2018) does not allow damages to be awarded for "loss of control" of personal data where there is no material damage (i.e. financial loss) or mental distress arising from the unlawful processing of data itself. An anticipated "floodgates" situation, where data controllers could have faced US style opt-out class actions for breaches of data protection law without proof of loss, is for now kept at bay, bringing relief to organisations in a wide range of sectors.
The viability of representative actions under Civil Procedure Rule 19.6 (CPR 19.6), likened to US style "opt out" class action litigation, was examined and broadened by the Supreme Court. The judges' consideration of CPR 19.6 shines a positive light on that mechanism for group litigation in the future, provided the represented parties meet the "same interest" requirement under the rule and that damages can be calculated on a basis common to all persons represented.
This was an action brought against Google LLC by Mr Richard Lloyd, former director of Which?, who acted as a representative under court rule CPR 19.6 for more than 4 million affected Apple iPhone user individuals in England and Wales.
Mr Lloyd's claim arose from Google's use of a work-around to bypass the cookie settings on the Safari browser and place tracking cookies for commercial purposes without the individual's knowledge or consent in a period of time from August 2011 to February 2012. The tracking enabled advertisers to target adverts at users based on their browsing history. The claim was for damage allegedly suffered by the group of Apple iPhone users as a result of unlawful processing by Google of their personal data in breach of the requirements of the Data Protection Act.
Mr Lloyd sought to rely on a procedure contained in CPR 19.6 which allows a claim to be brought by (or against) one or more persons as representatives of others who have the "same interest" in the claim. Mr Lloyd argued that the "same interest" requirement was satisfied and that this representative procedure can be used to recover a uniform sum of damages for each person whose data protection rights have been infringed, without having to investigate their individual circumstances. A sum of £750 per person was suggested, which, multiplied by the number of people grouped into the representative class, would produce an award of damages in the region of £3 million.
As Google is incorporated in Delaware, Mr Lloyd needed the court's permission to serve the claim form on Google outside the jurisdiction.
The Data Protection Act 1998 has since been replaced by the UK General Data Protection Regulation supplemented by the Data Protection Act 1998, but it was in force at the time of the alleged breaches and applies to this claim.
First instance and Court of Appeal decisions
In the high court, Warby J was not persuaded that Mr Lloyd's claim was viable and refused permission to serve the proceedings on Google. He decided in favour of Google that (1) damages cannot be awarded under the DPA 1998 without proof that a breach of the requirements of the Act caused an individual to suffer financial damage or distress; and (2) the claim in any event was not suitable to proceed as a representative action under CPR 19.6.
The Court of Appeal reversed Warby J's decision and granted Mr Lloyd permission to serve out of the jurisdiction. Google then appealed to the Supreme Court resulting in today's judgment which restores Warby J's first instance decision.
The implications of the Supreme Court judgment
This decision makes clear that compensation cannot be recovered for alleged loss of control of personal data without in fact proving there has been some financial damage or distress caused. This brings relief for many organisations, in particular those where data is at the heart of operations. The Court of Appeal judgment in April had precipitated the filing of some representative group action claims, the risk posed by which is now significantly reduced. Not all class actions filed are doomed, but this decision has clearly undermined the representative class action mechanism in a data protection context.
The judgment is also expected to impact on the appetite of claimant law firms to litigate other data privacy group actions in light of the new necessity to prove financial loss or distress, and with the potential fallback option of "loss of control" damages now not available. At the very least, the decision will impel claimant law firms to consider how they might conduct such litigation cost effectively.
The court has broadened the "same interest" test required in the representative action mechanism under CPR 19.6 which will likely attract claimants and litigation funders to examine approaches which may succeed for calculating compensatory damages on a basis common to all class members.
If you have any questions about this article, please contact Helen Davenport or Louise Macdonald.