Article
The Supreme Court Judgment in Lloyd v Google LLC [2021] UKSC 50
On 10 November 2021 the UK Supreme Court handed down its decision in Lloyd v Google LLC [2021] UKSC 50 in which it unanimously granted Google's appeal in the £3bn data privacy lawsuit. The full text of the Supreme Court judgment can be found here.
The case affirmed that Claimants in Data Protection Act 1998 ("DPA 1998") cases cannot obtain damages without proof of damage – to be actionable damages require proof of distress or financial loss, "loss of control" of personal data is not enough. The ruling, which also impacts the collective redress regime, also found that while representative actions may be brought for damages, it would be preferable for these to be brought through a two-stage, or "bifurcated" procedure. First, a claim for a declaration on liability, and second, a claim for damages which would need to be assessed by way of individualised assessment.
Background
The case was brought by former Which? Director Richard Lloyd, supported by the campaign group Google You Owe Us with financial backing from Therium Litigation Funding IC. Mr Lloyd issued a claim against Google LLC alleging breach of its duties under section 4(4) of the DPA 1998 on behalf of everyone resident in England and Wales who owned an iPhone at the relevant time – amounting to an estimated 4.4 million iPhone users.
The claim alleged that in late 2011 and early 2012 Google secretly tracked the internet activities of iPhone users and used the data collected for commercial purposes without user knowledge. A case was previously brought in 2013 Vidal-Hall v Google Inc (Information Comr intervening) [2015] EWCA Civ 311, although the appeal in that claim was not heard before the UK Supreme Court following agreement between the parties.
The events that gave rise to the claim took place between 9 August 2011 and 15 February 2012 and involved the alleged use of the "Safari workaround" to bypass Apple's privacy settings. Google claimed that it was prevented by the Safari browser's default privacy settings from collecting data from iPhone, iPad and Mac users. However, this was subsequently discovered to be a misrepresentation as although the default settings for Safari blocked all third party cookies, a blanket application of these settings would have prevented the use of certain web functions, leading Apple to devise some exceptions to the settings.
The effect was to enable Google to place its DoubleClick cookie on an Apple device. That enabled Google to collect information relating to users' internet surfing habits and locations, and also further diverse factors as their interests and pastime, race or ethnicity, social class, political or religious beliefs or affiliations among other factors, enabling targeted advertising without the user's knowledge or consent.
The DPA 1998 Scheme
Section 4(4) of the DPA 1998 imposes on a duty on a data controller to comply with the Schedule 1 data protection principles "in relation to all personal data with respect to which he is the data controller". Section 13 of the DPA gives an individual who has suffered damage as a result of a contravention "by a data controller of any of the requirements of this Act" a right to compensation from the data controller for that damage.
The claim for compensation in Lloyd v Google was founded on section 13 of the DPA 1998 which provides:
"(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if –
(a) the individual also suffers damage by reason of the contravention, or
(b) the contravention relates to the processing of personal data for the special purposes.
(3) In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned."
The Supreme Court found that compensation may only be awarded where it can be established that an individual has suffered damage as the result of a breach of the DPA 1998 by a data controller. Damage has been interpreted by the Supreme Court to not include "distress" and refers "only to material damage" (see judgement at [92]) and as such statutory infringement would not alone, constitute such damage. Distress can only be recovered if either of the conditions in subsection (2) is met.
The Supreme Court concluded that in order to award damages it would be necessary "to show both that Google made some unlawful use of personal data relating to that individual and that the individual suffered some damage as a result" and that without being able to prove such a matter, the claim would be "doomed to fail" [8].
Collective Redress in English Law
To bring the claim on the behalf of all iPhone users Mr Lloyd sought to rely on an "innovative use of the representative procedure" in rule 19.6 of the Civil Procedure Rules. This procedure being one of long standing in England and Wales whereby a claim can be brought by multiple persons who have "the same interest" in the claim. CPR 19.6(1) reads as follows:
Where more than one person has the same interest in a claim –
(a) the claim may be begun; or
(b) the court may order that the claim be continued,
by or against one or more of the persons who have the same interest as representatives of any other persons who have that interest.
In the Supreme Court's judgment on scope for claiming damages set out at [80-83] it concluded that there were two circumstances in which CPR 19.6 could be used for a class action for damages, in the wider context that the potential for claiming such damages is "limited by the nature of damages at common law".
First, damages can be claimed under the representative procedure where damages sustained by the group can be assessed in the aggregate. Second, where the representative rule is used only for a declaration with regard to common questions, with individual issues regarding liability or damages to be answered in individual claims to be commenced separately (the "bifurcated approach").
The Supreme Court disagreed with the Claimant's case that a uniform sum could be recovered for each iPhone user in this case, assessing that any damage sustained would need to assessed by reference to the data involved, and the use or benefit it afforded Google, and that absent evidence of these matters that individuals would not be entitled to compensation.
Impact
At the heart of the decision is the need for claimants to demonstrate damage, whether in the form of distress or financial loss to make a successful claim under the DPA 1998, and restricts those claimants ability to bring data privacy class actions in the UK under the DPA 1998 (which has now been repealed). This is likely to have an impact on a number of existing claims and potential future claims by reducing the appeal to prospective claimants and litigation funders given the cost of bringing low-value claims.
It is important to note, however, that there are statutory differences between the DPA 1998 and the UK GDPR, and while this case will necessarily be persuasive to subsequent group actions under the UK GDPR and DPA 2018, it will not necessarily be binding. Nevertheless, it shows a general trend that "opt-out" representative actions are unlikely to be supported in UK law. This is, in general, a very positive development for data controllers as it now seems unlikely that litigation funders will have appetite to pursue similar representative data protection claims. The impact on individual claimants, however, is negative rendering it harder to bring class actions for loss of control of personal data under the DPA 1998.