Lloyd v Google [2021] UKSC 50: A landmark Supreme Court judgment

Caroline Harbord and Nick Owen consider the new precedent on data law

Large data controllers will breathe a huge sigh of relief following the Supreme Court’s decision to refuse Richard Lloyd permission to serve a £3bn representative claim on Google in Delaware.

The decision is undoubtedly a setback in the developing field of “opt-out” data protection group claims – and the alternative “bifurcated approach” suggested by the Supreme Court raises many practical difficulties which could ultimately render it unviable.

However, the complex judgment includes some interesting nuggets about the judicial approach to data protection claims and to representative actions more generally. While the door for such claims has not been opened in the way that some (including the Information Commissioner) may have hoped, it remains ajar for future data protection group claims.

Background

The claim arises from the so-called “Safari Workaround”. Lloyd alleged Google bypassed Safari’s cookie settings to secretly track and harvest internet activity of millions of iPhone users. Lloyd, a former director of consumer group Which?, sought to use the representative procedure at CPR 19.6 to pursue the claim on behalf of the 4m iPhone users affected in England & Wales, on the basis they satisfied the “same interest” test. Mr Lloyd pursued the claim on behalf of the class on an “opt-out” basis, which meant potential claimants (i.e. the 4m iPhone users) were to be treated as participating in the claim unless they specifically opted out.

The Supreme Court Judgment

Overturning the Court of Appeal, the Supreme Court held that:

(a)   Damages for breaches of s.13 Data Protection Act 1998 (DPA) for “loss of control” of data could not be awarded unless there was proof that the relevant breach had caused material financial damage or distress.
It held it would not be appropriate to award damages for an infringement of the right in and of itself (as is permitted in claims arising from the tort of misuse of private information) because this would be contrary to the construction of DPA 1998, and because of material differences between the two regimes; and

(b)   It was not appropriate for Lloyd to pursue the claim using the representative procedure under CPR 19.6. This is because the claim, as formulated, would require an individual assessment of damages on a claimant-by-claimant basis, thus taking it outside the scope of CPR 19.6.

The court rejected Lloyd’s argument that each claimant should be awarded “lowest common denominator” damages of £750 because, even if such user damages were permitted (which the court denied), the damage set out in the claimant’s pleadings would not pass the minimum threshold.

The Bifurcated Approach

In the judgment, the court acknowledged the shortcomings of the representative regime under CPR 19.6, and expressed its preference for these shortcomings to be addressed by Parliament. Until such legislative reform, the court suggested Lloyd’s claim (and its equivalents) should be pursued using a bifurcated approach: Lloyd should first issue proceedings to establish liability on the part of Google, following which individual claimants could issue secondary proceedings to determine their individual damages.

There are many practical difficulties which may render this approach unfeasible. For example, it is unlikely to be attractive to litigation funders, who would be required to commit their capital for a longer period of time and would not receive a direct return from the first proceedings, even if successful. 

Potential Opportunities?

Notwithstanding the difficulties highlighted above, the judgment does not mean that all group claims for breaches of data protection are dead in the water. The claim in Lloyd v Google relates to the law set out in DPA 1998. That law is no longer in force, and the court specifically declined to be drawn on whether the claim would stand under the DPA 2018 and GDPR (noting that, unlike the DPA 1998, Article 82 of the GDPR permits compensation for non-material damage).

In addition, it is conceivable such an “opt-out” group claim could succeed where the claim relates to different factual circumstances. For example, a representative action under the tort of misuse of private information might arise where there is a sufficiently large group of individuals whose undeniably private data (such as medical records) is inappropriately used. In this regard, the court declined to uphold Google’s argument that Lloyd, as self-appointed class representative, had no authority to seek “lowest common denominator” damages (which, in effect, waived major parts of certain claimants’ damages). The court’s position is interesting, because it provides a potential work-around to the individual assessment of damages problem, which proved to be a significant stumbling block for Lloyd.

Finally, it is notable that, had Mr Lloyd brought the claim before the Competition Appeal Tribunal (CAT) alleging the breach arose from an abuse by Google of its dominant position, the outcome could have been quite different. This is because the CAT has power to award damages to groups on an aggregate, rather than individual, basis (provided it is satisfied that the allocation is “just”). This is certainly food for thought for future claimants, and may well lead to renewed calls for the CAT regime to be rolled out to all sectors.

Caroline Harbord is a Senior Associate, and Nick Owen is an Associate, both in the Dispute Resolution team at Forsters LLP: forsters.co.uk