Lloyd v Google [2021] UKSC 50: A landmark Supreme Court judgment
![Lloyd v Google [2021] UKSC 50: A landmark Supreme Court judgment](/_next/image?url=https%3A%2F%2Fimages.iicj.net%2Farticle%2Ffeature%2FDataPikfbcfd.jpeg&w=3840&q=75)
Caroline Harbord and Nick Owen consider the new precedent on data law
Large data controllers will breathe a huge sigh of relief following the Supreme Court’s decision to refuse Richard Lloyd permission to serve a £3bn representative claim on Google in Delaware.
The decision is undoubtedly a setback in the developing field of “opt-out” data protection group claims – and the alternative “bifurcated approach” suggested by the Supreme Court raises many practical difficulties which could ultimately render it unviable.
However, the complex judgment includes some interesting nuggets about the judicial approach to data protection claims and to representative actions more generally. While the door for such claims has not been opened in the way that some (including the Information Commissioner) may have hoped, it remains ajar for future data protection group claims.
Background
The claim arises from the so-called “Safari Workaround”. Lloyd alleged Google bypassed Safari’s cookie settings to secretly track and harvest internet activity of millions of iPhone users. Lloyd, a former director of consumer group Which?, sought to use the representative procedure at CPR 19.6 to pursue the claim on behalf of the 4m iPhone users affected in England & Wales, on the basis they satisfied the “same interest” test. Mr Lloyd pursued the claim on behalf of the class on an “opt-out” basis, which meant potential claimants (i.e. the 4m iPhone users) were to be treated as participating in the claim unless they specifically opted out.
The Supreme Court Judgment
Overturning the Court of Appeal, the Supreme Court held that:
(a) Damages for breaches of s.13 Data Protection Act 1998 (DPA) for “loss of control” of data could not be awarded unless there was proof that the relevant breach had caused material financial damage or distress.
It held it would not be appropriate to award damages for an infringement of the right in and of itself (as is permitted in claims arising from the tort of misuse of private information) because this would be contrary to the construction of DPA 1998, and because of material differences between the two regimes; and
(b) It was not appropriate for Lloyd to pursue the claim using the representative procedure under CPR 19.6. This is because the claim, as formulated, would require an individual assessment of damages on a claimant-by-claimant basis, thus taking it outside the scope of CPR 19.6.
The court rejected Lloyd’s argument that each claimant should be awarded “lowest common denominator” damages of £750 because, even if such user damages were permitted (which the court denied), the damage set out in the claimant’s pleadings would not pass the minimum threshold.
The Bifurcated Approach
In the judgment, the court acknowledged the shortcomings of the representative regime under CPR 19.6, and expressed its preference for these shortcomings to be addressed by Parliament. Until such legislative reform, the court suggested Lloyd’s claim (and its equivalents) should be pursued using a bifurcated approach: Lloyd should first issue proceedings to establish liability on the part of Google, following which individual claimants could issue secondary proceedings to determine their individual damages.













