Lloyd v Google LLC: Supreme Court closes floodgates on opt-out data protection claims

25 November 2021
Author: Joseph Irwin

On 10 November 2021, the Supreme Court delivered its judgment in Lloyd v Google LLC [2021] UKSC 50, finding unanimously in favour of Google and rejecting the claim brought by Mr Lloyd on behalf of himself and over 4 million other iPhone users in respect of alleged breaches of data protection law.

The judgment will come as a significant relief to data controllers of all sizes who, following the Court of Appeal’s decision, faced the prospect of large-scale data claims. The Supreme Court’s discussion of the representative claim procedure will also be of interest to anyone involved in multi-party litigation.

Key points

  1. The Court rejected Mr Lloyd’s argument that data subjects are entitled to compensation for the mere “loss of control” of their data, without proof of financial loss or distress. In any event, the claim could not proceed as a representative claim, as facts relating to each represented person were needed to prove any entitlement to damages.
     
  2. The case was decided under the data protection laws applicable at the time, which have since been superseded. Whilst it is possible that a different result might be reached on the “loss of control” issue under the new regime (based on potentially broader statutory wording), the need for individual facts would likely still cause issues for a representative claim.
     
  3. Despite rejecting Mr Lloyd’s claim, the Court emphasised the representative procedure as “a flexible tool of convenience in the administration of justice”, particularly at a time when digital technologies have greatly increased the potential for mass harm and, therefore, the need for collective redress. It nevertheless considered that a detailed legislative framework would be preferable, although it remains to be seen whether Parliament will take any action.
     
  4. As the legal test for a representative claim was not met, the Court did not have to consider whether to exercise its discretion to prevent the claim proceeding on that basis. It therefore did not need to engage with the desirability of this type of action, in particular whether it was “officious litigation” as the High Court had held (with which the Court of Appeal disagreed).

The facts

Mr Lloyd alleged that for several months in 2011-2012, Google had used a cookie to secretly track the internet activity of millions of iPhone users without their consent and sold that information to advertisers. This allegation was not new and had already given rise to substantial settlements in the US.

Mr Lloyd, with the backing of a commercial litigation funder, sought to bring his claim on behalf of everyone in England and Wales who had been affected, with an estimated value of £3bn.

The law

Data Protection Act 1998

The data protection law applicable at the relevant time was contained in the Data Protection Act 1998 (“DPA 1998”).

Section 4(4) DPA 1998 required ‘data controllers’ (such as Google) to comply with various data protection principles, which Mr Lloyd claimed had been breached.

Section 13 DPA 1998 gave individuals a right to compensation where they suffered “damage” due to a breach.

Representative claims (CPR 19.6)

The UK, unlike some other countries, does not have a general mechanism for bringing ‘class actions’. Instead, there exist a variety of procedures by which collective redress can be sought.

Mr Lloyd attempted to use the representative procedure in CPR 19.6, which allows a claim to be brought by (or against) one or more persons as representatives of others who have the “same interest” in the claim.

A key feature of this procedure is that it is ‘opt-out’ and, as such, represented persons do not need to take any positive step, or even be aware of the existence of the action, in order to take advantage of the outcome.

The Supreme Court’s judgment

It had previously been held in another case that “damage”, for the purposes of section 13 DPA 1998, includes (i) material damage (essentially financial loss) and (ii) distress. In either case, an individual assessment of the harm is needed, precluding use of the representative procedure (as the represented persons would not have the “same interest”).

Mr Lloyd, however, sought to “break new legal ground” by arguing that claims under section 13 DPA 1998 could also be made for the “loss of control” over personal data which, he said, inevitably results from a breach of the Act and which all members of the class had suffered. In other words, that damages were available for the breach itself, without the need to prove material damage/distress.

The Court rejected this argument on the basis that:

  1. Such a reading of section 13 DPA 1998 was “untenable” as a matter of domestic law and was not required by EU law.
     
  2. The fact that the tort of misuse of private information, for which damages can be awarded for the loss of autonomy itself, and the data protection legislation both sought to protect a person’s right to privacy did not mean that they must do so by affording identical remedies. In fact, there were material differences between the two regimes which made the analogy “positively inappropriate”.

The Court went on to hold that, even if “loss of control” did constitute “damage” for the purpose of section 13 DPA 1998, the claim could still not have proceeded as a representative claim, as it would have been necessary to establish, in each case, the extent of any unlawful processing by Google in order to determine the amount of damages (if any) to be awarded. Relevant factors would include the quantity and nature of the data, the period of time over which it was taken and the use to which it was put. This would inevitably differ from one individual member of the class to another.

Mr Lloyd had sought to overcome this issue by disavowing reliance on any facts relating to individual class members and instead claiming an “irreducible minimum harm” suffered by each of them for which a uniform sum of damages could be awarded. This, however, failed because the limited common facts on which Mr Lloyd sought to rely (only that each person had a cookie unlawfully placed on their device) were insufficient to establish anything more than trivial or de minimis harm and, therefore, any entitlement to damages.

The Court similarly rejected Mr Lloyd’s alternative method of assessment based on ‘user damages’ (a hypothetical sum which data subjects could have charged Google for releasing it from its duties), as, even if such damages were available (which was not the case), the sum which Google would pay to place a cookie on a user’s device, but not to collect or use any of their data, would be zero.

The future of representative claims

Whilst the judgment highlights a significant constraint on the ability to use the representative procedure to claim damages, the Court nevertheless held that this would be possible where the damages could be calculated on a basis common to all the persons represented (e.g. where they were each wrongly charged a fixed fee) or where the loss suffered by the class as a whole could be calculated without reference to individual claims.

The Court also considered that, where damages would require individual assessments, a bifurcated (two-stage) process might be used, whereby a declaration of liability is sought through a representative claim, followed by individual (or presumably group) claims for damages. This approach could have been adopted by Mr Lloyd but wasn’t, “doubtless”, the Court held, because pursuing the individual claims would not have been cost-effective.

Also, whilst the Court held that the representative procedure was not available in this case, it nevertheless endorsed a liberal approach to it and, in particular, the “same interest” requirement, which will no doubt influence lower courts for years to come. In particular, it held:

  1. Contrary to the approach taken in some other cases, the “same interest” requirement does not impose a tripartite test (namely a common interest, common grievance and remedy beneficial to all). Instead, it should be interpreted purposively in light of its rationale and the overriding objective of the CPR.
     
  2. The purpose of the requirement is to ensure that the representative can be relied on to promote and protect the interests of all represented persons. Whilst this would not be possible where there was a genuine conflict of interest between them, there was no issue with class members having “merely divergent interests”, in that an issue arises in respect of some of the claims but not others. Such concerns as may have once existed about whether representatives could be relied on to pursue vigorously lines of argument not directly applicable to their case are misplaced in the modern context, where proceedings are typically driven by lawyers/litigation funders, with the representative claimant merely acting as a figurehead.

The full text of the Supreme Court’s judgment is available here.

Return to Listings

Our Insights