Lloyd v Google: A strong byte by the UKSC

By Arthur Ddamulira

Background

Mr Lloyd issued a claim alleging that Google breached the duties that it owed to over 4 million Apple iPhone users as a data controller under the Data Protection Act 1998 (the “DPA 1998”), during a period of some months in 2011-2012, when Google was allegedly able to collect and use their browser-generated information because of a Safari workaround. Mr Lloyd launched a representative action against Google for this breach and suggested that each claimant should receive approximately £750 in compensation, which would indicate a total potential liability for Google of up to £3 billion.

The use of a representative action is important as it is a form of “opt-out” litigation - the claim is made on behalf of everyone who is a member of a particular class of claimant unless they opt out. It contrasts with a Group Litigation Order which is “opt-in” and requires individual claimants to decide to become parties to the litigation. However, to bring a representative action, each class member must have the “same interest” in the claim.


Procedural history

The Court of Appeal reversed a decision by Warby J, who had decided in Google’s favour and refused permission to serve the proceedings on Google. Google then appealed to the Supreme Court.


Supreme Court

The issues before the court were: first, whether damages are recoverable under the DPA 1998 for “loss of control” of data, without needing to identify any specific distress or pecuniary loss; second, whether the proposed group of individuals satisfies the “same interest” test required for a representative action to proceed in England and Wales; and finally, whether the Court should exercise its discretion and disallow the representative action from proceeding in any event.

The court aptly dealt with the third issue and decided that it was unnecessary to decide whether the Court of Appeal was entitled to interfere with the first instance judge’s discretionary ruling because, regardless of what view of it is taken, the claim had no real prospect of success.


Regarding the first issue, the Court decided that interpreting “damage” under the Act to include a pure “loss of control” claim was untenable. Furthermore, there was no requirement under EU law to interpret the law to allow for “loss of control” compensation. Also, the argument that “loss of control” compensation should be available under the old Data Protection Act 1998 because it shares a “common source” with the tort of misuse of private information was misplaced because there are differences between the two such that no analogy could be rightly drawn. Also, the wording of section 13(1) of the DPA is inconsistent with an entitlement to compensation based solely on proof of a contravention of the DPA. This means that an underlying breach, in and of itself, does not automatically entitle an individual to damages.


Regarding representative actions, the Court was broadly encouraging of the use of representative actions in seeking, for example, declaratory relief concerning liability. In principle, the court was also open to their use in claiming damages where certain types of uniform per claimant damages are sought, but not in situations such as this case, where an individualised assessment of damages is required. This means that if liability was established, the court would still compensate the individual class members by reference to the harm or loss sustained. This harm could only be established by Mr Lloyd adducing evidence for each member of the represented class. Mr Lloyd could not circumvent the evidential burden required for this assessment. It is important to note that damages may still be claimed in a representative action if they can be calculated on a basis common to all persons represented.


Significance

Significantly, the court declined to discuss the UK GDPR, which came into effect in January 2021. This leaves the position there potentially unclear. With large tech companies continuing to hold large swaths of data under the new regime, this poses ongoing risks of data misuse for millions of individuals. Whether similar actions can succeed under the GDPR is therefore a question that the court will have to answer, and a task that firms with strong litigation practices will most likely handle.

The judgment also shows an unwillingness to group individuals and award a “uniform sum” for damages without properly inspecting the circumstances of their claims and requiring those circumstances to be proven. This further bolsters English courts’ unwillingness to adopt US-style class-action lawsuits in favour of the more tedious requirement to assess damages available to individual claimants. Such a requirement, and this judgment, also close any potential floodgates that could have opened had the judgment been in favour of Mr Lloyd. Commentators see this as a blow to consumers, since there are numerous cases in the pipeline that may not be able to proceed after this ruling. For example, there is an ongoing claim against TikTok on behalf of “young people”. This is exactly the type of large, unspecific group that the Supreme Court has just rejected in this case.