Good news for data controllers: Lloyd v Google Supreme Court decision
On 10 November 2021, the UK Supreme Court handed down the much anticipated judgment in Lloyd v Google LLC [2021] UKSC 50, unanimously allowing Google’s appeal and reversing the decision of the Court of Appeal.
In summary, the Supreme Court ruled that damages for “loss of control” are not available for breach of the Data Protection Act 1998 (DPA 1998), and that even if loss of control damages had been available, the claim could not be brought as a representative action as it would still have been necessary to assess the extent of the unlawful processing in each individual case.
The decision determines a number of issues that will have far reaching consequences for the future of data protection litigation, and the class action landscape in England & Wales more generally.
Background
Mr Lloyd sought to bring a claim as a representative action against Google on behalf of approximately 4 million individuals, claiming that Google had unlawfully processed browser data directly from users’ mobile devices without their consent using what has been called the “Safari Workaround”, to bypass privacy settings in order to track cookies for the purposes of targeted advertising.
A representative action is a form of “opt-out” litigation that is brought on behalf of all members of a particular class of claimant, unless they opt out. This type of class action contrasts with a Group Litigation Order which requires individual claimants to “opt-in” to the litigation.
The procedure for bringing a claim as a representative action is embodied in rule 19.6 of the Civil Procedure Rules, which requires that such a claim may be brought by or against a representative of others who have the “same interest” in the claim. Mr Lloyd argued that this “same interest” test was satisfied as each of the individuals he sought to represent had had their data protection rights breached in the same way. He argued that it was not necessary to prove any facts particular to individuals, on the basis that compensation should be awarded under the DPA 1998 (which was the relevant legislation in force at the time of the alleged breaches, but has since been replaced by the UK General Data Protection Regulation, supplemented by the Data Protection Act 2018) for “loss of control” over their personal data.
Google was successful at first instance, before the judge’s decision was overturned in Mr Lloyd’s favour by the Court of Appeal. On appeal to the Supreme Court, the court considered the following key issues:
- Loss of control damages: whether a damages claim under the Act could proceed in circumstances where no pecuniary loss, damage or distress has been suffered, with the result that claimants can bring an action for the mere “loss of control” of their data?
- Same interest: whether the “same interest” requirement can be satisfied if the pecuniary loss or distress suffered by the claimant class varies or, where recovery for mere loss of control is allowed, the class of claimants will satisfy this requirement as they have all suffered the same loss, namely the loss of control of their data.
Decision and implications
In a decision that will be largely welcomed by data controllers, the Supreme Court found on these central issues that:
- The claim that individuals could recover damages for “loss of control” over their personal data failed on the wording of s. 13 DPA 1998.[1] The court held that on its proper interpretation, the term “damage” in s. 13 must mean material damage (such as financial loss) or mental distress, and not just any unlawful processing itself. Accordingly, claims under the DPA 1998 require proof of financial loss or distress to found a cause of action.
- A claim for damages will not be able to be brought as a representative action unless the damages claimed can be calculated on a common basis for all of the members of the class represented. Thus, the circumstances in which such a claim may be brought will naturally be limited by the compensatory nature of damages as a remedy, given this will usually require “an individualised assessment which raises no common issue and cannot fairly or effectively be carried out without the participation in the proceedings of the individuals concerned”.
The court’s decision understandably focused on the interpretation of s. 13 DPA 1998 as the provision on which Mr Lloyd’s claim was based. Whilst the court did not determine whether the same approach applies to claims brought under the current data protection legislation (namely, the UK GDPR and DPA 2018), it is notable that the equivalent provision in the UK GDPR, Article 82, is worded in substantively similar terms.[2] The decision therefore largely removes the threat for data controllers of claims from large numbers of affected individuals seeking damages for the fact of a data breach or cyber-attack based on data protection legislation, although “loss of control” damages remain available for breaches of the tort of misuse of private information.
Similarly, although the court was keen to stress that the representative action procedure remains a legitimate means by which to bring low value claims on behalf of consumers, the court’s reasoning in relation to the “same interest” test is likely in practice to limit the use of this procedure as a “one stop shop” means of bringing low value damages claims against data controllers on behalf of a large class of individuals. Instead, claimants may need to adopt a two-stage process of the sort described in the court’s judgment, whereby the representative action is brought to determine issues of liability which can then form the basis for individual claims for compensation. As the court recognised, however, such an approach may in practice be less economically viable for claimants and their funders.
Further content
On Thursday, 18 November 2021 we hosted a webinar, where our panel of litigation partners were joined by leading data privacy silk Anya Proops QC to discuss the judgment and its implications. Click here to watch it on-demand.
[1] Article 82(1) provides that: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
[2] The section provides at s. 13(1) that: “An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.”