In a recent judgment, the UK Supreme Court unanimously refused to give permission for a litigant to serve a claim form outside of the jurisdiction in respect of a representative action brought against Google. This case, Lloyd v Google, is the latest, and most significant, in a line of recent decisions (see our other updates here and here) which show a general trend of the courts interrogating the type of losses that have been claimed and rejecting claims for losses that are not properly recoverable. The decision also provides some extremely helpful insights into the different options for initiating or defending legal proceedings on behalf of a class of affected persons.  Overall, the outcome represents a positive decision for any data controllers concerned about the possibility of class actions relating to data misuse, or indeed any organisation concerned with its exposure towards representative actions.

Key takeaways:

This decision has provided some welcome further clarification of how the UK courts will approach data protection compensation claims and attempts to bring actions in respect of a representative class.

The key result of this Supreme Court ruling is the major implications it has on the availability of representative actions. Indeed, it seems highly unlikely now that any claimants wishing to make use of this type of representative action will be able to do so in the context of a data misuse claim, except perhaps to obtain declarations of liability against a controller. It should be noted though that this “opt-out” representative action is just one of a number of different options for group litigation in the UK courts.  We are aware of certain other significant data claims in respect of a class which are proceeding on the basis of an “opt-in” group litigation order pursuant to CPR 19.11, and the procedural impacts of this decision may be more limited for those cases. 

As regards the data protection implications of this decision, the case is undoubtedly another very welcome development for data controllers.  Although decided under the old UK law, with the court being clear that it was not expressing any views on the effect of GDPR on this decision, a number of the principles set out in this decision seem to be highly relevant to the current UK laws.  In particular, (i) contravention of data protection laws alone is not sufficient to launch a successful claim, and individuals must be able to demonstrate damage to a court’s satisfaction, (ii) claims in respect of loss of control of personal data based purely on GDPR breaches seem to be unsustainable going forward.

Background to the case

In brief summary of the facts:

Long before GDPR and the UK Data Protection Act 2018 were passed, in the period between 2011 and 2012, Google had issues in the roll-out of its new advertising features on Apple’s browser Safari.

In implementing a workaround so that the roll out would operate on Safari browsers, Google was able to bypass certain protections against third party marketing in the browser and place “DoubleClick” ad cookies without the consent or knowledge of Safari users.

Having placed these cookies, Google was able to collect Safari users’ data without their knowledge or consent for commercial purposes, which enabled advertisers to target advertisements at users based on their browsing history.

Regulatory action in respect of these allegations had already concluded in the US, and the UK courts had already heard a claim in respect of the same series of events brought by different data subjects (Vidal-Hall v Google Inc). The claim in Vidal-Hall, however, was not brought on behalf of a class and was more widely pleaded than the instant claim (e.g. it alleged that Google had tortiously misused the claimants’ private information).    

The claimant, a consumer rights activist, sought compensation under the Data Protection Act 1998 (“DPA 1998“) from Google, arguing that the workaround allowed Google to secretly track the activities and collect data without the consent and that the group should be compensated.   

What was the claim?

The Claimant was attempting to bring this case on behalf of the entire population of iPhone users in the UK during the period while Google was using the Safari workaround – this numbered approximately 4 million individuals.  “Class actions” of the style prevalent in the US are much more limited under UK law.  However, the Civil Procedure Rules do allow claims to be brought by an individual representing a group of people who have the “same interest” in the claim under CPR 19.6.  The Claimant used what was described by a lower court as an “unusual and innovative use” of this procedure to bring this claim against Google. 

The argument from the Claimant went that the “same interest” requirement was satisfied because all individuals affected by the Safari workaround had suffered from the “loss of control” of their data.  This obviated the need to investigate the individual circumstances of each user and determine what compensation was recoverable case by case, which would have made the “same interest” arguments unsustainable as well as adding significant administrative burden. Suggested damages of £750 per data subject were referred to in the letter of claim (although this amount would be a matter for argument) – and with 4 million users affected, this meant Google’s potential pay out would reach the £3 billion mark.

As Google was incorporated in the US, the Claimant needed permission from the court to serve the claim form outside of the jurisdiction.  Google contested the application made by the Claimant for permission to serve, on the basis that “loss of control” damages were not permissible under the DPA 1998 without proof of financial damage or distress, and that the claim was in any case not suitable for a representative action.  At first instance, the court decided in Google’s favour and refused permission to serve.  This was reversed in the Court of Appeal, and then appealed to the Supreme Court. 

What happened?

The Supreme Court unanimously agreed that the claim for damages had no prospect of success, and therefore upheld the trial judge’s ruling refusing the claimant permission to serve the claim form on Google.   

Representative Actions in General 

The court began its analysis with a detailed exploration of the long history and principles which underpin the representative procedure.  It found from the authorities that there were six key principles which had to be taken into consideration when deciding whether to allow a representative action to proceed:

The representative has to have the “same interest” in the claim as the persons represented.  This is to be interpreted purposively in light of the CPR’s overriding objective. Although there is inherently some flexibility in how the “same interest” can be defined, it clearly does not exist where there is a conflict of interest between class members and an argument may advance the interests of some of the class but not others.

The court has a wide discretion about whether to allow a representative action to proceed. 

The representative does not need the consent of other class members in order to act as the representative.  Indeed, it is possible for the class members to be entirely unaware that the representative action has been brought on their behalf.

There is some degree of flexibility in how the class may be defined, although the precision with which a class can be defined will inform the court in the exercise of its discretion in deciding whether it is just and convenient for the action to proceed on a representative basis.

In principle, it is possible for the court to make non-party costs orders against persons who have been represented although the court recognised it would be difficult to envisage a situation where it would be just to make such an order against a person who had not authorised the representative.  It did however make clear that commercial litigation funders who finance unsuccessful proceedings would likely be ordered to pay the successful party’s costs.

The potential for claiming damages in a representative action is made more challenging by the long established principles requiring that damages can only be awarded on a compensatory basis.  The object of any damages award is to put the claimant in the position that they would have been in had the wrong not occurred, and this exercise necessarily involves an assessment of the individual position of each person in respect of whom the claim has been brought.  Where there is no common issue between the class when it comes to the loss they have suffered, it is not possible to fairly or effectively assess damages without the participation of the individuals in respect of whom damages are claimed.  The court concluded in quite strong terms that “a representative action is therefore not a suitable vehicle” for this damages assessment exercise.  There may be some situations where a damages entitlement can be calculated on a common basis across the class, such as where every class member had incorrectly been charged a fixed fee, but then a secondary issue would arise on the question of how to distribute any damages award to the members of the class – which would include a thorny question about the legal basis for making payments to litigation funders without the individual consent of each represented individual entitled to damages. 

Lord Leggatt outlined that in principle a representative action could be used to establish the data controller’s liability and whether it had acted in breach of the DPA 1998.  The claimants could have sought a declaration to this effect and that any affected member of the class was entitled to damages.  This would have required the affected individuals to initiate separate proceedings based on this declaration in order to determine the award of damages which would provide compensation particular to their circumstances (e.g. how long they were affected by the Safari workaround, what type of data was lawfully processed, how much data was unlawfully processed, etc).  This approach was not used here, and a representative action for damages was pursued, in part because the litigation was financially backed by a commercial litigation funder who would have considered the proceedings uneconomical if separate further claims had to be brought and each individual loss had to be proven.

Damages under the DPA 1998

In order to establish a claim which would not require this individual assessment, which as well as being highly unattractive commercially would have likely meant there was no “same interest” thereby making the claim untenable, the Claimant made two arguments.  First, that data subjects were entitled to compensation under s.13 of the DPA 1998 on the basis that a “uniform sum” could be awarded to reflect the serious nature of the breach. The claim was framed by reference to the decision in Gulati v MGN, where in a claim for misuse of private information, damages were awarded on the basis that the misuse deprived the claimants of their right to control the use of the private information.  The claimant in Lloyd sought to extend this principle such that it applied whenever a data controller failed to comply with any of the requirements of the DPA 1998 – provided that the contravention exceeded a de minimis level, it would constitute a loss of control which for which compensation was payable.  This position was supported, according to the Claimant, because claims under the DPA 1998 and in tort for misuse of private information derived from the same common source – the fundamental right to privacy enshrined in Article 8 of the European Convention on Human Rights. 

The court rejected this argument.  As well as rejecting out of hand the argument that a common source for two entirely different legal regimes meant that the principles applicable to damages recovery had to be aligned, it considered closely the wording of s.13 DPA 1998.  The court held that a claim for loss of control of personal data in the sense argued for by the Claimant was not “damage” within the meaning of the DPA 1998.  Contravention of the regime itself was not the same thing as damage, and the damage an individual had to suffer was material damage (i.e. financial loss, physical or psychological harm) or, in certain cases, distress caused by the unlawful processing of data. On that basis, the alleged loss of control of the users’ data was not enough — Lloyd instead had to prove damage resulting from that breach, which could only have been done on an individualised basis.   

The second argument was that each member of the class was entitled to damages assessed as an amount they could reasonably have charged for Google to be released from the duties which it breached.  This argument was given short shrift by the court, who determined that the principles on which these “user damages” are awarded do not apply to compensation claims under the DPA 1998. This is because although user damages could apply in an action for misuse of private information, compensation for breaches of the DPA 1998 could only be awarded in accordance with s.13 where material damage or distress has been suffered.    

Having emphatically decided that the claim was not sustainable in the absence of evidence that the individual had suffered material damage or distress, the court nevertheless considered the counterfactual position had the claim been able to proceed without this evidence.  It concluded that the representative claim would nevertheless have failed. The extent of the unlawful processing would still need to have been determined in each individual case in order to establish the level of damages to be awarded – there would be been differences between users in the period for which they were affected, the quantity and sensitivity of data unlawfully processed, and the commercial benefits derived from this by Google.

The claimant accepted this, but said that it was possible to ascertain an “irreducible minimum harm” suffered by each member of the class in respect of which a uniform sum of damages could be awarded.  The facts that were common to each individual that would have fallen within the class were necessarily set at a fairly low level of activity – all that was required was that someone whose internet usage, apart from one visit to one website, was not illegally tracked and received no targeted advertising as a result of Google’s placing of the cookie.  Whilst this had the effect of making the class as broad as possible whilst still being capable of definition, it did lead the court to conclude that any “damage” (in the broader sense advocated by the claimant, which had already been rejected by this point) suffered would at best be trivial.  Without some proof of harm beyond this bare minimum level required to establish the boundaries of the class, the claim on behalf of an individual had no prospect of exceeding the de minimis threshold required for a damages award. 

Similarly an argument framed by reference to user damages would also have failed.  Based on the level of irreducible minimum harm advanced, the hypothetical licence which would have been sought would have been for placing a cookie as a third party cookie, but without releasing Google from its obligations not to collect or use any information about that person. Such a licence would be without any commercial value to the person placing the cookie, and accordingly they would not have paid a user fee in order to validly place such a cookie.  

One further observation

One GDPR driven impact which is potentially unhelpful for data controllers established outside of the UK should be noted however.  The recent decision of Sanso Rondon v Lexis Nexis is authority for the proposition that, although appointed representatives have no liability of themselves for a controller’s GDPR breaches, their duties they are under an obligation to accept service of process where proceedings are brought against the controller they represent.  Arguably, this would have been quite unhelpful for Google in this instance, given that the claimant could have served on Google’s appointed representative without having to seek the court’s permission to serve out.  Had no application to effect service been required, the litigation process would likely have advanced much further before the court was asked to consider the question of whether the claimant has a reasonable prospect of success, which could have materially increased litigation costs for both sides of the dispute.  The decision in Lloyd may give some organisations who are grappling with the question of whether they need to appoint an authorised representative in the UK some pause for thought. 

Author

Paul is head of cybersecurity in the UK and a key member of our wider data protection team. For 15 years, Paul has guided clients through all types of major data security incidents as well as complex technology and data disputes. Paul pioneered an award-winning data breach and dark web scanning tool which was the first product of its kind in the legal market.

Author

James is a Senior Associate in the London Technology team. James advises on a wide range of contentious and non-contentious matters across a variety of industry sectors. His practice primarily consists of advising on commercial contracting arrangements, IT and business process sourcing, technology disputes, data protection and other regulatory issues. James has also been seconded to the network sharing and IT procurement team of a mobile network operator, the operations and technology procurement team of a mobile network operator and to the IP agreements and licensing team of a leading international oil company.