Not so long ago, following the Court of Appeal’s judgment in the seminal case of Lloyd v Google LLC [2019] EWCA Civ 1599, commentators and media outlets predicted an era where organisations would be submerged in a rising tide of US-style ‘class-action’ data breach claims.
On the contrary, 2021 has given us three recent cases which have decisively reshaped the likely future landscape of these claims. They are:
- Darren Lee Warren v DSG Retail Limited [2021] EWHC 2168 (QB)
- Alan Rolfe & Ors v Veale Wasborough Vizards LLP [2021] EWHC 2809 (QB)
- Lloyd v Google LLC [2021] UKSC 50
In the third and final installment of our data protection claims series, we will be discussing case three: Lloyd v Google LLC [2021] UKSC 50.
The background facts
The case stems from allegations that between August 2011 and February 2012, Google took advantage of the configuration of software on Apple iPhones, so that if a user of Safari on those iPhones visited a website that contained DoubleClick Ad content, a third-party marketing cookie was installed on the user’s device. This was known as the ‘Safari Workaround’, as it had the effect of bypassing protections in Apple’s Safari browser on those devices, which blocked third-party marketing cookies by default. The DoubleClick Ad cookie is alleged to have enabled Google to track the user’s activity across websites and to collect considerable amounts of information about their internet usage and advertisement viewing habits. This allegedly enabled Google’s distribution of targeted advertising to those users and ultimately fed into Google’s commercial profits.
This case concerns Mr Richard Lloyd who, supported by very significant litigation funding, issued a representative claim under CPR 19.6 for damages for breach of the DPA 1998. For the purposes of the representative action, Mr Lloyd issued a claim not only on behalf of himself, but all those potentially affected by the Safari Workaround (the ‘Class’). This is a well-established procedure in which a claim can be brought by an individual as a representative of others who have ‘the same interest’ in the claim. Mr Lloyd argued that this requirement was satisfied, since all members of the Class could claim damages for ‘loss of autonomy’ or ‘loss of control’ over their data, for a uniform amount (which court documents stated as being £750 per user), and without the need for individual assessment of damages.
As Google is incorporated in the US, Mr Lloyd required the Court’s permission to serve the claim outside the jurisdiction. Google resisted this on the basis that the representative claim had no real prospect of success.
The decision
The judgment of the Supreme Court (Lord Leggatt, with whom the others agreed), allowed Google’s appeal, overturning the decision of the Court of Appeal, which would have allowed Mr Lloyd to serve his claim out of the jurisdiction on Google.
There are two key points from the judgment:
- The impact on Data Protection Law claims
- The potential impact on Misuse of Private Information (MoPI) claims
Mr Lloyd argued that damages could be awarded for ‘loss of control’ of personal data, stemming from any non–trivial contravention by a data controller of any of the requirements of the DPA 1998.
After exploring, and rejecting, several alternative arguments, the Supreme Court concluded that s13 DPA 1998 could not reasonably be interpreted as conferring on a data subject a right to compensation for any ‘contravention’ by a data controller of any of the requirements of the DPA 1998, without the need to further and separately prove that the contravention caused material ‘damage’ or ‘distress’ to the individual concerned [138].
This, in turn, would require individualised assessment [144]. On the Claimant’s own case there was a de minimis threshold that had to be crossed before a breach of the DPA 1998 would give rise to an entitlement to compensation under s13 DPA [153]. The bare minimum to bring someone into the Class (or the ‘lowest common denominator’) was someone whose internet usage – apart from one visit to a single website, which resulted in the download of the Google DoubleClick Ad cookie – was not illicitly tracked and collated and who received no targeted adverts [151]. This was considered to be below the de minimis threshold and the Supreme Court found it impossible to characterise the damage as more than trivial.
The Supreme Court stated that the Claimant was, in effect, attempting to recover damages without attempting to prove the allegation was true in any individual case or any details of unlawful processing beyond the bare minimum to bring them within the definition of the Class [153]. Accordingly, this case had no prospect of success in meeting the de minimis threshold for an award of damages.
Mr Lloyd did not bring a Misuse of Personal Information (MoPI) claim for reasons which are unexplained. However, as Mr Lloyd did attempt to argue that the principles identified in caselaw for MoPI claims at common law also apply to the assessment of compensation under s13 of the DPA 1998, the Supreme Court did go on to comment on the availability of damages claimed on a representative basis for such a claim.
A fundamental element of Mr Lloyd’s attempt to bring his claim within the representative action procedure was the assertion that a non-trivial breach of any individual’s rights gives rise to an entitlement to damages for ‘loss of control’ of personal data. Mr Lloyd argued that because the tort of Misuse of Private Information (where ‘loss of control’ damages are awarded) and data protection legislation are both rooted in the same fundamental right to privacy (Article 8 of the European Convention of Human Rights (ECHR)), the same approach to damages should be adopted for both causes of action.
The Supreme Court rejected this approach. Lord Leggatt observed that there are material differences between the two regimes, including that data protection legislation applied to all personal data with no need to prove that the data is confidential or private in nature or that there is a reasonable expectation of privacy, whereas an action in MoPI protects information only where there is a reasonable expectation of privacy [130]. Furthermore, a Claimant is entitled to damages for contravention of the data protection legislation only where the data controller has failed to exercise reasonable care, whereas an action in MoPI is a tort involving strict liability for deliberate acts, and damages ‘can be awarded for commission of the wrong itself’ and ‘may be awarded without proof of material damage or distress’ [133].
Finally, going back to the need for individualised claims, the Supreme Court commented that the Claimant would have been aware that to establish a reasonable expectation of privacy, it would have been necessary to obtain evidence from each individual claimant and this requirement would be ‘incompatible’ with the nature of his representative claim [106].
Similarly, ‘user damages’ (i.e. compensation in a hypothetical negotiation with the Defendant for the loss of control of the use of the data), which lend themselves appropriately to MoPI claims, could not be sought in this case because of the inability or unwillingness of the Claimant to prove what, if any, wrongful use was made by Google of the personal data of any particular individual, which again means that any damages awarded would have to be nil [154]. This would require individualised assessment of what unlawful processing by Google of the Claimant’s data actually occurred. For the Court to avoid the process of individualised assessment, they would have to consider the only wrongful act in common for the whole Class (i.e. the ‘lowest common denominator’, as above). This was the individual who had a DoubleClick Ad cookie placed on their phone, but without more, such a ‘licence’ to Google, would be valueless and the ‘user damages’ which could reasonably be charged for it would be nil [157].
Case comment
The judgment offers guidance for future claimants, who now know what hurdles they face in seeking to pursue a representative action for damages in data privacy litigation. It is abundantly clear that claimants in data protection litigation must show the breach that has taken place and the resulting damage of that breach on an individualised basis.
The judgment is unlikely to preclude the possibility of a group of individualised data breach claims where individuals have been tracked for several years and sensitive data has been collected i.e. data concerning health and/or sexuality – in other words, more serious and egregious breaches.
The downsides for Claimants are likely to be practical. MoPI claims may be more attractive than data protection claims due to the availability of ‘loss of control’ damages, but Claimants must establish the ‘reasonable expectation of privacy’ (narrower than the availability of DPA claims) and cannot bring these claims where there is no ‘wrongful’ act by the controller. This will impact a Claimant’s efforts to acquire costs protection because ATE insurance premiums are not recoverable from the Defendant for pure data protection claims. Lawyers will of course still be free to run cases on conditional fee (no-win-no-fee) agreements, although that in and of itself presents a substantial risk to firms.
It remains to be seen what, if any impact, the judgment will have on future mass claims founded on a breach of the UK GDPR and/or DPA 2018. The Supreme Court made clear that references to terms of the UK GDPR could not assist any interpretation of the DPA 1998. However, the terminology of Article 82 is similar to the DPA 1998 and the Data Protection Directive, therefore it is reasonable to believe that the case may be decided in a similar manner on the new law.