Landmark Supreme Court decision curtails representative claims for data protection breaches (Lloyd v Google LLC)

Dispute Resolution analysis: The Supreme Court handed down its judgment in Lloyd (Respondent) v Google LLC (Appellant) on 10 November 2021, upholding the decision of Mr Justice Warby at first instance. The outcome (a unanimous decision from the Supreme Court) has enormous implications not just for data protection cases but for the UK class claims landscape as a whole. The Supreme Court result is undoubtedly good news for data controllers although bad news for the many data protection claims waiting in the wings. It seems likely that this result may well lead to a drop off, or at least a dampening, of the surge of cases in this area. Written by Rachel Ziegler, senior associate and Nazia Sohail, trainee solicitor at Bryan Cave Leighton Paisner LLP.

Lloyd (Respondent) v Google LLC (Appellant) [2021] UKSC 50

What are the practical implications of this case?

This case was brought under the Data Protection Act 1998 (DPA 1998) and the Supreme Court expressly stated their judgment had not considered the position under the current United Kingdom General Data Protection Regulation, Retained Regulation (EU) 2016/679 (UK GDPR) (as supplemented by the Data Protection Act 2018) that has since replaced it.

Nevertheless, any future claims in relation to unlawful data processing activity subject to the UK GDPR regime (or other historic claims under DPA 1998) may struggle to use the representative claims mechanism under CPR 19.6.

That is because this judgment was clear that to do so under DPA 1998 would require a claimant to conduct an exercise to collect evidence of the unlawful processing on a per-individual basis and then provide evidence of the individual harm suffered. Lord Leggatt noted that a general claim could have been brought to establish whether Google was in breach of DPA 1998 as a basis for pursuing individual claims for compensation. However, he noted that the claimant had not proposed such a two–stage procedure ‘doubtless because the proceedings would not be economic’.

Alternatively, an open route remains by way of seeking a group litigation order (using the opt-in mechanism); however, Lord Leggatt warns in his judgment that opt-in actions have historically experienced low participation rates due to lack of awareness of the opportunity to join the litigation.

Beyond this, there are some potential wider implications for the UK class action landscape. This decision may dampen the appetite of litigation funders and class action lawyers when it comes to data protection cases. Having said that, the popularity of class actions in other areas, for example competition and securities, continues apace and are unlikely to be slowed down by this case.

We anticipate that further clarification from the government and/or the Information Commissioner’s Office on policy intentions in the data protection space will be sought by those lawyers and funders seeking to promote data protection breach class actions.

The Supreme Court also overturned the Court of Appeal’s finding that an individual is entitled to recover compensation under DPA 1998, s 13 for so called ‘loss of control’ of their personal data—ie a right to damages without proof of material damage or distress whenever a data controller failed to comply with any of the requirements of DPA 1998 in relation to their personal data (provided only that the contravention is not trivial or de minimis).

Since the Supreme Court only considered DPA 1998, whether individuals can claim damages for a loss of control of their personal data under the UK GDPR still remains open to doubt.

What was the background?

Mr Richard Lloyd, with financial backing from a commercial litigation funder, issued a claim against Google LLC purporting to be a representative claim under CPR 19.6 on behalf of 4.4 million iPhone users.

Mr Lloyd applied for permission to serve the claim out of the jurisdiction. Google opposed the application on the grounds that: (i) damages could not be awarded under DPA 1998 without proof that a breach of the requirements of DPA 1998 caused an individual to suffer financial damage or distress, and (ii) the court should not in any event permit the claim to continue as a representative action.

Permission to serve out of the jurisdiction was denied at first instance by Warby J, but granted by the Court of Appeal. The Court of Appeal’s judgment was highly significant in that it appeared to expand the ambit of the use of CPR 19.6.

The issues on appeal to the Supreme Court were whether Mr Lloyd should have been refused permission to serve his representative claim against Google out of the jurisdiction: (i) because members of the class had not suffered ‘damage’ within the meaning of DPA 1998, s 13; and/or (ii) Mr Lloyd was not entitled to bring a representative claim because other members of the class did not have the ‘same interest’ in the claim and were not identifiable; and/or (iii) because the court should exercise its discretion to prevent the claim proceeding as a representative action.

What did the court decide?

Despite heavy lobbying during the government’s consultation last year, Parliament has not legislated to establish a class action regime in relation to the data protection space. In order to overcome this difficulty, Mr Lloyd relied upon CPR 19.6, which, in the words of the Court of Appeal, was ‘an unusual and innovative use of the representative procedure’. This is a procedure of very long standing in England and Wales whereby a claim can be brought by (or against) one or more persons as representatives of others who have ‘the same interest’ in the claim.

Mr Lloyd accepted that he could not use this procedure to claim compensation on behalf of other iPhone users if the compensation recoverable by each user would have to be individually assessed. But he contended that such individual assessment was unnecessary and that compensation could be awarded for ‘loss of control’ of personal data without the need to prove any financial loss or mental distress as a result.

The Supreme Court held that:

• the term ‘damage’ in DPA 1998, s 13 refers to material damage (such as financial loss) or distress and not to unlawful processing in of itself, and
• in order to recover compensation under DPA 1998, s 13, the claimant had to prove:
  • what wrongful use was made of personal data relating to each individual, and;
  • the material damage or distress suffered as a result of a breach of the requirements of DPA 1998 (requiring evidence of the particular damage or distress suffered by each individual for whom such a claim was made)

The Supreme Court held that this is incompatible with claiming damages on a representative basis and the representative action by Mr Lloyd should not be allowed to proceed.

Significantly Lord Leggatt, giving the lead judgment, noted that the ‘same interest’ requirement under CPR 19.6 must be interpreted purposively and pragmatically in light of its rationale and the overriding objective of the CPR of dealing with cases justly. The attempt to recover damages without proving either what, if any, unlawful processing of personal data occurred in the case of any individual or that the individual suffered material damage or mental distress as a result of such unlawful processing was therefore unsustainable.

In order to be credible, Mr Lloyd would have had to go into detail to show:

• the extent of the alleged unlawful processing for each individual, and
• the corresponding damage or distress suffered by each individual

Case details

• Court: UK Supreme Court
• Judge: Lord Justice Reed, Lady Justice Arden, Lord Justice Sales, Lord Justice Leggatt, and Lord Justice Burrows
• Date of judgment: 10 November 2021

First published on LexisPSL.