On November 10, 2021, a unanimous decision by the UK’s Supreme Court in Lloyd v. Google in favor of Google rejects an attempt to bring opt-out class action cases for data privacy claims in the UK.
In the UK, a robust class action regime for the field of data protection does not currently exist, and the Lloyd decision reflects a rejection of class action or representative actions in the data privacy realm Unlike the UK, a class action regime that allows for mass claims (including opt-out cases) has long existed in the US. Further, class action claims in the US have extended beyond traditional privacy tort claims to other claims related to data privacy (e.g., for violations of consumer protection laws and recently enacted data privacy laws such as the CCPA).
Background of Lloyd v. Google LLC
Plaintiff Richard Lloyd filed an opt-out mass privacy action in English courts against Google relying on an old Civil Procedure Rule 19.6 which permits representative actions. Lloyd sought to bring the mass privacy action on behalf of 4.4 million allegedly affected iPhone users as a representative action for breach of Section 4(4) of the Data Protection Act 1998 (“DPA”).
Lloyd alleged that Google had breached its duties as a data controller under Section 4(4) of the DPA. Google allegedly used a workaround to capture user browser data from iPhone users when visiting a site with Google content after Apple enabled the automatic blocking of third-party cookies in its Safari browser. Lloyd alleged that the use of Google’s Safari workaround secretly tracked and captured data from millions of Apple iPhone users (between late 2011 and early 2012) without the users’ knowledge or consent.
Further, Lloyd argued that an individual is entitled to compensation under Section 13 of the DPA whenever a data controller fails to comply with any of the requirements of the DPA in relation to that individual’s personal data without proof of damages, provided that the breach is not trivial or de minimum. Lloyd sought a uniform amount of damages for all individuals without proving damage for all on basis of “loss of control” (or “user”) damages, a lowest common denominator of loss suffered by every individual by reason of the breach. Lloyd argued that because the loss of control of data has value, the users were entitled to compensation for that value of that loss.
In the High Court, Lloyd had to show a reasonable prospect of success to serve Google out of jurisdiction to move the case forward. Google contested Lloyd's claim on two grounds:
- damages cannot be awarded under the DPA for "loss of control" of data without proof that it caused financial damage or distress; and
- the claim, in any event, is not suitable to proceed as a representative action.
The High Court held in favor of Google on both issues and refused permission to serve Google.
Then, Lloyd appealed and the Court of Appeals which allowed it, reversed the High Court’s decision, and granted permission to serve Google.
Finally, Google appealed to the Supreme Court where the case captured more attention and triggered various intervening parties including UK’s Information Commissioner's Office (ICO).
UK Supreme Court Decision
The issue brought before the Supreme Court on whether Lloyd should have been refused permission included three key questions:
- Whether members suffered damages within the meaning of section 13 of the DPA 1998?
- Did the class share the "same interest," as required for a representative action to proceed?
- Should the court exercise its discretion to disallow the representative action?
1. Damages for Loss of Control
The Supreme Court rejected Lloyd’s argument that “loss of control” damages without proof was within meaning of the DPA.
Meaning of Damages
The Supreme Court held that to recover compensation under the DPA proof of material damage or distress are required: “to recover compensation [under the DPA] for any given individual, it would be necessary to show both that Google made some unlawful use of personal information relating to that individual and the individual suffered some damage as a result.”
The Supreme Court considered the wording of Section 13 of the DPA which states that a person who suffers damage from contravention by a data controller of any requirements of the act (or damages suffered from distress meeting specific conditions of Section 13) is entitled to compensation for that damage or distress. It also noted that the intent behind the wording of Section 13 of the DPA was to implement Article 23 of the GDPR which provided compensation from a controller for damages suffered, i.e., material damage.
Thus, requiring only proof of breach would be inconsistent with the DPA.
Loss of Control Damages for Data Protection Violation
Lloyd argued that the same rule for “loss of control” or “user” damages without proof of damages permitted for claims for the tort of misuse of private information should apply to the claim for the violation of the DPA. Lloyd claimed this was appropriate because they are based on the same right to privacy. In the tort cases, loss of control compensation was available for wrongful use of property, even without financial/physical damage.
The Supreme Court rejected Lloyd’s argument that the same rules for loss of control or user damages should apply. It emphasized distinctions between the common law tort claim of violation of privacy for misuse of private information a claim for a violation of a data protection law (e.g., the tort claim requires a reasonable expectation of privacy). Further, the court noted that Lloyd did not bring a claim for misuse of the data collected by Google but rather a violation of the DPA.
Thus, loss of control damages without proof did not apply.
2. Representative Action
Most critically, the Supreme Court found that a representative action, in this case, would fail.
The Supreme Court held that recovery under the DPA requires proof of unlawful use and material damage or distress suffered as a result. The Supreme Court said that Lloyd had to show that each of the individuals of the class had both suffered a breach and suffered damages as a result of that breach. Thus, the use of a representative action as a method for recovery without proving either will fail.
In the decision, the Supreme Court rejected the argument for a representative action for breach of the DPA. Further, the Supreme Court determined that a representative action for damages without an individualized assessment for damages would fail.
Representative Action for Breach – Same Interest Test
The Supreme Court evaluated the representative action to establish breach of the DPA and entitlement to compensation based on that breach. The CPR 19.6 permits claims to seek recovery on behalf of a group of individuals where all individuals have “the same interest” in the claim. The court noted that the CPR 19.6(1) requires proof that all individuals have the “same interest” in claim as the representative and this test was not met.
However, the court noted that Lloyd could have framed the claim differently and adopted a bifurcated process for the representative action under the Act and individual claims for damages separately. As Lloyd did not seek a bifurcated action, the Supreme Court stated that the only other option for Lloyd was a representative action for damages.
Representative Action for Damages – Uniform v. Individual
The Supreme Court evaluated a representative action for damages and Lloyd’s claims for damages for each class member on “uniform per capita basis.” The court stated that this option fails because the effect of Safari Workaround was not uniform across the class and likely varied by types of users (i.e., super/heavy users v. limited users) and different types and amounts of affected data. Thus, individualized assessment of damages would be required for all class members.
Lloyd argued for no assessment requirement relying on the proposition that the class was entitled to compensation for any (non-trivial) contravention of DPA without the need to prove individual damages. Lloyd argued that all members suffered a loss (damages or distress under the Art) based either on general damages on uniform per capita basis, or the amount that could reasonably be charged for releasing Google from duties. The Supreme Court rejected both arguments.
The Supreme Court unanimously allowed Google’s appeal and restored the dismissal of the case by the High Court.
This decision provides some key takeaways:
- Claims for Violations of the DPA:
- Proof of material damages or distress are required for claims for violation of the DPA brought by individuals and groups
- Representative actions are not suitable for claims for violation of the DPA without evidence of misuse or material damages/distress
- Other Mass Privacy Claims:
- Opt-out representative action for damages requires an individualized assessment of damages
Further, the Supreme Court’s decision to reject Lloyd’s attempt to bring an opt-out case against Google shows that opt-out representative actions are likely not possible (or at least very difficult) for data protection actions.
How will this impact future data privacy claims in the UK?
This much anticipated and landmark decision will drastically reduce the number of mass privacy claims brought in the UK due to the heightened evidentiary burden, and deter cases where only minimal evidence of harm as a result of breach exists.
For plaintiffs/claimants, this decision makes it even more difficult for individuals and class counsel to bring a mass privacy claims in the UK without obtaining proof of damages for all potential class members. This could be costly and likely deter many cases but does not completely prevent these types of cases where individuals have suffered actual damages.
For businesses, this decision provides some relief from potential frivolous claims or claims lacking evidentiary support for businesses processing personal information in or about individuals in the UK.
Other pending potential representative actions (awaiting this decision) will likely be prevented from moving forward in UK courts. However, note, the Lloyd decision focused on the DPA as applied during the claim period (2011 to 2012) and not recent developments in the data privacy framework in the UK (i.e., updates to the DPA and the UK GDPR).
Even in light of the Lloyd decision, the international data privacy landscape remains complex. Octillo works with its clients on developing international privacy compliance strategies and programs to implement proactive measures to protect personal data and thus reduce the risk of litigation. Our team of experienced attorneys, who are also devoted technologists, are specially equipped with the skills and experience necessary to provide guidance to navigate the complexities of international privacy frameworks and handle any resulting enforcement actions or litigation matters.
*Attorney Advertising; prior results do not guarantee similar outcomes.