KEEPING THE FLOODGATES SHUT: UK SUPREME COURT GIVES LANDMARK DATA PROTECTION RULING

Prospective Class Action Against Google is Stopped

Summary

The UK Supreme Court has handed down its much anticipated judgment in Lloyd v Google LLC.^[1] Google has successfully appealed against the Court of Appeal’s judgment, which had been perceived as lowering the threshold for bringing opt-out data protection “representative actions” under the Civil Procedure Rules in England. In particular, the Supreme Court has rejected the Court of Appeal’s finding that damages could be claimed merely for an individual’s loss of control of his or her personal data, whether or not s/he suffers any actual financial loss or distress. Our Perspective on the Court of Appeal’s judgment can be found here.

The case was brought by Mr Lloyd, as the putative representative of around 4 million iPhone users claiming uniform “per capita” damages for alleged data protection breaches by Google by collecting the data of those individuals through their iPhone usage, without their knowledge or consent, between August 2011 and February 2012 (the “Safari Workaround”). It was alleged that this gave rise to a right to seek damages for breach of the Data Protection Act 1998 (the “1998 Act”)—the predecessor to the current Data Protection Act 2018 (the “2018 Act”)—by Mr Lloyd as representative on behalf of the class of affected iPhone users.

The Supreme Court’s judgment restores the High Court’s dismissal of the case in 2018, on the basis it did not have a reasonable prospect of success for the purpose of serving Google outside the jurisdiction. In so doing, it has given important in-principle support to the representative action as a mechanism for bringing data protection and other mass tort claims, while at the same time upholding fundamental tort law principles that, in practice, have a chilling effect on the use of the representative action as a vehicle for tortious class actions. The Court found that the representative action—a procedure dating back to the 19th century for allowing one person to bring a claim on behalf of others who share the “same interest”—does not override longstanding tort law precepts (as also applicable to claims under the 1998 Act) which have the effect of restricting the use of the representative action as a broad-based, opt-out class action regime, e.g., of the kind long used in the United States. It is now perhaps more clear than it has ever been that the introduction of any such regime—beyond the “collective proceeding” currently available in competition cases in the Competition Appeal Tribunal—is a matter for Parliament, should that be considered a desirable step for the UK to take.

As to representative actions for data breaches specifically, a right to claim damages for the mere “loss of control” of data may now be contained in the General Data Protection Regulation (GDPR), as transposed into the 2018 Act; had Mr Lloyd been able to bring his case under the GDPR, the outcome may have been different.

The Issues

Section 13 of the 1998 Act entitled a person to claim damages they suffer by reason of any contravention by a data controller of a requirement of the Act. The issue at the heart of the appeal was whether damages could be awarded under section 13 without proof in each individual case that financial damage or distress had been suffered.

The Court first considered the scope of Rule 19.6 of the CPR, which allows a person to bring a claim as a representative on behalf of others (and thus binding them to the outcome) where they all share the “same interest”. Notwithstanding the outcome of the case, the decision gives a relatively expansive interpretation to this rule. The Rule 19.6 procedure can be used in claims for damages and where members of the class have separate causes of action provided there is a common issue (or issues) sufficient to ensure the representative is capable of promoting the interests of all the members of the class, without a conflict of interest arising between the members. On that basis, the Supreme Court found that in this case, Mr Lloyd was capable of representing the class, which appeared to have the requisite “same interest” as Mr Lloyd for the purposes of CPR 19.6, in the sense that the Safari Workaround affected each of them. Indeed, the Court noted that the development of mass production of goods and provision of services in the modern age, in particular the development of digital technologies, has led to the potential for mass harm for which legal redress may be sought and for which the representative action procedure may be apt.

However, notwithstanding the potential applicability of Rule 19.6 in this case, key to the Supreme Court’s decision was its finding that, on the ordinary application of the compensatory principle (i.e. that damages should put the claimant in the position s/he would have been in had the wrongdoing not occurred), each individual in the class would be required to prove damage as a result of Google’s alleged breach of the 1998 Act. The mere, and generic, “loss of control” of personal data across the class was not sufficient.

The difficulty for Mr Lloyd was that his framing of the “same interest” was informed by his approach to the damages being claimed, which he said did not need to be proved individually because of the “lowest common denominator” approach. By that approach, Mr Lloyd claimed that it was possible to identify an “irreducible minimum harm” suffered by every member of the class, being the mere loss of control of their personal data. A uniform sum of damages could therefore be awarded on a per capita basis across the class in respect of that loss of control. The Court found that an attempt to recover compensation under the 1998 Act in this way (i.e. without attempting to show individualised damage) was “doomed to fail”. That was because:

• Section 13 of the 1998 Act did not permit compensation without proof of material damage or distress whenever a data controller commits a non-trivial breach of any requirement of the 1998 Act, in relation to any personal data of which that individual is the subject. In this regard, the 1998 Act draws a distinction between “damage” on the one hand and a contravention of the 1998 Act which causes it, on the other. In other words, the alleged contravention itself and the attendant “loss of control” was not “damage” under the Act.

• Further, the effect of the Safari Workaround was not, in fact, uniform across the class—each person’s internet use and the type and extent of personal data the Safari Workaround extracted was different for each user. It could not therefore be said that there had been a breach of the 1998 Act, and that the damage suffered (if any) was the same, in every case.

• Contrary to the Court of Appeal’s premise, EU law did not alter the position in relation to domestic law. That was because on the Court’s reading the interpretation of the 1998 Act (as above) was so clear that any incompatibility between the 1998 Act and applicable EU law (being the Data Protection Directive, the predecessor to GDPR) could only be removed by amending the legislation, which could only be done by Parliament.

• The Court also rejected Mr Lloyd’s argument that the approach to damages for the purposes of the 1998 Act should be the same as the approach for damages in a claim under the tort for misuse of private information—as the two had a “common source.” This argument failed because there was in the Court’s view simply no reason why an English domestic tort should be regarded as relevant to the proper interpretation of the term “damage” in a statutory provision intended to implement a European Directive.

The Court also noted that Mr Lloyd could have sought to take an alternative two-stage approach, whereby a trial would be held on the “common issues” amongst the represented class, to establish liability, followed by individual claimants bringing claims for compensation. That approach had not been followed in this case, doubtless because it would be uneconomic for funders to fund a liability-only trial and bear the risk of an insufficient number of persons opting in at the second stage.

Accordingly, the Court concluded that while the claim might in principle be brought as a representative action by Mr Lloyd, it did not have a reasonable prospect of success because he was not proposing to establish a breach of the 1998 Act or any resulting damage in each individual case.

Key Takeaways

Overall, while this outcome will no doubt be seen as a setback for prospective data protection claimants and litigation funders, it is not fatal to the use of the representative action in other data protection or other tort cases, should the right set of facts present itself.

That is because, on one level, the Supreme Court has set out a blueprint for an alternative pathway for a viable claim. In addition, the case highlights certain procedural and legal pitfalls which could potentially be avoided by claimants in the future.

Further, the case relates to the 1998 Act, which is no longer in force and which has been superseded by the 2018 Act (which implements the GDPR). The Supreme Court expressly left the current GDPR regime “to one side” in reaching its decision. Under Article 82.1 of the GDPR, a person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation for the damage suffered. Recital 85 refers to “loss of control” over personal data as an example of physical, material or non-material damage. Therefore, the outcome in this case may have been different if the current legal framework had applied.

That being said, the data protection landscape is in what could be described as a constant state of evolution and has moved on considerably since 2011/2012, the period relevant to Mr Lloyd’s claim. Sophisticated data controllers and processors monitor, assess and improve their systems and controls on an ongoing basis. Given that current data protection laws require all data controllers and processors to obtain user consent or otherwise rely on the other limited gateways under the GDPR to permit the lawful processing of personal data, the chances of a fact pattern similar to Lloyd arising again appear to be limited: companies that collect and trade in substantial amounts of personal data are now very mindful of their obligations under the GDPR and the 2018 Act and deliberate and persistent (as opposed to one-off, inadvertent and/or opportunistic) misuses of personal data on a large scale—as the Safari Workaround is alleged to have been—will likely become increasingly rare.

Finally, as to the representative action more generally, it is now clear that its role as a vehicle for mass tort claims will continue to be limited. While the Court’s reasoning as to the applicability of CPR 19.6 may mean that that issue in other mass tort claims (including the recent Jalla v Shell ^[2] case) will, or would have been, analysed more in the claimants’ favour, the invariable requirement of having to establish liability and damage in each individual case will limit the representative action’s practical utility to those cases where genuinely uniform liability and damage can be established across the class, such as (as the Supreme Court noted) the uniform overcharging of a fixed fee or a mass product defect. Unlike the position in competition collective proceedings, recently confirmed by Mastercard v Merricks,^[3] the representative action has not altered the fundamental principles (such as the compensatory principle) that govern tortious damages claims. Therefore, any widely applicable, practicable English class action regime will require legislative intervention by Parliament.