Lloyd v Google: Google win landmark data claim
The judgment may cause many third-party litigation funders to 'rethink strategy for representative data protection litigation'
The Supreme Court has unanimously ruled to block a representative action brought against Google by a former executive director of consumer watchdog Which?
Richard Lloyd sought compensation under section 13 of the Data Protection Act 1998 (the Act) for damage allegedly suffered by four million Apple iPhone users as a result of unlawful processing by Google of their personal data in breach of the Act. His claim was funded by a third-party litigation funder, Therium.
The hotly anticipated judgment in Lloyd (Respondent) v Google LLC (Appellant) [2021] UKSC 50, was handed down today (10 November).
David Barker, a partner at Pinsent Masons, led the team that acted for Google in the landmark case. He said the decision the case should not proceed “is a very positive development for data controllers of all sizes”.
Between August 2011 and February 2012, Google placed advertising tracking cookies on iPhones using Apple's 'Safari' browser in England and Wales. Google rolled out a feature known as ‘social ads’ on the now defunct Google+. It sought to protect user privacy by segregation of data. However, Google ran into problems with this feature on Safari browsers, due to Safari’s handling of third-party cookies.
Google implemented a workaround; however, this resulted in Google’s ‘DoubleClick’ advertising cookie also being set in a third-party context, despite Apple claiming this was impossible on the Safari browser. As a result, it was alleged DoubleClick cookies had been set without user consent.
In England and Wales, ‘opt-out’ class claims may only be brought in a competition law context. As such, Lloyd sought to bring a claim under rule 19.6 of the Civil Procedure Rules which permits an individual to bring a claim on behalf of a wider class if all members of the class have the “same interest” in the claim.
Lloyd asked the court to overlook individual circumstances and instead award damages on a ‘lowest common denominator’ basis – being a hypothetical person least affected by the breach. He sought suggested damages of £750 for each class member in respect of their “loss of control” of their data.
The appeal sought to address whether the respondent should have been refused permission to serve the claim out of jurisdiction because: (i) members of the class had not suffered damage within the meaning of section 13 of the Act; and/or (ii) the respondent was not entitled to bring a representative claim because other members of the class did not have the same interest in the claim and were not identifiable, and/or (iii) the court should exercise its discretion to direct that the respondent should not act as a representative.
The court ruled not every data subject affected by a non-trivial data breach is entitled to compensation for “loss of control” of their personal data. It confirmed compensation for a non-trivial breach of the Act can only be made if the data subject has suffered material damage, meaning a tangible financial loss or distress.
The court also found the approach to the claim was not valid as a representative action for damages. It said the claimant must show each and every member of the class had suffered a breach of their rights and suffered damage as a result of that breach. It stressed the potential for claiming damages in a representative action is limited at common law. Damages are “awarded with the object of putting the claimant – as an individual – in the same position, as best money can do it, as if the wrong had not occurred”, commented Lord Leggatt.
Commenting on the case, Barker said it “identifies further challenges for claimants seeking to rely on misuse of private information in a data processing context”. He highlighted that litigation funders would be “unlikely” to “have any appetite to pursue” several other representative actions based on alleged data protection breaches that had been put on hold pending the Lloyd judgment. These include claims against TikTok, Facebook and Marriott Hotels.
Barker also explained: “The Supreme Court’s decision brings the position firmly into line with the outcome of the UK government consultation conducted last winter on the possibility of introducing a bespoke procedure for opt-out class actions in the data protection space.
“In its report on that consultation, the Department of Culture, Media and Sport said in February 2021 that the case for introducing an opt-out procedure into law was not strong enough”.
Alexander Dittel, partner at Wedlake Bell commented on the case and agreed with Barker’s assessment of the outlook for third-party funders: “… litigation funders will be forced to rethink strategy for representative data protection litigation.
“As framed, the claim was inconsistent with the compensatory principle. It is not possible to claim a uniform sum for each of the different types of iPhone users who might have been affected in very different ways”.
Dittel added: “The judgment will not stop vexatious claims for compensation for trivial breaches of data protection law which often cite Lloyd v Google as justification. However, the concept of "loss of control" will no longer serve as a sword.
“According to the Supreme Court, none of the requirements of the 1998 Act are predicated on “control” over personal data by the data subject. So, while the case does not offer an absolute defence, it will come as a relief to many organisations and might provide ammunition to successfully fight vexatious claims, something that is currently reserved for the larger well-resourced organisations”.
However, he warned: “Big technology companies are not off the hook. This action is over but the growing privacy community is likely planning its next attack. The Supreme Court explained that the action could have been used to establish Google's breach of the law which would then help individual claimants to seek specific damages”.