UK Supreme Court Rules in Favour of Google in Data Protection Class Action Claim

On 10 November 2021, the Supreme Court of the United Kingdom handed down its much-awaited judgment in the case of Lloyd v Google LLC [2021] UKSC 50.

The Supreme Court unanimously ruled that the claim, which is a representative action alleging breaches of the Data Protection Act 1998 (“DPA 1998”), could not proceed.

The Supreme Court ruled that the claim did not fulfil the requirement that individual claimants in a representative action must have the “same interest” under rule 19.6 of the English Civil Procedure Rules (“CPR”). Further, the Supreme Court held that it was not enough for a claim for compensation to be premised on mere contravention of a data controller’s statutory duties under the Data Protection Act 1998, but that “material damage” must result in order for a claim for compensation to be brought.

This judgment provides clarity to data controllers that data subjects cannot recover compensation for a breach (even if non-trivial) of the data controller’s statutory duties without demonstrating the damage or distress suffered as a consequence. It also provides important clarifications on when an “opt-out” style representative action can be pursued.

Background and Appeal

In May 2017, Richard Lloyd (“Lloyd”), a consumer protection advocate, brought a claim against Google LLC (“Google”) on behalf of a purported class of around 4.4 million Apple iPhone users, alleging that Google tracked some of their internet activity between 2011 and 2012 in breach of section 4 of the DPA 1998. As Google is a Delaware corporation, Lloyd required, and applied for, permission to serve the claim in the United States.

Although the DPA 1998 has since been superseded by the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA 2018”), the case has significant implications for both data privacy litigation and representative claims in the English courts.

Lloyd sought to make a claim as a representative claimant for a group of iPhone users who, he argued, have the same interest as he did in the claim. Importantly, the claim was made without the individual users signing up to, or even necessarily being aware of, the claim. Instead, the claim was made under CPR 19.6 which allows a representative claim where there are multiple claimants “who have the same interest”. A decision in a representative claim is binding on all persons who are represented in the claim.

The High Court dismissed Lloyd’s claim and refused him permission to serve the claim in the United States. The High Court found that: (i) none of the represented class had suffered “damage” as there was no pecuniary loss or distress, and (ii) the proposed members of the class did not have the same interest as required under CPR 19.6.

The Court of Appeal reversed that decision, and found that: (i) compensatory damages are in principle capable of being awarded for loss of control of data, even if there is no pecuniary loss and no distress, subject to it meeting a de minimis threshold, and (ii) the users represented by Lloyd had the same interest for the purpose of CPR 19.6 in the form of loss of control over their data.

Google appealed the case to the Supreme Court, arguing that there was no harm from a loss of control of personal data that could be compensated by an award of damages, and that users did not have the “same interest” because they were in fact a disparate group and the claim proposed was in reality a new form of “opt-out” class action that would require legislation to proceed.

The UK Information Commissioner’s Office (“ICO”) intervened before the Supreme Court. Their main contention was that the right to control personal data and have autonomy over it is a fundamental right with intrinsic value separate from any economic value underlying the data, and that as a result, loss of control over such data causes harm in the form of injury to a data subject’s fundamental right, regardless of any specific damage or distress caused.

The Supreme Court’s Decision

The Supreme Court unanimously allowed the appeal and restored the order made by the High Court refusing Lloyd’s application for permission to serve the proceedings on Google in the United States.

The Supreme Court acknowledged that while the development of digital technologies has greatly increased the potential for mass harm for which legal redress may be sought, the claim could not be brought as a representative action for damages in circumstances where the alleged harm suffered by each individual claimant would be different. This could not therefore satisfy the “same interest” test under CPR 19.6.

Further, the Supreme Court rejected Lloyd’s arguments that compensation can be awarded under the DPA 1998 for loss of control of personal data alone, brought about by a non-trivial contravention by a data controller of any requirements of the DPA 1998. The Supreme Court ruled that section 13 of the DPA 1998 provides that an individual must suffer “damage” as a result of the contravention, which was not met by the presence of unlawful processing per se. The Supreme Court further interpreted “damage” (in the context of section 13 of the DPA 1998) to mean tangible material damage (such as financial loss) or damage resulting from mental distress as distinct from, and caused by, the unlawful processing of personal data. The Court of Appeal’s analysis of damages for “loss of control” of personal data as a type of compensatory damage was rejected.

Important Takeaways

Damage needed to recover compensation for claims concerning loss of control over personal data. The Supreme Court did not make any determination regarding whether there was any breach of the data protection principles under the DPA 1998. The Supreme Court made clear, however, that it was not sufficient to prove a breach by a data controller of its statutory duties under the DPA 1998 for a claim for compensation under section 13. Instead, there has to be “damage” or “distress” suffered as a consequence of such breach. As provided in sections 13(1) and (2), an individual has to suffer damage or distress by reason of any contravention by a data controller of any of the DPA 1998’s requirements in order to be entitled to compensation for that damage. Section 13(2) further clarifies that where the individual suffers distress, he or she must also suffer damage by reason of the contravention. The Supreme Court ruled that, in the specific, now-historical context of section 13 of the DPA 1998 (see the next section as regards changes under the GDPR), “damage” means “material damage” and compensation can only be recovered for such material damage or distress (separately covered by section 13(2)).

Lloyd had sought to base his claim on the fact that the tort of misuse of private information and data protection legislation such as the DPA 1998 are both rooted in the same fundamental right to privacy. As such, because compensation could be claimed for breach of said tort without proving material damage or distress, merely by virtue of interference with a claimant’s right, compensation could also be claimed in the same way for breach of the DPA 1998.

However, the Supreme Court rejected Lloyd’s interpretation, and ruled that the wording of section 13 drew a clear distinction between the contravention of the DPA 1998’s requirements, in that only if damage occurs “by reason of” the contravention could there be a right to compensation. Hence, there is no entitlement to compensation based solely on proof of contravention.

Lloyd had also sought to base his claim on the English common law tort of a breach of the right to privacy. The Supreme Court equally dismissed this argument, citing the significant difference between the tort of privacy and data protection legislation in that a claimant is entitled to compensation for contravention of the legislation only where a data controller has failed to exercise reasonable care (making it inherently fault-based), whereas the tort of privacy involves strict liability for deliberate acts rather than acts involving want of care.

The Supreme Court considered that it would have been open to Lloyd to claim, at least in his own right, and without any material damage caused, damages under section 13 of the DPA 1998 for distress suffered by reason of contravention of any of the DPA 1998’s requirements. However, Lloyd did not make such a claim, and it would have been incompatible with his claiming damages on a representative basis, given that it would have required evidence of distress from each individual Apple iPhone user, making it an “opt-in” claim.

Implications for DPA 2018 and GDPR. The DPA 1998 had been superseded by the GDPR, supplemented by the DPA 2018, which repealed and replaced the DPA 1998 except in relation to acts or omissions before it came into force. Following the UK’s withdrawal from the European Union, the GDPR has been retained in UK domestic law as the UK GDPR, and continues to be supplemented by the DPA 2018 (together with the UK GDPR, “UK Data Protection Laws”). As the facts of the claim only arose under the DPA 1998, the Supreme Court did not consider the UK Data Protection Laws.

However, the decision could be influential on the interpretation of the UK Data Protection Laws, particularly Article 82 of the UK GDPR and section 169 of the DPA 2018 which allow compensation to be claimed for damage suffered as a result of contravention of the UK Data Protection Laws by either a data processor or controller. The language of these two provisions largely mirrors that of section 13 of the DPA 1998, in that there is a distinction drawn between “damage” and the “infringement” (Article 82 of the UK GDPR) or “contravention” (section 169 of the DPA 2018). The Supreme Court’s finding that the right to compensation must arise out of a “damage”, and not a mere infringement of the statutory duties, would appear to similarly apply there. That said, Article 82 of the UK GDPR explicitly refers to “non-material damage” as also giving rise to the right to compensation, and when read in tandem with Recital 85 (“a personal data breach may… result in physical, material or non-material damage to natural persons such as loss of control over their personal data…” (emphasis added)), could result in compensation being awarded for loss of control. We note that the Supreme Court of Justice of the Republic of Austria has recently referred a similar question to the Court of Justice of the European Union (whether Article 82 of the GDPR requires the plaintiff to have suffered damage or whether the infringement itself is sufficient for compensation), which will provide for a more determinative decision in respect of the GDPR. Regardless, even if compensation were available for non-material damages such as loss of control, the judgment makes clear that “it would still be necessary… to establish the extent of the unlawful processing in his or her individual case”, which would effectively preclude representative action being brought on such grounds.

Additionally, the Supreme Court found no authority, either generally in EU law or in the specific context of the Data Protection Directive (which preceded the GDPR), suggesting that the term “damage” should be interpreted as including an infringement of a legal right which causes no material damage or distress. The citing of EU law could, depending on further treatment by courts, influence future claims made under the UK GDPR.

Same interest test under CPR Rule 19.6(1). The Supreme Court’s judgment will be regarded as the leading authority on the viability of representative actions, confirming that representative claims for a broad class of persons who have not “opted-in” are possible, while providing important guidance on the “same interest” requirement for representative actions in the data privacy context.

Although the Supreme Court stated that it would have “no legitimate objection” to a representative claim being brought to establish whether there was a breach of the DPA 1998 (the effect of which would be similar to a declaratory action), Lloyd’s claim went further, claiming uniform per capita damages on behalf of each claimant. Crucially, the Supreme Court found however, that the alleged conduct would have impacted the class in different ways, depending on each individual’s personal circumstances (frequency of use for instance). As such, the Supreme Court considered that an individualised assessment of damages would be required for each member of the class in order to give effect to the principle that damages are intended to put each claimant, as individuals, into the position that they would have been in had the damage not occurred. This was compounded by the fact that the measure of each individual’s damages would be affected by the degree of interaction experienced by each user, which was specific to each individual and capable of wide variation across the class. Further, Lloyd’s argument that proof should only be required that a person meets the criteria to be a member of the represented class, and that all such persons should be treated as having suffered damage on a “lowest common denominator” basis, failed to show that each member of the class had in fact suffered “damage” as required under the DPA 1998. This meant that a representative action, where individual claimants do not actively participate, had “no prospect of meeting the threshold for an award of damages” and was not a suitable means of bringing the claim.

While the judgment will disappoint prospective representatives in future representative actions involving heterogeneous damage across the class, the Supreme Court clarified that there may be cases where damages can be determined on a representative basis. Examples are where all class members have wrongly been charged a fixed fee, or all class members acquired the same defective product where the value of the product was reduced by the same amount. The Supreme Court also indicated that a purposive approach to the interpretation of the “same interest” requirement should be adopted to facilitate access to justice. The judgment may renew calls for legislation to provide redress in consumer and privacy claims. However, in February 2021, the UK government had concluded, in response to its consultation on representative action in the context of the DPA 2018, that the benefits of such legislation may not outweigh the risks to businesses and the resulting increase in the workload of the ICO and the courts.