Data protection: Google off the hook

In the much anticipated Supreme Court decision Lloyd v Google [2021] UKSC 50, it was held that Richard Lloyd, the former director of consumer rights group Which?, was not entitled to bring proceedings against Google on behalf of 4.4 million Apple iPhone users resident in England & Wales. The UK cyber and class action communities had been waiting for this decision as, if Lloyd had succeeded, it could have opened the floodgates for more mass action claims against tech firms for data breaches. 

As it stands, the decision is big relief for Big Tech. However, it does leave consumers at a bit of a loss when it comes to having a viable route to compensation for breaches of their privacy rights. This article will discuss the decision and comment on what it means for Big Tech and consumers.

Background to the appeal

In this landmark action for data breach claims, Lloyd alleged that between 2011 and 2012 Google had unlawfully tracked the users’ internet activity without their consent in breach of data protection laws. The alleged breach occurred as a result of a workaround Google developed to bypass Safari’s block on all third party cookies. The alleged workaround worked by placing their “DoubleClick Ad” cookies on a user’s device if users visited a website with content from Google’s “DoubleClick Ad” domain. The data collected on health, race, ethnicity, sexuality and finance were allegedly used for commercial purposes, enabling advertisers to target specific groups of users based on their browsing history.

In 2017, Lloyd issued a damages claim on behalf of iPhone users under s 13 of the Data Protection Act 1998 (“DPA”), stating that Google had breached its duty as a data controller under s 4(4) of the DPA. The fact that this was brought under the data protection regime preceding the Data Protection Act 2018 and the UK GDPR is commented on below.

Lloyd sought to bring a “representative action”, which allows a claim to be brought by one or more persons as representatives of others who have the “same interest” in the claim, in terms of rule 19.6 of the Civil Procedure Rules. The key issue to be highlighted here is that Lloyd claimed it would not be necessary to establish the individual circumstances of each person represented by the action. Instead, he hoped that a uniform sum of damages could be awarded for each person.

Before Lloyd could serve the claim on Google he needed permission from the court. This is because Google is a Delaware corporation and therefore Lloyd was outside its jurisdiction. Unsurprisingly, Google opposed this application on two grounds: first, that under the DPA damages cannot be awarded without proof that a breach of the requirements of the Act caused an individual to suffer financial damages or distress; and secondly, the claim was not suitable to proceed as a representative action. 

The decision on whether Lloyd could serve the claim escalated through the English court system. The High Court initially refused permission and upheld Google’s grounds of opposition, but the Court of Appeal overturned this and allowed the action to proceed as a representative action, also holding that damages for loss of control were recoverable even if financial loss or distress was not shown.

Nature of “damage”

On 10 November 2021, the Supreme Court had the final say. The unanimous judgment restored the High Court’s decision to refuse permission to serve the proceedings on Google. Lord Leggatt gave two reasons for the Supreme Court’s conclusion.

First, and perhaps most crucial if we think back to Lloyd’s claim, compensation can only be awarded in terms of s 13 of the DPA where it is established that an individual has suffered “damage”, meaning either financial loss or distress. Lloyd’s position that the DPA allowed for compensation on the basis of non-trivial contravention of the obligations of the DPA was incorrect, as some form of damage had to be established and evidenced. Lord Leggatt found no basis in the DPA for Lloyd’s claim that it was sufficient for a claimant to allege a “loss of control” over their personal data. The argument which permitted the recovery of damages on the same grounds as claims for “misuse of private information” was also rejected.

Secondly, proof of individual circumstances would be required. Questions relating to how much data was tracked and for how long, the sensitivity of the data, and the use made of the data were all relevant in the assessment of damages. These questions could not be answered on behalf of the millions of users in this representative action.

The result of these two conclusions was that it was not possible to demonstrate that the 4 million affected iPhone users all shared “the same interest”. Instead, each affected data subject would have suffered different damage. As such, the proceedings could not be brought as a representative action.

Representative actions

Since this case began its journey in 2017 the landscape of data protection has changed much, with the Data Protection Act 1998 being replaced by the UK GDPR and the Data Protection Act 2018. That being said, the judgment itself is of significance to the interpretation and development of new data protection legislation. Whether or not the wording differences between old and new would have given a different decision is not clear. It is clear from the decision in this case that separate proceedings to assess damages would have been the necessary route to take, which would normally be uneconomical. However, the judgment did reserve opinion on whether a claim could be brought that would permit some compensation to be awarded through a representative action.

The Supreme Court’s decision in this case has clear knock-on effects for representative actions and group litigation. When the High Court’s refusal was initially overturned by the Court of Appeal, there was much speculation on the data breach claims that might come forward. However, it is expected that many of these claims will now not come to light following the Supreme Court’s decision. It is assumed that an effect of the ruling will be to reduce the prospects of success for class action-style compensation claims here in the UK, which will be welcome news for data controllers. The judgment echoes the recent Court of Appeal decision in Jalla v Shell International Trading & Shipping Co Ltd [2021] EWCA Civ 1389, which demonstrated the strict interpretation taken by the English courts to the requirement that the relevant claimants have “the same interest in a claim”.

The Supreme Court decision is a win for data controllers who have been fearful of an onslaught of mass action claims following in the shadow of the Court of Appeal decision. However, the risk of “opt-out” style collective proceedings has not completely gone away. These can be introduced on a sector-by-sector basis. Currently, the only example we have in the UK are those which relate to breaches of competition law; however questions have been raised as to whether similar actions could be applicable to data protection. The currently ongoing review of the UK GDPR may also provide the opportunity to introduce them.

Although the risk of collective data protection actions has not gone away, the immediate threat to data controllers has subsided in the wake of this Supreme Court ruling.